LAS VEGAS—Cats and dogs living together.
Thats the only way to describe the party that Microsoft Corp. threw here Thursday night at the close of the Black Hat Briefings. The gathering was billed as a thank-you for all of the people who have helped the software giant improve the security of its products over the years. Given that agenda, one would have reasonably expected to see a crowd of current and former Microsoft employees with a few outside experts thrown in for good measure.
But the group that showed up at the ultra-hip Ghostbar lounge at The Palms hotel was instead made up of the crème of the crop of security researchers, crypto experts and even high-level Bush administration officials. With more piercings and tattoos per capita than the population of most college campuses, the guest list was a flat-out whos who of the security world. And the fact that they all turned out for a party put on by Microsoft—a company considered by many in the room to be the root of all evil—was the most surprising twist of all.
To call Microsofts relationship with the security community strained would have been a vast understatement in years past. But, the combination of the companys massive internal effort to improve the security of its software and the outreach and communications work done by the Microsoft Security Response Center has apparently thawed relations between the two sides considerably.
Many of the researchers on hand for the party said they couldnt have imagined showing up at a Microsoft event as little as 12 months ago. In fact, one guest said that he figured gathering this group of people together in one room would have triggered the apocalypse.
For evidence that the era of good feelings truly has dawned, you need look no further than the names on the invitation-only manifest for the party: Marc Maiffret and most of the research and engineering team from eEye Digital Security Inc.; David Litchfield—pere et fils—of Next Generation Security Software Ltd.; Thor Larholm, of PivX Solutions LLC; Chris Wysopal, of @stake Inc.; Marcus Sachs from the Cyber Security Division of the Department of Homeland Security; Phil Zimmermann, creator of Pretty Good Privacy; and even Kevin Mitnick, late of the federal prison system.
Notably absent from the party were most of Microsofts top security executives. Taking up the slack was the staff of the MSRC, which has turned over quite a bit in the last year. Once run mainly by senior Microsoft managers, the MSRC now is made up of a much younger crop of security specialists who are perhaps better suited to the task of working with and relating to the researchers who make it their business to find weaknesses in the companys software.
Many of the researchers in the crowd have been among Microsofts chief tormenters for the last few years. Maiffret and eEye have built their reputation on digging out vulnerabilities in the Microsofts products, including the flaw that was exploited by the infamous Code Red worm two years ago. Wysopal, as a member of the famed L0pht hacking collective, spent considerable time hammering on Microsofts products. And Litchfield and Larholm both have become well-known for their research on a variety of fronts.
So, to see these folks mingling, drinking, and yes, even laughing, with the Microsoft employees was odd to say the least. The weirdness was not lost on anyone on either side of the equation.
Looking around the bar, it was difficult to believe how friendly and cordial everyone was being, said Maiffret, who early in his career drew the wrath of Redmond for including exploit code in some of eEyes vulnerability advisories. The company has long since stopped releasing exploits, and Maiffret and his crew were happily trading stories with their opposite numbers in the MSRC.
None of which is to imply that these researchers have suddenly gone soft on Microsoft. Quite the contrary in fact. Many of the attendees spent considerable time explaining to MSRC staffers what the company could do to improve its response process and where its blind spots are.
But, by the time the doors were thrown open to the Ghostbar regulars (read: NBA players, celebrities and their posses) and a mob of MSRC folks piled into a stretched-out and blacked-out SUV limo with a band of researchers instead of riding off with the Four Horsemen, it was clear that times were indeed a-changin.