Microsoft's presentations on Windows Vista are not the typical Black Hat talks, but attendees are welcoming the look behind the scenes at the software giant.
The annual Black Hat Briefings security confab in Las Vegas traditionally focuses on hunting for bugs and attacking computers. But this year, for the first time in the event's 10-year history, several sessions are focused on the security — rather than the insecurity — of a single vendor's product. Microsoft, a platinum sponsor, is giving presentations on Vista.
There had been some concern that the Black Hat crowd would balk at what could be a giant infomercial presented by a major event sponsor. But the talks on Thursday morning came close to filling a giant ballroom at Caesars Palace, attracting a bigger audience than many of the typical Black Hat sessions.
"I haven't felt it as a marketing pitch. It was a very technical discussion about how code review is done at Microsoft," said Josh Hoover, a veteran Black Hat attendee from Phoenix who works in security at a large financial institution. "Of course, it is all lip service at this time, until we get to test it," he added.
Microsoft is handing out an early version of Vista at Black Hat and is soliciting feedback from attendees. "We hope that they will look at it and if they find any security issues we hope they will tell us," Steven Lipner, senior director for security engineering strategy at Microsoft, said in an interview.
The version of Vista being released at Black Hat wasn't specifically designed for the conference, but a recent stable build of the operating system, Lipner added.
Inside Vista
Microsoft's Black Hat presentations cover various aspects of security in the operating system update, including broad talks on fundamentals and security engineering, and specific sessions on networking technology, Wi-Fi, heap management enhancements, and Internet Explorer 7. Vista is the successor to Windows XP and is scheduled to be broadly available in January.
In a session on Thursday morning, John Lambert, a group manager at Microsoft, talked about the focus on security in the company's engineering process. Vista is the first client operating system release to have gone through Microsoft's Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships.
Lambert said the company has examined all of the security alerts it had to send out for flaws in previous versions of Windows. "We looked at all the security bulletins that we issued and why we did not catch those bugs in design," he said.
Other parts of Microsoft's effort to make Vista the "most secure version of Windows yet", in the words of Windows chief Jim Allchin, include looking for new bugs and using scanning tools. It also means calling on human hacking power, both inside and outside Microsoft, Lambert said. He mentioned the "Blue Hat" events, where Microsoft has invited hackers to come to its headquarters to talk security.
"This is the largest commercial penetration test in history," Lambert said, speaking about the security tests Microsoft is putting Vista through before its release.
The audience appeared very interested in the presentation, and at times people broke out in laughter, for example when Lambert talked about the public disclosure of a serious flaw right after the release of the Beta 2 of Internet Explorer 7. How did Microsoft react to that? Lambert showed an animation of a man banging his head on a keyboard.
But after the initial embarrassment, Microsoft realised that it had actually found the IE 7 flaw a couple of months earlier, it just had not been addressed in that beta release, Lambert said. Before final release, bugs like that will be fixed, he said.
Several attendees, including Hoover, said they found the talk appealing. "I didn't come here to learn how to hack," he said. "I am here to learn how Microsoft is making the world better for us. If they are doing what they say they are, they are definitely headed in the right direction."
Others agreed with Hoover's assessment. "It is education about Vista security, and that's always better to get directly from Microsoft," said Ross Mackenzie, a security specialist for an Australian bank and a first-time Black Hat attendee.
Richard Bjerregaard, a systems administrator at IBM in Denmark, was happy to hear that Microsoft is using code-auditing tools. "They are doing a lot of things right," he said.
Though some might perceive Microsoft's Black Hat sessions as a sales pitch, the reality is that the company already owns the market, Hoover said. "Obviously, they want you to upgrade," he said. "But as much as people like to pick on Microsoft, most of the known world uses it."
Talkback
In reality though the real test is the test of time. This wouldn't be the first time that something received a warm welcome and spirits of hope but nevertheless history later showed the opposite. NT Workstation 4, Windows 2000, Windows XP, IE5, IE6. All 'very secure' products in various testing scores but each and every time the greed to give into customer functionality demands got the better of them. Of course the finger of blame was pointed to developers, third party software houses, administrators and everybody else. But just try to life up to the security advisories and actually keep your customers and co-workers happy. Not the brightest of futures that.
As for 'most of the known world uses it'. Right, 'most of the known world' used to smoke. At one time even believing that it was healthy. 'Most of the known world' used to drive without safety belts. 'Most of the known world' used to spill chemical waste where and when they liked. Coal smog, poisened food, dangerous medical drugs. In all of these cases it took government intervention to get the commercial companies behind it to behave more civilized. The list goes on and on. 'Most of the known world'. C'mon, is that the best reason you can think of? Because if so things have gotten very sad indeed. They got excepted.
You are not a technical specialist in English are you?