The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing centre recently at the company's sprawling campus outside Seattle.
Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicised, was dubbed "Blue Hat" — a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate color.
The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company. Microsoft chairman Bill Gates himself estimated earlier this year that the company now spends $2bn (£1bn) a year — more than a third of its research budget — on security-related issues. Security has also become one of the main themes of the company's developer conferences, including last week's TechEd event, where Microsoft pitched security improvements in Windows to 11,000 attendees.
Blue Hat was significant for other, less tangible reasons as well. It provided a rare glimpse inside the netherworld of computer security, where the ethical lines are sometimes fuzzy in the technological arms race between network engineers and the hackers who challenge them. During the course of the event, each side witnessed for the first time the inner workings, culture and psychology of the other.
"I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us," said Dan Kaminsky, one of the outsiders who presented at the conference. Like others in the hacker group — many of whom are known as "security researchers" in their professions — he noted that the relationship ended up being the collaborative sort.
Still, in such a charged atmosphere, it didn't take long for emotions to show.
Talkback
If security is really that important to Microsoft then why can't their heavily budgetted dream "we invented everything, others are just trying to copy us" R&D team come up with fixes that work on both XP and W2K? Or even quick and dirty patches like IE7 for that matter?
Why is it always: if you want real security then buy our next/current product? But wasn't that one of the reasons why you bought the current/previous one?
Another thing. Blue hats might give an impression but are not the actual thing Microsoft needs to defend its products against. Again Microsoft managed to motivate those that can to make the next slap-in-the-face that much harder. And with tons of Microsoft engineers thinking that they only need to defense against Blue hat level of attacks (given that that is the focus of their management currently) things will become interesting in time.
How would the world fare if the black hats decided they hated Unix based systems as much as Microsoft????????
People have a choice in Life to do the right thing, cyber crime is no different to normal crime, people choose to commit not because they see a crappy front door on the house, but because they are criminals and thats what satisfys them.
Far be it from me to take Microsofts side, i think QoS is the most imporatant thing, because its your innocent customers who get hurt not a Company that is already making more money that most on the planet in a week.
So i think as a community of mixed cultures (Linux, Windows, Solaris, etc) we have a responsibility to our customers to stop the friggen criminals from damaging our crap by making the best system we can, and then support it, but quit fighting and bitching about he's better or worse or whatever, and lets get some unbreakable Opearting System code on the market, it is the year 2005.