Microsoft’s presentations on Windows Vista are not the typical Black Hat talks, but attendees are welcoming the look behind the scenes at the software giant. “I haven’t felt it as a marketing pitch. It was a very technical discussion about how code review is done at Microsoft,” said Josh Hoover, a veteran Black Hat attendee from Phoenix who works in security at a large financial institution. “Of course, it is all lip service at this time, until we get to test it,” he added.
I believe if Microsoft has solicited the help of some of the finest security specialists in the world to help clean up their product, it's only fitting they consider putting back into the community by lowering the cost of it.
They didn’t get help, they offered an insight into how they do code reviews. The security experts that are actually working on it are getting paid.
“Microsoft is handing out an early version of Vista at Black Hat and is soliciting feedback from attendees. “We hope that they will look at it and if they find any security issues we hope they will tell us,” Steven Lipner, senior director for security engineering strategy at Microsoft, said in an interview.”
They didn’t get help,
No but they seem to want to get help, from the “best”, and for free. Wondering how those experts at MS whose job this would be are feeling in their shoes. On one hand, it can be good, since Vista could be better (the problem is that this, like everything, is so much relative), but on the other hand I very much don’t like when big buck companies think that building a community means asking other people to do the job for free but keeping the product closed and selling it.
Professionals co-operate. The “black hats” Microsoft is working with charge for their work as well.
Don’t be silly.
How the above post is at 4 I will never know. Microsoft is not getting help from the best for free.
Their fave beehatch, why wouldn’t they be welcome? Probably brought some cool swag too.
The history of software engineering is very short, and the era of ubiquitous networked computing has been even shorter. The software giants created a monster that they weren’t equipped to deal with, and Microsoft’s monster is the biggest of all. It’s taken some time, but Microsoft finally gets it, and they’re ready to do serious battle with their security woes.
In most aspects of the software engineering, there is real merit to the “good enough” principle. We often forget that the open source mantra of “release early, release often” is an extension of this principle, not an alternative. Security bugs, however, are an exception to the rule. Releasing software with known vulnerabilities is not only unethical, but it’s bad for business. Microsoft finally gets it; their death grip on the OS market is being challenged in a meaningful way because of their application of the “good enough” principle to security.
Microsoft must lead the proprietary software industry toward sound software engineering practices that consistently result in secure software. Most proprietary software vendors are still merely dipping their toes in the water when it comes to aggressively refactoring their development processes so as to be accountable for quality and security issues. They want to bolt-on a static analysis tool or additional managerial oversight in order to bolster quality and drive down defect rates. However, this usually does little more than increase overhead and hurt morale amongst the development teams.
There are many ways to find bugs before they reach the customer, but they all have the same tradeoff: cost. Costs can be classified in two categories: costs associated with development, licensing, integration, and/or execution of such methods; and costs associated with additional workload due to higher pre-release defect rates. It is very much the case that there is no free lunch when it comes to increasing software quality and security. The lack of a silver bullet leads management to believe that the technology of automated software analysis tools isn’t quite there yet, but it very clearly is.
Software engineering firms need to realize that the sheer size and scope of their markets makes these large investments in quality absolutely essential to competing in today’s software industry. Microsoft finally gets it. They will lead the software industry toward a new era of quality software engineering, or they will collapse under the weight of enormous market forces.
Microsoft clearly has the cash to make this happen, but many software vendors don’t. Watch for the entry barriers in the proprietary software industry to increase dramatically over the next 10 years as customers come to expect higher quality and more secure software products.
Watch for smaller proprietary software vendors to open their code as the only way to avoid the tremendous expense of modern software engineering. As I’ve said several times before, developing and delivering proprietary software can be very profitable, but it is much more difficult and expensive than developing and delivering open source software. For many reasons, OSS development distributes costs more efficiently, and over a broader population.
Microsoft finally gets it, and they realize that they will have to outspend the OSS ecosystem by an impressive ratio just to keep up, let alone catch up. They also aren’t growing faster than the market, so it’s not like this money is gonna come easy. Watch for Microsoft’s profit margins to recede markedly from the absurd to the reasonable. On both counts, it’s about time.
The history of software engineering is very short
That’s because there is no such thing. Calling what we do “engineering” doesn’t make it engineering.
And no, OSS doesn’t “distribute costs more efficiently”; it just does a better job of hiding them.
A company with the cash reserves that Microsoft has isn’t going to have problems finding the money to spend on whatever technology they want.
I’ve always had a problem with the term “computer science” being used to describe programming. Sure, there are computer scientists out there, making hypotheses, implementing/analyzing them, and producing conclusions. But most computer programmers are engineers. They receive specifications, and they implement them. I like to say that computer programming is part art, part engineering, and rarely science.
The difference between computer science and computer engineering is huge, and it underlies the reason why most CS majors are dreadfully unprepared for real-world software development.
True, true, which brings to question, not whether these problems are hidden, but whether they’re willing to find and fix them.
When you work for a company, you obviously have an incentive to debug and work on the most mundane crap in the software development stack because that’s what you’re paid to do – you may hate it, but you can at least say to yourself that you’re taking home a cheque.
If you’re an open source developer, it’s only natural that since you’re spending your own time working on it, it’s obvious that you’ll want to spend your time working on the sexy exciting things like adding new features or optimising performance, not on mundane housekeeping like giving key components audits to weed out bugs and potential security issues.
As for the issue at hand, I think people here need to divorce security issues firstly relating to bad design, and secondly relating to bad implementation of the idea.
Not all of Microsoft’s security issues relate to crappy code or design, sometimes it’s a combination of both, sometimes it’s one or the other; with that being said, to understand why some of the decisions were made, you need to understand the approach, the company culture, and most importantly, the way things were done when it was implemented; many things that are biting Microsoft in the ass today could never have been envisioned 16-20 years ago.
As for the article at hand; it’s stupid to say the least; it’s, ‘LOOK! I CAN INSTALL MALICIOUS CODE!’ then she admits she was asked for authorisation to carry out the said malicious code insertion. Sorry, there is a WORLD of difference between something being able to get inserted without user knowledge, and someone being asked for administrator access for a said application.
If I were a true “Black Hat” and had malicious intentions and was given the opportunity to audit the next version of Windows, which is guaranteed to inherit a huge install base off of PCs preloaded with Vista next year, the last thing I would do is actually inform Microsoft of any serious problems. I would wait for Vista to be released and in the hands of millions and then release exploits or keep them to myself for my own gains. I’d wager that there are going to be several 0-Day exploits come around when Vista does ship.
<noise of hand smacking against forehead> It is a conference dealing with Black Hats, not for Black Hats. So strange that Hurricane emergency procedure meetings are attended by so few Hurricanes…
I gave you a +1 for stating the obvious in a way that gave me the biggest laugh of the day … 😀
^
Stop watching Hacker Movies.
Trying to con a multi-billion dollar corporation?
Yeah right!
These days, Microsoft has tons of static analysis and basically anything that was written recently has to go through it. The main tool is called PREfast and it uses annotations in the source code to improve its analysis (take a look at any recent Platform SDK headers or the VC2005 CRT headers to see what I mean). They also invest time into modeling threats and trying to add layers to minimize the effect of a single security error.
On the other hand, there are still flaws that slip through and patching is the only way to handle that. I don’t think any commercial systems are going to be totally secure on the first shot and the only way to make it better is to iteratively improve security as new vulnerabilities are found. I think we’re going to see a number of Vista TCP/IP vulnerabilities until about SP1, for instance.
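To make the annotation idea in the post above concrete, here is an added example (not from the original post and not Microsoft’s code): a bounds-checked string copy whose buffer contract is spelled out with SAL annotations of the kind PREfast reads from <sal.h>. On non-MSVC compilers the annotations are defined away so the code still builds and runs; the caller and its inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* PREfast reads the SAL annotations shipped in <sal.h>; on other
 * compilers we define them away so the code still builds and runs. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _In_z_
#define _Out_writes_z_(n)
#define _Success_(expr)
#endif

/* Copy src into dst, always NUL-terminating on success. The annotations
 * tell the analyzer that dst must have room for dst_size chars and holds
 * a NUL-terminated string when the function returns 0, so a caller that
 * passes a buffer shorter than dst_size can be flagged before the code
 * ever runs, instead of overflowing at runtime. */
_Success_(return == 0)
static int copy_name(_Out_writes_z_(dst_size) char *dst, size_t dst_size,
                     _In_z_ const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size) {      /* would not fit: refuse rather than overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);  /* includes the terminating NUL */
    return 0;
}

/* Hypothetical caller with constructed inputs: one that fits, one that
 * is refused. Returns 1 when both behave as the contract says. */
static int demo(void)
{
    char buf[8];
    int fits = copy_name(buf, sizeof buf, "vista");              /* 0 */
    int refused = copy_name(buf, sizeof buf, "blackhat2006");    /* -1 */
    return fits == 0 && refused == -1 && buf[0] == '\0';
}
```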
Anyone want to place numbers on how long it will take the actual `Black Hats` to puncture Micro Silly’s latest offering? Then a secondary one on when the first security patch will be issued?
Edited 2006-08-05 20:30
“Anyone want to place numbers on how long it will take the actual `Black Hats` to puncture Micro Silly’s latest offering?”
While we are betting, I’m taking bets on how long it will take for the 2.6 kernel to hit 100 secunia advisories.
http://secunia.com/product/2719/
I’m not at all sure how long it’s going to take. With 80 plus percent of the market running Windows, not long. What I am sure of: MS is taking some huge steps to become a much smaller target.
When MS force feeds IE7 to its XP users, they will seriously cut down on their exposure for those not upgrading to Vista. Vista users are going to get IE7, Defender, and some other protection with the package.
You can hate MS, and this opinion all ya want..
But, IE7 is going to cure a lot of XP’s problems at no cost to the users.
Except compatibility and speed… I think IE7 isn’t quite as fast as 6.