August 1, 2005 3:04 PM PDT

Microsoft wants to meet more hackers

Microsoft wants its "Blue Hat" date with hackers to become a regular affair, with twice-yearly events where outsiders demonstrate flaws in Microsoft's product security.

In March, Microsoft invited several hackers to its Redmond, Wash., headquarters for the first time. The two-day meeting of Microsoft insiders with independent researchers provided each side with a glimpse into the other's world. That get-together was such a success that Microsoft is planning more of the events.

"We want to try and do it twice a year," Stephen Toulouse, a program manager in Microsoft's security unit, said in an interview. "It had a huge benefit to our developers." The event gives executives and developers a different look at product security, he said.

At one point in the March meeting, a hacker lured a laptop running Windows onto a rogue wireless network. He did it in front of the people who developed the operating system. "You're seeing how the technology that you created could potentially be misused, so you come out of that with a much deeper understanding," Toulouse said.

Tip of the hat
Microsoft modeled and named Blue Hat after the widely known Black Hat security conference, which took place last week in Las Vegas. Many of the talks at the annual Black Hat dive deep into security flaws found in software. (The Blue Hat name is tweaked to reflect Microsoft's corporate color, in particular the blue badges worn by Microsoft employees at the company's campus.)

"We sent over 80 people to Black Hat, but we have got many thousands more who could benefit from the perspective of a security researcher," Toulouse said.

The first Blue Hat meeting focused on security in Windows. The next event could highlight security in products from other Microsoft groups, such as the Office productivity suite or its MSN online lineup, Toulouse said. "We are seeing interest from other groups. You could, in the future, see something like a Blue Hat about Office," he said.

"We have got many thousands...who could benefit from the perspective of a security researcher."
--Stephen Toulouse, program manager, Microsoft's security unit

Security researchers are also showing interest in Blue Hat. The event wasn't officially on Microsoft's Black Hat calendar, but many researchers asked Toulouse and his colleagues about it and said they wanted to participate, he said.

Microsoft rented the Pure Nightclub in Caesars Palace on Thursday to treat the security community to a party with techno music and free cocktails. The company also threw an after-party at another Las Vegas hotel.

By hosting such parties and the Blue Hat event, Microsoft may be seeking to influence the security community. For example, Microsoft regularly preaches "responsible disclosure" of flaws, in which software makers are given time to repair a problem. Microsoft doesn't want researchers to go public with information on vulnerabilities before the company has had a chance to provide a patch.

"We want to learn from them and let them know that the people inside Microsoft that are working on security are all individuals and very passionate about security. It is not some big invisible monolithic thing that you hear about, but you can't see," Toulouse said.

Security researcher Dan Kaminsky attended the first Blue Hat and supports the event. "It is so nice to be able to complain about something and have somebody stand up and take responsibility," he said.

Kaminsky also said that Microsoft is listening to the security community. "We are at the point where all the obvious things we tell Microsoft to do, they already do it," he said.

Reaching out to the security community is part of Microsoft's efforts to improve the security of its products and fix up its reputation. The company said it was making security its top priority when it launched its Trustworthy Computing Initiative three years ago. Since then, it has overhauled its in-house development to bolster security and put its multibillion-dollar war chest and research budget to work.

The next Blue Hat is planned for the fall, but no date has been set yet, Toulouse said.

4 comments

Join the conversation!
Add your comment
Will it actually work?
I myself think that it would not only be hard to find these hackers,
but also to actually get them to come and meet with Microsoft and
show them what they do with their time. Do they get in any trouble
if they do something illegal in the process of their hack?
Posted by (23 comments )
Reply Link Flag
MSFT Should Pay the Blue Hatters
The key line in the article is: "Microsoft doesn't want reseachers to go public with information on vulnerabilities before the company has had a chance to provide a patch." Well, of course they don't want people to see how slow they maybe on the uptake. And heck - this is, after all, a great deal for MSFT. Inviting a passle of hackers for a drink is a dirt-cheap way to get these folks to show them the difficiencies in MSFT programs. But pre-screen the group a bit better, offer those who make the cut a big consulting fee and just watch how to optimize the MSFT Blue Hat confab. :) I trust that MSFT offers critical patches - those that they are aware are urgently needed - without the intervention of outside consultants. :(
Posted by malabrm1 (36 comments )
Reply Link Flag
microsoft has cool trash bins
when i was just a young punk kid with my first
car a friend and I drove out to the campus to
pick up garbage.. and microsoft by far had the
most high tech dumpsters in the neighborhood..
man.. like a safe! thats cool that microsoft
wants to be social.. I should just go over there
and loiter
Posted by (187 comments )
Reply Link Flag
Stinger!
Cat in the Hat. Green eggs and ham meat for breakfast mice! Technically speaking any of these sorts of hackers that show up are in violation of law and apprehensible! Would this be considered aiding and abetting known criminals? Sort of like "the US Army wants you gang-banger"!
Posted by (24 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.