As a result, Anderson and his team walked away with some concrete ideas on how to make sure future versions of Windows are more resilient to wireless attacks. He also left the room with a new respect for the hackers behind the demonstration.
"It's not just a bunch of disaffected teenagers sitting in their mother's basement," he said. "These are professionals that are thinking about these issues."
The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.
At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a heap overflow. When he asked the crowd, made up mostly of vice-presidents, whether they knew about this type of issue, 18 of 20 hands went up.
"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.
Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation.
Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated Metasploit — a tool that system administrators can use to test the reliability of their systems to intrusion. But Metasploit also includes a fair number of exploits, as well as tools that can be used to develop new types of attacks.
"You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.
"We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"
Talkback
If security is really that important to Microsoft then why can't their heavily budgetted dream "we invented everything, others are just trying to copy us" R&D team come up with fixes that work on both XP and W2K? Or even quick and dirty patches like IE7 for that matter?
Why is it always: if you want real security then buy our next/current product? But wasn't that one of the reasons why you bought the current/previous one?
Another thing. Blue hats might give an impression but are not the actual thing Microsoft needs to defend its products against. Again Microsoft managed to motivate those that can to make the next slap-in-the-face that much harder. And with tons of Microsoft engineers thinking that they only need to defense against Blue hat level of attacks (given that that is the focus of their management currently) things will become interesting in time.
How would the world fare if the black hats decided they hated Unix based systems as much as Microsoft????????
People have a choice in Life to do the right thing, cyber crime is no different to normal crime, people choose to commit not because they see a crappy front door on the house, but because they are criminals and thats what satisfys them.
Far be it from me to take Microsofts side, i think QoS is the most imporatant thing, because its your innocent customers who get hurt not a Company that is already making more money that most on the planet in a week.
So i think as a community of mixed cultures (Linux, Windows, Solaris, etc) we have a responsibility to our customers to stop the friggen criminals from damaging our crap by making the best system we can, and then support it, but quit fighting and bitching about he's better or worse or whatever, and lets get some unbreakable Opearting System code on the market, it is the year 2005.