Meet Microsoft's bug hunters

REDMOND, Wash.--George Stathakopoulos is not one to mince words--or pause between them.

Whether extolling the virtues of Nikon cameras, explaining why Greek olive oil is the best in the world, or talking security, Stathakopoulos has plenty to say and is in quite a hurry to say it all.

A couple of years back, the Microsoft general manager was slated to give a security chat in Japan to a group of engineers, developers, and partners.

As he was rehearsing his speech, one of his Japanese colleagues implored him to slow down. "You speak so fast," Stathakopoulos was told. "Our translators can't keep up."

Worried that he would forget the warning, his colleagues put a device under the podium that was programmed to flash "slow down" if he started talking too fast.

Halfway through his mile-a-minute speech, Stathakopoulos noticed this constant blinking. It was the signal to slow down. He slowed a bit, he recalls, but not much.

It is that same passion and energy that his colleagues say make him such an effective leader. He can easily command the respect of both those who work for him as well as those above him. One of his team members, Andrew Cushman, said Stathakopoulos is the kind of guy you would follow off a cliff.

Bug hunters like Stathakopoulos and Cushman have helped shape security practices at Microsoft over the past 10 years. Part 1 of a CNET News.com special report, which launched Monday, takes a look at how much of today's practices can be traced to painful lessons Microsoft learned firsthand. Part 2 of the report, which ran Tuesday, examines the role of the human element in helping to squash bugs. The final story, which makes its debut Wednesday, looks at the changing nature of threats.

A middle child who is more the peacemaker by nature, Cushman is not above trying to get his colleagues' attention. At a 1998 security "bug fest" for the IIS Web server team, Cushman showed up in a bug costume to highlight the importance of security.

"I wore the bug suit as a way to entice team members to show up," Cushman said. "I was demonstrating that the meeting was important enough that I would debase myself--the development, test, and PM teams should commit the time to attend."

The passion of each of the members on the security team is clear. But that doesn't mean they all want to be bug hunters forever.

Matt Thomlinson says he would love the day where Microsoft doesn't need a director of security engineering--his current role. He'd go off to the Xbox team and create computer games. But he doesn't expect his dream to become reality anytime soon. "Not this year anyway," he said.

One of Microsoft's best-known bug hunters hasn't yet turned 30 and is not even a full-time employee. Dan Kaminsky is an outside researcher who attended the first Blue Hat and has been spending a lot of time at Microsoft as a consultant. Kaminsky, who is director of penetration testing for IOActive, said he isn't working exclusively for Microsoft, but has been spending a lot of time inside Redmond.

"They let me break things," Kaminsky said. "It's fun."

In fact, Cushman said, the phrase "Dan Kaminsky said we should do it this way" has become a familiar refrain from Microsoft product managers. "That is an argument that carries a fair amount of weight," Cushman said.

Kaminsky grins upon hearing this. "That's kind of cool."