Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Microsofts Blue Hat Shows Its Serious About Security



 By: Paul F. Roberts
2005-10-31
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Windows story.


  Table of Contents:
  1. Microsofts Blue Hat Shows Its Serious About Security
  2. ' What Blue Hat Really '
  3. ' Hacker Bulls'

Rate This Article:
Poor Best
Microsofts Blue Hat Shows Its Serious About Security
( Page 1 of 3 )

The often-criticized company invites hackers to the conference table as part of its pledge to improve software security.

For critics of Microsoft Corp.s software, 2003 was a very good year. The appearance of the Slammer and Blaster worms was evidence—if any were necessary—that things had gone badly awry at the Redmond, Wash., software giant.

In articles over the days and weeks that followed, security experts and even the companys customers took Microsoft to task for issuing too many patches and doing too little to make them easy to deploy.

Chairman and Chief Software Architect Bill Gates year-old Trustworthy Computing initiative had failed, experts concluded.

Today, many of those security experts have changed their tune and now say that Microsofts commitment to improving security, which began in earnest with the Trustworthy Computing memo, has begun to pay dividends.

Microsoft, the argument now goes, has transformed itself from an IT security laughingstock to an industry leader and advocate for secure development practices.

Holes in Windows are fewer and harder to find. Other software vendors, such as Oracle Corp., that ridiculed Microsoft, now find that they are the target of security researchers ire.

Resource Library:
At the same time, Microsoft has gone from pariah to security industry darling: host of swank parties and mixers at the annual Black Hat hacker conference in Las Vegas; sponsor of its own researcher confab, Blue Hat; and a major employer of security talent.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The sunny reviews are no accident. Almost four years after Gates hit the Send button on the Trustworthy Computing e-mail, harnessing the work, minds and goodwill of security researchers has become a key element of Microsofts strategy for improving the quality of its products and burnishing its tarnished image.

George Stathakopoulos, general manager of the Security Engineering and Communications group at Microsoft, was an early advocate of improving relations with independent security researchers.

As a young engineer at Microsoft in the early 1990s, Stathakopoulos was part of the teams that shipped Windows 3.1.1 and Windows for Workgroups before becoming one of the original members of the Internet Explorer product group in 1995. He remembers the first security bug that was reported in IE, his companys awkward response to it and the string of viruses that followed: BubbleBoy, Melissa, ILoveYou, Code Red and Nimda.

As reports of new holes in IE poured in during the late 1990s, Stathakopoulos said, he and others often fumbled their response to them.

"We did not know how to handle [bug reports]. ... I personally remember looking at a bug and saying, This is by design. It has to be this way," Stathakopoulos said.

A visit to Black Hat during that period didnt help, Stathakopoulos said.

"It was not pleasant," Stathakopoulos said. "This guy came out making smart-ass comments about Microsoft and then showing problems we have with our products. I remember being infuriated."

Hours later, however, Stathakopoulos found himself wondering aloud to a colleague about the security holes: "How could we have missed that?"

Three years later, Stathakopoulos and Microsoft were not only back at Black Hat, they were hoisting drinks with attendees at a company-sponsored party—the first of many to come. "We didnt know if anyone would show up," Stathakopoulos said.

But the hackers did show up, in large numbers and on time, Stathakopoulos said.

Click here to read about Ciscos controversial attempt to silence a speaker at the Black Hat conference.

After an awkward few minutes, during which Microsoft and non-Microsoft attendees kept to themselves, the two groups began to mingle, with Microsoft techies tossing back drinks with renowned bug hunters such as David Litchfield, of the U.K.-based company Next Generation Security Software Ltd., who discovered the hole used by the Slammer worm, and Marc Maiffret, co-founder of eEye Digital Security Inc., in Aliso Viejo, Calif., Stathakopoulos said.

The new Blue Hat conferences grew out of the companys experience at events such as Black Hat, wrote Andrew Cushman, director of the Security Engineering and Communications group.

