Get Smart about Business Spending(continued from previous page)
"Blue Hat" brought together the world's most powerful software company and the security researchers who pick apart its products. Participants included:
Jim Allchin: Jim Allchin is Microsoft's group vice president in charge of the Windows
unit. His job is to oversee the development of current and future versions of the operating system.
Matt Thomlinson: As Microsoft's director of security engineering, Matt Thomlinson is in
charge of making sure programmers throughout the company are up to speed on current and emerging threats.
Noel Anderson: Noel Anderson is Microsoft's program manager for wireless, mobility and
home networking. He's one of the Windows programmers responsible for
managing the ways in which the operating system connects to wireless
networks.
Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of
hashing algorithms, as well as the potential for sending large files via
the Internet's Domain Name System. He is currently doing work for Avaya.
HD Moore: HD Moore is the creator of Metasploit, a tool that system administrators can use to test whether their systems are safe from intrusion.
Over the years, security has become an increasingly bigger concern for Microsoft. Some key events:
March 1999: The Melissa virus infects hundreds of thousands of computers, drawing attention to a new class of threat, the mass-mailer e-mail worm.
October 2000: Microsoft's corporate network is hacked.
January 2002: Microsoft Chairman Bill Gates sends his "We must do better" memo, launching the company's "trustworthy computing" initiative.
August 2003: The MSBlast worm hits, infecting 120,000 computers in less than 24 hours.
February 2004: The MyDoom bug knocks out the SCO Group's Web site but fails to take down its other target: Microsoft.
May 2004: A $5 million reward from Microsoft helps snag a teen suspected of authoring the Sasser worm. The suspect, Sven Jaschan, is now
Microsoft's blast from the past
Security tool more harmful than helpful?
Gates: 'Everything' impacted by security concerns
Decoding the lessons of Slammer
'Trustworthiness' still a goal for Microsoft
WinInsider
Security threats becoming broader, Microsoft says
SearchWindowsSecurity
Will Enterprises Care About Windows OneCare?
eWeek
Associate editor: Yvonne Guzman
Copy editors: Leslie Katz, Richard Defendorf
Design: Michelle White
Production: Michelle White, Mike Markovich
(continued from previous page)
adding that he doesn't plan to change his practice of giving companies 30 days before going public with issues. "I still have no desire to play e-mail tag with the (security response team) for a year for every bug that I find."
But Moore did gain a better understanding of why it takes Microsoft so long to create patches and said his impression of the people who create the products have changed. "I still may not agree with their security policies and how they handle bug reports, but at least I know they actually believe what they are saying," he said.
Director of security
engineering, Microsoft
Others agreed. "They are taking this subject seriously. It was really cool to see," said Kaminsky, a security researcher who does work for telecommunications company Avaya. "At some point, there was a shift at Microsoft."
That shift began in earnest with a well-publicized memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became imperative after several high-profile attacks exposed the degree of its vulnerabilities.
"The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."
It was this kind of impassioned rhetoric that won respect even among some of the more wary Microsoft participants.
Noel Anderson, a wireless networking engineer on Microsoft's Windows team, became suspicious as soon as he walked into the hacking demo--and saw the giant wireless antenna at the front of the auditorium.
Anderson decided that he should leave his laptop turned off, an instinct that saved him the embarrassment of falling into the hackers' trap, even though the hackers focused on a demo laptop. But under different circumstances, he thought to himself, "I might have even fallen for that."
As a result, Anderson and his team walked away with some concrete ideas on how to make sure future versions of Windows are more resilient to wireless attacks. He also left the room with a new respect for the hackers behind the demonstration.
"It's not just a bunch of disaffected teenagers sitting in their mom's basement," he said. "These are professionals that are thinking about these issues."
The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.
At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.
"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.
Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation.
Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated Metasploit--a tool that system administrators can use to test the reliability of their systems to intrusion. But Metasploit also includes a fair number of exploits, as well as tools that can be used to develop new types of attacks.
"You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.
"We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"
Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
"I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"
Security researcher
By the end of the two days, those on both sides felt they had just scratched the surface and were more than willing to meet again.
And executives such as Toulouse and Anderson said they came to a better understanding of what makes hackers tick.
"We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."
The next time a Blue Hat event is held, as promised by Microsoft, Kaminsky said he would jump at the chance to return--assuming Microsoft lets him back.
"I'll be there next time, no matter what," he said. "I have some really interesting and devious plans coming up." 
them where they've been going wrong..
i sure as hell feel safe, knowing monkeys are coding.
why did they have to regularly be given talks to produce safer code;
obviously not listening.
I'd like to introduce you to the world of IRC, Mr. Anderson. Please, step into the Internet's biggest cess pool -- where you will find the source of every single "hack", virus, worm, or scam.
I'd also like to inform you that Microsoft Security regularly monitors their gateways for any outbound traffic to ports 6660-6667. Hmmm, could I be simply talking smack, or is there an actual POINT to Microsoft's concern with IRC?
Good day, Mr. Anderson.
What are you guy's thinking.....a true hack never gives away the juciest of secrets. hmphf
First, the word 'hacker' is here just to draw readers, inspire fear and awe and to mislead.
