Hackers, Meet Microsoft
Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."
Blue? (Score:2, Interesting)
And 3.1 was a black background, but blue graphic.
Kind of old... (Score:2, Interesting)
The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target...
We're in what, mid June now? Slashdot: "olds" and recycled duplicate articles for nerds, I guess...
Still it's nice to know that Microsoft at least acknowledges that there is a problem they aren't addressing properly.
Re:well, it's a start, but a late one (Score:2, Interesting)
Too bad about the other two. I guess they don't have enough guile to be promoted any further.
You mean to tell me... (Score:2, Interesting)
So you mean to tell me, that Microsoft employs *no* hackers of any hat or has ever known one? They make it seem like it was the first Thanksgiving all over again. Puh-leaase.
Today's lesson is: Hire hackers if you want to build a secure OS.
Getting through to engineers is hard (Score:5, Interesting)
I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screen fonts but the competitor used Tahoma, but just change the goddamn font, OK?
Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"
Read about this in Cooper's book "The Inmates Are Running The Asylum."
K.
Invite outsiders or hire insiders? (Score:2, Interesting)
Re:"End of an era"? (Score:4, Interesting)
While what you say is certainly true, I'm not sure I buy that as a complete explanation.
Consider Apache vs. IIS...IIS is in the minority there, but which is more secure?
Give Microsoft Its Due (Score:5, Interesting)
This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.
Giant Anti-Spyware, IE 7, and the anti-virus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).
Re:Kind of old... (Score:1, Interesting)
Re:Give Microsoft Its Due (Score:4, Interesting)
Microsoft always catch up after being behind everyone else after roughly ten years, in everything they do. The same is true for their current drive towards security, where they are starting to catch up to, say, the seriousness with which 1980's UNIX vendors approached security.
The underlying problem though is that Microsoft only ever develop anything reactively, never proactively. Every move they've ever made has been kind of like: "hey look, company XYZ has produced this excellent product ABC, and everyone loves it, let's also start working on something like that and release a semi-decent version five years from now". This will never change.
So it's all fine and well that Longhorn 2006/7 will be the first MS OS ever actually built with a serious company-wide intention of being secure, but the question is, do you want to always be at least "ten years behind" like that? Do you think it's good to keep putting your money into the company that only knows how to "catch up", in an industry that really runs much better when there is leadership and innovation?
Re:Good start (Score:5, Interesting)
It's like the old saying - three ways to do things: right way, wrong way, army way. Training recent graduates to the corporate culture only works if there are others coming in to stop it being an exercise in corporate narcissism, which is dangerous in a company like Microsoft that makes money by high volume, low development cost "good enough" software as distinct from the expensive low volume stuff you would trust to handle a stock exchange or air traffic control. If they aimed to be the best they would not be so successful, they would be undercut.
The guys writing the code need to be aware of what is going on in the rest of the world.
Re:"End of an era"? (Score:4, Interesting)
Linux these days is generally more secure out of the box. But when you install it, you really need to do a 'netstat -ln' and see what's open. Then set up a reasonable firewall. Your average idiot out there can't do this. (I use Gentoo, so I have absolutely no clue how other distributions handle this stuff, and I don't know what kind of blackbox firewall setups are out there.)
Linux can be less secure than Windows. Usually that's accomplished by turning on all sorts of crap that you don't need, not securing it, and not updating it.
Windows, by default, is a typical blackbox. The thing is an absolute mess. Years after they first appeared, we still have Outlook viruses that pop up every day. Web browsing with MSIE is like playing Russian Roulette. At least with Linux you don't have to worry about that as much. With Linux, you set the system up, and it stays set up that way for the most part. So many packages (malicious and legitimate) change settings in Windows, that it's nearly impossible sometimes to have a good picture of what is going on with your system.
I took a Windows system down on my home network because after one of my family used the thing for a few months I threw a traffic and systems analyzer on the thing and saw so much spyware and so many viruses on it that I couldn't justify letting the thing stay on my network. This was with Norton Antivirus running on it, mind you. As it is, any Windows installation I have is sectioned from the rest of the network for just that reason. They sit on their own subnet, can't talk to each other, can't talk to the LAN, and can only route out to the Internet.
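The comment above recommends running `netstat -ln` after install and looking at what is open. The following is an added example, not part of the original post: a small POSIX shell filter that takes `netstat -ln` output and reports only the TCP/UDP listeners bound to something other than loopback, i.e. the services a firewall ruleset actually has to account for. The sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -ln` output (not from a real machine).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
tcp6       0      0 :::80                   :::*                    LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/example.sock'

# Read netstat -ln output on stdin; print "proto local_address" for each
# TCP/UDP socket whose bind address is not loopback. Unix-domain sockets and
# header lines are ignored because they are not reachable from the network.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            host = addr
            sub(/:[^:]*$/, "", host)      # drop ":port", keep the bind address
            if (host ~ /^127\./ || host == "::1") next
            print $1, addr
        }'
}

# Stand-alone run over the constructed sample; pipe real `netstat -ln`
# output into exposed_listeners to check a live system instead.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Anything this prints is a service the host offers to its whole subnet (or, for `0.0.0.0` and `::`, every interface), so it is the list to reconcile against the firewall rules and against what the machine is actually supposed to provide.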
MS Coders Ignorant? (Score:2, Interesting)
Maybe it's just me, but I would assume these guys would actually have spent time securing their own computers, dealing with spyware and worms, etc. Maybe even attempting to hack their own computers to test it. More so, do they not keep up on the latest techie news given that they are geeks?
Maybe if all MS programmers signed up to receive slashdot digests every day and took the time to read the articles and comments, they would learn from others' experiences with MS products and use those critiques to improve their products.
Do these people live in a hole or something?
Re:Can We Get Firefox Developers To Do This, Too? (Score:4, Interesting)
Exactly. Working for a major Systems Integrator, our customer actually has a special team of people who do nothing but hack systems, and recommend security changes to the products they buy.
We thought we had locked down our systems pretty well. They turned it out pretty good, and produced a 92-page report. (of course, some of it was gratuitous).
However, the end result: slapping security changes onto an already-developed product results in a whole lot of breakage. This lesson will benefit our NEXT customer. And it will really, really hurt our current customer. The lesson? Security should be designed into a system from the start.
Re:Puzzled: why get angry? (Score:3, Interesting)
No, it's not. Say you work for Microsoft, and your job deals with the NTFS filesystem. You have done everything in your power to make your system secure, but you still have to depend on other coworkers making their systems secure as well. So someone on the wireless team screws up and has a flaw. The exploit demoed uses the power of NTFS against itself to hide a virus. If I was that NTFS programmer, you're damn right I'd be upset, because you know when that bug hits the virus databases, the exploit description will include something about using a flaw in NTFS, even if the code is working exactly as it is supposed to. My work gets blamed even if it's something else that led to the exploit.
what does this have to do with windows... (Score:2, Interesting)
user idiocy is not an os flaw. end of story.
Re:Good start (Score:3, Interesting)
All software has a life cycle. And Windows has reached the end of its life. Any decent software engineer will tell you after a while if you are patching it this hard. All you're doing is patching patches! And definitely doing that will cause more problems. Like a room full of mousetraps loaded with ping pong balls. Toss one in and after a while they will all be triggered.
Wonder how much of Windows is real code vs. patched.
It would not surprise me to see Microsoft doing an Apple after Longhorn of creating a new Windows OS from scratch and praying that LH will hold until it comes out. Which would be that date of 2010 that was floated on a memo a while back. Apple did this when small and survived. And MS can do it now but can't postpone much longer.
With Dell making noises about if offered would put OS X on their boxes could force Microsoft to finally do the correct thing and make a real secure Windows from scratch. It will break 20 year old software but is it better to do that than be a leaking bucket of patches covering broken code! That no one wants to buy or use.
Re:Knows about MD5? (Score:4, Interesting)
No matter. This guy -- I had no idea who he was at the time -- heard something he needed to precisely understand, and got his answer at his first opportunity.
It's kind of cool that senior management at Microsoft a) showed up at an internal hacker con and b) knew enough to not only understand what I was talking about, but was interested enough to demand more.
Dude. Have you met anyone in senior management? There's a reason so many people relate to the Dilbert PHB.
Re:Good start (Score:5, Interesting)
the managed
Longhorn I hoped would have been a complete rewrite. It failed. There is not a single new innovative feature in Longhorn now. Spotlight searches fast and effective, on all but networked drives. GPU driven displays: OS X and a large number of X servers (SGI's).
New remote command shell is a combination of AppleScript and a Python interpreter. It would have been cool but it's been delayed.
Yet somewhere MSFT found the time to make their own BitTorrent P2P client and server setups. I guess it shows where MSFT lays its priorities. An app that won't bring them cash or their Next Generation OS.
Re:Puzzled: why get angry? (Score:5, Interesting)
A step in the right direction (Score:3, Interesting)
Microsoft has become synonymous with bad software. Why else would a company as powerful as Microsoft become so desperate as to pull off this latest stunt?
This story includes:
1. Uncooperative Black Hats that somehow manage to cooperate with Microsoft to assist in securing the OS, yet remain blacker than India ink.
2. Wily engineers that manage to out-think the black hat by applying a token of common sense (the off switch).
3. Engineers that become one with the enemy to make a better product for us.
4. Flat out admittance that Microsoft makes a security challenged product, but will do much better because they've been shown that it can be compromised.
5. Direct quotes from Microsoft insiders, implying that press was standing by.
6. A specific agenda of defusing the security issue by admitting it, then appealing to Microsoft's software genius as having the solution in hand (now that they know what the problem is).
Basically, the article can be summarized:
Microsoft didn't know that Windows XP has problems, but now that someone has shown them, they'll get right on fixing those issues.
Which is nearly the same spin we've been hearing since they first added networking to Win98.
The underlying motivation for this thread's posts (Score:2, Interesting)
You guys are scared to death that Microsoft will kill off your security argument just like they did the stability argument. All of the negative posts regarding Blue Hat, the comments that it'll do no good, the assertions that only a complete rewrite from scratch will work, blah blah blah, are nothing more than wishful thinking. Many here hope, wish, and even pray for Windows to remain vulnerable, and it's clouding your thinking. Blue Hat (and other measures taken by Microsoft) is a good thing, and many of you just can't stand it. LOL