Unlike the Las Vegas extravaganza, Blue Hat allows Microsoft to bring Black Hat-style presentations right to the companys doorstep. Even more important, it gives high-level executives access to top security minds, said David LeBlanc, former security architect for Microsofts Office Division and now chief software architect at Webroot Software Inc., an anti-spyware company in Boulder, Colo.

The most recent Blue Hat, in October, brought Black Hat veteran Dan Kaminsky and "white hat" hackers such as Dave Maynor, of Atlanta-based Internet Security Systems Inc., and Matt Miller and Vinnie Liu, of the Metasploit Project, to Redmond to discuss their techniques for finding holes in Microsoft products.

Read more here about Microsofts Blue Hat conference for ethical hackers.

More than 1,200 Microsoft developers attended sessions with the researchers, filling the Redmond campus largest lecture hall. On another day, the white hats lunched and gave abbreviated versions of their presentations to an audience of Microsoft executives that included Jim Allchin and Kevin Johnson, co-presidents of the companys Platform Products & Services Division, and Mike Nash, head of the companys Security Business & Technology Unit.

"I cant say Ive ever dropped a zero-day on senior management before," Kaminsky, an independent researcher, wrote in a Microsoft-sponsored chat session following the event, referring to an undiscovered security hole in the companys software.

"I walked into a room with the head of Windows and three of the brains that made it happen," Kaminsky wrote of his meeting with Microsoft brass. "Whats the first thing I did? Dove into obscure protocol negotiations and asked if I was actually seeing a problem. Looks like I was," he said.

Next Page: What Blue Hat really does for Microsoft developers.





  Reader Comments: Microsofts Blue Hat Shows Its Serious About Security
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Windows Articles          >>> More By Paul F. Roberts
 


