Version: 2008

(continued from previous page)

News.com special report:

Securing Microsoft: A long road

Tell us what you think about this storyTalkBack    E-mail this story to a friendE-mail    Add to your del.icio.usdel.icio.us    Digg this storyDigg this

(continued from previous page)

A better understanding helped fuel mutual respect, but Cushman was quick to warn executives and others at the company that there would be disagreements over the best way to protect customers. It's up to Microsoft, he said, to prove through actions that its approach worked.

Two years after its Black Hat party, Microsoft brought some of that crowd inside for the first Blue Hat, an event that plays off the Black Hat show and the blue badges worn by Microsoft employees.

Not everyone at the software maker was so enthusiastic about the idea, including Jim Allchin, head of Windows development at the time.

"When we started talking to the security community, he was not very happy about it," Stathakopoulos said. But Allchin warmed to the idea. "As a matter of fact, he was the first person sitting in the executive session," Stathakopoulos said.

"They sometimes tell me when I've caused them ludicrous quantities of work. There's not really an ongoing dialogue. I'm more focused on building the tools than doing unpaid quality assurance for Microsoft."
--Halvar Flake, CEO, Zynamics

Allchin ultimately became one of Blue Hat's biggest proponents, citing the event's value in goodwill and developer education.

The latter piece is extremely important. Microsoft has a large security team--and smaller teams of people focused on security within its various product units. However, it relies heavily on the developer ranks to use secure processes when writing the millions of lines of code that go into flagship products like Windows and Office, as well as things like the Xbox and Windows Mobile.

Blue Hat has also led to closer relationships with some of the hackers. Kaminsky, who attended the first Blue Hat, now does extensive work with the company. A well-respected outsider, Kaminsky has quite a bit of sway with Microsoft's programming ranks.

Microsoft's success with Blue Hat has not gone unnoticed. Earlier this year, eBay launched its own "Red Team eBay" security conference, with plans for another next year.

Redmond's security outreach goes beyond Blue Hat, though. For one thing, Microsoft has hired a huge chunk of the security research community at one time or another. In particular, for Windows Vista, it sewed up much of the world's penetration testing expertise to find security holes in the operating system as it was under development.

"Microsoft has invested more money in securing Vista than anybody has ever invested into securing any piece of software before," said Halvar Flake, who authored a tool that analyzes what parts of code a patch has changed. He is chief executive of security firm Zynamics, formerly known as Sabre Security.

Flake estimates that Microsoft has spent $1 billion on its security push during the past few years. "One of the reasons Microsoft could afford doing this is because they are a monopoly. No company that is exposed to real market forces could afford spending $1 billion on securing software products," he said.

Stathakopoulos declined to confirm how much Microsoft spent hiring outsiders to do penetration testing but said whatever it amounted to was "well worth it."

"You get some pretty amazing perspectives," he said, noting Microsoft will likely do the same thing with the next version of Windows.

Imposing some limits
There are limits to Microsoft's connection to the hacker world. Microsoft's relationships are largely with the finders--the people that discover security bug--not with those who take the exploits and use them for malicious purposes. Microsoft relies on law enforcement to deal with the latter group.

There are also limits imposed by the other side. Not everyone who comes to speak at Blue Hat wants to get all snuggly with the company. Flake has spoken twice at Blue Hat, including the most recent one, but talks only infrequently with folks in Redmond.

"They sometimes tell me when I've caused them ludicrous quantities of work," Flake said. "There's not really an ongoing dialogue. I'm more focused on building the tools than doing unpaid quality assurance for Microsoft."

Still, whether it was influenced by Microsoft or not, Flake did shift his attention somewhat, using a variant of his tool to help analyze and classify malicious software, the topic he presented at Blue Hat this year. "It's hopefully a bigger market than the malicious market, which is quite small unfortunately," he said.

Although Microsoft has made significant inroads in the security community, it has also ruffled feathers at times, in particular with its entry into the security software market. That put Microsoft in competition with companies like Symantec and McAfee. In that arena, the company struggled to create all of the human connections it needed to be successful. When it launched its OneCare product last year, it didn't have the relationships it needed with other antivirus software makers to get their virus definitions. As a result, the company scored poorly on some tests.

"I know all the major vendors have tools they develop. They could share some of these with each other, making the Internet more secure for everyone. That's something I'd really like to see from Microsoft."
--Window Snyder, Mozilla

"If you don't get Kaspersky's collection, and that collection is in the test, and you're not having any detection for it, the numbers aren't going to be there," said Vinny Gullotto, a longtime McAfee executive who joined Microsoft last year as part of its effort to deepen ties to the antivirus community.

And, when it comes to giving back to the security community, some say Microsoft should do more.

One of those people is former Microsoft employee Window Snyder, who points to the work done by her current employer, Mozilla. Mozilla announced a program at this year's Black Hat to share some of its tools, starting with a JavaScript fuzzer. The company gave browser makers a heads up, and once they were OK with it, Mozilla released the tool publicly. Within days of having access to the tool, Opera found several bugs. The browser maker eventually contributed code back to the effort.

"I know all the major vendors have tools they develop," Snyder said. "They could share some of these with each other, making the Internet more secure for everyone. That's something I'd really like to see from Microsoft."

Stathakopoulos counters that, in many cases, Microsoft can be more successful by building its know-how into programs like its Visual Studio development tools, where they can be part of the overall software design process.

"I don't think people will adopt them if we start giving one-off tools," he said. "What you end up doing is you give a lot more opportunity to the evildoers. The minute you bunch them up and you build them into the process...then you will see a lot bigger adoption."

But all in all, Microsoft gets fairly high marks for its social skills in the security community. Dragos Ruiu, who organizes the CanSecWest security trade show, said Microsoft has gained much by developing relationships with the security community. Other companies should be taking note, he said. "I think they are going to reap the benefits for years."


Add a Comment (Log in or register) (5 Comments)
  • prev
  • 1
  • next
Warm and fuzzy...
by Kings X Rocks! December 4, 2007 4:37 AM PST
Microsoft cares. They just have too many deadlines to meet to get products/updates out the door...and probably too many coders to be able to manage competently. Never a dull moment (except when vista locks up doing a large copy from a server!!)
Reply to this comment
Windows security
by MShipley December 4, 2007 1:56 PM PST
The thing is that Microsoft would have to scrap every bit of code
in their crummy OS and start over from scratch to build anything
that is even anywhere as close to secure as Mac OS X.

Either that or continue to patch, spit and smooth things over to
make a bigger mess than they have now.
Reply to this comment
"Researchers?"
by whmurray December 5, 2007 8:17 AM PST
Hardly. These are "vulnerability pimps."

When one lies down with dogs, one gets up with fleas. I first noted this in the context of rogue hackers about twenty years ago. The intervening history has confirmed me in my belief. Perhaps Microsoft can afford the risk but I would not invite them into my house, nor enter one where they were known to congregate. Working in this space is dangerous enough without associating with those who flunked playground.

Rogue hackers are sociopaths. Expecting them to function constructively within society is to expect magic. They are loners and do not function well in organizations. How good is Microsoft at herding cats?

Hacking is addictive and recidivism is high. The hacker is trying to repeat the rush he got from his first hit. As with other addicitions, tolerance grows and it requires bigger and bigger hits to even approach that first thrill.
Reply to this comment
(5 Comments)
  • prev
  • 1
  • next
Previous page
Page 1 | 2
advertisement
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET