Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.
Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watch their actual code exploited. It kind of hits people in the gut."
For two days, Microsoft staffers took these body blows repeatedly as they learned of various exploits. On day one, several dozen executives, including some of the company's most senior ones, were exposed to this simulated wrath in a makeshift boot camp. Among the participants were Jim Allchin, Microsoft's Windows chief, and Brian Valentine, head of core Windows operating system development. The second day drew about 400 rank-and-file Windows engineers, including people who don't necessarily focus on security features in their day-to-day work.
Allchin is not just any high-ranking software executive: In the technology industry, his name has become largely synonymous with the Windows operating system he oversees. A strong supporter of Blue Hat, Allchin wanted the Windows group not just to hear about security issues, but to see them as well.
"I'd already been through lots of days of personal training on the tools that are used to do this," Allchin said about the work of the hackers. "I personally wanted to really do a deep dive and really understand from their perspective."
It was a relatively safe way to get the experience. In a world where "white hats" are the security do-gooders and "black hats" are the hard-core villains, the hackers at Blue Hat were hardly representative of the dark side; if they had any pigment at all, it was no more than a tinge of grey.
This could well be a significant reason Microsoft held the event — to woo an influential group that has the choice of reporting security flaws discreetly or going public with them. The software maker routinely preaches the benefits of what it calls "responsible disclosure".
Talkback
If security is really that important to Microsoft then why can't their heavily budgetted dream "we invented everything, others are just trying to copy us" R&D team come up with fixes that work on both XP and W2K? Or even quick and dirty patches like IE7 for that matter?
Why is it always: if you want real security then buy our next/current product? But wasn't that one of the reasons why you bought the current/previous one?
Another thing. Blue hats might give an impression but are not the actual thing Microsoft needs to defend its products against. Again Microsoft managed to motivate those that can to make the next slap-in-the-face that much harder. And with tons of Microsoft engineers thinking that they only need to defense against Blue hat level of attacks (given that that is the focus of their management currently) things will become interesting in time.
How would the world fare if the black hats decided they hated Unix based systems as much as Microsoft????????
People have a choice in Life to do the right thing, cyber crime is no different to normal crime, people choose to commit not because they see a crappy front door on the house, but because they are criminals and thats what satisfys them.
Far be it from me to take Microsofts side, i think QoS is the most imporatant thing, because its your innocent customers who get hurt not a Company that is already making more money that most on the planet in a week.
So i think as a community of mixed cultures (Linux, Windows, Solaris, etc) we have a responsibility to our customers to stop the friggen criminals from damaging our crap by making the best system we can, and then support it, but quit fighting and bitching about he's better or worse or whatever, and lets get some unbreakable Opearting System code on the market, it is the year 2005.