Microsofts New Security Hat
No company has been more victimized by hacker attacks than Microsoft. The reasons for being targeted are no secret: Microsofts monopoly market share and its own negligence in secure software design.
Chastened by this unhappy history, Microsoft has begun to do the right thing with regard to security. By actively participating in the upcoming Black Hat security conference in Las Vegas Aug. 2-3, Microsoft is setting an example that all software companies should be following.
Not too long ago, Microsoft was the butt of jokes when it came to security. George Stathakopoulos, general manager of the Security Engineering and Communications group at Microsoft, recalled that at a Black Hat conference in the late 1990s, "It was not pleasant. This guy came out making smartass comments about Microsoft and then showing problems we have with our products. I remember being infuriated."
A few years later, Microsoft was hosting parties at Black Hat to get to better know hackers, both black- and white-hatted. Last October, the company kicked off its first "Blue Hat" conference, inviting community members to its Redmond, Wash., headquarters to discuss how Microsoft code was getting cracked. The company hosted its second Blue Hat conference in March.
Despite these efforts, Microsoft is not out of the woods as far as security is concerned. Its Vista version of Windows is still in beta and already has had a security patch issued. And some of Vistas much-touted security features, such as the User Account Control, have had to be revamped.
But Microsoft is seeking to apply lessons learned from the Black Hat conference to Vista and claims to be "the first software vendor to present an entire Black Hat Briefing track on a pre-release product, specifically to gather security researcher feedback," according to the Microsoft Security Response Center Blog. We think, though, that no matter what kind of response the company gets to its daylong security track at Black Hat, Microsoft, Windows users and the security community will be the better for it. Its true the more knowledge malicious hackers have about the insides of Windows, the more clever ways they will find to exploit it. However, the more knowledge good-guy hackers can give Microsoft about how Windows is being exploited, the better.
We have been vocal in our criticism of Microsofts software design practices in this space. In some ways, Microsoft has no choice but to go this route. The same old hack-and-patch routine has reached bottom. In addition, there was a time when Microsoft had a fortress mentality with regard to criticism. However, its recent track record is one of opening up to the critiques of the security community and incorporating that feedback to build better software. Microsoft is doing the right thing and deserves credit for it. More commercial software vendors should be doing the same thing.
Tell us what you think at firstname.lastname@example.org.
eWeeks Editorial Board consists of Jason Brooks, Jeffrey Burt, Larry Dignan, Stan Gibson, Scot Petersen and Lisa Vaas.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.