Microsoft gets good reception at Black Hat

Talks go down well with hackers looking to find out just what the company's doing to make Vista its most secure operating system ever.

Joris Evers Staff Writer, CNET News.com


LAS VEGAS--Microsoft's presentations on Windows Vista are not the typical Black Hat talks, but attendees are welcoming the look behind the scenes at the software giant.

The annual Black Hat Briefings security confab here traditionally focuses on hunting for bugs and attacking computers. But this year, for the first time in the event's 10-year history, several sessions are focused on the security--rather than the insecurity--of a single vendor's product. Microsoft, a platinum sponsor, is giving presentations on Vista.

There had been some concern that the Black Hat crowd would balk at what could be a giant infomercial presented by a major event sponsor. But the talks on Thursday morning came close to filling a giant ballroom at Caesars Palace, attracting a bigger audience than many of the typical Black Hat sessions.

"I haven't felt it as a marketing pitch. It was a very technical discussion about how code review is done at Microsoft," said Josh Hoover, a veteran Black Hat attendee from Phoenix who works in security at a large financial institution. "Of course, it is all lip service at this time, until we get to test it," he added.

Microsoft is handing out an early version of Vista at Black Hat and is soliciting feedback from attendees. "We hope that they will look at it and if they find any security issues we hope they will tell us," Steven Lipner, senior director for security engineering strategy at Microsoft, said in an interview.

The version of Vista being released at Black Hat wasn't specifically designed for the conference, but is a recent stable build of the operating system, Lipner added.

Inside Vista
Microsoft's Black Hat presentations cover various aspects of security in the operating system update, including broad talks on fundamentals and security engineering, and specific sessions on networking technology, Wi-Fi, heap management enhancements, and Internet Explorer 7. Vista is the successor to Windows XP and is slated to be broadly available in January.

In a session on Thursday morning, John Lambert, a group manager at Microsoft, talked about the focus on security in the company's engineering process. Vista is the first client operating system release to have gone through Microsoft's Security Development Lifecycle, a process designed to prevent flaws and vet code before it ships.

Lambert said the company has examined all of the security alerts it had to send out for flaws in previous versions of Windows. "We looked at all the security bulletins that we issued and why we did not catch those bugs in design," he said.

Other parts of Microsoft's effort to make Vista the "most secure version of Windows yet," in the words of Windows chief Jim Allchin, include looking for new bugs and using scanning tools. It also means calling on human hacking power, both inside and outside Microsoft, Lambert said. He mentioned the "Blue Hat" events, where Microsoft has invited hackers to come to its headquarters to talk security.

"This is the largest commercial penetration test in history," Lambert said, speaking about the security tests Microsoft is putting Vista through before its release.

The audience appeared very interested in the presentation, and at times people broke out in laughter, for example when Lambert talked about the public disclosure of a serious flaw right after the release of the Beta 2 of Internet Explorer 7. How did Microsoft react to that? Lambert showed an animation of a man banging his head on a keyboard.

But after the initial embarrassment, Microsoft realized that it had actually found the IE 7 flaw a couple of months earlier; it just had not been addressed in that beta release, Lambert said. Before final release, bugs like that will be fixed, he said.

Several attendees, including Hoover, said they found the talk appealing. "I didn't come here to learn how to hack," he said. "I am here to learn how Microsoft is making the world better for us. If they are doing what they say they are, they are definitely headed in the right direction."

Others agreed with Hoover's assessment. "It is education about Vista security, and that's always better to get directly from Microsoft," said Ross Mackenzie, a security specialist for an Australian bank and a first-time Black Hat attendee.

Richard Bjerregaard, a systems administrator at IBM in Denmark, was happy to hear that Microsoft is using code-auditing tools. "They are doing a lot of things right," he said.

Though some might perceive Microsoft's Black Hat sessions as a sales pitch, the reality is that the company already owns the market, Hoover said. "Obviously, they want you to upgrade," he said. "But as much as people like to pick on Microsoft, most of the known world uses it."