"Blue Hat" brought together the world's most powerful software company and the security researchers who pick apart its products. Participants included:
Jim Allchin: Jim Allchin is Microsoft's group vice president in charge of the Windows
unit. His job is to oversee the development of current and future versions of the operating system.
Matt Thomlinson: As Microsoft's director of security engineering, Matt Thomlinson is in
charge of making sure programmers throughout the company are up to speed on current and emerging threats.
Noel Anderson: Noel Anderson is Microsoft's program manager for wireless, mobility and
home networking. He's one of the Windows programmers responsible for
managing the ways in which the operating system connects to wireless
networks.
Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of
hashing algorithms, as well as the potential for sending large files via
the Internet's Domain Name System. He is currently doing work for Avaya.
HD Moore: HD Moore is the creator of Metasploit, a tool that system administrators can use to test whether their systems are safe from intrusion.
During a recent talk in Redmond, security researcher Dan Kaminsky wasn't sure how geeky to get. After all, he was talking to a bunch of executives on the first day of Blue Hat, not Microsoft's rank-and-file engineers.
So he kept his comments brief when it came to a flaw in something called MD5--a "hashing" algorithm, or a kind of fingerprint used to authenticate documents. He figured it was probably too esoteric for his audience. The rest of his presentation was focused on a different security topic.
But when it came time for questions, "this one guy with a shock of white hair looks straight at me and just says, 'MD5.'" Kaminsky, who said the comment seemed more like an order than a request for information, complied by demonstrating how two Web pages could have the same "hash," as the man listened and nodded knowingly.
A week later, Kaminsky learned that his interrogator was Jim Allchin--one of the highest-ranking executives at Microsoft and, as the person in charge of the Windows operating system, one of the leaders in the technology industry as a whole. Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company.
The brief encounter made a lasting impression on Kaminsky. "I was like, 'Who was that guy?'" he said.
--Ina Fried
Associate editor: Yvonne Guzman
Copy editors: Leslie Katz, Richard Defendorf
Design: Michelle White
Production: Michelle White, Mike Markovich
By Ina Fried
Staff Writer, CNET News.com
June 15, 2005 4:00AM PDT
REDMOND, Wash.--The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle.
Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
Wireless networking
engineer, Microsoft
The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed "Blue Hat"--a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate color.
The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company. Microsoft Chairman Bill Gates himself estimated earlier this year that the company now spends $2 billion a year--more than a third of its research budget--on security-related issues. Security has also become one of the main themes of the company's developer conferences, including last week's TechEd event, where Microsoft pitched security improvements in Windows to 11,000 attendees.
Blue Hat was significant for other, less tangible reasons as well. It provided a rare glimpse inside the netherworld of computer security, where the ethical lines are sometimes fuzzy in the technological arms race between network engineers and the hackers who challenge them. During the course of the event, each side witnessed for the first time the inner workings, culture and psychology of the other.
"I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us," said Dan Kaminsky, one of the outsiders who presented at the conference. Like others in the hacker group--many of whom are known as "security researchers" in their professions--he noted that the relationship ended up being the collaborative sort.
Still, in such a charged atmosphere, it didn't take long for emotions to show.
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.
Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut."
For two days, Microsoft staffers took these body blows repeatedly as they learned of various exploits. On day one, several dozen executives, including some of the company's most senior ones, were exposed to this simulated wrath in a makeshift boot camp. Among the participants were Jim Allchin, Microsoft's Windows chief, and Brian Valentine, head of core Windows operating system development. The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.
Security researcher
Allchin is not just any high-ranking software executive: In the technology industry, his name has become largely synonymous with the Windows operating system he oversees. A strong supporter of Blue Hat, Allchin wanted the Windows group not just to hear about security issues, but to see them as well.
"I'd already been through lots of days of personal training on the tools that are used to do this," Allchin said about the work of the hackers. "I personally wanted to really do a deep dive and really understand from their perspective."
It was a relatively safe way to get the experience. In a world where "white hats" are the security do-gooders and "black hats" are the hard-core villains, the hackers at Blue Hat were hardly representative of the dark side; if they had any pigment at all, it was no more than a tinge of gray.
This could well be a significant reason Microsoft held the event--to woo an influential group that has the choice of reporting security flaws discreetly or going public with them. The software maker routinely preaches the benefits of what it calls "responsible disclosure."
