Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
"End of an era"? (Score:4, Informative)
From TFA:
Funny...the Fedora install on my laptop seems fairly customizable and fairly secure all at once...
a little niggle (Score:4, Informative)
Re:Pay outs (Score:0, Informative)
Re:Corporate Color (Score:5, Informative)
Re:Pay outs (Score:5, Informative)
From http://www.microsoft.com/msft/FAQ/faqdividend.mspx [microsoft.com]:
Engineers? (Score:5, Informative)
Re:Engineers? (Score:3, Informative)
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Informative)
I don't think so. Of course they are now taking security a bit more seriously, but there are so many big conceptual mistakes, so many design flaws, they won't and can't fix, or they would break thousands of applications which you can't just recompile...
Like:
- case-insensitive but case-preserving filesystem (ambiguities in filenames)
- ActiveX and other unsafe scripting languages all over the place. It's not just the browser, it's also Word, Excel and lots of other programs.
- RPC for just about everything.
- unsafe program interfaces. Some applications will happily accept any malformed events from some other components.
- writable windows\system and other writable directories. ACLs are nice, but you do have to set sensible defaults.
Re:Engineers? (Score:5, Informative)
Re:Engineers? (Score:3, Informative)
Re:Good start (Score:5, Informative)
Apple didn't create a new OS from scratch, they bought an existing one - NeXT (although many will argue Apple bought Steve Jobs and NeXT was a nice bonus).
Moreover, since NeXT was actually released for the first time way back in 1989, OS X's codebase is actually around 4 years *older* than Windows NT's.
Apple did this when small and survived. And MS can do it now but can't postpone much longer.
Microsoft will not create another from-scratch OS in the foreseeable future. There is simply no need. Technically and architecturally NT is just as good as any of its contemporaries. 99% of problems in Windows come from legacy support (being phased out with .NET, x86-64 also providing a convenient excuse) and less than ideal default settings (hopefully on the way out with LH).
Re:lured? (Score:4, Informative)
Re:Good start (Score:4, Informative)
Using tools like void11, you can disconnect wireless clients. Windows automatically attempts to reconnect to the WAP. If you've got an identically-named WAP and you can overpower their WAP, they'll connect to yours instead. They won't be notified, and will think that they are on their own network. Which doesn't matter too much because you could alternately just sniff all their traffic (or even inject your own) without setting up a WAP of your own.
There's a lot that MS can do about it, and code written 2 decades ago has absolutely no bearing on it.
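The two observable signs of the attack this comment describes are a burst of deauthentication frames aimed at a client and a second access point advertising an SSID that is already in use. The following detector, an added example and not code from the thread or from any tool named in it, runs over a constructed list of 802.11 management-frame summaries (the tuple layout, the thresholds and the MAC addresses are all assumptions) and raises an alert for each sign.

```python
# Added example (not from the Slashdot thread): flags a deauthentication
# flood and an "evil twin" beacon in constructed 802.11 frame summaries.
from collections import defaultdict

# Constructed sample capture: (timestamp_s, frame_kind, bssid, extra)
# For beacons `extra` is the SSID; for deauth frames it is the target client.
SAMPLE_FRAMES = [
    (0.00, "beacon", "00:11:22:33:44:55", "corpnet"),
    (0.10, "beacon", "00:11:22:33:44:55", "corpnet"),
    (1.00, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.01, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.02, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.03, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.04, "deauth", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"),
    (1.50, "beacon", "de:ad:be:ef:00:01", "corpnet"),   # unknown AP, same SSID
]

DEAUTH_BURST = 5      # assumed threshold: this many frames to one client ...
DEAUTH_WINDOW = 1.0   # ... inside this many seconds is treated as a flood


def detect(frames):
    """Return a list of alert strings for the frames seen so far."""
    alerts = []
    ssid_bssids = defaultdict(set)    # SSID -> BSSIDs seen advertising it
    deauth_times = defaultdict(list)  # client MAC -> recent deauth timestamps
    for ts, kind, bssid, extra in frames:
        if kind == "beacon":
            known = ssid_bssids[extra]
            # In a corporate WLAN many legitimate APs share one SSID, so a
            # production check would compare against an allowlist of BSSIDs;
            # here any BSSID not seen before for this SSID is reported.
            if known and bssid not in known:
                alerts.append(f"evil twin: SSID {extra!r} now also advertised by {bssid}")
            known.add(bssid)
        elif kind == "deauth":
            times = deauth_times[extra]
            times.append(ts)
            # Drop frames that fell out of the sliding window.
            while times and ts - times[0] > DEAUTH_WINDOW:
                times.pop(0)
            if len(times) == DEAUTH_BURST:
                alerts.append(f"deauth flood: {DEAUTH_BURST} frames to {extra} "
                              f"within {DEAUTH_WINDOW}s claiming BSSID {bssid}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_FRAMES):
        print(line)
```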
Re:An extremely dangerous stunt (Score:3, Informative)
Anyone doing even halfway decent wireless networking in the corporate environment is simply using the wlan as a transport layer for a VPN. Without the VPN you can't get anywhere.
Re:Good start (Score:1, Informative)
You know, you claim that Microsoft is insular, but I haven't seen that here. I mean in the few days I've been here, I've met people on my team who have worked at Sun, IBM, and BEA. I myself am a college intern and have worked for TI, Nortel, and a bunch of start-ups. Exactly where are you getting your information, from which you base your opinion? Or are you just making stuff up? I suspect it's the latter.
Heh... read the sidebar (Score:2, Informative)
Excerpted for your amusement; pay careful attention and watch to see what deep technical know-how Allchin actually demonstrates beyond "nodding knowingly" (honestly, the guy probably knows what MD5 is, but he comes across as pretty silly here in spite of the praise he's getting).
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Informative)
How so? You can't create (for example) readme, README and ReAdMe all in the same directory on Windows, so you can't cause ambiguity like that.
- writeable windows\system and other writeable directories. ACLs are nice, but you do have to set sensible defaults..
Normal users don't have write access to the Windows or Program Files directories. Now, you can argue that MS hasn't exactly made it easy for people to run as normal users, but that's only partly true. NT has had ACLs from the beginning, and was released towards the tail end of the 90s - developers have had what, a decade to get used to the idea of user permissions on Windows? Even only counting from the release of XP, they've had 3 years or so. Yes, user-based security on Win 9x was non-existent, but come on.
Re:Engineers? (Score:3, Informative)
http://www.computer.org/software/articles/Speed.h