Second, why are we supposed to be impressed if the guy in charge of Windows knows about MD5? OF COURSE, he's supposed to know about MD5- but Ina Reid seems to imply that we should be impressed because he does!
in order to lure them in...
Never been hacked or infected.
Do you thinnk giving away something called "economic security" and golden parachutes can buy loyalty?
Too big is too big!
Want real security? Stop paying salaries to security people.
Remember Bin Laden?
How about the Chinese, North Vietnamese, North Koreans, Iranians and Arabians.
Cultural differences engender secrecy
Sanskrit, Ancient Hebrew, and the unwritten languages using verbal analogies, implications, and time based iflections top mention few variables which change each time they are used?
coverage. Keep it up.
The idea behind ANY sort of 'hashing' is to be a 'one-way' encryption. For instance if you divide two numbers and toss the remainder or the quotient and keep the rest, you just lost data! You can't get back to the original input of the method. Keep applying this over and over and before long the output is so 'mangled' that it's unique.
Now, MD5 has been proven and tested to the point where it would take a hell of a lot longer than 3 minutes (the time it took to take over that laptop), to generate an identical MD5 for a file with identical filesizes as a legit file.
Microsoft's using MD5 as the 'scapegoat' to this step in their lack of security, goes to show you just how much they hate Open Source Software, the GNU.org GPL (General Public License), and how much they use FUD (Fear, Uncertainty, and Doubt) attacks to point the finger of blame onto others.
How Linux programmers around the world who don't all speak English and barely break the language barrier with translation tools like Altavista's BableFish engine, can beat a team of over paid all English speaking idiots who claim this and that.
I for one question the existance of all this Anti-Virus software for Windows... If you could simply fix the exploits at the root of the problem. Why doesn't Microsoft just do that then? If they cared so much about increasing their monopoly, make a better Operating System than Linux! Instead of buying out the parts of the Linux community that'll give in and partnering with hardware companies so they don't make software drivers in Linux. Only instead, they create a market out of EXPLOITS for companies like Panda/Macafee/Norton/and ofcourse MICROSOFT! Where the fixes are always 'RE-ACTIVE' not 'PRO-ACTIVE' like Linux. Where the system has to constantly scan everything for 'viral' activity. When the system could simply check for this stuff on the fly internally to prevent exploits from occurring.
Actions should speak louder than words people, and if that's the case here then, CLEARLY, Microsoft sucks! Wake up people!
I've never known webpages to use MD5 on the actual page content. Most client/servers use ETags, which are based off the INode (location of the hard drive), filesize, and last modified date/time in Unix Epoch relative timestamp form.
I think Microsoft just made the claim of MD5 being the cause because it's Free Software, and Linux/GNU/Free Software (Foundation) is their biggest competitor.
As close to PROOF as you can possibly come to this, the Halloween Documents (memoes from Microsoft to it's employees) http://opensource.org/halloween/
And the links spread out on this page http://microsuck.com/content/whatsbad.shtml
Are all excellent reads. You will learn just how Microsoft manages to make Linux and Free Software in general look 'evil' and 'costly', with lies that are believable, so that you 'obey' like a slave to their Fear-Uncertainty-Doubt (FUD) attacks. For when you compete with Microsoft, there is no level playing field!
They have been more prepared by virtue of security threats and outright attacks than they ever were from simply an honest technical need.
I still find that most every network is vulnerable. I know some people will say this publicly and follow it up with comments along the lines of a computer unplugged and submerged in concrete, etc.
I don't mean vulnerable in that sense...
I mean vulnerable in the sense that a "hacker/cracker/attacker/etc." is reading your e-mail and contemplating what to do with that list of passwords and credit card info deom some list on your computer.
This is only the first skin of the onion and when any company is faced by a thorugh determined mind that is resolved to attack it by any means necessary, then that company will simply be at the mercy of said assailant.
Now, this sounds like talk. And actually it is written words, but do not discount my words as "warning" for a warning they are not. A truth is a truth in that it can simply be proven "true" or "false".
With that said, I would remind everyone from Redmond to Washington to tighten your own borders and do so in a thorough scorched earth fashion.
I typically build a concentric network defense from a layered model with keypoints that observe other selected keypoints.
I suggest the same approach by taken but also with physical security, biometrics if available, policy and training.
These items should be mandatory, too often they are not because they conflict with corporate policy or they upset the executives in one manner or another.
Someone once told me "There are ways to protect a network, software, code, etc. ...".
To whom I replied, "They better be some good ones"
Think about it...
In defense, the networks of today are more secure than they have ever been.
However, are they as secure as they could be?
Let your consience be your guide...
In the end each company is as secure as someone reports it is...
Who reports to whom?
- Zealot yes, but not just for Linux.
- by November 24, 2005 4:04 PM PST
- I consider myself a Zealot for freedom and open source. So I'll support (BSD) Unix, Linux, and ReactOS. Because as long as we have idiots who support tyrants like Bill Gates, the human race will merely think it's free, while it lives under the guise of ignorance and slavery.
- Reply to this comment
-
(38 Comments)Perhaps the ultimate problem with Windows is they strive most of all to make it so easy any moron can use it to do simple things, (ex. play games/check email/etc.). For it's when you remove challenge from people's lives that they often become the most lazy! Whether it's mental or physical laziness, it still leads to dependency.