To the researchers, Microsoft's motivation was less important than the opportunity to meet in person with those who hold the keys to the kingdom and explain why they do the things they do.
"It is rare that I can present to the people who are both responsible for and capable of fixing the issues that I cover," security researcher HD Moore said, adding that he doesn't plan to change his practice of giving companies 30 days before going public with issues. "I still have no desire to play email tag with the (security response team) for a year for every bug that I find."
But Moore did gain a better understanding of why it takes Microsoft so long to create patches, and said his impression of the people who create the products has changed. "I still may not agree with their security policies and how they handle bug reports, but at least I know they actually believe what they are saying," he said.
Others agreed. "They are taking this subject seriously. It was really cool to see," said Kaminsky, a security researcher who does work for telecommunications company Avaya. "At some point, there was a shift at Microsoft."
That shift began in earnest with a well-publicised memo written by Gates on the concept of "trustworthy computing" in 2002. Security had long been a concern at Microsoft, but the issue became an imperative after several high-profile attacks exposed how vulnerable its products were.
"The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customise our computers is under attack from those who are customising it against our will."
It was this kind of impassioned rhetoric that won respect even among some of the more wary Microsoft participants.
Noel Anderson, a wireless networking engineer on Microsoft's Windows team, became suspicious as soon as he walked into the hacking demo — and saw the giant wireless antenna at the front of the auditorium.
Anderson decided that he should leave his laptop turned off, an instinct that saved him the embarrassment of falling into the hackers' trap, even though the hackers focused on a demo laptop. But under different circumstances, he thought to himself, "I might have even fallen for that."
Talkback
If security is really that important to Microsoft then why can't their heavily budgeted dream "we invented everything, others are just trying to copy us" R&D team come up with fixes that work on both XP and W2K? Or even quick and dirty patches like IE7 for that matter?
Why is it always: if you want real security then buy our next/current product? But wasn't that one of the reasons why you bought the current/previous one?
Another thing. Blue hats might give an impression but are not the actual thing Microsoft needs to defend its products against. Again Microsoft managed to motivate those that can to make the next slap-in-the-face that much harder. And with tons of Microsoft engineers thinking that they only need to defend against Blue hat level of attacks (given that that is the focus of their management currently) things will become interesting in time.
How would the world fare if the black hats decided they hated Unix based systems as much as Microsoft?
People have a choice in life to do the right thing, cyber crime is no different to normal crime, people choose to commit not because they see a crappy front door on the house, but because they are criminals and that's what satisfies them.
Far be it from me to take Microsoft's side, I think QoS is the most important thing, because it's your innocent customers who get hurt not a company that is already making more money than most on the planet in a week.
So I think as a community of mixed cultures (Linux, Windows, Solaris, etc) we have a responsibility to our customers to stop the friggen criminals from damaging our crap by making the best system we can, and then support it, but quit fighting and bitching about who's better or worse or whatever, and let's get some unbreakable Operating System code on the market, it is the year 2005.