
Hackers, Meet Microsoft

CowboyNeal posted more than 9 years ago | from the come-together dept.


Mz6 writes "The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle. Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network. 'It was just silent,' said Stephen Toulouse, a program manager in Microsoft's security unit. 'You couldn't hear anybody breathe.' The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color."


496 comments


FIRST POST (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12837139)

FIRST POST

Blue (0)

Anonymous Coward | more than 9 years ago | (#12837140)

... is the corporate color. It's just too easy.

Blue? (1, Interesting)

XanC (644172) | more than 9 years ago | (#12837141)

I didn't know that... But come to think of it, the Windows 3.0 splash screen was all blue.

And 3.1 was a black background, but blue graphic.

Re:Blue? (5, Funny)

nxtr (813179) | more than 9 years ago | (#12837151)

Come to think of it.... BLUE screen!

And a fatal error... (2, Funny)

CPNABEND (742114) | more than 9 years ago | (#12837220)

Resulted in the BLUE screen of death!

Anything but... (1)

fembots (753724) | more than 9 years ago | (#12837245)

Green Hat [filmfestiv...terdam.com]

Re:Blue (1)

MrAnnoyanceToYou (654053) | more than 9 years ago | (#12837263)

Microsoft: How many times have you seen it today?

You'd think they'd have some shame rather than pride about bugs crushing their entire OS at once.

HEY TIMOTHY! SUCK ANY MORE COCK TODAY! FAGGOT! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12837142)

*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*
g_______________________________________________g
o_/_____\_____________\____________/____\_______o
a|_______|_____________\__________|______|______a
t|_______`._____________|_________|_______:_____t
s`________|_____________|________\|_______|_____s
e_\_______|_/_______/__\\\___--___\\_______:____e
x__\______\/____--~~__________~--__|_\_____|____x
*___\______\_-~____________________~-_\____|____*
g____\______\_________.--------.______\|___|____g
o______\_____\______//_________(_(__>__\___|____o
a_______\___.__C____)_________(_(____>__|__/____a
t_______/\_|___C_____)/______\_(_____>__|_/_____t
s______/_/\|___C_____)_______|__(___>___/__\____s
e_____|___(____C_____)\______/__//__/_/_____\___e
x_____|____\__|_____\\_________//_(__/_______|__x
*____|_\____\____)___`----___--'_____________|__*
g____|__\______________\_______/____________/_|_g
o___|______________/____|_____|__\____________|_o
a___|_____________|____/_______\__\___________|_a
t___|__________/_/____|_________|__\___________|t
s___|_________/_/______\__/\___/____|__________|s
e__|_________/_/________|____|_______|_________|e
x__|__________|_________|____|_______|_________|x
*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*_g_o_a_t_s_e_x_*

In a twisted way of measuring popularity, it looks like Britney Spears tops the list. According to Panda Software and 7 years' worth of infected messages, Britney's name was used most in attempts to get users to open malicious e-mails. Rounding out the top 5 were Bill Gates, Jennifer Lopez, Shakira, and Osama Bin Laden. Other notables include Bill Clinton, Pamela Anderson, and, of course, Anna Kournikova. All the names on the list have been used multiple times with different tag lines. The names of these celebrities are used in coordination with misleading promises of illicit pictures or late breaking news to tempt users into opening an infected e-mail attachment or to click on a bogus link. Are we really this stupid? Do we really think these unsolicited messages will lead to pictures of Osama being hanged, or video of Michael Jackson? It also amazes me that some of these names seem a little dated. Pamela Anderson? And are guys really that desperate to see nude pictures of celebrities? We must be, because these attackers pick on us for a reason: it works. Social engineering will always work because people will always be able to be fooled. I guess I just assumed people would figure out how to spot fakes after a while. How many times do you have to click on the link to realize there isn't really a picture?

Re:HEY TIMOTHY! SUCK ANY MORE COCK TODAY! FAGGOT! (0, Funny)

Anonymous Coward | more than 9 years ago | (#12837221)

You know that picture is almost on-topic.

MOD PARENTS UP! (1, Funny)

Anonymous Coward | more than 9 years ago | (#12837317)

I'm glad your parents decided to fuck without birth control. Truly you are one of humanity's greatest accomplishments.

PS: You're a fag.

Re:MOD CHILD UP (0)

Anonymous Coward | more than 9 years ago | (#12837354)

As maturity is sorely lacking in the poster.

So, uh, during that hushed silence (5, Funny)

Neil Blender (555885) | more than 9 years ago | (#12837143)

What were they thinking? "Oh, shit our OS isn't secure?"

Re:So, uh, during that hushed silence (5, Funny)

halltk1983 (855209) | more than 9 years ago | (#12837160)

I think it was more along the lines of "I hope the boss doesn't get this or he'll find my pr0n stash on the corporate laptop"

Re:So, uh, during that hushed silence (5, Funny)

WillAffleckUW (858324) | more than 9 years ago | (#12837168)

What were they thinking? "Oh, shit our OS isn't secure?"

More likely:

"How can we spin this from bad to good?"

Re:So, uh, during that hushed silence (4, Funny)

Anonymous Writer (746272) | more than 9 years ago | (#12837201)

Answer:

"That is a feature, not a bug"

Re:So, uh, during that hushed silence (1)

WillAffleckUW (858324) | more than 9 years ago | (#12837300)

"That is a feature, not a bug"

Help me, Obit Juan Denobi, you're my only hope!

makes me think of that scene in Starship Troopers where they talk about nuking bugs dead and then you see a film clip of kids stepping on cockroaches while their teacher laughs insanely ... and just as effective ...

Re:So, uh, during that hushed silence (1, Funny)

Dunbal (464142) | more than 9 years ago | (#12837286)

Or OMG they found my stash of gay pr0n right here in front of everybody...

Corporate Color (5, Funny)

DavidLeblond (267211) | more than 9 years ago | (#12837145)

The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

Must... not... make... obvious... BSOD comment.... aughhh!

Re:Corporate Color (1)

taniwha (70410) | more than 9 years ago | (#12837307)

Err isn't 'big blue' someone else?

Surely MS's corporate colors must be more like the windows logo red/yellow/blue/green?

How about 'Blue Screen' ? (3, Funny)

bani (467531) | more than 9 years ago | (#12837146)

To me, it's a far more fitting name.

Re:How about 'Blue Screen' ? (0)

Anonymous Coward | more than 9 years ago | (#12837252)

The comment above yours seems appropriate.

Was it really necessary to explain Blue Hat? (0)

Anonymous Coward | more than 9 years ago | (#12837150)

I mean... what were we going to think... that it was named after the Blue Man Group? That IBM was hacking Microsoft?

Good start (3, Insightful)

Jason1729 (561790) | more than 9 years ago | (#12837154)

But will MS actually do anything?

It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

Re:Good start (2, Insightful)

StupidHelpDeskGuy (636955) | more than 9 years ago | (#12837261)

True, but I am sure you have a few arrogant coders at your place of business. A few senior level coders certainly have an over inflated sense of self where I work. An experience like this would probably be beneficial in and of itself.

Re:Good start (4, Insightful)

dpilot (134227) | more than 9 years ago | (#12837281)

> But will MS actually do anything?

But *can* MS actually do anything?

Given the bowl of spaghetti called nearly 2 decades of Windows, how much freedom of action do they really have to clean things up? Tug at a strand here to fix it, and who knows where the other end is? How many side effects will there be from that one fix? Yet at the same time, their market power is based on Windows and their code base. Force too big a migration, too much retraining, and it might well turn into a different kind of migration - to someone else's platform.

They've got a ticklish and tough job ahead. But then again, they did it to themselves.

Re:Good start (5, Insightful)

still_sick (585332) | more than 9 years ago | (#12837403)

It seems like Microsoft is showing their own coders how vulnerable their code is, but these are probably the people who already know that best.

I think it's a matter of levels. Sure, they doubtless know about all the holes in the code or whatever (being the ones that, y'know, PATCH it) - but it's a totally different understanding than that of an expert user.

It's like an Automotive Engineer and a Mechanic. They both "know" essentially the same things about any specific car. But it's their viewpoints and specific backgrounds that make their individual understandings both unique and useful.

Puzzled: why get angry? (5, Funny)

shm (235766) | more than 9 years ago | (#12837158)

From TFA, "... some of the engineers were turning red, becoming obviously angry at the demo hacking incident ..."

I would think they would be looking at their shoes.

Re:Puzzled: why get angry? (5, Insightful)

Hockney Twang (769594) | more than 9 years ago | (#12837240)

Contrary to popular belief, most of these developers aren't intentionally releasing what they know to be insecure code. They test it beforehand, and sign their work. They are making what they believe to be a good effort at security.

Imagine if you made a product, and were fairly proud of the work you had put into it, and then someone grabs it, and publicly demonstrates that it's terribly flawed, making you appear to be a fool. It's natural to be angry, and hopefully it will only inspire them to greater vigilance in an attempt to save face.

Re:Puzzled: why get angry? (5, Insightful)

bani (467531) | more than 9 years ago | (#12837285)

Saving face is exactly the wrong motivation to fix security problems.

If it takes public embarrassment to get these engineers to take problems seriously, then they're totally fucked.

Re:Puzzled: why get angry? (1)

geekoid (135745) | more than 9 years ago | (#12837299)

This is what happens when you hire prima donnas with monster egos.

MS upper management has a long fight trying to change entrenched developer and middle management habits.

Every MS and former MS employee I have worked with throws a fit when proven wrong. Or worse, their code works but is impractical to maintain, and you ask them to change it.

I have only worked with a few dozen of them, so my sample is small and could be anomalous.

Re:Puzzled: why get angry? (0)

Anonymous Coward | more than 9 years ago | (#12837329)

Let's see.. they were "turning red". Anger? or embarrassment/shame? Most people are going to turn red from the latter far easier than they will from the former! Maybe they were angry at _themselves_ for not thinking about the exploit opportunities, but this sounds like a case of good ol' embarrassment to me.

Re:Puzzled: why get angry? (1)

Neil Blender (555885) | more than 9 years ago | (#12837387)


Exactly. When someone finds a bug in our software and it's my fault, I usually get embarrassed or mad at myself (or the testers depending on the exact nature of the bug and how reasonable it would have been for them to have found it during test.) To the person who found and reported the bug, I feel grateful, even if they are a total dick about it.

SLow but steady, Microsoft rises from the ashes... (3, Funny)

nugneant (553683) | more than 9 years ago | (#12837165)

...like a Phoenix. Slowly, people are catching on. I mean, this HAD to raise some eyebrows.

It's one thing to read about this on the internet - people say all sorts of things on the internet and you learn to tune it out after a while.

But seeing it in front of your own very eyes, watching the hack attack commence in the blink of an eye, the pulse of a heartbeat, the shiver of a twitch, the essence of a raindrop, the flash of an instant, with the click of flint before it ignites the gunpowder in a Civil War era cannon-- etc-- it's shocking.

And so, ten years later, after learning from the hackers, their once-sworn enemies, the Great Microsoft rose to become Operating System: NWO. And that, my children, is the story of how Herr Syrs Bill Gates and Al Gore created and patented the internet.

Hey! (4, Funny)

Mr2cents (323101) | more than 9 years ago | (#12837167)

The event, which Microsoft has not publicized, was dubbed 'Blue Hat' -- a reference to the widely known 'Black Hat' security conference, tweaked to reflect Microsoft's corporate color.

Hey, IBM is Mr. Blue! Microsoft is Mr. Pink!

Re:Hey! (0, Redundant)

CyberDave (79582) | more than 9 years ago | (#12837312)

Mr. Pink: How about if I'm Mr. Purple? That sounds good to me, I'll be Mr. Purple.

Joe: You're not Mr. Purple. Some guy on some other job is Mr. Purple. You're Mr. Pink!

Mr. White: Who cares what your name is?

Mr. Pink: Yeah that's easy for you to say, you're Mr. White, you have a cool sounding name. All right look if it's no big deal to be Mr. Pink, do you wanna trade?

Pay outs (5, Insightful)

1967mustangman (883255) | more than 9 years ago | (#12837170)

So microsoft has what like 50 billion in cash reserves? Why don't they just do a bug bounty and like $50 a bug. Like mozilla did. 50 billion/50 = 1 billion bugs they could find and fix that would have to make some kind of dent right....................oh wait never mind.

Re:Pay outs (0, Flamebait)

DAldredge (2353) | more than 9 years ago | (#12837283)

No, they have between 10-20 billion. They returned over 25 billion to their shareholders via tax free dividends.

Re:Pay outs (0, Informative)

Anonymous Coward | more than 9 years ago | (#12837394)

While finding the holes is important, fixing them in a way that doesn't break something else or make new holes is what really costs the money.

I was sure it was green (5, Funny)

djKing (1970) | more than 9 years ago | (#12837176)

M$'s corporate color is blue? Could have sworn it was green.

- Peace

well, it's a start, but a late one (4, Insightful)

yagu (721525) | more than 9 years ago | (#12837178)

The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.

At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

First, at a company like Microsoft, I'd be asking about the 2 senior managers who didn't know about heap attacks. Second, this whole article is a bit of a puff piece it seems designed to put Microsoft in the best light, "Can't we just all get along?".

Good for Microsoft that they're willing to do this kind of thing... shame on them for waiting until five years into the 21st century. While I don't hold much hope that Microsoft truly cares about security other than how it affects their public image and bottom line, maybe that kind of pressure will finally be enough to get them to clean up their mess, if only a little bit.

Re:well, it's a start, but a late one (2, Interesting)

tktk (540564) | more than 9 years ago | (#12837248)

Yeah...but did anyone actually test them? If I were a senior manager, I would have raised my hand too.

Too bad about the other two. I guess they don't have enough guile to be promoted any further.

Re:well, it's a start, but a late one (2, Insightful)

TripMaster Monkey (862126) | more than 9 years ago | (#12837259)

At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.

"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.


Anyone can say that they have knowledge of a particular issue...how many of these vice-presidents actually went on to demonstrate that knowledge? I'm guessing zero.

Re:well, it's a start, but a late one (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12837353)

fag

Waiting... waiting... (1)

zakkie (170306) | more than 9 years ago | (#12837193)

for for the the first first .com.com .com.com joke! joke! ;-) ;-)

Re:Waiting... waiting... (1)

codergeek42 (792304) | more than 9 years ago | (#12837225)

That that was was not not funny. funny. =P =P

Yuo... yuo... (0)

Anonymous Coward | more than 9 years ago | (#12837257)

fail fail it it.

"End of an era"? (3, Informative)

TripMaster Monkey (862126) | more than 9 years ago | (#12837194)


From TFA:


"The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."

Funny...the Fedora install on my laptop seems fairly customizable and fairly secure all at once...

Re:"End of an era"? (1)

Turd Rippleton (558149) | more than 9 years ago | (#12837273)


That's b/c not nearly as many hackers are targeting Fedora... or Apple for that matter. I have to admit though, Kaminsky's remark is a little dramatic.

Re:"End of an era"? (3, Interesting)

TripMaster Monkey (862126) | more than 9 years ago | (#12837324)


While what you say is certainly true, I'm not sure I buy that as a complete explanation.

Consider Apache vs. IIS...IIS is in the minority there, but which is more secure?

Re:"End of an era"? (1)

Turd Rippleton (558149) | more than 9 years ago | (#12837386)


Well said :)

Silence of the Lambs (3, Funny)

WillAffleckUW (858324) | more than 9 years ago | (#12837195)

would be more appropriate than Blue Hat conference.

Re:Silence of the Lambs (1)

DaveCar (189300) | more than 9 years ago | (#12837346)

Maybe Brown hat?

Or Ass-hat?

for Microsoft it is easier... (0)

ratta (760424) | more than 9 years ago | (#12837199)

to have bugs found by hackers rather than by its own employees (that have access to the source code).

Re:for Microsoft it is easier... (4, Insightful)

Humorously_Inept (777630) | more than 9 years ago | (#12837269)

Is that so entirely unusual? Would you trust yourself to edit a manuscript that you wrote? When you review your own work, you naturally see your intentions instead of your results. That can be true at a personal, team or corporate level so it's not necessarily just a matter of easier.

Re:for Microsoft it is easier... (1)

ratta (760424) | more than 9 years ago | (#12837322)

I find it quite sad that someone who can access the source code is looking for the help of someone who cannot access it... Sorry, but your comparison with a manuscript doesn't really make sense (in this context).

Re:for Microsoft it is easier... (1)

zerokey93 (192643) | more than 9 years ago | (#12837378)

I would trust myself, but chances are, any other human that reads it just wouldn't get it. I would also trust someone close to me, but I think the results would be similar. You need an alien set of eyes. Which is why on a project as immense as Windows, code reviews and QA should probably be done by groups outside of that specific area of development.

I'm not a MS employee, so I'm not aware of exactly how they do things, but this makes sense. It has worked for several companies I've worked for.

Hushed silence, huh? (1)

Red Dane (771396) | more than 9 years ago | (#12837205)

I bet most of the engineers were thinking.. oh cripes.. what if we discover ANOTHER FLAW?

I raise a beer to all salaried software developers who put in long crunchtime hours.

|-|4rd c0r3!!! (0)

Anonymous Coward | more than 9 years ago | (#12837206)

Wow. Luring a laptop onto an insecure network. Those guys are fucking 31337 man. I ph34r them!!!!


Is it just me, or is this just the usual load of slashdot wank?

2002 WTF? O.o (1)

Spy der Mann (805235) | more than 9 years ago | (#12837211)

From TFA: That shift began in earnest with a well-publicized memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became imperative after several high-profile attacks exposed the degree of its vulnerabilities.

Sheesh! It's 2005 and there are still unpatched vulnerabilities. Damn hackers, they're always faster than us! (/sarcasm)

Re:2002 WTF? O.o or Why I Love SR-520 (3, Funny)

WillAffleckUW (858324) | more than 9 years ago | (#12837326)

Sheesh! It's 2005 and there are still unpatched vulnerabilities. Damn hackers, they're always faster than us! (/sarcasm)

Heck, they just released a bug fix for an IE bug that was already fixed, put back in by mistake (since it was still in IE), and refixed in Firefox ... today.

Wow, it's like watching paint dry.

Luckily for them hackers just go away on vacation in the intervening years between bug fixes ... right?

Wait for it, Wait for it... (3, Funny)

kryogen1x (838672) | more than 9 years ago | (#12837213)

How many Red Hat jokes are going to be made now?

Technical Competence (3, Insightful)

ronark (803478) | more than 9 years ago | (#12837222)

At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.
"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.

So what? Maybe they read some document informing them of what a heap overflow is. It's more important that these managers understand what goes into the code and the technical details that make the system operate, not what an "obscure" problem like a heap overflow is. Microsoft's managers can only claim technical know-how if they have experience working as developers, because otherwise it's simply too hard to understand the real issues that the engineers have to face.
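Both yagu's post above and this one quote the article's "heap overflow" line without saying what one is. The following is an added example and is not code from the article, from Microsoft, or from anyone in this thread: a hypothetical heap-allocated `struct user` whose 16-byte `name[]` sits directly in front of an `is_admin` flag, a constructed 20-byte input, an unchecked `memcpy` that spills the last four bytes into the flag, and the bounds-checked setter that refuses the same input. The struct layout, the field names and the payload are assumptions for illustration; on a real heap the spilled bytes would land in the neighbouring chunk's data or in the allocator's metadata rather than in a field of the same object, which is what makes the bug exploitable beyond a single flag flip.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical heap-allocated record (assumed layout, for illustration):
 * a fixed-size name buffer followed immediately by a privilege flag. */
struct user {
    char name[16];
    int  is_admin;
};

/* Constructed attack input: 20 bytes of 'A', four more than name[] holds. */
#define PAYLOAD_LEN 20

/* Vulnerable: copies len attacker-controlled bytes into name[] with no
 * check against sizeof(name). Excess bytes land in whatever follows in
 * memory: here is_admin, on a real heap the next chunk or its metadata.
 * The unsigned char view of the object keeps the spill well-defined so
 * the demonstration is deterministic. */
void set_name_unchecked(struct user *u, const unsigned char *src, size_t len)
{
    memcpy((unsigned char *)u + offsetof(struct user, name), src, len);
}

/* Hardened: refuses anything that does not fit with its terminator.
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_checked(struct user *u, const unsigned char *src, size_t len)
{
    if (len >= sizeof u->name)
        return -1;
    memcpy(u->name, src, len);
    u->name[len] = '\0';
    return 0;
}

/* Applies one setter to a fresh, zeroed record using the oversized payload.
 * Returns the resulting is_admin; *rc receives the setter's return value.
 * -2 signals an allocation or layout problem, not a test result. */
static int run_payload(int checked, int *rc)
{
    unsigned char payload[PAYLOAD_LEN];
    struct user *u = calloc(1, sizeof *u);
    int flag;

    if (!u || sizeof payload > sizeof *u) {   /* payload must stay inside the object */
        free(u);
        return -2;
    }
    memset(payload, 'A', sizeof payload);      /* constructed attack input */
    if (checked) {
        *rc = set_name_checked(u, payload, sizeof payload);
    } else {
        set_name_unchecked(u, payload, sizeof payload);
        *rc = 0;
    }
    flag = u->is_admin;
    free(u);
    return flag;
}

/* is_admin after the unchecked copy: 0x41414141, the overflow reached the flag. */
int admin_after_unchecked(void) { int rc; return run_payload(0, &rc); }

/* is_admin after the checked setter rejects the payload: stays 0. */
int admin_after_checked(void)   { int rc; return run_payload(1, &rc); }

/* Verdict of the checked setter on the payload: -1, input refused. */
int checked_verdict(void)       { int rc; run_payload(1, &rc); return rc; }

/* The hardened setter must still accept a legitimate short name. */
int checked_accepts_short_name(void)
{
    struct user *u = calloc(1, sizeof *u);
    int ok;

    if (!u)
        return 0;
    ok = set_name_checked(u, (const unsigned char *)"alice", 5) == 0
         && strcmp(u->name, "alice") == 0
         && u->is_admin == 0;
    free(u);
    return ok;
}

int main(void)
{
    printf("unchecked copy: is_admin = 0x%x\n", (unsigned)admin_after_unchecked());
    printf("checked copy:   rc = %d, is_admin = %d\n",
           checked_verdict(), admin_after_checked());
    printf("checked copy of \"alice\" accepted: %s\n",
           checked_accepts_short_name() ? "yes" : "no");
    return 0;
}
```

Build with any C compiler and run; the first line shows the flag overwritten with the 'A' bytes, the second shows the hardened setter returning -1 and leaving the flag at 0. The length check is the whole fix: the caller's data length is compared against the destination's capacity before any byte is written, which is the check missing from every heap overflow of this shape regardless of what happens to sit after the buffer.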

Re:Technical Competence (1)

Neil Blender (555885) | more than 9 years ago | (#12837271)

Didn't you read the whole article?

When pressed for more details on the subject, one vice president answered, "That's when your....heap.....overflows? Right?"

Re:Technical Competence (1)

ronark (803478) | more than 9 years ago | (#12837294)

Damn. I must have missed that part. Did the article describe him as being pointy haired?

Colors explication: (3, Funny)

ratta (760424) | more than 9 years ago | (#12837226)

White hats do white magic

Black hats do black magic

Blue hats do blue screens of death

Ha HA (0, Offtopic)

cerebralpc (705727) | more than 9 years ago | (#12837230)

In my best Nelson voice

Blue?!? (0)

Anonymous Coward | more than 9 years ago | (#12837233)

Blue is the color you get when you're depressed. If I had to work there as a security programmer, I would be blue too... knowing that the next scriptkiddie would cost me my job..

Also remember, it's not Blue Screen O Death, it's Blue Screen Of Job Security for people who have to support it :)

Some things to note (2, Insightful)

UnknowingFool (672806) | more than 9 years ago | (#12837234)

Programmers actually thought that their code could not be exploited. I don't know if this is collective arrogance or part of the MS culture, but it seems most of the world outside of MS knows how easily code in general can be exploited. With as many security problems as MS has had and Bill Gates' many public proclamations about security, you would think that they would know there may still be issues in their code.

"visibly angry" (2, Insightful)

bani (467531) | more than 9 years ago | (#12837238)

Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident.

To me, this is very telling about those engineers' beliefs and attitudes about their own code. It also speaks volumes about their skill (and their personal belief about their own skill levels).

Real engineers fix problems, they don't get emotional.

Re:"visibly angry" (1)

CaptainCarrot (84625) | more than 9 years ago | (#12837253)

Especially as this should have come as no surprise. That Windows is insecure isn't exactly secret, esoteric knowledge.

Re:"visibly angry" (0)

Anonymous Coward | more than 9 years ago | (#12837274)

You don't think you can become emotionally attached to code you spend a lot of time on?

Re:"visibly angry" (1)

TripMaster Monkey (862126) | more than 9 years ago | (#12837282)

Real engineers fix problems, they don't get emotional.

Spot on. A real engineer would have welcomed the learning opportunity, not wasted time getting all moody.

Re:"visibly angry" (5, Insightful)

gordgekko (574109) | more than 9 years ago | (#12837291)

That's right, real engineers aren't human beings who would be upset to have their work publicly shown to be lacking. They're supremely efficient human beings who engineered their own feelings out.

Real engineers are human beings and it's quite acceptable for someone to get mad before they tackle a problem they helped create.

Re:"visibly angry" (1)

Chris Kamel (813292) | more than 9 years ago | (#12837342)

You're not an engineer obviously. To be the best at whatever it is that you do, you have to take it personally. People who work with concepts like "I just do what I'm paid to do" are rarely ever the best. A software engineer's code is his little baby; to see it being broken/hacked into or whatever is like seeing someone harming their baby. And worst of all, it's happening because they didn't "secure" their baby enough. Actually one of the common techniques for interviewing software engineers is to ask them to talk about _the_ project they're most proud of; if the interviewee didn't get personal they're usually deemed not passionate enough about their job and it could be a deal breaker for hiring the candidate.

Re:"visibly angry" (1)

Chris Kamel (813292) | more than 9 years ago | (#12837359)

sorry, forgot to close the tag after the first "have to" :s

Re:"visibly angry" (0)

Anonymous Coward | more than 9 years ago | (#12837376)

Imagine you wrote 10,000 lines of code, 99.9% of which is completely bug-free, and then somebody comes along and finds the 10 lines that you wrote at 11pm on a Friday. Suddenly he's the genius for spotting one overflow out of the hundreds of places where you correctly compensated and you're a moron who can't code.

Get it now?

Re:"visibly angry" (0)

Anonymous Coward | more than 9 years ago | (#12837398)

I would be more concerned if they weren't emotional. If you are not emotionally involved in what you are doing, why are you doing it? You are likely to do a half-assed job because you don't care one way or the other, as long as you get your money.

I think most people would consider Linus a "real engineer" and he gets quite emotional over his pet project.

Microsoft Security (4, Insightful)

jfonseca (203760) | more than 9 years ago | (#12837241)

Microsoft has managed to link itself with bad code to a degree that, recently, I spent over 40 minutes convincing a programming team that Code Complete was actually a good book and did not reflect the bad quality of Microsoft software.

Kind of old... (2, Interesting)

Dunbal (464142) | more than 9 years ago | (#12837247)

From TFA...

The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target...

We're in what, mid June now? Slashdot: "olds" and recycled duplicate articles for nerds, I guess...

Still it's nice to know that Microsoft at least acknowledges that there is a problem they aren't addressing properly.

Re:Kind of old... (2, Interesting)

colton cummings (887877) | more than 9 years ago | (#12837388)

By Ina Fried Staff Writer, CNET News.com June 15, 2005 4:00AM PDT

Car Jokes? (2, Funny)

LiquidCoooled (634315) | more than 9 years ago | (#12837256)

fta: Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
"I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"


I wonder if Bill actually laughed the first time he read the microsoft car joke?

No introduction needed. (1)

Blue Eagle 26 (683113) | more than 9 years ago | (#12837264)

I believe that these two have already met.

You mean to tell me... (2, Interesting)

doswarrior (889064) | more than 9 years ago | (#12837266)

"We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."

So you mean to tell me, that Microsoft employs *no* hackers of any hat or has ever known one? They make it seem like it was the first Thanksgiving all over again. Puh-leaase.

Today's lesson is: Hire hackers if you want to build a secure OS.

Can We Get Firefox Developers To Do This, Too? (5, Insightful)

kmactane (18359) | more than 9 years ago | (#12837280)

I remember when Windows 95 came out, with its weak, obviously-an-afterthought "web browser" (IE 3.0). It was painfully obvious that Microsoft had missed the Internet boat, and shortly thereafter, Bill Gates sent his historic all-hands memo pointing the company in the direction of the Internet.

It took them some time to get it right, but eventually IE took over. Now, you'd have a hard time finding a Microsoft product more complex than Minesweeper or calc.exe that doesn't connect to the Net somehow. And let's not forget that Netscape provided Microsoft with some much-appreciated help in taking over the Web, by screwing up their own release schedule so badly that there never was a Netscape 5.0.

Flash-forward to a couple of years ago, when Bill sent out yet another all-hands memo, pointing the company in the direction of security. At first, we all laughed. But now it's becoming more and more obvious that they're taking security every bit as seriously as they once took the Internet. They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.

Make no mistake, this kind of event is exactly what a company that wants to get secure should be doing. Thomlinson's comments about how seeing their code exploited "hits people in the gut", and the fact that "he was glad to see the crowd of engineers taking things personally" -- these things are right on the money. These things say to me that, within a few years, we're going to see some really damn secure stuff coming out of Microsoft.

In the meantime, Firefox exploits are cropping up at a seemingly greater pace. This worries me. It looks like a repeat of 1997, when Netscape lost huge amounts of ground to IE by producing a product that wasn't as good as the competition. SP2 was a huge leap forward in security for Windows and for IE, and Blue Hat makes it obvious that Microsoft is just going to get better at it. In the meantime, Firefox appears to be standing still on the security front, or maybe even losing a little ground. Sure, it's still miles ahead of IE's security, but if IE keeps up the pace, it will overtake Firefox sooner or later -- probably sooner.

Is there any way the Firefox development team (and the OO.o team, and anyone else who's working on high-profile F/OSS projects) can take a lesson from Blue hat? Can we get together events like this of our own?

If we don't, I can already see that by 2009 or so, at the latest, I'll be telling clients to go with Microsoft products, because they're more secure than F/OSS. And I don't want to see that happen.

Re:Can We Get Firefox Developers To Do This, Too? (5, Funny)

Mingco (883841) | more than 9 years ago | (#12837368)

They are aiming to be the top of the heap in security, and they've got drive, ambition and aggression.
Ironically, once they reach the top of the heap in security, they'll discover that it has been overwritten by overflowing buffers.

Don't be deceived, it's part of the plan (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12837288)

First they show that (shock!) Windows is insecure, and then after much "deliberation" they will throw their hands up in the air, declare "computers" and "The Internet" to be insecure, and use that as a ploy to get Trusted Computing made mandatory by government.

I firmly believe they allow the virus and spyware problem to happen for this very reason.

Getting through to engineers is hard (5, Interesting)

kt0157 (830611) | more than 9 years ago | (#12837301)

In my previous company I tried to communicate with engineers. I was an engineer, but it's still damned hard. Programmers just don't "get it" without hard work. In the end, this kind of smack-in-the-face-by-the-real-world approach is what is needed.

I reckon it's because so many programmers have at least a touch of Asperger's. The number of times I'd try to explain that customers behave like monkeys, focusing on the wrong things, buying products for the wrong reasons. But these reasons aren't "wrong" if it means the difference between selling a product and not selling a product. That yes, it's "wrong" to buy a product because we've used Times Roman screenfonts but the competitor used Tahoma, but just change the goddamn font, OK?

Reminds me of the story about 1-Click from Amazon. After patiently explaining what he wanted, the developers all nodded and said, yes, they can do 1-click. A few weeks later the prototype is ready and Bezos tries it out. He clicks on a book. And up pops a dialog box that says "Are you sure?"

Read about this in Cooper's book "The Inmates Are Running The Asylum."

K.

Invite outsiders or hire insiders? (2, Interesting)

dozek (525516) | more than 9 years ago | (#12837303)

I find it is interesting that a company with record cash in hand and well documented employee benefits would not have their own 'blue hat team' on staff. I mean, why invite outsiders in to reveal the exploits? Surely MS can afford an elite team of their own...especially when 1/3 of the R&D budget is going to security matters.

Re:Invite outsiders or hire insiders? (1)

geekoid (135745) | more than 9 years ago | (#12837335)

They probably do, but outside security people are paid to find issues and are usually outside the politics.

lured? (0)

Anonymous Coward | more than 9 years ago | (#12837311)

HOW did they 'lure'?
popping bug?
spinner?
midge?
golden antenna?
it's a radio for crying out loud.

"Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of hashing algorithms, as well as the potential for sending large files via the Internet's Domain Name System. He is currently doing work for Avaya."

what's this DNS large files business?
Been tunneling port 53 for ages. Because port 53 is open prior to subscribing with many cable companies, it'll get you a link for free.

Give Microsoft Its Due (5, Interesting)

MrNonchalant (767683) | more than 9 years ago | (#12837331)

I'm banking that I'm the first one to say this, and that there are at least a few reasonable moderators out there.

This represents a step in the right direction for Microsoft. Perhaps as a community we need to face the possibility that they may be changing. I read the entire article, and it seemed as if Microsoft genuinely wanted to change. I run Linux, and so do a lot of you, so it is understandable when a lot of you will deride Windows no matter what because it represents a competitor. I just don't buy into that philosophy, it doesn't hold much room for fair.

Giant Anti-Spyware, IE 7, and the anti-virus acquisitions are all good indications. Let us just hope, for the internet and personal computing's sake, that Microsoft doesn't blow it and charge for them. Either that, or blows it so hard their customers (corporate and power user home) all look for more stable operating systems (hint: all other consumer desktops of any note run a Unix derivative of one sort or another).

Old problem, not Microsoft specific (2, Insightful)

sublimespot (265560) | more than 9 years ago | (#12837332)

That technique is

a) old news
b) not Microsoft specific.

Linux and OSX can also be tricked into connecting to a rogue access point.

Whichever access point is most powerful, or higher priority will be connected to.

The only shocking thing about the article is that the engineers haven't seen/heard/tried this before.

It was just silent... (5, Funny)

kmortelite (870152) | more than 9 years ago | (#12837333)

"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

And then some guy in the back stands up and starts yelling "Developers! Developers! Developers..."

Re:It was just silent... (1)

sublimespot (265560) | more than 9 years ago | (#12837361)

You gave me a total visual of that. Sweat dripping down his armpits. hahah

Blue hat of death (0)

Anonymous Coward | more than 9 years ago | (#12837357)

Makes me think of that scene in The Killing Fields when you would confess your sins to the uncle they would put that colored plastic bag over your head and dump you the second they were through with you. Those that help the enemy secure their product are traitors and should be the first against the wall when the inevitable Linux desktop revolution occurs. We should think now, long and hard as to what technology we will be using to maintain our traitor's list or MS might just get the jump on us. It will be ironic if we are forced to use a feature-rich MS product to maintain our MS traitors list.

Behold, the problem (2, Insightful)

CaptainCarrot (84625) | more than 9 years ago | (#12837363)

Or at least part of it anyway. From the article:

The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.

"Don't necessarily focus on security features"? If this is just the reporter making up his own description it's not so bad. But if he's just echoing what he was told by Microsoft or whoever his source was, then they're looking at this backward and probably have been for a long time.

Anyone who touches that code for any reason at all has to keep security in mind every time he does it. It doesn't matter if he's responsible for authentication or whatever else they're including under the rubric of "security features". Any bit of code is a potential vulnerability. It only takes one buffer overflow, one set of bounds that's not checked, one line of code that doesn't validate the terminator on an input text string, to create one. And then it's a security problem for everybody. If making non "security feature" programmers aware of these issues is a new thing at MS, they've been doing this all wrong for years. (As many have suspected, but seeing it possibly confirmed is still a bit of a shock.)
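The comment above lists the three classic one-line mistakes: an unchecked bound, a missing terminator check, and an overflow. As an added illustration that is not from the article or from Microsoft's code, here is a constructed C snippet showing the unchecked copy beside a hardened version that validates both the terminator and the length before writing. The `struct record` layout, function names and sample inputs are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size name followed by a flag that an
 * overflow of name[] would clobber. Purely illustrative. */
struct record {
    char name[16];
    int  is_admin;
};

/* Vulnerable form: trusts that src is NUL-terminated and short. Nothing
 * bounds i, so an over-long or unterminated input writes past name[]
 * into is_admin and beyond. Kept only for side-by-side comparison. */
void copy_name_unchecked(struct record *r, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        r->name[i] = src[i];
        i++;
    }
    r->name[i] = '\0';
}

/* Hardened form: the caller states how many bytes src really holds
 * (src_len). The copy proceeds only if a terminator exists inside that
 * window AND the string fits in name[] with room for its own NUL.
 * Returns 0 on success, -1 on rejection; a rejected input leaves the
 * record untouched. */
int copy_name_checked(struct record *r, const char *src, size_t src_len)
{
    const char *nul = memchr(src, '\0', src_len);   /* terminator inside the window? */
    if (nul == NULL)
        return -1;                                  /* unterminated: reject */
    size_t len = (size_t)(nul - src);
    if (len >= sizeof r->name)
        return -1;                                  /* would not fit with its NUL */
    memcpy(r->name, src, len + 1);                  /* copies the terminator too */
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };

    /* Constructed inputs: a short name, a 16-char name (one too many),
     * and a window with no terminator in it. */
    printf("short name:   %d\n", copy_name_checked(&r, "alice", 6));
    printf("16 chars:     %d\n", copy_name_checked(&r, "0123456789abcdef", 17));
    printf("no NUL:       %d\n", copy_name_checked(&r, "abcdef", 3));
    printf("is_admin=%d name=%s\n", r.is_admin, r.name);
    return 0;
}
```

The point of passing `src_len` explicitly is that the function never has to trust the input to carry its own terminator: the 16-character case and the unterminated window are both refused before a single byte is written, which is exactly the check the unchecked loop lacks.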

a little niggle (3, Informative)

JamesD_UK (721413) | more than 9 years ago | (#12837364)

Can people write, or the editors make sure, that article summaries are just that, not cut-and-pasted paragraphs from the article? The posting makes it look like Mz6 wrote those paragraphs, which is only true if she's Ina Fried.

An extremely dangerous stunt (3, Insightful)

G4from128k (686170) | more than 9 years ago | (#12837390)

Unless Microsoft uses NO wireless on its campus or unless the walls were RF shielded, this was a very dangerous stunt. If a hacker can gain access to a Windows machine via wireless (and they can according to this account), then they would be able to (and might have) accessed wireless networks outside the meeting room but inside the corporate firewall. Range is no protection as it would be not hard to build a high-gain antenna into the lid of a hacker's laptop and orient it to pick up WiFi elsewhere on the Microsoft campus. If a hacker can gain access to an inside machine, they could plant a backdoor for later exploits including attacks on the company's codebase.

I'm not a shareholder or a user of their products (except to the extent that the vast majority of the companies I do business with use Microsoft) but I find this an extremely irresponsible act on the company's part. If they want to try this sort of security testing, and they should, it should be done off-site or in a shielded room.