Microsoft Consults Ethical Hackers at Blue Hat 162
linumax writes "For the second year in a row, Microsoft Corp. invited a small number of hackers onto its Redmond, Wash., campus to crack the company's products for all to see. Blue Hat V2 was held on Thursday and Friday and teamed noted "white hat" hackers with Microsoft employees to break into and expose security weaknesses in the company's products. Over 1,000 Microsoft developers, managers and security experts attended, including Microsoft brass Jim Allchin and Kevin Johnson, co-presidents of the company's Platforms, Products & Services Division."
Good thing (Score:5, Insightful)
Typical /. response (Score:0, Insightful)
Of course if this were an OSS project, the code would be there for all to see and try to crack instead of 'select' few.
Still, I'm sure it's a useful PR exercise.
It's about time... (Score:4, Insightful)
A sign of changing times, indeed. It seems pretty clear that Microsoft has needed to buddy up more with the people who can break their software, because it's going to happen anyways, at least now they might have a head start. I can't really commend the decision to start now, though, as it seems to be both forced by the current politics and belated in that they should have had the foresight to do it earlier.
Yawn, nothing to see here -- move along... (Score:3, Insightful)
This is just a publicity stunt, a pretense that Microsoft is taking security research seriously.
If I'm wrong, then it would be interesting to know what security vulnerabilities were "uncovered" at their event. Are they going to be disclosing the details of such flaws? What do you, as a security researcher, have to "sign away" to participate?
Re:Good thing (Score:5, Insightful)
Hiring outside security people to break a system is not uncommon.
Agenda indeed (Score:3, Insightful)
Why on earth would they want to secure an OS? If it gets too secure there is less of a reason for people to spend hundreds of dollars on the next version.
I could have saved them a lot of trouble (Score:5, Insightful)
If they wanted to have their boxes 0wned, they don't have to hold a conference and invite a bunch of hackers over. I know a better way.
Just plug the suckers straight into the net. And wait about three minutes. Done deal.
Can't Expect Improvements (Score:3, Insightful)
Furthermore, if they were to start prioritizing security (or just plain old "quality") over the task of "making money", their shareholders would be very unhappy.
I think the only thing that could cause them to take it seriously would be some sort of PC-aids: a worm that would linger, damaging business data and hardware -- such that customers would decide to finally junk Windows.
This is very different from other businesses. E.g. if Paypal screws up their security, they will go out of business. So Paypal probably has some awesome security.
Definition hacker? (Score:3, Insightful)
Re:On the internet (Score:3, Insightful)
Re:I could have saved them a lot of trouble (Score:2, Insightful)
Recall the studies that appeared some months ago (around February, I believe) showing that XP SP2, Mac OS X, and Ubuntu Linux all resisted being compromised over a two-week period of being connected to the net. XP SP2 was attacked much more, but resisted the attacks. XP SP1 was also part of the study, and it got owned within 12 minutes.
Re:Good thing (Score:4, Insightful)
Well, yeah, but this is Microsoft, so let's be thankful for small mercies, eh? Baby steps, my friend, baby steps.
I guess that's good and all (Score:3, Insightful)
1. This is currently some sort of annual peepshow extravaganza: these ties should be kept all the time, pay them, it's important.
2. More critically -
they're probably going to invest more in stuff like Digital Rights Management, because they're more wary of people hacking MS content. By that I mean they might see things like illegal transfer of media as a bigger issue, because it affects their reputation/their content protection schemes/their standards. I hope it doesn't sideline what business company users are worried about (things that affect their company, like virii, trojans), in favour of Microsoft's business model/vision of more trivial things (like preventing media copying) - which is what they've been investing a lot in recently. Home Windows != Business Windows, or at least it shouldn't be.
That was a dull post.
Re:Typical /. response (Score:5, Insightful)
MS does something interesting (Score:1, Insightful)
Re:PR Stunt. (Score:3, Insightful)
Tell me... what are other software companies doing to improve their product security?
Microsoft is leaps and bounds ahead of most software vendors when it comes to product security. Go ahead, flame away at Microsoft. I'll agree there have been some colossal security screwups in Microsoft products.
At least they have a plan (and it's currently in place and working) to improve their product quality. What is your software vendor doing in that arena?
Honeypots anybody? (Score:2, Insightful)
Re:Stupid (Score:5, Insightful)
IE has never been anywhere but in user space. "Integrated into the OS" doesn't mean "runs in kernel space".
When can we look forward to an O/S that doesn't have a recurring fee every three years?
Woah, thanks for letting me know - I'm well overdue on my payment!
Seriously, what the hell is that supposed to mean? MS generally supports its OSes for about 10 years, which is a damn sight longer than any of the Linux distributions. It's also been longer than three years since XP was released. Finally, just because the OS is no longer supported doesn't mean that it spontaneously stops working. Sure, there are no more security patches for it, but you can still use it, if you feel you're sufficiently secure. A well-controlled PC or network behind a firewall used by savvy people is at almost no risk of being owned.
Why do I have to agree to license a patch (MS05-51) for software I bought that was defective in the first place?
The same reason you have to agree to a licence to use the original software - because of the fiction that you need permission to install the software and load it into RAM, as that constitutes copying. In order to maintain the fiction, MS has to licence its patches, too. (In fact, I can't remember the last (commercial) patch that didn't require a licence click-through)
For that matter, I installed some GPLed software yesterday (Squirrel SQL client) and it required me to agree to the LGPL on installation. MS aren't the only ones with crazy licence agreement requirements...