Microsoft fancies more Blue Hats

Microsoft wants its "Blue Hat" date with hackers to become a regular affair, with biannual events where outsiders demonstrate flaws in Microsoft's product security.

In March, Microsoft invited several hackers to its Redmond, Washington, headquarters for the first time. The two-day meeting of Microsoft insiders with independent researchers provided each side with a glimpse into the other's world. That get-together was such a success that Microsoft is planning more of the events.

Stephen Toulouse, a program manager in Microsoft's security unit, said in an interview: "We want to try and do it twice a year. It had a huge benefit to our developers." The event gives executives and developers a different look at product security, he added.

At one point in the March meeting, a hacker lured a laptop running Windows onto a rogue wireless network. He did it in front of the people who developed the operating system. Toulouse said: "You're seeing how the technology that you created could potentially be misused, so you come out of that with a much deeper understanding."

Microsoft modelled and named Blue Hat after the widely known Black Hat security conference, which took place last week in Las Vegas. Many of the talks at the annual Black Hat dive deep into security flaws found in software. (The Blue Hat name is tweaked to reflect Microsoft's corporate colour, in particular the blue badges worn by Microsoft employees at the company's campus.)

Toulouse said: "We sent over 80 people to Black Hat but we have got many thousands more who could benefit from the perspective of a security researcher."

The first Blue Hat meeting focused on security in Windows. The next event could highlight security in products from other Microsoft groups, such as the Office productivity suite or its MSN online line-up, Toulouse said. "We are seeing interest from other groups. You could, in the future, see something like a Blue Hat about Office," he said.

Security researchers are also showing interest in Blue Hat. The event wasn't officially on Microsoft's Black Hat calendar but many researchers asked Toulouse and his colleagues about it and said they wanted to participate, he said.

Security researcher Dan Kaminsky attended the first Blue Hat and supports the event. "It is so nice to be able to complain about something and have somebody stand up and take responsibility," he said.

Kaminsky also said Microsoft is listening to the security community. "We are at the point where all the obvious things we tell Microsoft to do, they already do it," he said.

The next Blue Hat is planned for the autumn but no date has been set yet, Toulouse said.

Joris Evers writes for CNET News.com