xr㶲0;; ʷ♵M푦d[kŲ,xMT(S$IϮO7t%_gq2Kht7F;?;;~$rLH56%3E]"I͝#Ⱦp(IFA)v@{iFuۚ8A&pTwd>B_'Щѩ&€dJ4lhlBhL@ƾQ8ƻMLbh;&qXC< tWӺ%A`FA|QCѺQQy$pm<$Qyc QL$tb9 QY )+Jt/"(?c&s?9; Ț_h@Q50NK <[8 #5nCQeKF֠}lui!l 1!o߮z$fRv'nWoR 25I2Z@[,HGmfCc`pmׇɩV Tq3c}fݷt{#Էƀ:SSC3MuN_CԿ(ҀK8VR#/y y>x u"˭Uֶ5^Gq3ݹcoE-2GlR =y7`JaCzJ&5\_-׉E>7 ؗY͢aE3l˸):4 PS+}(Z]rL.-g~oRzEÝ}1+UUeۿ]H #[wn5ZIۇvz\?ȣ59NA7߈ ZDTQRp& Rc@G'I_:G]>o VQ~ISC 40"@K3zĢ>Q}48M-AoA>EF,sA4 衊Ġ+W+֟1e`>=~\wEN_:>Ww:Qڟ+̊?V[U7#>扷kx?-`kh`cR^ٗG$Nzǃm2 1)H|]: ٠{N X(-t[RH3}yp%#,+RY4C! ,2ɌcPu t:CsƊf}+tWT7ohH2 3IsQ8j\K0F \ Q#|`Mil&XJp?Ӕ>`i+1TE0mESq:]Q4y3Dɭ g3E94>BBp4<01ApJn.b? [Z&gѧfmY%YWcL㑖zLU/{~֧6,qH"0U`A). 8ǵ:.o:j~:Ra**rkTQũt :2h bXP7XaQp6 @!0h v?3gԴHwTjh|N჎(>&ʋCPsiYnL-@sՇtw@>;wO޺zN uno/Ab# Z3x*z$tH hA'rkJO7.[A0? [ O`r\[ hk= Dy+wMGH@b1,{DM`#ρYC2{k:G\[-[Y6x O͹A C s\(L7^ 2)%%E24.'H(BHP!9[h ]99z|?{"!bRNk ['5RxB#ܝCRQMVJ9b -xkb}I)l͌eY&zϏaLlW^, Uto35Mus֪%6zhBơ3yjmS#U^^tw4,qƾcҿX~8& 3R>c~ poǖaF?ҚhyNu!SB3A ~6;:)Xئ5[}f{l6gA3uNP"E_ ۝mý-˗O.DKQzV[ ng$50+gUA+G|@]Oچhp$H80W2`aBS몶bg`m1Lx>x# d46, ,[b)#C.W鍥k?j G[Q@r(aNgT3aAK[6 ~XOM{b^ /jtg 'jE)j4'`/#[ݵ A ;vm۽ sD~,-CZ!]˙P7uX8F_͆OCBM&Hy 8TU@G?_􆕏1 !Wܔv R6󀧬3wdlrCJRE}x\.)J5Ew` N 2$Ћh <|!CX&,\$] (DrIa TWk藑`..7]T6AÎ'"%1ڧ>s!b*/W+ )\|;Ogz^*k :ѡUUR;,Z 8;8]ex%MQ9tc~y05M׃ZfeY:57A_!^R`wf%6UY8f51?0kY /ÎTU5 ܧ i VR9A} l#d;y\W4Uudù`Qдa#MA"H;+4kpí225\˥U;NPd[wk-}{B$XDzԲ':*f56 PGG$؃L1>̌k}P~sAYoYr:iwx295Nks;N`k%ԑJk欭+4stJ(ͤVJ)EeDExYKCU<~U&.r/fҿ柩 BWT~ZUusUIH5 ]Uj; 3e0FPBR1|ʼ'r ]N7._VZiza: L:HP+ Y| #"Ԅ6xpL+SxA!RD#$ |*$ ] Vspu^3.+!9kw> {gq o2 }E\u@*v%?}8:֧6MF&;fB,&8IvIͧ^Y{{:9\|x6(}:<4.dhhT7Nus!d};][zsіҽN z֓!yBVݧ=Uti)qfm2G<2u\8$ [^q@ښ һ:i_qbAjNZ _k=W&7U8\;HF_aߪ,$"0.)tvȝyE9{B*q_Ʒ2sy5A6^SF(+bK"$DY |i'U^_f} bt<~Ut";#Wo9j ~_!c&o8~ ѶP֬=8Ymrl׸zI ~2)}Cm9˝~H (9o =%(E٦z_W@dj&ubJT=Kz=O?