For critics of Microsoft Corp.s software, 2003 was a very good year. The appearance of the Slammer and Blaster worms was evidence—if any were necessary—that things had gone badly awry at the Redmond, Wash., software giant.
In articles over the days and weeks that followed, security experts and even the companys customers took Microsoft to task for issuing too many patches and doing too little to make them easy to deploy.
Chairman and Chief Software Architect Bill Gates year-old Trustworthy Computing initiative had failed, experts concluded.
Today, many of those security experts have changed their tune and now say that Microsofts commitment to improving security, which began in earnest with the Trustworthy Computing memo, has begun to pay dividends.
Microsoft, the argument now goes, has transformed itself from an IT security laughingstock to an industry leader and advocate for secure development practices.
Holes in Windows are fewer and harder to find. Other software vendors, such as Oracle Corp., that ridiculed Microsoft, now find that they are the target of security researchers ire.
At the same time, Microsoft has gone from pariah to security industry darling: host of swank parties and mixers at the annual Black Hat hacker conference in Las Vegas; sponsor of its own researcher confab, Blue Hat; and a major employer of security talent.
The sunny reviews are no accident. Almost four years after Gates hit the Send button on the Trustworthy Computing e-mail, harnessing the work, minds and goodwill of security researchers has become a key element of Microsofts strategy for improving the quality of its products and burnishing its tarnished image.
George Stathakopoulos, general manager of the Security Engineering and Communications group at Microsoft, was an early advocate of improving relations with independent security researchers.
As a young engineer at Microsoft in the early 1990s, Stathakopoulos was part of the teams that shipped Windows 3.1.1 and Windows for Workgroups before becoming one of the original members of the Internet Explorer product group in 1995. He remembers the first security bug that was reported in IE, his companys awkward response to it and the string of viruses that followed: BubbleBoy, Melissa, ILoveYou, Code Red and Nimda.
As reports of new holes in IE poured in during the late 1990s, Stathakopoulos said, he and others often fumbled their response to them.
"We did not know how to handle [bug reports]. ... I personally remember looking at a bug and saying, This is by design. It has to be this way," Stathakopoulos said.
A visit to Black Hat during that period didnt help, Stathakopoulos said.
"It was not pleasant," Stathakopoulos said. "This guy came out making smart-ass comments about Microsoft and then showing problems we have with our products. I remember being infuriated."
Hours later, however, Stathakopoulos found himself wondering aloud to a colleague about the security holes: "How could we have missed that?"
Three years later, Stathakopoulos and Microsoft were not only back at Black Hat, they were hoisting drinks with attendees at a company-sponsored party—the first of many to come. "We didnt know if anyone would show up," Stathakopoulos said.
But the hackers did show up, in large numbers and on time, Stathakopoulos said.
After an awkward few minutes, during which Microsoft and non-Microsoft attendees kept to themselves, the two groups began to mingle, with Microsoft techies tossing back drinks with renowned bug hunters such as David Litchfield, of the U.K.-based company Next Generation Security Software Ltd., who discovered the hole used by the Slammer worm, and Marc Maiffret, co-founder of eEye Digital Security Inc., in Aliso Viejo, Calif., Stathakopoulos said.
The new Blue Hat conferences grew out of the companys experience at events such as Black Hat, wrote Andrew Cushman, director of the Security Engineering and Communications group.
Unlike the Las Vegas extravaganza, Blue Hat allows Microsoft to bring Black Hat-style presentations right to the companys doorstep. Even more important, it gives high-level executives access to top security minds, said David LeBlanc, former security architect for Microsofts Office Division and now chief software architect at Webroot Software Inc., an anti-spyware company in Boulder, Colo.
The most recent Blue Hat, in October, brought Black Hat veteran Dan Kaminsky and "white hat" hackers such as Dave Maynor, of Atlanta-based Internet Security Systems Inc., and Matt Miller and Vinnie Liu, of the Metasploit Project, to Redmond to discuss their techniques for finding holes in Microsoft products.
More than 1,200 Microsoft developers attended sessions with the researchers, filling the Redmond campus largest lecture hall. On another day, the white hats lunched and gave abbreviated versions of their presentations to an audience of Microsoft executives that included Jim Allchin and Kevin Johnson, co-presidents of the companys Platform Products & Services Division, and Mike Nash, head of the companys Security Business & Technology Unit.
"I cant say Ive ever dropped a zero-day on senior management before," Kaminsky, an independent researcher, wrote in a Microsoft-sponsored chat session following the event, referring to an undiscovered security hole in the companys software.
"I walked into a room with the head of Windows and three of the brains that made it happen," Kaminsky wrote of his meeting with Microsoft brass. "Whats the first thing I did? Dove into obscure protocol negotiations and asked if I was actually seeing a problem. Looks like I was," he said.