At Microsoft, interlopers sound off on security

Independent computer security specialists were invited to Microsoft's headquarters to critique the flaws of Windows software.

REDMOND, Wash.--In a windowless war room where Microsoft manages worldwide computer security crises, George Stathakopoulos, the general manager for security, opened a small refrigerator, revealing three bottles of Champagne.

"These are for the arrests," he said, with a brief smile.

Locked in a struggle with a shadowy "black hat" computer underground that exploits any flaw in its software, Microsoft has spent three and a half years trying to transform its engineering culture to make security the company's priority.

Recently there have indeed been some arrests for computer attacks that capitalized on Microsoft software flaws. But more important, during the last year the company has made measurable progress in improving the quality of its software code, according to many computer security specialists and customers.

That has in effect raised the bar for the computer outlaws seeking to exploit the company's software for data theft, extortion or simple mischief. It now appears that Microsoft can begin to celebrate--a little.

Last Thursday and Friday, the company held its second Blue Hat briefing, a meeting with a small group of about a dozen independent computer security specialists invited to the company's headquarters here to share detailed research on vulnerabilities in Windows software.

Microsoft managers chose the term blue hat to distinguish their outreach campaign from the usual division in the computer security world between warring communities of white hats and black hats. Whatever their hats, those invited here were a group not generally inclined to think highly of Microsoft.

On the first day of the meeting, the visitors made presentations to some of the company's top executives. The sessions were repeated on Friday for more than 500 of the company's approximately 9,000 programmers.

David Maynor, an intrusion detection expert at Internet Security Systems, based in Atlanta, began by giving Microsoft good marks for addressing conventional computer threats.

But Maynor cited a fundamental design error in the way Windows operating systems handle peripherals, making it theoretically possible for an attacker to insert a malicious program into a personal computer by attaching a hand-held device to a computer port.

"You trust stuff way too much," he said.

Microsoft had also erred in public assertions about the security of its coming Xbox 360 game console, he said, adding, "You're a huge target, and when you challenge people, they will prove you wrong."

It was clear from the presentations that Microsoft still has work to do to secure its programs, which are the most widely used on the Internet. But it was also the consensus of those attending that the company might have made progress in slowing the deluge of viruses, worms, spam and spyware that plagues its customers.

"It's not perfect, but compared to the competition, they've made significant progress," said Dan Kaminsky, a prominent independent computer security researcher who attended the meeting.

For the first time, Microsoft executives allowed a reporter to attend the meeting, although one research group making a presentation was unwilling to speak publicly.

Microsoft's decision to reach out to critics it would once have shunned shows its change in attitude about computer security. The effort began four years ago when Stathakopoulos, a veteran Microsoft security executive, attended Black Hat, an annual computer security conference focused on software vulnerabilities, in Las Vegas.

Although he found that Microsoft was broadly attacked at the meetings, Stathakopoulos returned the next year and even sponsored a party for the researchers to begin to build bridges.

He said he had second thoughts after scheduling the event. "I turned to another Microsoft executive and said: 'What did we do? This is going to be a disaster,'" he said.

In the end, disaster was averted. The Microsoft executives and the Black Hat researchers talked until 7 the next morning.

This year Microsoft has gone further. In March and again last week, it invited the outside specialists to its campus in an effort to learn more from an insular community that studies the company's software for chinks in its armor.

Microsoft had previously resisted efforts to open a dialogue even with "white hat" hackers like those in attendance here--computer security researchers who expose vulnerabilities but do not exploit them, and who have frequently been bitterly critical of Microsoft as indifferent to security.

Microsoft's stance changed in 2002 and 2003 when computer worms like Blaster and Slammer, preying on flaws in Microsoft software, spread worldwide and began to threaten the company's relations with consumers and corporate customers alike.

The situation became so grave that in 2002 Microsoft suspended its programming development for more than two months and sent all of its programmers to remedial security classes.

The wrenching change the company has gone through was an absolute necessity, said Kaminsky, the security researcher. "Security issues can kill Windows; you can't say it any other way," he said.

And Microsoft's willingness to engage its security critics directly has made a significant impression on many of them.

"The battleship is starting to turn," said George Spillman, a computer security researcher who calls himself Geo and whose card describes him as the minister of propaganda for the Toorcon Computer Security Conference. "The fact that I am here is a good indication of how much Microsoft has changed. They are starting to understand that our community cares as much about security as they do."

But Maynor cautioned that the company was on the brink of an era of threats that would prove far more vexing. He pointed to a world of mobile devices that make today's defense concepts obsolete. Such devices would allow remote attackers to leap past firewalls guarding corporate borders and jump from one network to another to get access to corporate networks.

The nature of attacks, he said, will also shift away from global Internet worms such as Blaster because of the increasing profitability of computer crime. A single bug can now bring as much as $50,000 in the computer underground and is likely to be used for data theft or extortion, not unleashed simply for widespread chaos.

"We're seeing the rise of designer malware," or malicious software, he said. "There will be a shift toward targeted attacks."

Another attendee, Brett Moore, chief technology officer of Security Assessment, a consulting firm in Auckland, New Zealand, said he had success in finding undiscovered vulnerabilities in some versions of Windows by looking for known bugs in different parts of programs or in other applications.

"In a couple of hours I found four vulnerabilities," he said.

Microsoft executives responded that they were trying to improve their code by using a similar technique in their development process. Known as fuzzing, it involves automatically feeding a program tens of thousands of malformed or unexpected inputs and watching for crashes, each of which points to a flaw that an attacker could also trigger.
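To make concrete what the fuzzing described above actually does, here is an added example that is not part of the original article and not Microsoft's tooling: a toy record parser that trusts the length fields it reads, a bounds-checked version of the same parser, and a tiny mutational fuzzer that throws randomly mutated inputs at each. The wire format, the seed message and the mutation strategy are all constructed for this illustration. The point is the contrast in results: the trusting parser is crashed repeatedly by inputs no human wrote, while the hardened one rejects the same inputs in a controlled way.

```python
import random

# Constructed toy wire format used only in this example: one count byte,
# then `count` records, each a 1-byte length followed by that many bytes.


class MalformedInput(ValueError):
    """Controlled rejection raised by the hardened parser (not a crash)."""


def parse_records_fragile(buf: bytes) -> list[bytes]:
    """Trusts every count and length field it reads; an attacker-chosen
    value walks it straight off the end of the buffer (IndexError here,
    an out-of-bounds read in C)."""
    count = buf[0]
    pos = 1
    records = []
    for _ in range(count):
        length = buf[pos]
        pos += 1
        records.append(buf[pos:pos + length])
        pos += length
    return records


def parse_records_hardened(buf: bytes) -> list[bytes]:
    """Same format, but every read is bounds-checked before it happens."""
    if len(buf) < 1:
        raise MalformedInput("missing count byte")
    count = buf[0]
    pos = 1
    records = []
    for _ in range(count):
        if pos >= len(buf):
            raise MalformedInput("truncated before record length")
        length = buf[pos]
        pos += 1
        if pos + length > len(buf):
            raise MalformedInput("record length exceeds buffer")
        records.append(buf[pos:pos + length])
        pos += length
    if pos != len(buf):
        raise MalformedInput("trailing bytes after last record")
    return records


# Constructed valid seed message: two records, "abc" and "de".
SEED_INPUT = b"\x02\x03abc\x02de"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite a byte, truncate, or insert bytes."""
    b = bytearray(data)
    op = rng.choice(("flip", "truncate", "insert"))
    if op == "flip" and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == "truncate" and b:
        del b[rng.randrange(len(b)):]
    else:
        i = rng.randrange(len(b) + 1)
        b[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(b)


def fuzz(parser, iterations: int = 2000, seed: int = 1234) -> list[bytes]:
    """Run `iterations` mutated inputs through `parser` and return the ones
    that crashed it. MalformedInput is a deliberate rejection, so it does
    not count; anything else escaping the parser is a bug to investigate."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(SEED_INPUT, rng)
        try:
            parser(case)
        except MalformedInput:
            pass
        except Exception:
            crashes.append(case)
    return crashes


if __name__ == "__main__":
    bad = fuzz(parse_records_fragile)
    print(f"fragile parser: {len(bad)} crashing inputs, e.g. {bad[0]!r}")
    print(f"hardened parser: {len(fuzz(parse_records_hardened))} crashing inputs")
```

Every crashing input the fuzzer returns is a reproducible test case: feeding it back to the fragile parser fails the same way, which is what turns a fuzzing run into a bug report a developer can act on. Real fuzzers add coverage feedback and crash de-duplication, but the loop of mutate, execute, catch, record is the whole idea.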

Microsoft executives and the independent researchers said that the company had bolstered security significantly with the release of Windows XP Service Pack 2 in 2004. The update, a free download, turned the built-in firewall on by default and added support for hardware-enforced data execution prevention, making the operating system much less vulnerable.

Microsoft executives also cite a decline in the number of security bulletins issued for major products like Windows Server and Office as evidence that the new engineering discipline is having an impact.

There were 69 such bulletins issued for Windows 2000 Server in two and a half years and only 41 for Windows Server 2003 in a comparable period, the company said.

Eleven bulletins were issued for the 2001 version of Office XP during the first 594 days after its introduction; for Office 2003, there were six bulletins in the same period. For the last two Windows XP updates, 35 bulletins were issued for Service Pack 1 in the year ended last June but only 18 for Service Pack 2.

Stathakopoulos takes pride in the achievement, as when he notes that he has been involved in shipping more compact discs--Windows software--than the Beatles, Rolling Stones and Madonna combined.