{( clwQ(S>P$-zbennKlx0cRȔ&=I8z>SB&Դ5ۓ4-i^Eqj ieʒ~i/h' ۡX#қ_.6G8+ (OMkzisy^]~ںmDrF]=`l+LZQ"A|J| a9nG e!>RဏQFhEg;y--EU-VYҋÛhqb yx+=$ $ r@Ί~\A=$v<ݛ9z`푎cIŋ؍n ~:qE42Tdi'sؾ6 }ahuх[ `Сw[v$3m=g)Ս)A/Ms>å=`L:M\gOhNPD(PQEĵTrmzc촫"ÈR H V FP ߽?qw>P]ʌ,=}!G&zEpB.Z;͆ؓ9̆{JǻkA]iNw7pHUFᚎx XJ~Ol'Mt6DjEWcgw#9Ȫ̙S.R؉o'w3^q,&jwAoFǥ4/MZ2g;;;G׍sGg#F0XvƹEt`/4v7 ]ekw}B!uB6Km܊ȥ9.r\ 5"nx*ZY$|:Okd" h6vo"Ba"sME[۴r]Cauk§ ,'i_Wc#ޚU2$;lߔ1g.o(#__k w K%/ !]9?3[Oͨ_ h>|s(u©[t[:`8[&5#h,e6Բ_) &Lي? spruWlw\ݬe~:tkE\pBt{jJIX~&Q w/ Q>43ˁmr.C-nQOԪ/ǘS{,E7:Xz?7 7+"ڂRrI}W8L߹C:tD'p~Q)vϩ'<\IYw3:9s u; $@٦8bp'vS0AE Sb Z!q!|p'e`ǹ‚ w~a udsAHx|( 0?BTkǨiË95 PKZ<:,ʨQ3N-$D^#Mt1.speሒu@,P;J~Xۊ#B->Nkر0G7`;acr-9,WxTtNJ]y/Rov쪒^ۃX,R8P^R+I^Zl!!}^c KXu@b3#3C4M{M#([M-\q^C@mC 9$a2LTZS*}j>rO7s-"n@"$ $@r!f"r=]prҟuvW96!'J*v9EqdU0jY;BT@E!0U!^ ׏< z.."4l9v@VUȊQݙ7gr$Y>w LNt,J ޯU*42 s .D o_kKIHj>k ~2A5Y%Rh>RѲK8PEcFZ-,Hh>譺)U^QCz ÈLTXSN Tch Tպ҇BsA*o`+[a!oX+[!Q+oU|.ViOQ%lO)V_Q\@:ҙ H_LB4\Ԅm&’$ $ y !2azJm,/C5"%)^Qr q jU<% Y1fN\+$ 03~1;#ѥ7;7;7;7;oF W}8W/o^`JǺ4 ~K<3$`TiC$ @$ "Iz DfGz;T*Z'a\镥Y Eq1''1QD߼ Բݐ/z uIu Z]+~PtV~~}VOcwpyo'Hsub6r')ph0+`sH%t5>;*i%6]3` Ae*Ä΀0oe_I~擫nH`W"0!?CHm.6 1guR9> 3ORJz\Xh^i!^-t2}p#=c< 0*r\bAiqP$ECwqmSj3[~[roooo7n*U *1MWH]3GK¦T/neR~@{=MA"t1H "Bcon[㏶?F{eĉ'z< O@ U< izt- ET3P1&xU7~uzdLt@4"ÏGp|}+'xSfD =xqU$Iŷ5[7G|[WR7rϣlei(]f~:'TZkDna;+4w6~sy׻{1sʽV'S =ԳxRş zwy)*}*7ʙK +ŷj /4`䵱u7} C- l߽!٩q,fER i[oF6௶aqlau&j$|`Ym}m-6ә{K"eX -_?'mFDAmAȼ=KԬE5VfX*j%"Q0M?W+⌱fae9s?*I5T "IK)z:kҽ:u]W[2)` r闶Qpq{}Kbdvȼh~-^,Aܓ فa@{ob%6Y3;(5dC^`C(řn.;v4n[*7g ][E|Ro|ՊOZYҡQ7 ?=ևjTn#$Ɩ ҘX/GOq\dE'yHd1*=MÛ*b m0B~ LuM|{y%o? &Su(41N yNxNJ6Ȣ#xbu~HKpI-L Q q G:g{@=n ?/[?5>^ۏoˑ2TŦW#!kX55 ;'%GV2C[ s яTmS_$C7~^5sJO(+a4>(CZP"Z=’וM}Ir9bI|Km@`j '&lZO8AXJzܘEJPa_ye%"ey3t{iQdĨ1gfSYh9[Ycj9F/j5e_]͹O?P. ]ZˣXuV%d{VH=ܚ&/E(([3H>PSZ[WUH*4,Ǐ|^kik6J=!