Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
Good start (Score:3, Insightful)
It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.
Pay outs (Score:5, Insightful)
well, it's a start, but a late one (Score:5, Insightful)
First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece; it seems designed to put Microsoft in the best light, "Can't we just all get along?".
Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until five years into the 21st century. While I don't hold much hope Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.
Technical Competence (Score:3, Insightful)
So what? Maybe they read some document informing them of what a heap overflow is. It's more important that these managers understand what goes into the code and the technical details that make the system operate, not what an "obscure" problem like a heap overflow is. Microsoft's managers can only claim technical know how if they have experience working as developers, because otherwise it's simply too hard to understand the real issues that the engineers have to face.
Some things to note (Score:3, Insightful)
"visibly angry" (Score:2, Insightful)
To me, this is very telling about those engineers' beliefs and attitudes about their own code. It also speaks volumes about their skill (and their personal belief about their own skill levels).
Real engineers fix problems, they don't get emotional.
Re:Puzzled: why get angry? (Score:5, Insightful)
Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.
Microsoft Security (Score:4, Insightful)
Re:well, it's a start, but a late one (Score:3, Insightful)
"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.
Anyone can say that they have knowledge of a particular issue...how many of these vice-presidents actually went on to demonstrate that knowledge? I'm guessing zero.
Re:Good start (Score:2, Insightful)
Re:for Microsoft it is easer... (Score:5, Insightful)
Can We Get Firefox Developers To Do This, Too? (Score:5, Insightful)
I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.
It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.
Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.
In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.
Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue Hat? Can we get together events like this of our own?
If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.
Re:Good start (Score:5, Insightful)
But *can* MS actually do anything?
Given the bowl of spaghetti called nearly 2 decades of Windows, how much freedom of action do they really have to clean things up? Tug at a strand here to fix it, and who knows where the other end is? How many side effects will there be from that one fix? Yet at the same time, their market power is based on Windows and their code base. Force too big a migration, too much retraining, and it might well turn into a different kind of migration - to someone else's platform.
They've got a ticklish and tough job ahead. But then again, they did it to themselves.
Re:Puzzled: why get angry? (Score:5, Insightful)
If it takes public embarrassment to get these engineers to take problems seriously, then they're totally fucked.
Don't be deceived, it's part of the plan (Score:1, Insightful)
I firmly believe they allow the virus and spyware problem to happen for this very reason.
Re:"visibly angry" (Score:5, Insightful)
Real engineers are human beings and it's quite acceptable for someone to get mad before they tackle a problem they helped create.
Old problem, not Microsoft specific (Score:2, Insightful)
a) old news
b) not Microsoft specific.
Linux and OSX can also be tricked into connecting to a rogue access point.
Whichever access point is most powerful, or has higher priority, will be connected to.
The only shocking thing about the article is that the engineers haven't seen/heard/tried this before.
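The selection rule the comment above describes (join the strongest radio advertising a trusted SSID) is what the Blue Hat demo exploited, so here is an added example, not code from the article or from any poster, that models it against a constructed scan. The scan rows, the `corpnet`/`guest` SSIDs, the BSSIDs and the allowlist are all made up for the example; the rogue radio is the loudest one, which is the usual evil-twin setup. `pick_by_signal` is the naive rule, `pick_pinned` refuses any BSSID that is not on the allowlist, and `count_evil_twins` is the detection side of the same check.

```c
#include <stdio.h>
#include <string.h>

/* One row of a wireless scan (constructed data, see below). */
struct ap {
    const char *ssid;
    const char *bssid;
    int rssi_dbm;           /* signal strength; closer to 0 is stronger */
};

/* Constructed scan result: "corpnet" is advertised by three radios. The
 * third BSSID is not one the laptop was ever provisioned with, and it is
 * the loudest, which is exactly what an evil twin relies on. */
static const struct ap scan[] = {
    { "corpnet", "00:11:22:33:44:01", -67 },
    { "corpnet", "00:11:22:33:44:02", -71 },
    { "corpnet", "de:ad:be:ef:00:01", -38 },   /* hypothetical rogue AP */
    { "guest",   "00:11:22:33:44:10", -60 },
};
#define SCAN_N (sizeof scan / sizeof scan[0])

/* BSSIDs the client was told belong to "corpnet" (hypothetical allowlist). */
static const char *const trusted_bssids[] = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
};
#define TRUSTED_N (sizeof trusted_bssids / sizeof trusted_bssids[0])

static int is_trusted(const char *bssid) {
    for (size_t i = 0; i < TRUSTED_N; i++)
        if (strcmp(bssid, trusted_bssids[i]) == 0)
            return 1;
    return 0;
}

/* What a stock client effectively does: among APs advertising the SSID,
 * join the strongest. Returns the scan index, or -1 if none match. */
int pick_by_signal(const char *ssid) {
    int best = -1;
    for (size_t i = 0; i < SCAN_N; i++) {
        if (strcmp(scan[i].ssid, ssid) != 0) continue;
        if (best < 0 || scan[i].rssi_dbm > scan[best].rssi_dbm)
            best = (int)i;
    }
    return best;
}

/* Hardened selection: same rule, but a BSSID that is not on the allowlist
 * is never a candidate, no matter how strong it is. */
int pick_pinned(const char *ssid) {
    int best = -1;
    for (size_t i = 0; i < SCAN_N; i++) {
        if (strcmp(scan[i].ssid, ssid) != 0 || !is_trusted(scan[i].bssid))
            continue;
        if (best < 0 || scan[i].rssi_dbm > scan[best].rssi_dbm)
            best = (int)i;
    }
    return best;
}

/* Detection: how many radios advertise this SSID from an unknown BSSID. */
int count_evil_twins(const char *ssid) {
    int n = 0;
    for (size_t i = 0; i < SCAN_N; i++)
        if (strcmp(scan[i].ssid, ssid) == 0 && !is_trusted(scan[i].bssid))
            n++;
    return n;
}

int main(void) {
    int naive = pick_by_signal("corpnet");
    int pinned = pick_pinned("corpnet");
    printf("strongest-signal rule joins %s (%d dBm)\n",
           scan[naive].bssid, scan[naive].rssi_dbm);
    printf("BSSID-pinned rule joins    %s (%d dBm)\n",
           scan[pinned].bssid, scan[pinned].rssi_dbm);
    printf("unknown radios advertising corpnet: %d\n",
           count_evil_twins("corpnet"));
    return 0;
}
```

Two caveats a practitioner would add: a BSSID is just a MAC address and is trivially spoofed, so pinning is a detection heuristic rather than authentication, and what actually stops the laptop from trusting the rogue radio is mutual authentication at join time (under 802.1X, the supplicant validating the authentication server's certificate). The naive rule here is also exactly why a saved open network is dangerous: any radio that beacons the same name gets the association.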
Behold, the problem (Score:3, Insightful)
The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.
"Don't necessarily focus on security features"? If this is just the reporter making up his own description it's not so bad. But if he's just echoing what he was told by Microsoft or whoever his source was, then they're looking at this backward and probably have been for a long time.
Anyone who touches that code for any reason at all has to keep security in mind every time he does it. It doesn't matter if he's responsible for authentication or whatever else they're including under the rubric of "security features". Any bit of code is a potential vulnerability. It only takes one buffer overflow, one set of bounds that's not checked, one line of code that doesn't validate the terminator on an input text string, to create one. And then it's a security problem for everybody. If making non "security feature" programmers aware of these issues is a new thing at MS, they've been doing this all wrong for years. (As many have suspected, but seeing it possibly confirmed is still a bit of a shock.)
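The comment above names the defect class exactly: one copy that trusts the input's length or its terminator. Here is an added example, not code from the article or the thread, showing that defect beside the bounded version. The `record` layout, the `NAME_MAX` limit and the helper names are assumptions made up for the example; `set_name_unsafe` is kept deliberately broken for contrast.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
    int  is_admin;      /* sits right after the buffer: the overflow target */
};

/* Vulnerable (kept broken on purpose): assumes the input is NUL-terminated
 * and shorter than NAME_MAX. strcpy copies until it finds a NUL, so an
 * over-long or unterminated input runs past name[] into is_admin and
 * whatever follows the record on the stack or heap. */
void set_name_unsafe(struct record *r, const char *input) {
    r->is_admin = 0;
    strcpy(r->name, input);
}

/* Hardened: the caller passes the length it actually holds, the copy is
 * bounded by that length and by the destination, and an embedded NUL is
 * honoured but never required. Returns 0 on success, -1 if the input does
 * not fit, in which case the record is left untouched (reject, do not
 * silently truncate). */
int set_name_safe(struct record *r, const char *input, size_t input_len) {
    const char *nul = memchr(input, '\0', input_len);
    size_t len = nul ? (size_t)(nul - input) : input_len;
    if (len >= NAME_MAX)
        return -1;
    r->is_admin = 0;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

/* Check helper: copies input into a fresh record and returns the stored
 * name length, or -1 if the safe path rejected it. */
int checked_set(const char *input, size_t input_len) {
    struct record r = { "", 1 };
    if (set_name_safe(&r, input, input_len) != 0)
        return -1;
    return (int)strlen(r.name);
}

int main(void) {
    struct record r;
    const char *too_long = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";   /* 32 chars */

    /* Undefined behaviour: the copy runs past name[] into is_admin. What you
     * observe depends on compiler, flags and layout, which is the point:
     * correctness now rests on an attacker-controlled string length. */
    set_name_unsafe(&r, too_long);
    printf("unsafe: is_admin=%d\n", r.is_admin);

    printf("safe:   rc=%d (rejected)\n",
           set_name_safe(&r, too_long, strlen(too_long)));
    return 0;
}
```

On a distribution that builds with `_FORTIFY_SOURCE`, the unsafe call may abort with a "buffer overflow detected" message instead of corrupting `is_admin`; either outcome illustrates the same thing, that the caller's data decides what the program does. The safe variant does not fix this by being cleverer about strings; it fixes it by never letting the input carry its own length.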
An extremely dangerous stunt (Score:4, Insightful)
I'm not a shareholder or a user of their products (except to the extent that the vast majority of the companies I do business with use Microsoft) but I find this an extremely irresponsible act on the company's part. If they want to try this sort of security testing, and they should, it should be done off-site or in a shielded room.
Re:Good start (Score:5, Insightful)
I think it's a matter of levels. Sure, they doubtless know about all the holes in the code or whatever (being the ones that, y'know, PATCH it) - but it's a totally different understanding than that of an expert user.
It's like an Automotive Engineer and a Mechanic. They both "know" essentially the same things about any specific car. But it's their viewpoints and specific backgrounds that make their individual understandings both unique and useful.
Re:Invite outsiders or hire insiders? (Score:3, Insightful)
If they were an inside team doing the "blue hat" work, they'd be about as popular as Internal Affairs officers are to their fellow cops. There would be a lot of pressure to "just overlook that" from their friends, or folks who they feel loyalty to within the company.
Re:Puzzled: why get angry? (Score:3, Insightful)
I'm always open to somebody trashing my code. If they can trash it I need to learn what flaws I'm not aware of that I'm coding.
Pride comes before a fall (Score:3, Insightful)
Open Source software is not bulletproof. It suffers from security defects as well. The big difference, however, is we're up front and honest about it. Microsoft can't afford to be that way, as they rely on customer confidence and their monopoly to stay in business.
Microsoft seems to be understanding that their real problem in improving security is people, not so much the technology. By letting the "bad guys" knock the bricks down in front of the programmers who build the stuff, it oughta sink in pretty deep.
Fix the attitude among the developers and the technical stuff will probably follow. Too bad a lot of slashdotters aren't able to experience the same thing.
FINALLY!!! (Score:3, Insightful)
The invited security experts are familiar with all kinds of exploits even at the latest patch release. However, the really smart ones are not working security for a living; they are doing International Corporate Espionage where you don't publish what you find, you use it over and over and guard it as secret so you can get paid as you steal IP from one company and sell to another.
Personally, I don't believe that MS will be able to fix Windows unless they go through a complete rewrite, that means beyond Longhorn before they get it right. They can continue to bandaid it or they can start over and design the way OpenBSD designs. Include security regression testing into their milestone workflow. While they are re-doing things they can also fix all the other broken crap that needs fixin!
two BILLION a year... (Score:3, Insightful)
uh huh
think about what that sort of cash would do to help out open software in general terms, all the various neato projects done with a few dollars and a lot of skull sweat. Think about if only a fraction of that went to linux kernel development, say something small, like 100 million dollars, 1/20th of what MS spends on "security research"
I am just amazed at this, it is just a staggering sum for those products and their "security features".
Re:"visibly angry" (Score:5, Insightful)
This is so true. I've worked with many people in IT and communications over the past 17 years, in financial, military and educational institutions from desktop support to reverse engineering. People who get emotional when challenged or proven wrong are putting their ego before the problem. Their ego becomes the biggest problem and the real problem they're getting paid to fix tends to get fixed in a way that makes them look good, which might not actually be the technically better way.
The most exceptional people I have worked with, shrugged failure off and carried on with fixing things or making them better. The loudest people don't know shit and cover it up with fast talking. It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.
Unfortunately, in the past 17 years, only two people in my mind stand out to be the exceptional people, the rest are all competing in a bullshit competition with each other or are otherwise mediocre.
Re:"End of an era"? (Score:3, Insightful)
Strange. Bad. Awful.
But it's the reality with RPM, or even Apt/Emerge. The Linux distributions really have limited how much stuff the average user installs randomly from the net. But it's a temporary thing...Spyware for Linux isn't worth developing, because there aren't enough non-geek eyeballs to sell.
It's overall a pretty cool article, but the comparison I had made when talking to Ina was that spyware-assaulted Windows vs. the always-perfect nature of a fresh Knoppix CD is a surprisingly tough contest, and that people may be willing to give up their own ability to customize their system in return for the ability to protect the basic functionality of their system.
--Dan
Here We Go Again (Score:1, Insightful)
Remember Microsoft declaring Bug Month?
http://slashdot.org/article.pl?sid=02/02/02/20122
"We are not coding new code as of today for the next month." Richard Purcell, director of the Microsoft's corporate computing office. That was February 2002.
The big shock for me was actually getting contacted by a Microsoft engineer requesting more information on a particularly bad CSS issue in IE6. I hadn't believed Bug Month was anything but PR till that point.
Then nothing got fixed. It's three years later and zero IE6 CSS flaws have been fixed. Zero.
There's no reason to expect better this time.
Re:"visibly angry" (Score:5, Insightful)
I once worked for a company that hired an outside consultant to ask how they could get their product into a "better place". It was nasty code that contained snippets of Fortran, C, C++, and three other scripting languages. Some of the newer portions were being developed in JAVA with a database as the "inter-system" communication protocol. It compiled on one specific version of UNIX and threw memory alignment errors.
The consultant did an excellent job, and he really should be commended for identifying key weaknesses in the product; however, when he presented his findings, most of the managers grew visibly upset, and a few raised their voices (but I wouldn't call it yelling). People defend their collections of bad ideas, and rationalize that it's much more costly to fix problems than to just live with them a little longer.
I enjoyed my time there, but I moved on because I couldn't stand to see good ideas replaced with bad.
Re:So, uh, during that hushed silence (Score:5, Insightful)
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Insightful)
"Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security."
That is the problem, security can't be achieved the same way that browser market domination was. To fix security, MS will need the following:
A lot of rewriting, that is expensive. But can be done.
A lot of testing, that FOSS gets for free and MS pays a lot. But can be done.
Also, they'll need to modify the relationship they have with their customers. That is a hard one, MS will need to respect their clients. They'll need a complete restructuring, but can be done.
And, finally, the problem: MS will need to discontinue bad projects, breaking past compatibility.
Let's face it, Windows, IE and Office are kept on top because of the net effect. The advantage that people get when running those products is to get something that is compatible with everything else, so they don't need to care about that. If MS suddenly breaks past compatibility, they'll see their market suddenly vanish.
This is why MS will not develop secure products so soon, their software projects are flawed and they can't correct it. Those events are good PR, but will not make MS programs better than FOSS.
Knows about MD5? (Score:2, Insightful)
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Insightful)
Second, most of MS problems are caused by the fact they miss nearly every boat, and then come up with half-assed solutions to catch up. Security is not something that can be tacked on later, like a GUI or browser or RSS feed. It must be designed into the infrastructure. It is quite unreasonable to allow untrusted agents unlimited access to the file system, and then set up optional limits on that access and call it security.
Firefox is not comparable because Firefox is not a component of the OS. It is not, as is IE, an application front end, but a standard stand-alone web browser. The critical nature of Firefox bugs cannot reach that of IE because they are not, by definition, OS-level faults.
Finally, these 'try to break into my house' kind of tests are kind of useless. If nothing happens then the vendor unfairly claims security. If something happens, it is either spun to a nonevent or the particular problem is fixed, and, again, security is unfairly claimed. It is a PR stunt.
I am sure you will tell your clients to go with MS no matter what, as you likely make most of your money fixing the MS problems, and an efficient OS would mean that you would be forced to find a real job.
Re:Puzzled: why get angry? (Score:4, Insightful)
Why, exactly? If saving face motivates people to solve the problem, then I'm all for it. Frankly, I don't care if they fix the problem because they want to save face, impress their girlfriend or because little green men from the planet Weebo have told them to. I care about results. If the problem is fixed, the problem is fixed. Their motivation doesn't even enter my mind.
Re:"visibly angry" (Score:2, Insightful)
I have been developing for more than 15 years and have worked for great organizations. You could get emotional if corporate process and strategies do not permit you to develop quality code. Have you ever worked in a marketing-driven company where dirty work is appreciated by clueless managers, because it is fast and they wanted everything yesterday? Have you ever worked for an organization that puts more priority on marketing gimmicks?
M$ is not an exception, and many good practices of Software Engineering are bypassed there. The developers are expected to code and pray (I am exaggerating, but it is not far from reality).
Organization process is very important. It brings the best out of individual. Real engineers feel suffocated with lot of marketing shit around.
Re:for Microsoft it is easer... (Score:3, Insightful)
That's why it's so useful to get people who are totally detached from the project to have a stab at finding problems. That's also why, when you write a novel or story, you have a friend edit it and likewise why your publisher employs copy editors instead of just taking your word for it.
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Insightful)
Hell, for the longest time, IE was THE browser to use because of its standards compliance, features, etc...
Also, the only security advantage Firefox has with not being integrated is that it's not shipped with the OS. The fact is that IE is shipped with every single Windows computer, and as such anyone can be exploited by it. IE is NOT part of the OS, except that the rendering engine is used to render some OS components; however, it is no more integrated than Firefox.
Firefox is also just a front-end, just that it is a front-end to a different rendering engine (Gecko).
Re:"visibly angry" (Score:5, Insightful)
I have to disagree. I've fixed/solved some majorly complicated problems in the past 20 years. In many cases, I've gone through periods of frustration that got vented as 'anger.' Once vented, I settled down to the task at hand.
The most exceptional people I have worked with, shrugged failure off
It seems the quiet, well educated people who are comfortable with themselves are the ones who make the biggest differences.
Perhaps. But that itself does not prove (or even suggest) that some exceptional people are not also 'passionate.'
You probably should not make such sweeping generalizations. There are many personality types among people who are very effective at very complex tasks.
Re:Can We Get Firefox Developers To Do This, Too? (Score:3, Insightful)
IE has no greater ability to do damage to the system than Firefox does.
Re:well, it's a start, but a late one (Score:3, Insightful)
To Microsoft, security is about features. A built-in "firewall", VPN, encryption of this or that, trusted something or other. Applets and wizards.
They're basically stuck in that position, too. The cash cow is actually layer upon layer of such features, fundamentally designed for a different, and far less ambitious, job than it's now asked to perform.
I'd better stop, or I'll go into full-on rant mode. Oops, too late.
Windows needs a complete rewrite, but that's not enough. If they did that now, they'd wind up with the same sorts of problems they currently have.
Even a total refocus on security is not enough. They have to change who they are as a company. They have to change the mindset that says that software's value is determined solely by how much revenue it produces.
To a software business the value of a product can be measured by how much money it makes, but it's an unholy error of the stupidest freshman sort to value individual parts of the design by how much they'll bring in. Some parts are so essential, and some phases of design so vital, that without them the overall product falls on its face.
The marketplace doesn't know enough about the inner workings of your product to tell you what value to place on any particular phase of design. The market (eventually) tells you how well it likes the finished product versus your competitor's, but hidden design processes aren't part of the comparison.
Security has got to be considered at every step of the design process. It follows along with robustness, portability, scalability, and overall algorithmic soundness.
I have a suggestion for you Microsoft design managers out there, for the next time your boss says, "Hey, let's make [X] really easy - that would really sell!". Don't just nod. Look at them and say, "Maybe, but it would also be simple to exploit."
The response will tell you how far the focus has really shifted.
Wrong Thinking (Score:2, Insightful)
Re:Good start (Score:3, Insightful)
used to be you loved CS to go into it, now many do just for a quick buck or a job.
I'm in 3rd year at SFU, and most people I know can't program worth a damn. Pointers, multi-threaded stuff, assembler confuses many of them. Some never used anything but Java until this year! And then here I am sitting in CMPT 300 as the teacher tried to teach C++ to most of the class and THEN teach OS and threads. Sad.
Skill level has come way down. There are some good ones I've met, but when I look at some teachers' code and find errors, and see the general lack of skill... Most of the skilled people I know are still only skilled at application level and usually with Java. So very few who know asm/C and how to do low-level on-the-metal stuff.
Best teacher I had was one who did work in a lot of companies; he knew his shit. Then I got a new young guy next sem, just got out of school and did research; his code sucked. He just didn't know things.
The guys writing the core code of an operating system should be old veterans, because they know what works, and they've been around forever and seen it all. I don't care what school anyone's come from, or how smart you think you are.
I work on Windows device drivers, I know how hard it is to even do low-level work, let alone do it right. My dad's been doing drivers for 20+ years now; I'll see something and think, oh, in school, or this way is better, and most of the time, he's like no, the school way is wrong because XXXX and such. Stuff you wouldn't know unless you'd seen it done, and fail.
Experience is worth way more than any school. Sad that the people who hire don't realize that.
What's really sad (Score:3, Insightful)
It's really sad that they had several hundred engineers sitting around, getting taught lessons like this. 99% of the so-called hackers out there really aren't that great. And it's unlikely anything earthshattering here was used.
I find it truly surprising that not one single Microsoft Engineer could take it upon himself to discover these flaws beforehand. And that they were surprised by these results.
That tells me a lot about the Engineering talent. Hopefully some small change has been made in the mindset there. It would at least be a good small start; because one key thing about improving security is the mindset.
Re:Puzzled: why get angry? (Score:5, Insightful)
The problem is that saving face can be accomplished by only hiding the problem, or squelching discussion of it, or pretending it isn't there.
Saving face generally seems to take the path of least resistance, and implies a desire to not face the issue.
Re:Can We Get Firefox Developers To Do This, Too? (Score:2, Insightful)
Get out of your chair, go out into the world, and try to create an original thought.
Re:Good start (Score:3, Insightful)
And it's not like they are understaffed on the OS team. Adding more programmers to a project does not ensure success and may actually make the process take longer.
Re:Good start (Score:3, Insightful)
Slashdot responses about MS and BitTorrent are just FUD.
Re:Constructive criticism (Score:3, Insightful)
If same boss organized a conference and allowed SOMEONE ELSE to purposely expose my NULL pointer dereference by demonstrating that the mouse locks up or causes a seg fault or whatever, then I would feel that my boss was making a point: I'm an employee who is worth publicly humiliating.
I would find a new job.
Third party support (Score:3, Insightful)
How long do you think it took Windows to reach the state it's in now? If you're looking at just the major changes there have been a LOT compared to other software. (Windows 95, 98, 2000, XP, not counting updates, ME, or versions older than 95 and the unreleased Longhorn). Has there EVER been a major series of software changes in history on this scale? The answer is a simple, no way.
Throw in the fact that nearly 90-something% of all computer software is designed to fit into a Windows environment, the billions of users who have accustomed themselves to Windows' own quirks and the ever present threat of losing marketshare to Apple or Linux and what you're asking is impossible. There is no magical development wand that can be waved and all of Microsoft's problems would be solved. This isn't a Linux project where every user personally works on and personally customizes their OS either. The most obvious solution for Windows to take is simple, 'if it isn't broken (enough), don't fix it (yet)'
Re:Good start (Score:3, Insightful)
Since XP was released.
OS X has matured into a great product getting faster and better with each release.
Linux has gone from hard to install for the average person to being easy.
Beos has come back from the dead.
Sky OS was completely written by a lone programmer (1999-2005) including drivers and a full GUI.
Now MSFT outnumbers all those companies/people by 10 to 1 in the case of Apple. Why can smaller companies produce more unique software faster than MSFT can? The size of the apps is the same. They can do similar things to MS offerings. Yet MSFT can't keep up.
Re:Third party support (Score:2, Insightful)
Re:Knows about MD5? (Score:3, Insightful)