Microsoft Engaging With Hackers

**wildwood** · 7th October 2006 01:50 PM

In a few weeks time Microsoft is expected to launch Vista, its new operating system, and in January we will all get to play with the finished version. But how safe will this brave new world be?

Given the number of attacks Windows usually attracts it is not surprising that Microsoft has been speaking to anyone they think can help.

A team from Microsoft headquarters went to Malaysia for Asia's biggest gathering of hackers - not to confront the enemy - but to throw the hackers a party.

But behind the charm offensive, said Microsoft's Security Programme Manager Sarah Blankinship, lies a serious purpose.

"We come to conferences like Hack in the Box to engage with the security researcher community, to deepen our existing relationships, to understand new technologies, tools and methodologies, and ultimately to help us make our products more secure and to keep our customers safer."

Open relationship

Hack in the Box brings together hackers, security professionals and the companies who rely on their expertise.

Together they may determine whether 2007 is a good or bad year for Microsoft, because security will probably make or break Vista, its first new operating system since XP's security-plagued release six years ago.

I still don't feel that Microsoft is going to take it very seriously
Joanna Rutkowska, Security Researcher

As Mike Davis from Honeynet explained, there has been a shift of culture that has led Microsoft to open up and engage with the hackers.

"Everybody sees them as the big evil empire that nobody's ever going to be able to change, but in actuality they are changing. They're making a lot of strides to communicate more with researchers, the community.

"They're inviting people into their home, to the Microsoft campus to tell them what's wrong with their code, how they can fix it.

"They're asking for help instead of just standing at the top of their mountain and saying 'we are the best'."

The Microsoft team's top priority is a discussion about an apparent flaw in Vista security.

They say they are here to listen - but are they? Joanna Rutkowska, a security researcher for Coseinc, is not so sure.

"After I presented my findings at the Ciscern conference in Singapore in July, about how to bypass Vista kernel protection, I still don't feel that Microsoft is going to take it very seriously.

"I talked to some Microsoft engineers a couple of days ago and they say they're not sure that they're going to do anything about this."

Competition concerns

At Hack in the Box, Microsoft's Doug MacIver gave an insiders take on security flaws in Vista. He is an expert in the platform's BitLocker Drive Encryption.

Integrating tighter security features into the new OS seems a logical step, but is it fair?

The European Union has already voiced concern that by including features traditionally bought from independent suppliers, Microsoft is being anti-competitive.

John Viega from McAfee also seems to think so: "I think it's pretty unfortunate that Microsoft is here to cosy up to the security industry when they're working so hard to lock security vendors off their platform.

"With Vista, their new operating system, they're trying to keep vendors off by putting security technologies on that ensure that they have control over who can offer protection and who can't."

While the security software firms may feel cold-shouldered, the hackers are happy to enjoy a drink with Microsoft, especially when the "evil empire" is buying.

But the question is: will the hackers still respect Microsoft in the morning? If there was an answer at Hack in the Box it was a resounding "maybe".

They like the charm offensive, they are just not sure how long it is going to last.