To the researchers, Microsoft's motivation was less important than the opportunity to meet in person with those who hold the keys to the kingdom and explain why they do the things they do.
"It is rare that I can present to the people who are both responsible for and capable of fixing the issues that I cover," security researcher HD Moore said,
Continued ...
them where they've been going wrong..
i sure as hell feel safe, knowing monkeys are coding.
why did they have to regularly be given talks to produce safer code;
obviously not listening.
It's like when you hide a present from your wife or kid thinking there is *no way* they will find it there and the next day they walk into your office holding the damn present you spent all that time hiding.
I'd like to introduce you to the world of IRC, Mr. Anderson. Please, step into the Internet's biggest cess pool -- where you will find the source of every single "hack", virus, worm, or scam.
I'd also like to inform you that Microsoft Security regularly monitors their gateways for any outbound traffic to ports 6660-6667. Hmmm, could I be simply talking smack, or is there an actual POINT to Microsoft's concern with IRC?
Good day, Mr. Anderson.
What are you guy's thinking.....a true hack never gives away the juciest of secrets. hmphf
Your true hacker is one that relies on excisting sploits, else he wouldnt care about juicy secrets, he'd make them himself.
First, the word 'hacker' is here just to draw readers, inspire fear and awe and to mislead.
Second, why are we supposed to be impressed if the guy in charge of Windows knows about MD5? OF COURSE, he's supposed to know about MD5- but Ina Reid seems to imply that we should be impressed because he does!
in order to lure them in...
Shame on MS for having the religion of security but not strong enough in their faith at the top levels to convert and fully inspire their employees to fight the battle against insecurity in such a way that they would need such a wake up call from hackers coming into their offices for them to see what is happening in the real world.
Never been hacked or infected.
Do you thinnk giving away something called "economic security" and golden parachutes can buy loyalty?
Too big is too big!
Want real security? Stop paying salaries to security people.
Remember Bin Laden?
How about the Chinese, North Vietnamese, North Koreans, Iranians and Arabians.
Cultural differences engender secrecy
Sanskrit, Ancient Hebrew, and the unwritten languages using verbal analogies, implications, and time based iflections top mention few variables which change each time they are used?
British MI5 and MI6 agents (British equivalent to CIA agents in the USA), have been caught shooting Iraqi Police, the men we're suppose to be training to secure the place when we pull the troops out in the distance future -never going to happen-.
<a class="jive-link-external" href="http://www.prisonplanet.com/articles/september2005/200905stagedterror.htm" target="_newWindow">http://www.prisonplanet.com/articles/september2005/200905stagedterror.htm</a>
<a class="jive-link-external" href="http://news.bbc.co.uk/1/hi/world/middle_east/4264614.stm" target="_newWindow">http://news.bbc.co.uk/1/hi/world/middle_east/4264614.stm</a>
Lets not forget an interesting part of why President Kennedy was probably shot - Operation Northwoods!!! ABC News <a class="jive-link-external" href="http://abcnews.go.com/US/story?id=92662&page=1" target="_newWindow">http://abcnews.go.com/US/story?id=92662&page=1</a> and Baltimore, Maryland did an article <a class="jive-link-external" href="http://web.archive.org/web/20030126125150/www.sunspot.net/templates/misc/printstory.jsp?slug=bal-te.md.nsa24apr24" target="_newWindow">http://web.archive.org/web/20030126125150/www.sunspot.net/templates/misc/printstory.jsp?slug=bal-te.md.nsa24apr24</a>
BBC article about a 'plane bomber' being a CIA agent <a class="jive-link-external" href="http://news.bbc.co.uk/1/hi/world/americas/4535661.stm" target="_newWindow">http://news.bbc.co.uk/1/hi/world/americas/4535661.stm</a>
The truth is stranger than fiction!!!
coverage. Keep it up.
The idea behind ANY sort of 'hashing' is to be a 'one-way' encryption. For instance if you divide two numbers and toss the remainder or the quotient and keep the rest, you just lost data! You can't get back to the original input of the method. Keep applying this over and over and before long the output is so 'mangled' that it's unique.
Now, MD5 has been proven and tested to the point where it would take a hell of a lot longer than 3 minutes (the time it took to take over that laptop), to generate an identical MD5 for a file with identical filesizes as a legit file.
