
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39131231,00.htm


Microsoft takes its hat off to hackers
Two-day event sees execs and geeks get up close and personal...

By Ina Fried

Published: Thursday 16 June 2005

Details have emerged of a two-day convention hosted by Microsoft with the aim of attempting to exploit flaws in its own computing systems.

The event, which Microsoft has not publicised, was dubbed "Blue Hat" - a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate colour.

Hackers were invited into the heart of the Windows empire to pit their wits against the best work of the software giant's network engineers.

Within minutes of the meeting being convened, the hackers - or 'security researchers' as they are known - had successfully lured a Windows laptop onto a malicious wireless network.

"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."

The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the software behemoth.

Microsoft chairman Bill Gates himself estimated earlier this year that the company now spends $2bn per year - more than a third of its research budget - on security-related issues. Security has also become one of the main themes of the company's developer conferences, including last week's TechEd event, where Microsoft pitched security improvements in Windows to 11,000 attendees.

Blue Hat was attended by some of the company's most senior executives and about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.

One executive in attendance, Microsoft's Windows chief Jim Allchin, said he wanted the Windows group to not just hear about security issues but to see them as well.

"I'd already been through lots of days of personal training on the tools that are used to do this," he said about the work of the hackers. "I personally wanted to really do a deep dive and really understand from their perspective."

The researchers also relished the opportunity to come face-to-face with 'the other side'. Security researcher HD Moore said: "It is rare that I can present to the people who are both responsible for and capable of fixing the issues that I cover."

Moore added that he gained a better understanding of why it takes Microsoft so long to create patches, and said his impression of the people who create the products has changed.

"I still may not agree with their security policies and how they handle bug reports but at least I know they actually believe what they are saying," he said.

Kaminsky, a security researcher who works for telecommunications company Avaya, also took his hat off to Microsoft's efforts to bolster its security strategy: "They are taking this subject seriously. It was really cool to see. At some point, there was a shift at Microsoft."

For their part, Microsoft executives said they came to a better understanding of what makes hackers tick.

Noel Anderson, Microsoft's program manager for wireless, mobility and home networking, said: "We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys. They were just as much geeks as we were."

Ina Fried writes for CNET News.com