ɣ`5<+;\n&z:,ֻx z2[o^7G'ܬTME- Gܬ2ǖܐS uQaNa3TXD\bJG29#n--eaaZ$v\ S Dcޥ"E"#MZ~RQ!VuĕպԴzYܧF(+%gɕF1Ttך5}/}Y0Y$֞;m^aηfgG1^:(]L]?0s{EMF^[ώ5XlDwO 0ۉpd&íT2ý<HH9~:hSvY\d3-nVTm}yV]=1q8 @1; Qqb6b~m>9lg0TYSbfY3ZMqxe״5B\Ć[HM_#Ƙ}ND9F+PSKC7<6K$}@dȇ=T|>-n3Z]}:GКچGt(|N n,MY,>t~M& )IMБ ܟޕ=U'=yhx &̊(HKt<.:>m[={LfROa"gLN!_ _ݰ,VI mydi#ȓ+2 1hlZ/ul_?#=:}?o>ZxX29k `C-Cۑ?/N΂Bх<=y אT ]\VZAf<H]EWVZCG\nX|I7o8gkH0jCB9Ҍ9oF立ЍQݹ!?1@L-{a@iAX#hbGc W>nrn[քၰ5"t B[ccߝ6#TwnduyyH^ۤ|չtz}޻[S֊E_gn՝Es1(4O-Vbv>4m+Lxe$AN/Z6Srԙpi.$ /"cɃwg;8/dԝ'a~?)Qd3̋ qW~4aa ^f)o\}-[I 3YWG>ȱkH r:h) FQg cc>oH]hF*5/ʶ΁ss_r j}q (߃^N>R`} झ O?9O!NyY9)4;'9пNN>ӹɇwrs?9akvs 挿 yv?taݜw>9'E/@3?#' ݜ|ߋ A{9ȟȗ^|̡KS *~0~0~@ >3_a|_r%א{CuN@9^$)gV.qv*es_)4rRyW[Ӝ}ϑgUsv^Va{jg~W_} KwWK0Tt[L쵊cn-k:vņB__2𞫫qLvwe,o,hcENz9&yQg΂'8Vɴ&V !,Et|"\r5½1o>eqb?AzK[<F4q< 3ޛ.xwY몮,j8“m(9q}2Sop١Oj] O WYn- aP8'~ j'<3;X^,!.Z֧6KtF}Y ÉN#ь~F D29 <9GqN]Q[t'4\h ;םCöwA |$U˚VVk[*j f{D8 R*R'Ӏe`_)&Kˤ h[q2boVS7 y8n[z^"z%^>AO'O U^@,ŋdaSOp^'Wv0~'P`֞.:^G,'v'w cѬz`2.uV{A [dתeH:`٠'SkC3 фYBD˼fΛMzԍy8J!Q4l1Aҙ |^:%3!]{ߨTxP eņCm8D[ WLn1&PS.*;=Yry{ d>`X)43ǬMgaw./G]  \&,4S>Ip16`:sh^6a5qY[c]` g&a5c*g%ͧB0A6ZwzhLS,Fh_cArd9~U ZC70;ۈXq%f<̦ImHnNg3L[!½|۸<;zlF,b vԙ%1H_T3lf^͘=%u)S/=oty'Wxc/3{'0ML+fAl!3&rA(]5,PCD3*=/V,|vb.mlgJ8e`'4u `.{eC})L9 H|Q\k֊<#!1苄I Mc 'Vj͙*u/wi#~:4%]+83b{sJߊJd(`^璑̀ԛjd_%\7AӡL6ԃ[E/=G"c =q'Jԫ Ma{-Okd9Hz%zU x&.7#33Q)ւ_gзcǁ/K[KV7۲b&\`1W$k$GdRͤO=$nDJEg)۠(,%_* >nX"3>m`>Ncc'LXZe纖9cbZ)qmGfd_ZW5Z@<K"/CZ34 ҇^؁;qV' 3>&rx{Kkы.H d|_OExƮ~ Qxi%鎎Fdu(IU`>4(Na")1,lp+>c7Ϗq`d2oz/ON70Am+Lȏ,l [Ze']D.hrE#O ر~ m j fY Vj 1>f@xH>%B6Yrynuҵ-Irz,ɀ~UˆBd+KU̵ѩ%Xk^٠C><goa)nԈ|rZ$?aHbU3|7ZОs,C Sga+Ea2z(g,1F wAiv! Z# *f" ZL+bB؉ZsR)LΡnlqQ!*a#ٌ{ M<[,.7үu!;zZ|yƳc{_o>OxNž=Kf s)VR,_X0]< :+7.E!XȩT5?_KobA;s<] VsT/7uG<;n&5_QyB;FLl4$Χy*?#[7nxQOW'RTF^zI2v]NN:񝞝T7qr9z˳ƛ|ǠbP