Microsoft's using MD5 as the 'scapegoat' to this step in their lack of security, goes to show you just how much they hate Open Source Software, the GNU.org GPL (General Public License), and how much they use FUD (Fear, Uncertainty, and Doubt) attacks to point the finger of blame onto others.
How Linux programmers around the world who don't all speak English and barely break the language barrier with translation tools like Altavista's BableFish engine, can beat a team of over paid all English speaking idiots who claim this and that.
I for one question the existance of all this Anti-Virus software for Windows... If you could simply fix the exploits at the root of the problem. Why doesn't Microsoft just do that then? If they cared so much about increasing their monopoly, make a better Operating System than Linux! Instead of buying out the parts of the Linux community that'll give in and partnering with hardware companies so they don't make software drivers in Linux. Only instead, they create a market out of EXPLOITS for companies like Panda/Macafee/Norton/and ofcourse MICROSOFT! Where the fixes are always 'RE-ACTIVE' not 'PRO-ACTIVE' like Linux. Where the system has to constantly scan everything for 'viral' activity. When the system could simply check for this stuff on the fly internally to prevent exploits from occurring.
Actions should speak louder than words people, and if that's the case here then, CLEARLY, Microsoft sucks! Wake up people!
Finally someone has spoken out. See "Is Linux For Losers":
"It's terrible," Theo de Raadt says. "Everyone is using it, and they don't realize how bad it is. And the Linux people will just stick with it and add to it rather than stepping back and saying, 'This is garbage and we should fix it.'"
<a class="jive-link-external" href="http://www.forbes.com/technology/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html" target="_newWindow">http://www.forbes.com/technology/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html</a>
I've never known webpages to use MD5 on the actual page content. Most client/servers use ETags, which are based off the INode (location of the hard drive), filesize, and last modified date/time in Unix Epoch relative timestamp form.
I think Microsoft just made the claim of MD5 being the cause because it's Free Software, and Linux/GNU/Free Software (Foundation) is their biggest competitor.
As close to PROOF as you can possibly come to this, the Halloween Documents (memoes from Microsoft to it's employees) <a class="jive-link-external" href="http://opensource.org/halloween/" target="_newWindow">http://opensource.org/halloween/</a>
And the links spread out on this page <a class="jive-link-external" href="http://microsuck.com/content/whatsbad.shtml" target="_newWindow">http://microsuck.com/content/whatsbad.shtml</a>
Are all excellent reads. You will learn just how Microsoft manages to make Linux and Free Software in general look 'evil' and 'costly', with lies that are believable, so that you 'obey' like a slave to their Fear-Uncertainty-Doubt (FUD) attacks. For when you compete with Microsoft, there is no level playing field!
They have been more prepared by virtue of security threats and outright attacks than they ever were from simply an honest technical need.
I still find that most every network is vulnerable. I know some people will say this publicly and follow it up with comments along the lines of a computer unplugged and submerged in concrete, etc.
I don't mean vulnerable in that sense...
I mean vulnerable in the sense that a "hacker/cracker/attacker/etc." is reading your e-mail and contemplating what to do with that list of passwords and credit card info deom some list on your computer.
This is only the first skin of the onion and when any company is faced by a thorugh determined mind that is resolved to attack it by any means necessary, then that company will simply be at the mercy of said assailant.
Now, this sounds like talk. And actually it is written words, but do not discount my words as "warning" for a warning they are not. A truth is a truth in that it can simply be proven "true" or "false".
With that said, I would remind everyone from Redmond to Washington to tighten your own borders and do so in a thorough scorched earth fashion.
I typically build a concentric network defense from a layered model with keypoints that observe other selected keypoints.
I suggest the same approach by taken but also with physical security, biometrics if available, policy and training.
These items should be mandatory, too often they are not because they conflict with corporate policy or they upset the executives in one manner or another.
Someone once told me "There are ways to protect a network, software, code, etc. ...".
To whom I replied, "They better be some good ones"
Think about it...
In defense, the networks of today are more secure than they have ever been.
However, are they as secure as they could be?
Let your consience be your guide...
In the end each company is as secure as someone reports it is...
Who reports to whom?
All you need is iptables to block ports you don't want access to, no if/ands/or buts. Then research the best most secure daemons for web/ftp/pop3/smtp, whatever your server is going to require. Enable options for secure RSA/SSL encryptions ONLY, meaning, nobody can access the server without encryption. Make sure your kernel is up to date, your daemons are always up to date, now you've got one bullet proof little box.
