Want CNET to notify you of price drops and the latest stories?

Microsoft wants to meet more hackers

Software giant plans to invite hackers back for twice-annual meetings to show developers flaws discovered in Microsoft products.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Microsoft wants its "Blue Hat" date with hackers to become a regular affair, with twice-yearly events where outsiders demonstrate flaws in Microsoft's product security.

In March, Microsoft invited several hackers to its Redmond, Wash., headquarters for the first time. The two-day meeting of Microsoft insiders with independent researchers provided each side with a glimpse into the other's world. That get-together was such a success that Microsoft is planning more of the events.

"We want to try and do it twice a year," Stephen Toulouse, a program manager in Microsoft's security unit, said in an interview. "It had a huge benefit to our developers." The event gives executives and developers a different look at product security, he said.

At one point in the March meeting, a hacker lured a laptop running Windows onto a rogue wireless network. He did it in front of the people who developed the operating system. "You're seeing how the technology that you created could potentially be misused, so you come out of that with a much deeper understanding," Toulouse said.

Tip of the hat
Microsoft modeled and named Blue Hat after the widely known Black Hat security conference, which took place last week in Las Vegas. Many of the talks at the annual Black Hat dive deep into security flaws found in software. (The Blue Hat name is tweaked to reflect Microsoft's corporate color, in particular the blue badges worn by Microsoft employees at the company's campus.)

"We sent over 80 people to Black Hat, but we have got many thousands more who could benefit from the perspective of a security researcher," Toulouse said.

The first Blue Hat meeting focused on security in Windows. The next event could highlight security in products from other Microsoft groups, such as the Office productivity suite or its MSN online lineup, Toulouse said. "We are seeing interest from other groups. You could, in the future, see something like a Blue Hat about Office," he said.

"We have got many thousands...who could benefit from the perspective of a security researcher."
--Stephen Toulouse, program manager, Microsoft's security unit

Security researchers are also showing interest in Blue Hat. The event wasn't officially on Microsoft's Black Hat calendar, but many researchers asked Toulouse and his colleagues about it and said they wanted to participate, he said.

Microsoft rented the Pure Nightclub in Caesars Palace on Thursday to treat the security community to a party with techno music and free cocktails. The company also threw an after-party at another Las Vegas hotel.

By hosting such parties and the Blue Hat event, Microsoft may be seeking to influence the security community. For example, Microsoft regularly preaches "responsible disclosure" of flaws, in which software makers are given time to repair a problem. Microsoft doesn't want researchers to go public with information on vulnerabilities before the company has had a chance to provide a patch.

"We want to learn from them and let them know that the people inside Microsoft that are working on security are all individuals and very passionate about security. It is not some big invisible monolithic thing that you hear about, but you can't see," Toulouse said.

Security researcher Dan Kaminsky attended the first Blue Hat and supports the event. "It is so nice to be able to complain about something and have somebody stand up and take responsibility," he said.

Kaminsky also said that Microsoft is listening to the security community. "We are at the point where all the obvious things we tell Microsoft to do, they already do it," he said.

Reaching out to the security community is part of Microsoft's efforts to improve the security of its products and fix up its reputation. The company said it was making security its top priority when it launched its Trustworthy Computing Initiative three years ago. Since then, it has overhauled its in-house development to bolster security and put its multibillion-dollar war chest and research budget to work.

The next Blue Hat is planned for the fall, but no date has been set yet, Toulouse said.