AT&T Tech Support 360
"Blue Hat" brought together the world's most powerful software company and the security researchers who pick apart its products. Participants included:
Jim Allchin: Jim Allchin is Microsoft's group vice president in charge of the Windows
unit. His job is to oversee the development of current and future versions of the operating system.
Matt Thomlinson: As Microsoft's director of security engineering, Matt Thomlinson is in
charge of making sure programmers throughout the company are up to speed on current and emerging threats.
Noel Anderson: Noel Anderson is Microsoft's program manager for wireless, mobility and
home networking. He's one of the Windows programmers responsible for
managing the ways in which the operating system connects to wireless
networks.
Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of
hashing algorithms, as well as the potential for sending large files via
the Internet's Domain Name System. He is currently doing work for Avaya.
HD Moore: HD Moore is the creator of Metasploit, a tool that system administrators can use to test whether their systems are safe from intrusion.
During a recent talk in Redmond, security researcher Dan Kaminsky wasn't sure how geeky to get. After all, he was talking to a bunch of executives on the first day of Blue Hat, not Microsoft's rank-and-file engineers.
So he kept his comments brief when it came to a flaw in something called MD5--a "hashing" algorithm, or a kind of fingerprint used to authenticate documents. He figured it was probably too esoteric for his audience. The rest of his presentation was focused on a different security topic.
But when it came time for questions, "this one guy with a shock of white hair looks straight at me and just says, 'MD5.'" Kaminsky, who said the comment seemed more like an order than a request for information, complied by demonstrating how two Web pages could have the same "hash," as the man listened and nodded knowingly.
A week later, Kaminsky learned that his interrogator was Jim Allchin--one of the highest-ranking executives at Microsoft and, as the person in charge of the Windows operating system, one of the leaders in the technology industry as a whole. Allchin's questions made clear just how deep the technical knowledge runs among the most senior ranks of the world's biggest software company.
The brief encounter made a lasting impression on Kaminsky. "I was like, 'Who was that guy?'" he said.
--Ina Fried
Associate editor: Yvonne Guzman
Copy editors: Leslie Katz, Richard Defendorf
Design: Michelle White
Production: Michelle White, Mike Markovich
By Ina Fried
Staff Writer, CNET News.com
June 15, 2005 4:00AM PDT
REDMOND, Wash.--The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle.
Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
Wireless networking
engineer, Microsoft
The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicized, was dubbed "Blue Hat"--a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate color.
The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company. Microsoft Chairman Bill Gates himself estimated earlier this year that the company now spends $2 billion a year--more than a third of its research budget--on security-related issues. Security has also become one of the main themes of the company's developer conferences, including last week's TechEd event, where Microsoft pitched security improvements in Windows to 11,000 attendees.
Blue Hat was significant for other, less tangible reasons as well. It provided a rare glimpse inside the netherworld of computer security, where the ethical lines are sometimes fuzzy in the technological arms race between network engineers and the hackers who challenge them. During the course of the event, each side witnessed for the first time the inner workings, culture and psychology of the other.
"I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us," said Dan Kaminsky, one of the outsiders who presented at the conference. Like others in the hacker group--many of whom are known as "security researchers" in their professions--he noted that the relationship ended up being the collaborative sort.
Still, in such a charged atmosphere, it didn't take long for emotions to show.
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.
Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut."
For two days, Microsoft staffers took these body blows repeatedly as they learned of various exploits. On day one, several dozen executives, including some of the company's most senior ones, were exposed to this simulated wrath in a makeshift boot camp. Among the participants were Jim Allchin, Microsoft's Windows chief, and Brian Valentine, head of core Windows operating system development. The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.
Security researcher
Allchin is not just any high-ranking software executive: In the technology industry, his name has become largely synonymous with the Windows operating system he oversees. A strong supporter of Blue Hat, Allchin wanted the Windows group not just to hear about security issues, but to see them as well.
"I'd already been through lots of days of personal training on the tools that are used to do this," Allchin said about the work of the hackers. "I personally wanted to really do a deep dive and really understand from their perspective."
It was a relatively safe way to get the experience. In a world where "white hats" are the security do-gooders and "black hats" are the hard-core villains, the hackers at Blue Hat were hardly representative of the dark side; if they had any pigment at all, it was no more than a tinge of gray.
This could well be a significant reason Microsoft held the event--to woo an influential group that has the choice of reporting security flaws discreetly or going public with them. The software maker routinely preaches the benefits of what it calls "responsible disclosure."
To the researchers, Microsoft's motivation was less important than the opportunity to meet in person with those who hold the keys to the kingdom and explain why they do the things they do.
"It is rare that I can present to the people who are both responsible for and capable of fixing the issues that I cover," security researcher HD Moore said,
Continued ...
