Microsoft Invites Black Hats into Vista

gtzpower writes "Microsoft is inviting hackers to 'Take Your Best Shot' at Vista. 'You need to touch it, feel it,' Andrew Cushman, Microsoft's director of security outreach, said during a talk at the Black Hat computer-security conference. 'We're here to show our work.'" From the article: "A security team with oversight of every Microsoft product — from its Xbox video game console to its Word program for creating documents — has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year so some of the world's top security experts can share the latest research on computer attacks." Essentially a tie-in with an article we discussed yesterday.
  • by ed.han ( 444783 ) on Friday August 04, 2006 @11:43AM (#15847228) Journal
    aren't they already freaking there?!

    ed
  • by HugePedlar ( 900427 ) on Friday August 04, 2006 @11:43AM (#15847229) Homepage
    ...I was going to point out the dupe, but now the editors have started doing it for us!

    "Essentially a tie-in with an article we discussed yesterday."
  • by MindPrison ( 864299 ) on Friday August 04, 2006 @11:44AM (#15847236) Journal
    They invite hackers to take their best shot?

    Why not just PAY the hackers to do their best at breaking it?
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday August 04, 2006 @11:55AM (#15847326)
      Step #1. No open ports.

      Step #2. No services running that are not absolutely essential.

      The idea is to reduce the number of available avenues for attacks. Then you can focus on protecting/hardening the apps that are running. Such as (on Linux) putting them in a chroot jail.
    • by mrxak ( 727974 ) on Friday August 04, 2006 @11:59AM (#15847353)
      Probably a good idea to do $1,000 per exploit found first, plus a free copy of Vista when it's done for everyone reporting at least 20 (let's be honest, it probably won't be that hard to find 20), and some other rewards for most found. Microsoft could afford to pay these guys and get some actual results out of it. The alternative really is to let all the black hats find out the exploits months in advance, report nothing, and then on release day things go absolutely nuts.
      • by dr_dank ( 472072 ) on Friday August 04, 2006 @12:35PM (#15847576) Homepage Journal
        Something like this would bring the wannabees and dingbats out of the woodwork. A real paranoid black hatter wouldn't want to have his identity known or put himself under Microsoft's sights for a non-serious amount of money. You'd better believe that people that take this challenge will be closely watched from now on.
        • A real paranoid black hatter wouldn't want to have his identity known or put himself under Microsoft's sights for a non-serious amount of money. You'd better believe that people that take this challenge will be closely watched from now on.

          It would be cheaper just to hire them. Monitoring people costs a lot of people, you could expect it would take a team of 3-4 people just to keep tabs on one of them.

          Want to see paranoid? Take a guess - how many of these secret hackers already work for Microsoft do you
      • by Anonymous Coward
        $1000 per exploit? Are you kidding? From a company that rapes us for billions for their shoddy work? $1000 would be an insult. So is this cheap marketing ploy. Just because a bunch of hackers have better things to do than to work for free for Microsoft doesn't mean that Vista has iron clad security. Of course, the mainstream media is too stupid to see through this transparent marketing ploy, and will happily regurgitate the PR on the newswire, misinform the public, and collect their paycheck. So inst
      • Probably a good idea to do $1,000 per exploit found first, plus a free copy of Vista when it's done for everyone reporting at least 20 (let's be honest, it probably won't be that hard to find 20), and some other rewards for most found.
        Second Prize: $1000 and 2 free copies of Vista.
    • Why not just invite the hackers to do their best at breaking it? (Before electing to pay them.)

  • Trap? (Score:5, Funny)

    by mrxak ( 727974 ) on Friday August 04, 2006 @11:45AM (#15847244)
    It could be a trap, you know. Bring in the black hats, and then brainwash them en masse so they don't want to use computers anymore but still buy many copies of MS products. No more security problems!
  • by MrSquirrel ( 976630 ) on Friday August 04, 2006 @11:46AM (#15847245)
    ------------Now-----------
    MS: "Have it Vista, hackers -- see if you can find any exploits"
    BHs: *they go to it* "Nope, we don't have any security holes to report to you, it looks like Vista is impenetrable."

    ------------Vista is released-----------
    MS: "What the heck? How can there be over twelve-thousand viruses for Vista on the day it's released?!"
    BHs: "All your Vistas are belong to us! Thanks for your help Microsoft!"
    • Ah, funny and true.
    • Yeah, who would like to look for a hole and report it just to have it fixed?

      No, then their current model is much better, find a hole, report it and have it ignored by Microsoft for the next couple of months/years.
      • No, then their current model is much better, find a hole, report it and have it ignored by Microsoft for the next couple of months/years.
        Those who are at this conference who do work as security professionals can't create any buzz or get attention if big holes are fixed before release. Like the GP suggests, just wait until Vista is released and then all this stuff is likely to come flying out of the woodwork, just in time to make some people money.
        • I guess everyone hoarding security problems and releasing them shortly after the Vista release will actually improve the security situation for Vista. This way, the issues may not get fixed before release, but they get fixed or at least reported pretty soon there after. So security is improved, even if this tactic will make Vista look more insecure than is warranted at launch, because the results of several months of vulnerability testing by outside parties will be released all at once rather than over that
  • by The Famous Brett Wat ( 12688 ) on Friday August 04, 2006 @11:46AM (#15847253) Homepage Journal
    The real black hats want it to be widely deployed before they start exploiting it.
    • The real black hats want it to be widely deployed before they start exploiting it.

      Exactly.

      All they'll garner from this attempt are Grey hats looking for a job that will sell out their friends for a management title and the blackies too stupid to assume Microsoft will never fix it, but smart enough to realize it certainly won't be before release.

      So a huge influx of cross-platform, release day ready viruses.

      Go Microsoft. :/

    • BINGO, you win!

      This is a marketing stunt to make people feel safer if they used Vista.

      And how do you think the 'security experts' think of Microsoft after they had the guy fired for opposing Microsoft's view a year or two ago? It's all marketing, just like most public statements from and about Microsoft. IMO.

      LoB
  • Please. Wash your hands after. We don't need those Vista cooties infecting everything else when you get back.
  • Quote (Score:5, Insightful)

    by Anonymous Coward on Friday August 04, 2006 @11:51AM (#15847292)
    "There are some who feel like that the conditions are such that they can attack us there. My answer is bring them on," Ballmer said. "We've got the force necessary to deal with the security situation."

    Say, wait. If you've just given prerelease test copies of Vista to 3,000 "black hats"... and you're hoping they'll find bugs in them and report them back to you before Vista ships... I mean... how do you know that's what they're actually going to do?

    What if some of these "black hats" look over Vista, find security bugs, keep them secret, go back to Microsoft and say "Whelp! Looks like Vista doesn't have any security holes at all!"; then wait for Vista to be released, and once it's out have a 0-day exploit that they can use in their offshore spam/spyware businesses and that no one else will even know exists until two years from now when a gray hat independently finds and publishes it and Microsoft finally fixes it?

    I mean, of course that's a worst case scenario. But still, sometimes I think the old thinking on how the world of hackers works no longer really applies now that the primary motivating force is not pride, but money (in the form of sweet, sweet herbal viagra).
    • Re:Quote (Score:5, Insightful)

      by mottie ( 807927 ) on Friday August 04, 2006 @12:36PM (#15847580)
      You speak a lot of sense.. I would think that doing this with "White Hats" would make more sense. Realistically all the Black Hats would already have a cracked beta copy that they've downloaded anyways. I'm sure they all would want to have their name attached to the first 0 day exploit. This is all just more press for Microsoft's attempts at security.
    • You miss the point. Microsoft knows that your worst case scenario is possible. But they have enough confidence in their code to risk that, and risk it in public view. They think that even if a genuine "black hat" finds a hole and keeps it to himself, the hole won't be major, and that there will be relatively few instances of that in any case. If they're wrong, then yes, there will be many 0-day exploits when Vista is released. But they're confident that that won't be the case.

      BTW, I was under the impre
  • by postbigbang ( 761081 ) on Friday August 04, 2006 @11:51AM (#15847299)
    Consider: Microsoft gets to ride free hacks this time-->before the OS gets released. All that nice work, and they don't spend a dime. Interesting also because the release they gave out isn't a 'community-style' release. It makes one wonder if there's a 'Vista-call-home' component to it, too. Might be nice to know which of the coders actually tried to boot the thing, and then note their IP for future reference (or maybe to turn over to the NSA).

    Still, with many noted reviewers in full belief that it's swiss cheese, it ought to be fun to see who eats it with crackers.
    • And you really think a "black hat" would boot Vista on a computer with a live net connection?? Man, the only connection it would have is to another box that is carefully listening for any traffic coming across that cat5....go back to class kid.
      • Exactly. a "real black hat" would assign the machine a static IP, and filter at the firewall any outbound traffic. of course, the GP probably thinks all '31335 hax0rs' still use Linksys's.
      • by postbigbang ( 761081 ) on Friday August 04, 2006 @01:23PM (#15847885)
        You're of the mistaken belief that all the people that go to BH and DefCon are genius, code-cracking hackers. They're not. Instead, you get a whole bunch of wannabees and lots of security officers that are scared shitless of their next attack.

        So MS gets to tease these guys, make them think that they're tough stuff, and it's all hilarious. Sorry you didn't catch that.

        Half these guys will discover that Vista has not one WGA-like heartbeat responder, but several. Trace the protocols. I did.
    • This is friggin hilarious, Half the people here think this is MS's first attempt at finding bugs and exploits in vista. The other half think it's a conspiracy theory to find and create a database of known hackers. 1. The NSA needs no help finding hackers... The really good ones.... WORK FOR THEM. And if they don't they probably will some day. At some point, due to the purely sickening salaries they get paid to work for them. The difference between black and white, is about high-5 figures in most cases. Som
      • and probably never did.

        What incredible hubris to believe that Microsoft's cadre of bounds-checking idiots could write their way out of a wet paper bag. Sure, Microsoft tests code. And we've found enormous root-rendering bugs in it. One of them is published.

        This is all PR. And the NSA thing was a joke, dude. See my other reply: most of the people that go to BH and DefCon are NOT coders, but will probably try it. Some are very clever. A few have hacked /. and are on their way to try to F me up personally for
  • by wealthychef ( 584778 ) on Friday August 04, 2006 @11:52AM (#15847304)
    Security expert at Microsoft: "delay shipping Vista! We know it's ready otherwise, and people are clamoring for it, and stock prices depend on it, but I've discovered a security hole that is very serious!" Bill Gates: "I think you need a career change. Don't you have an assistant that says it's ready to ship as is? Let me talk to him..."
    • by Anonymous Coward
      From TFA:

      "A security team with oversight of every Microsoft product...has broad authority to block shipments until they pass security tests."
  • Head Start (Score:2, Interesting)

    Way to give the hackers a head start in probing the vulnerabilities of yet another Microsoft product. Now we will be minimizing the time Vista is out before MS receives all these complaints of new viruses for their new OS.
    • Way to give the hackers a head start in probing the vulnerabilities of yet another microsoft product.

      Black hats (and anyone else interested) can already download betas of Vista.

  • Won't help them (Score:3, Insightful)

    by MECC ( 8478 ) * on Friday August 04, 2006 @11:54AM (#15847319)
    Until MS figures out that permissions should be based on tasks, roles, and objects instead of who you log in as, all the stupid human tricks in the world won't help them. It looks to me as though security in Vista has the same thinking underpinning its design as NT/2K/XP - log in as admin to do admin things, and have permission to do anything.
    • From what I hear this is not entirely true. A friend of mine has been working with current builds of Vista for work, and apparently it's not "Administrators access all" anymore. There's a group called "first installer" or something to that effect that has sole access to certain aspects of the operating system. Apparently though, it's more annoying to people who actually need to get to this stuff than it is helpful to keep people who know what they're doing out, as is always the case. However, I don't think
    • Re:Won't help them (Score:4, Informative)

      by Anonymous Coward on Friday August 04, 2006 @12:16PM (#15847445)
      Sorry, that's not the case. Permissions in Vista really ARE based on tasks, roles, and objects.

      Even when you are running as Administrator, it still requires that you consent when you're running tasks/programs/etc that need superuser status. When you run the console while you're logged into administrator, it does not automatically have superuser status--you need to choose to run the console as administrator.

      All accesses (to services, registry sections, config/admin programs, and anything that tries to change those) are based on ACLs (access control lists). How do I know this? I'm one of the contracted testers that is working with the Vista firewall and its ACLs.

      Is it perfect? I don't know. But I do know it feels pretty secure--not entirely different from the way things worked when I played around with setting up Linux server boxes in college (which was only a year ago).
      • "you need to choose to run the console as administrator"

        What kinds of privs are in effect then? All access All, or role allowed to do task for object (or something like that)? - Just curious

        • Re:Won't help them (Score:3, Informative)

          by Anonymous Coward
          In the case of the console, choosing "Run As Administrator" (assuming the admin account you've got access to has full-admin status) is the same as typing "su" into your *nix terminal.

          In the case of various tasks (such as, say, firewallsettings.exe, the replacement for firewall.cpl) giving the OS permission to run it (or, if you're on a non-admin account, typing in an admin user/pass) allows you to only run that task.

          So, if a certain user account has access to, say, change the firewall settings and not user
      • Re:Won't help them (Score:3, Interesting)

        by value_added ( 719364 )
        When you run the console while you're logged into administrator, it does not automatically have superuser status--you need to choose to run the console as administrator [...] How do I know this? I'm one of the contracted testers that is working with the vista firewall and its ACLs.

        This sentence doesn't parse for me, but I'd be interested in knowing whether Vista has a "super user", or are you using that term in the historically generalised and hence meaningless sense? In 2000, there's SYSTEM (not entirely
        • I'd also be interested if there's any useful tools for managing permissions. Or is that still a mixture of DOS attributes and whatnot that one needs to right-click one's way through the file system/registry/etc. to make effective use of?

          CACLS [ss64.com] and NTRIGHTS [ss64.com] have been around for a while now.

          • CACLS and NTRIGHTS have been around for a while now.

            So have a bunch of similar one-off tools provided in the various Resource Kits. Have you even used these? Sorry, I can't consider any utility that spits out verbose, nonparseable output as useful except as a last resort. Or is the idea that I'm supposed to be running DIR /Q and cacls and collating the output into a book that I can print daily to get some practical use from it and accomplish a mundane task? Because right now, I sure as hell can't accomp
            • I sure as hell can't accomplish anything even remotely similar to a trivial 'find . -type f -perm 0777 -user value_added -exec blah {}

              That's not a fair comparison at all, because ACLs are IMO significantly more complex than standard unix bits. I know there is an ACL implementation for Linux to compare - and for example, the output of getfacl does not seem to be significantly simpler than that of cacls.
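As an added example (not from this thread and not a Microsoft or Linux tool), here is a small Python parser that turns cacls-style output into structured records and answers the `find -perm ... -user ...` style question from the parent comment. The sample listing is constructed and simplified: it uses only the single-letter cacls permissions (N/R/W/C/F), optional (OI)(CI) inheritance flags, and made-up paths and trustee names; "(special access:)" blocks are deliberately rejected rather than parsed.

```python
"""Turn cacls-style output into structured ACEs and query it.

Added example, not a Microsoft tool. The sample listing below is constructed
and simplified: single-letter permissions (N/R/W/C/F), optional (OI)(CI)
inheritance flags, and the cacls layout where continuation ACEs are indented
to line up under the first ACE of the same path.
"""
import re

# Constructed sample of what `cacls C:\data\*` might print (made-up names).
SAMPLE_CACLS_OUTPUT = r"""C:\data\report.docx BUILTIN\Administrators:F
                    NT AUTHORITY\SYSTEM:F
                    CORP\value_added:F
                    BUILTIN\Users:R
C:\data\notes.txt BUILTIN\Administrators:F
                  NT AUTHORITY\SYSTEM:F
                  CORP\value_added:C
C:\data\scripts BUILTIN\Administrators:(OI)(CI)F
                CORP\value_added:(OI)(CI)F
                Everyone:(OI)(CI)R
"""

# trustee, optional inheritance flags such as (OI)(CI), one permission letter
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])$")


def _parse_ace(ace):
    m = ACE_RE.match(ace.strip())
    if not m:
        # "(special access:)" blocks and other layouts are out of scope here
        raise ValueError("unrecognised ACE: %r" % ace)
    return m.group("trustee"), m.group("flags"), m.group("perm")


def parse_cacls(text):
    """Return {path: [(trustee, flags, perm), ...]} from cacls-style output."""
    entries = []  # [(first_line, [continuation_lines]), ...]
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if not entries:
                raise ValueError("continuation line before any path: %r" % line)
            entries[-1][1].append(line)
        else:
            entries.append((line, []))

    acls = {}
    for first, rest in entries:
        if rest:
            # cacls aligns continuation ACEs under the first ACE, so the
            # indentation width says exactly where the path ends, even when
            # the path or the trustee (e.g. "NT AUTHORITY\SYSTEM") has spaces.
            col = len(rest[0]) - len(rest[0].lstrip(" "))
            path, first_ace = first[:col].rstrip(" "), first[col:]
        else:
            # single-ACE entry: no alignment hint, so assume a space-free path
            path, first_ace = first.split(" ", 1)
        acls[path] = [_parse_ace(first_ace)] + [_parse_ace(r) for r in rest]
    return acls


def files_where(acls, trustee, perm):
    """Paths on which `trustee` holds permission `perm` (name compared case-insensitively)."""
    return sorted(path for path, aces in acls.items()
                  if any(t.lower() == trustee.lower() and p == perm
                         for t, _, p in aces))


def world_writable(acls):
    """Paths where a broad group has more than read access: a common audit check."""
    broad = {"everyone", "builtin\\users", "authenticated users"}
    return sorted(path for path, aces in acls.items()
                  if any(t.lower() in broad and p in ("W", "C", "F")
                         for t, _, p in aces))


if __name__ == "__main__":
    acls = parse_cacls(SAMPLE_CACLS_OUTPUT)
    for path in files_where(acls, r"CORP\value_added", "F"):
        print("Full control for CORP\\value_added:", path)
    print("broadly writable:", world_writable(acls))
```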

      • Re:Won't help them (Score:4, Insightful)

        by jimicus ( 737525 ) on Friday August 04, 2006 @01:23PM (#15847886)
        Even when you are running as Administrator, it still requires that you consent when you're running tasks/programs/etc that need superuser status

        So, having spent years training normal users that the correct way to get anything done is to click "Yes" on every single dialog box that comes up, regardless of what the dialog actually says, they're now doing the same to sysadmins?
        • Hopefully for truly sensitive apps, you would need to also type a password, which is much more secure.
          • In principle, yes, because it means leaving a workstation unlocked is far less of an issue than it is with NT4/2K/XP.

            However, in practice it is typical for Microsoft to copy Apple then balls up the implementation in some fundamental way the first couple of times around. I can think of a few ways this could happen:

            1. The user is prompted for their password so often that they don't think twice when they're required to enter it.
            2. Malware in 3 parts. The first part is a keylogger to capture the password.
      • Re:Won't help them (Score:3, Interesting)

        by chris_7d0h ( 216090 )
        So, does Vista have a system administration account or not?

        An equivalent of the Unix "root" user account or is it more like Ubuntu where the admin account is "hidden" by default and you have to sudo / RunAs whenever you want to do something outside your sandbox? I'm one of those people who do "sudo su -" whenever I put on my "admin hat" and I really hope Vista has an admin account since doing RunAs for every app when doing sys-admin stuff is pretty tedious.
  • "Now Vista, can you show us on this doll where the hacker touched you?"

    "Let the record show that the victim pointed to the KERNEL!"
  • by FlyByPC ( 841016 ) on Friday August 04, 2006 @11:59AM (#15847354) Homepage
    It's one thing to invite hackers to "take their best shot" at breaking Vista. Even if you could trust them to report what they found (and hey, these black-hatters seem like nice, trustworthy guys, right?), how should they really know what the source contains?

    ...unless M$ is letting them look at the source itself -- but since I haven't heard any reports of Hell freezing over, I'm guessing that isn't happening.
  • by Morosoph ( 693565 ) on Friday August 04, 2006 @12:08PM (#15847401) Homepage Journal
    Microsoft does not want black-hats to be cracking Vista, unless they're visiting a honeypot; for black-hats will keep what they know to themselves, and maybe create false trails. Rather, MS is indicating the grey- and white-hats that they're legally in the clear.

    "Black Hat" is simply the name of the conference organiser, a cool name to be sure, but not an indication of who MS is reaching out to.
  • Invite the non-yet-assimilated into the cube, as to save on expenses.
  • Knowing how bad security actually is in Microsoft products (a company with such resources should have come up with something like Tripwire combined with ACLs and maybe even better things a long time ago) the blurb sounds like out of this world.
  • Good! (Score:2, Insightful)

    by scuzzman ( 928420 )
    I say good for them. At least Microsoft is attempting to release a secure product. Sure, it may still have its holes, but this is possibly the most constructive thing they could've done to increase the security of this OS. It's nice to see Microsoft actually paying attention to security as opposed to ignoring it and thinking all the [spy|mal|ad]ware will go away as we've seen them do for 20 years now.
    • So how does one contact a black-hat and how does M$ check their 'credentials'. Are they even trying to ensure they're not just entertaining some script kiddies with a tour of M$ and a free lunch. - They will get lunch right?

      Heck, where do I apply?
  • by Drathos ( 1092 ) on Friday August 04, 2006 @12:19PM (#15847462)
    "A security team with oversight of every Microsoft product from its Xbox video game console to its Word program for creating documents has broad authority to block shipments until they pass security tests."

    So.. Have they been on a 10 year vacation or something?
  • by LaughingCoder ( 914424 ) on Friday August 04, 2006 @12:22PM (#15847477)
    Imagine if this is a special version of Vista that keeps detailed logs that can somehow find their way back to MS. This could give them a nice window (no pun intended) into the black hats' methods. Probably the black hats would be all over that, though.

    Or, imagine that the Vista they get is not the one the rest of us will get -- MS could, for example, purposely insert a bunch of security problems of varying severity and type to see how sophisticated the black hats are.
  • When I saw the headline "Microsoft Invites Black Hats into Vista", I thought: "With all the security holes in it, didn't they invite Black Hats into Win XP too?" :-)
  • by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Friday August 04, 2006 @12:30PM (#15847537) Homepage
    The title has created some incredibly +5 funny comments, which is great for cheap entertainment, but the title is completely fucking wrong and now the flamethrowers must be unleashed.

    From TFA:
    After suffering embarrassing security exploits over the past several years, Microsoft Corp. is trying a new tactic: inviting some of the world's best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.

    Black hats are the bad guys, the guys actually hacking the computers for the sake of getting money and identities. The security experts are the good guys!

    Maybe I'm overreacting, but that little change in the title is rather important. It turns the story from "Microsoft showing all the efforts it is making to improve security" to "Microsoft so desperate to improve security they invite convicted hackers/spammers/international mafia to come hack Vista!"

    Of course, without said change, we have no +5 funny comments, and thus no real story to make fun of, because there's not much material to make fun of here, and nothing to criticize about Microsoft because what they are doing in the article is what they should be doing. Nice Job Slashdot.
  • Can Microsoft ever recreate the excitement that accompanied releases like Windows 3 or 95? Back then a large segment of the population, at least in the US, was still transitioning from no or limited personal computing to having and using their own machine, and they usually ran about $2000 for a leading edge one. Nowadays, just about anybody who can cough up $600 to Dell can have one on their doorstep in a few days, up and running, internet connected, and have been there, done that either before or at work.
  • 'You need to touch it, feel it,'

    Sort of like what these guys [comingzune.com] are doing to the bunny?

  • IIRC, didn't Microsoft do something like this when they were getting Windows 2000 ready for release? This looks very familiar.

  • ... Just wait until its released and break its face upon release.
  • There definitely are some fun days ahead !!!

  • Wouldn't it be better to invite/pay White Hat hackers? Black Hat hackers don't help people. They just help themselves and exploit others.
  • Sounds more like they are looking to get the Grey and Whites involved. Which wouldn't be a bad thing. You just have to hope they're as good as the Blacks. Because as sure as you have a herd of people step up to test this there will be at least a few who get a copy for nefarious purposes.

    I will have to agree that Zonk and the greenlighters here might want to read the articles then re-read the headlines to make sure they aren't just fanning the flamewars.

    I'm just sayin...
  • Meaningless Ploy (Score:2, Interesting)

    by eepok ( 545733 )
    Am I the only one that sees this as a well-contained and rigged attempt at advertising security in high-control situations?

    OF COURSE it's going to be difficult/improbable to hack the Vista box that MS provides to Black Hat. It's running no unnecessary processes and has all known security checks locked down.

    What really matters (to consumers) is whether or not it will be as secure when 15 different unnecessary and unupdated programs are running in the background.

    No? Somehow, I'm n