If you want even more security, pay your on site server maintainer to go through the daemon source code and check for buffer overruns. One can avoid buffer overruns simply by replacing sprintf() with snprintf(), which defines the size of the buffer as to not overflow.
Clearly you don't know as much as you would have us think you know if you don't know the difference between a hacker and a cracker. Hackers are the 'good guys', we like to figure out how stuff works, to learn just for the sake of learning. An activity which is purely intellectual aka reverse engineering. Crackers are the people who break into networks, steal or destroy data. But that's mostly only if they know howto program. People who use the work of the Hackers on the net without caring how it works or why it works code wise, are often referred to as 'script-kiddies'. Because most of the time what they use is a script, whether it's bash/bsh/ksh/csh/perl/python/java/java script/php or whatever. I am a Hacker, and I love learning new things about computers everyday. I never attack anybody else's server, just my own (private LAN), just for experimentation only. Stop being ignorant and blaming hackers for your incompetance!
I also have a saying though, if it's exploitable, it deserves to be exploited! Take these new Voice over IP (VoIP) systems that allow like Timer Warner's Digital Phone or Vonage phone service to make calls through the internet. What people don't realize with these systems is how easy it is to spoof your outgoing phone number and caller ID name to anything you want it to read out as. More and more people are using Linux software to make these type of annoying calls to people in the USA everyday. But I don't blame the people exploiting the system, I blame the people who made the system along with these exploits, and FAIL to do anything to fix it! Does Uncle Sam honestly give a damn about trying to fix it? NO! HE DOESN'T!
You can make the same comparison between Apple and Windows (but don't judge me as one of those Apple zealots, I still use a PC with Linux). Apple knew their OS up into OS 9 was a piece of crap. So they spent 2 to 3 years writing a new OS entirely from the ground up using the Darwin kernel as a base model. This evolved over time into what was the first OS X! The security and stability of Unix with the ease of an Apple OS GUI! TADA!
Microsoft can afford to do the same thing... they have the money and the talent working for them (at least I think they might). So why don't they? Even your precious Windows NT kernel in 2000/XP/Vista is running off of code from the 1980's... everytime you download a patch for something in Windows, which isn't even a real patch because it's more of a DLL OS request filter which adds to the number of CPU cycles the system has to perform to verify a request is valid instead of a real patch that modifies the kernel binary data, you're still not fixing the bugs at the ROOT of the problem! Anti-Virus software is the same way pretty much, it stops the problems at the branches, NOT AT THE ROOT! So, I don't blame the people who write viruses for Windows machines, I blame Microsoft for half-assing their wannabe security while they try to make Linux sound just as stupid as they are and for making the morons of the net who use Windows believe their lies about Windows being more secure. Which in the meantime they go about patenting every last thought of concept/idea/method so they can sue people for trying to come up with the 'next big idea' that'll earn them some money. Here's a patent Microsoft has for you, the concept of 'double-clicking', has been patented by MICROSOFT! Tens of thousands if not hundreds of thousands of patents just like this are here today! And also in other countries that support patent/copyright documents. Remember, solute your dictator when he passes you by. *Nazi solute* Hail Gates!!! Hail Gates!!!
Perhaps the ultimate problem with Windows is they strive most of all to make it so easy any moron can use it to do simple things, (ex. play games/check email/etc.). For it's when you remove challenge from people's lives that they often become the most lazy! Whether it's mental or physical laziness, it still leads to dependency.
I have tried everything I can think of to try to stop this form happening, but it seem that the school will not and neither will the FBI put a stop to this I now have no access to my yahoo accounts. which has important information in regards to the hacking. furthermore it seems that they wish to interfere with my education as I am a student and have changed my pass word last night or this morning after I changed it. the following accounts have been effected Joeguncis@yahoo.com, br2malec@yahoo.com, bald_geek_2000@yahoo.com, and brmalec@eiu.edu. I can be reached at this email address.
thank you for your time
So many tons of code and hours of programming for absolutely nothing. Programmers should better learn how to build good looking programs. Unless it is a secret tactic of microsoft's coders to get paid to do nothing but come on, haven't the director notticed nothing changed?
I received a mail from microsoft bluehat program that would made me laugh if it wasn't so pathetic...