Microsoft Security

Microsoft Consults Ethical Hackers at Blue Hat

Posted by samzenpus
from the dare-you-to-break-it dept.
linumax writes "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see. Blue Hat V2 was held on Thursday and Friday and teamed noted "white hat" hackers with Microsoft employees to break into and expose security weaknesses in the company's products. Over 1,000 Microsoft developers, managers and security experts attended, including Microsoft brass Jim Allchin and Kevin Johnson, co-presidents of the company's Platforms, Products & Services Division."
  • Good thing (Score:5, Insightful)

    by Sinryc (834433) on Wednesday October 19, 2005 @07:51PM (#13831592)
    This is a good thing. It always is good to get someone to try and break your software; that way you know what you can do to fix it. Let's be honest here, Microsoft is number 1 in sales, so I hope they can make a better product, for the safety of everyone's computer.
    • Re:Good thing (Score:3, Interesting)

      by SycoCowz (823572)
      A small invited group is hardly representative of the resources of the global hacker community. They should unleash the world on their software, à la OpenHack; that would be a better security test and/or learning experience.
      • Re:Good thing (Score:5, Insightful)

        by geekoid (135745) <dadinportland&yahoo,com> on Wednesday October 19, 2005 @08:04PM (#13831686) Homepage Journal
        Except this way they can keep the vulnerabilities to themselves and fix them with fewer PR issues.

        Hiring outside security people to break a system is not uncommon.
      • Re:Good thing (Score:4, Insightful)

        by Captain Splendid (673276) <capsplendid@@@gmail...com> on Wednesday October 19, 2005 @08:41PM (#13831930) Homepage Journal
        A small invited group is hardly representative of the resources of the global hacker community. They should unleash the world on their software, à la OpenHack; that would be a better security test and/or learning experience.

        Well, yeah, but this is Microsoft, so let's be thankful for small mercies, eh? Baby steps, my friend, baby steps.

        • These are the same presenters and materials as CanSec West, ToorCon and BlackHat. This is to get this material in front of the developers, who will profit by the experience - and their executives - to get this on the agenda for the business.

          Make all the wisecracks you want. I was there this last Friday, and as an old Pen/Vuln hand, found it quite worthwhile.
          • No wisecrack was intended, in fact, quite the opposite. The fact that Microsoft is (publicly) doing things (like this) that it wouldn't have touched with a ten-foot pole a few years ago is great. I'm no Microsoft lover, but imagine if all of a sudden MS started actually innovating and taking a few more chances. Personal computing is already a lot of fun, but it would be much better if the 800-pound gorilla in the room loosened up and joined the party once in a while.
      • They should unleash the world on their software, à la OpenHack; that would be a better security test and/or learning experience.

        Uuuh, every day the entire world is unleashed on their software with no set parameters. MS's software is hacked at, picked at, poked, prodded, more than any other software on the planet. Every single day. I'd stake my life that a hacker, somewhere in the world, is trying to poke holes in MS's software every second of every day. They have had more cumulative experience with
      • Do you really think that skilled hackers who are into it for the money are going to reveal their tricks of the trade to OpenHack?
    • by Anonymous Coward
      This is a good thing. Finally someone with ethics on the Micro$oft campus.
    • Too true. I'm wondering if Billy beefed up security this year to prevent someone from hacking into his home computer during the Blue Hat and putting all his Scheisse videos on a projector for all to see.
    • by Agarax (864558)
      They are aiding Microsoft, the Great Darkness which is called Abomination, Destroyer of the Earth, the Gates of Hell.

      Collaboration with the followers of Mammon results in eternal damnation!
    • by rob_squared (821479) <rob AT rob-squared DOT com> on Wednesday October 19, 2005 @09:48PM (#13832277)
      In related news, 1000 marine snipers were invited to John Smith's community farm and challenged to hit the broad side of his barn.
    • So blue hats are hackers that actually admire Microsoft? Am I the only one who sees a contradiction here? Not a single architect appreciates a building that is built from the top down. Just like no true hacker appreciates M$ or their design and data structures. Adults are too good for "hats" or anything material of the sort anyway.
  • I wonder... (Score:4, Interesting)

    by CygnusXII (324675) on Wednesday October 19, 2005 @07:52PM (#13831606)
    I wonder how many items covered this year, were rehashes of last year, and "we told ya so!"
    • That's probably why they were hired. I think MS is starting to get really serious about their security. I bet they're really tired of the constant bad PR about their security and I bet that in some biz segment the perceived lack of security is affecting their business.
  • by aussie_a (778472) on Wednesday October 19, 2005 @07:53PM (#13831608) Journal
    Every day is Blue Hack day.
    • I think it's a plot by BG. He's using the hackers to break into government sites for world control! Yeah! You'll see. All of those white hats will die in mysterious ways! And he'll put bugs purposely into his code so that he can sell upgrades!

      Oh, wait...that's a Bond Movie [imdb.com] ...my bad!

      • Heh... when I got the invitation, I was a tad suspicious.

        Told my family where I was going, and when I was to return. If I failed to check in, I pointed to woods around Redmond where they were to look for my body.
  • It's about time... (Score:4, Insightful)

    by bypedd (922626) on Wednesday October 19, 2005 @07:54PM (#13831628)
    Kaminsky and others have spent years sounding alarm bells about holes in the security defenses of Microsoft's software, including the Windows operating system and the Internet Explorer browser. As a sign of how times have changed, he and other presenters were treated to a lunch with retiring Windows chief Allchin and Johnson...

    A sign of changing times, indeed. It seems pretty clear that Microsoft has needed to buddy up more with the people who can break their software, because it's going to happen anyways, at least now they might have a head start. I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.

    • I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.

      Er... what would you say if they didn't do it (now)? It's either a good thing or it's not. Well, it can only be a good thing, really.
    • No, I don't think so. They are playing catch-up no matter what they do. We all know that there have been cases of exploits that have been found, used, and not reported.
      At least they seem to be responding to pressure to do something proactive about it now.
  • this segregation cannot continue!!!!!
  • by jkind (922585) on Wednesday October 19, 2005 @07:55PM (#13831637) Homepage
    Okay, I don't like either of these terms for hackers with morals. Let's think of something new:

    -Deeks (decent geeks?)
    -Prerds (Principled Nerds?)
    -Fairackers (fair hackers?)
    Also remember that the term hacker is not always seen as negative in of itself: From: http://www.smoothwall.net/support/glossary.html [smoothwall.net] "A highly proficient computer programmer who seeks to gain unauthorised access to systems without malicious intent."
  • by merc (115854) <slashdot@upt.org> on Wednesday October 19, 2005 @07:57PM (#13831646) Homepage
    I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities". Of course there are always proper ethical ways of dealing with the discovery of serious security flaws in software--that doesn't mean they have always had Microsoft's business or PR interests in mind.

    This is just a publicity stunt, a pretense that Microsoft is taking security research seriously.

    If I'm wrong, then it would be interesting to know what security vulnerabilities were "uncovered" at their event. Are they going to be disclosing the details of such flaws? What do you, as a security researcher, have to "sign away" to participate?
    • by pookemon (909195) on Wednesday October 19, 2005 @08:19PM (#13831781) Homepage
      I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities".

      Yes, the rest of the world would call them Testers.
      • Actually, laugh all you want, but you would be surprised just *how* much Microsoft pushes the whole security/testing/debugging/safe code aspect during its college presentations.

        Heck, if you decide to go for an internship you have pretty much 3 choices - Program Manager (specs), SDE (Software Development Engineer) and SDET (Software Development Engineer in Test). That last position is very much QA.
      • Yes, the rest of the world would call them Testers.
        If you know how testing can positively verify that no security bugs remain in a non-trivial program, I'm all ears.
        • I would like you to define how this exercise differs from Testing? Other than Microsoft don't actually have to employ the people they are using - not that that defines testing in any way?
          • Testing compares actual application behaviour to a defined list of expected behaviour. Security bugs often fall outside the remit of testing (though fuzzing has, uhm, blurred the line somewhat) because they often manifest themselves in scenarios that were not foreseen at design time (which is when the spec's defined, and of course QA tests are defined by the spec). Specs rarely describe what software should NOT do, only what it SHOULD do.

            Yes I have done professional QA on well-known software products, as wel
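The point made above, that spec-derived tests only check what software SHOULD do, can be shown with a small example. This is an added illustration written for this page, not code from the thread or from Microsoft: a constructed file-serving helper with a two-line spec ("return the file under the web root named by the request"), a naive implementation that passes every test a QA team would write from that spec, and a checked implementation that also enforces the negative requirement the spec never states (the resolved path must never leave the root). The root directory, file names and requests are all constructed sample values.

```python
import posixpath

# Constructed web root for the example; not a real deployment path.
WEB_ROOT = "/srv/www"


def resolve_naive(root, requested):
    """Spec: 'return the file under root named by the request'.

    Meets the spec as written and passes every positive test
    derived from it. Says nothing about what it must NOT do.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_checked(root, requested):
    """Same spec, plus the unstated negative requirement:
    the result must never leave root. Returns None when it would.
    """
    root_n = posixpath.normpath(root)
    # Treat a leading '/' as relative to root rather than the filesystem root.
    candidate = posixpath.normpath(posixpath.join(root_n, requested.lstrip("/")))
    if candidate != root_n and not candidate.startswith(root_n + "/"):
        return None
    return candidate


# Positive cases a tester writes straight from the spec (constructed).
POSITIVE_CASES = {
    "index.html": "/srv/www/index.html",
    "img/logo.png": "/srv/www/img/logo.png",
}


def spec_tests_pass(resolver):
    """Return True if the resolver passes every spec-derived positive test."""
    return all(resolver(WEB_ROOT, req) == expected
               for req, expected in POSITIVE_CASES.items())


def never_escapes_root(resolver, requested):
    """The 'should NOT' property: either the resolver refuses the request
    (returns None) or the path it yields stays under WEB_ROOT."""
    result = resolver(WEB_ROOT, requested)
    if result is None:
        return True
    return result == WEB_ROOT or result.startswith(WEB_ROOT + "/")


if __name__ == "__main__":
    for name, resolver in (("naive", resolve_naive), ("checked", resolve_checked)):
        print(name, "spec tests:", spec_tests_pass(resolver),
              "negative property:", never_escapes_root(resolver, "../outside.txt"))
```

Both resolvers pass the spec-derived tests; only the negative property separates them, which is exactly the class of check a spec-driven QA plan tends not to contain.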

    • Actually, I see a reason for this that isn't all that obvious. It's one thing to hear that someone has found a vulnerability in a piece of software you helped write. It's a lot different to actually see them do it, and how they do it. Maybe the higher-ups at MS realize that and this is their way of giving that kind of experience to their developers.
    • I'm sure "(white|blue)-hat hacker" in this case is redefined to mean "anyone who cooperates with Microsoft when finding security vulnerabilities".

      As I pointed out above, the term blue hat is just a name for an internal conference. All of the engineering staff I met did not call themselves anything other than employees. Not even the security people there. (Although the ones I know in hacker circles might call themselves black/white/grey hat, but then again, they probably don't care enough to use those lab

  • Ethical? (Score:3, Funny)

    by frovingslosh (582462) on Wednesday October 19, 2005 @08:03PM (#13831677)
    If they are ethical, why are they working with Microsoft?
    • belly chuckles.
    • If they are ethical, why are they working with Microsoft?

      Gee... because much of the world's economy flows across desktops and servers running MS products?

      And if any association with an organization or group you don't like means something to you... are you suggesting that there are no unethical users of Linux or other non-MS platforms/tools?

      Even people who don't use (or like) MS and/or its products have an interest in hundreds of millions of people running cleaner, safer machines. Get a grip.
  • Adgenda indeed (Score:3, Insightful)

    by oztiks (921504) on Wednesday October 19, 2005 @08:09PM (#13831712)
    This type of stuff happened upon the release of XP; everyone thought it was secure and I remember geeks and business people alike preaching how great and secure XP is and how there aren't any problems. A year later the problems arose. Now it's time for everyone to go out and buy Vista, so let's peddle how we as Microsoft care about our users' security to get them to buy Vista, then we'll do what we did before... let it get out of control so when it comes to the next version after Vista we can look like the heroes again.

    Why on earth would they want to secure an OS? If it gets too secure there is less of a reason for people to spend hundreds of dollars on the next version..
    • Geeks preaching XP security? I don't know of any. Quite a few people did praise XP SP2 though.
  • What did they find, hmmmm?

  • Marketing move? (Score:4, Informative)

    by elfguygmail.com (910009) on Wednesday October 19, 2005 @08:12PM (#13831738) Homepage
    Why do I feel this is nothing more than a marketing move to show MS in a brighter light? After all, they are releasing a new Windows, Office, etc. next year...
  • by Weaselmancer (533834) on Wednesday October 19, 2005 @08:14PM (#13831751)

    If they wanted to have their boxes 0wned, they don't have to hold a conference and invite a bunch of hackers over. I know a better way.

    Just plug the suckers straight into the net. And wait about three minutes. Done deal.

    • I'd laugh, thinking this is something humorous that was just said, except I've seen this happen!
    • Unfortunately (or fortunately), this wouldn't work with XP SP2. ;-)
      Recall the studies that appeared some months ago (around February, I believe) showing that XP SP2, Mac OS X, and Ubuntu Linux all resisted being compromised over a two-week period of being connected to the net. XP SP2 was attacked much more, but resisted the attacks. XP SP1 was also part of the study, and it got owned within 12 minutes. :p
      • I knew someone who put a spanking brand new 2003 box in a DC not so long ago, didn't run the patches before linking it up ...

        3 hours and the system had enough spyware on it to sink a battleship!
        • Anyone care to explain to me how you get spyware on a computer without browsing to 'not-so-decent-sites' or installing junk software from the Internet?
          • Yes, just put the box on a broadband connection and wait a few minutes.
            Someone will port scan you and fix your spyware-challenged machine for you.
            Apparently MS does not put their boxes on broadband networks.
          • Anyone care to explain to me how you get spyware on a computer without browsing to 'not-so-decent-sites' or installing junk software from the Internet?

            install windows

  • by oztiks (921504)
    "I would imagine that if we look into the future at the sixth Blue Hat ... there probably won't be anything like the topics discussed at the first and second one, because things will have changed," he said.

    ummmmm ... DUH!!!!!

  • by electrosoccertux (874415) on Wednesday October 19, 2005 @08:22PM (#13831800)
    Microsoft is ok with "white hat" hackers, but when asked about the "Red Hat" crackers, Microsoft confirmed that these malicious coders only hurt Windows.

    Heh, yeah, that's the point of Linux.
  • by putko (753330) on Wednesday October 19, 2005 @08:23PM (#13831804) Homepage Journal
    You can't expect much in the way of security improvements at Microsoft -- MicroSoft does things to make money. If security costs money for them, or causes the support desks of their customers to take a lot of bullshit calls, they won't do it.

    Furthermore, if they were to start prioritizing security (or just plain old "quality") over the task of "making money", their shareholders would be very unhappy.

    I think the only thing that could cause them to take it seriously would be some sort of PC-aids: a worm that would linger, damaging business data and hardware -- such that customers would decide to finally junk Windows.

    This is very different from other businesses. E.g. if Paypal screws up their security, they will go out of business. So Paypal probably has some awesome security.
  • PR Stunt. (Score:4, Interesting)

    by miffo.swe (547642) <daniel.hedblom@g ... .com minus punct> on Wednesday October 19, 2005 @08:25PM (#13831820) Homepage Journal
    Just like with Windows 2000 (the unbreakable), this is just a publicity stunt. Real security comes from good design, not slapping together crap and letting 1000 monkeys throw random bits at it.
    • Re:PR Stunt. (Score:3, Insightful)

      by Nevo (690791)
      You apparently haven't read up on Microsoft's Secure Development Lifecycle. Microsoft is now designing security into their products from the ground up. (http://msdn.microsoft.com/msdnmag/issues/05/11/SDL/default.aspx [microsoft.com])

      Tell me... what are other software companies doing to improve their product security?

      Microsoft is leaps and bounds ahead of most software vendors when it comes to product security. Go ahead, flame away at Microsoft. I'll agree there have been some colossal security screwups in Microsoft pr
  • Definition hacker? (Score:3, Insightful)

    by azatht (740027) on Wednesday October 19, 2005 @08:25PM (#13831829) Homepage
    Isn't the definition of a hacker not a cracker?
  • by Anonymous Coward
    In related news, Playboy Inc. invited a small group of whackers to their office to check out next year's calendar girls.

    Afterwards everyone had lunch with Natalie Portman.
  • by RiotXIX (230569) on Wednesday October 19, 2005 @09:05PM (#13832073) Journal
    But from the article I got the impression of 2 things:

    1. This is currently some sort of annual peepshow extravaganza: these ties should be kept all the time, pay them, it's important.

    2. More critically -
    they're probably going to invest more in stuff like Digital Rights Management, because they're more wary of people hacking MS content. By that I mean they might see things like illegal transfer of media as a bigger issue, because it affects their reputation/their content protection schemes/their standards. I hope it doesn't sideline what business company users are worried about (things that affect their company, like virii, trojans), and not Microsoft's business model/vision of more trivial things (like preventing media copying) - which is what they've been investing a lot in recently. Home Windows != Business Windows, or at least it shouldn't be.

    That was a dull post.
  • by Anonymous Coward
    and /. has 60 comments of flamebait for every 3 decent comments. Grow up linux zealots.
  • So... (Score:3, Funny)

    by Liam Slider (908600) on Wednesday October 19, 2005 @09:47PM (#13832273)
    How many seconds into the conference did it take for them to get royally pwned?
  • by Viking Coder (102287) on Wednesday October 19, 2005 @09:52PM (#13832305)
    "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see."

    Admiral Ackbar sez...

    IT'S A TRAP!
  • Stupid (Score:5, Interesting)

    by NullProg (70833) on Wednesday October 19, 2005 @10:22PM (#13832466) Homepage Journal
    This does nothing towards Mom and Dad surfing the internet using IE. Getting owned is simple.

    XP/SP2 and 2003 Server are pretty much secure out of the box. When can we look forward to IE being moved to user space? Never? When can we look forward to an O/S that doesn't have a recurring fee every three years? Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?

    If it weren't for Quicken, Mom and Dad would be using SuSE by now.

    Enjoy,

    • Sigh... Microsoft bears some blame for their "IE is part of the OS" legal rhetoric, but for technically competent people to still think that meant that IE ran in kernel space is really inexcusable.

      IE never ran in kernel space. Nowadays many parts of it don't even run with user privileges, but are hived off to a process that runs with even fewer privileges than the user. When Microsoft said "IE is part of the OS", what they meant, in technical terms, is: it's important that we ship the HTML processing libr

    • Re:Stupid (Score:5, Insightful)

      by Tim C (15259) on Thursday October 20, 2005 @02:27AM (#13833490)
      When can we look forward to IE being moved to user space? Never?

      IE has never been anywhere but in user space. "Integrated into the OS" doesn't mean "runs in kernel space".

      When can we look forward to an O/S that doesn't have a recurring fee every three years?

      Woah, thanks for letting me know - I'm well overdue on my payment!

      Seriously, what the hell is that supposed to mean? MS generally supports its OSes for about 10 years, which is a damn sight longer than any of the Linux distributions. It's also been longer than three years since XP was released. Finally, just because the OS is no longer supported doesn't mean that it spontaneously stops working. Sure, there are no more security patches for it, but you can still use it, if you feel you're sufficiently secure. A well-controlled PC or network behind a firewall used by savvy people is at almost no risk of being owned.

      Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?

      The same reason you have to agree to a licence to use the original software - because of the fiction that you need permission to install the software and load it into RAM, as that constitutes copying. In order to maintain the fiction, MS has to licence its patches, too. (In fact, I can't remember the last (commercial) patch that didn't require a licence click-through)

      For that matter, I installed some GPLed software yesterday (Squirrel SQL client) and it required me to agree to the LGPL on installation. MS aren't the only ones with crazy licence agreement requirements...
      • IE has never been anywhere but in user space. "Integrated into the OS" doesn't mean "runs in kernel space".

        User space under Windows and Linux is different. Perhaps I should have constructed my post better.

        From just last week A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code e
    • Why would moving IE to the user space help, when the default is Administrator?
    • If it weren't for Quicken, Mom and Dad would be using SuSE by now.

      I and two others I know (the other two are not IT people) run Quicken in Linux under Crossover Office. Works beautifully in my experience. A couple of very minor visual glitches on some dialog boxes, but that's basically it. If they really wanna move to Linux (in other words, "not just because you or I may want them using Linux") then I'd say they could do it today with Crossover Office.

      I suppose I should add that your mileage may vary.
  • Honeypots anybody? (Score:2, Insightful)

    by betasam (713798)
    With so many security holes cropping up in the past, it would be more prudent for Microsoft to have a honeypot [wikipedia.org] setup. This event (article) is closer to a marketing show (call in white hats, black hats, anybody) for a new release. Microsoft does have the resources to put up such a "Challenge" machine and try to keep it online by fixes, lure the real black hats to crack it. Fixing that would really help them work on their security (if they are truly concerned.) There are reports of independent Honeypot projec
    • Having target machines was included in the demonstration at the last event. Microsoft employees watched as the systems were compromised. This article did not give any technical details of the activities of this year's event.

      Article sounds like it was just a regular old trade show. The article mentions a social mixer, a meeting for executives, and a meeting for engineers. Surely there was something more interesting than this that happened, but it isn't in this article.
    • I think the whole concept of a honeypot is not to tell anyone about it. So how do you know Microsoft does not currently have a honeypot set up?
  • Hackers? Or Feature Finders?
  • Goes to show that Microsoft is now a typical mature business. Its future as an innovative company will likely sink further. That's considering they used to toot loudly how they could solve everything internally and with internal means. Hopefully this will make customers more comfortable with OSS, that even Microsoft needs outside (out of their control) help to figure out their products.

    Obviously they're learning from the OSS movement, which is good.

    Will they still make money... of course. This doubles a

    • Hopefully this will make customers more comfortable with OSS, that even Microsoft needs outside (out of their control) help to figure out their products.

      Why would this make customers more comfortable with OSS? If anything, this will strengthen MS's reputation in customers' minds because it shows that they are, finally, starting to take the security of their products more seriously. It shows maturation and growth that they can say "Hey, we aren't up to speed on all of the attacks that will be launched against

  • The questions I have are

    1. Why don't they hire these guys to play around and do this all of the time?

    2. If they have people finding holes for them, why are there still holes?
