Home Phone and Internet $60/mo(continued from previous page)
"Blue Hat" brought together the world's most powerful software company and the security researchers who pick apart its products. Participants included:
Jim Allchin: Jim Allchin is Microsoft's group vice president in charge of the Windows
unit. His job is to oversee the development of current and future versions of the operating system.
Matt Thomlinson: As Microsoft's director of security engineering, Matt Thomlinson is in
charge of making sure programmers throughout the company are up to speed on current and emerging threats.
Noel Anderson: Noel Anderson is Microsoft's program manager for wireless, mobility and
home networking. He's one of the Windows programmers responsible for
managing the ways in which the operating system connects to wireless
networks.
Dan Kaminsky: Dan Kaminsky's recent research includes looking at the limitations of
hashing algorithms, as well as the potential for sending large files via
the Internet's Domain Name System. He is currently doing work for Avaya.
HD Moore: HD Moore is the creator of Metasploit, a tool that system administrators can use to test whether their systems are safe from intrusion.
Over the years, security has become an increasingly bigger concern for Microsoft. Some key events:
WinInsider
SearchWindowsSecurity
eWeek
Associate editor: Yvonne Guzman
Copy editors: Leslie Katz, Richard Defendorf
Design: Michelle White
Production: Michelle White, Mike Markovich
(continued from previous page)
adding that he doesn't plan to change his practice of giving companies 30 days before going public with issues. "I still have no desire to play e-mail tag with the (security response team) for a year for every bug that I find."
But Moore did gain a better understanding of why it takes Microsoft so long to create patches and said his impression of the people who create the products have changed. "I still may not agree with their security policies and how they handle bug reports, but at least I know they actually believe what they are saying," he said.
Director of security
engineering, Microsoft
Others agreed. "They are taking this subject seriously. It was really cool to see," said Kaminsky, a security researcher who does work for telecommunications company Avaya. "At some point, there was a shift at Microsoft."
That shift began in earnest with a well-publicized memo written by Gates on the concept of "
"The security faults we are seeing could end up bringing an end to the era of personal computing," Kaminsky said. "The ability to customize our computers is under attack from those who are customizing it against our will."
It was this kind of impassioned rhetoric that won respect even among some of the more wary Microsoft participants.
Noel Anderson, a wireless networking engineer on Microsoft's Windows team, became suspicious as soon as he walked into the hacking demo--and saw the giant wireless antenna at the front of the auditorium.
Anderson decided that he should leave his laptop turned off, an instinct that saved him the embarrassment of falling into the hackers' trap, even though the hackers focused on a demo laptop. But under different circumstances, he thought to himself, "I might have even fallen for that."
As a result, Anderson and his team walked away with some concrete ideas on how to make sure future versions of Windows are more resilient to wireless attacks. He also left the room with a new respect for the hackers behind the demonstration.
"It's not just a bunch of disaffected teenagers sitting in their mom's basement," he said. "These are professionals that are thinking about these issues."
The hackers, for their part, seemed equally impressed with the technical knowledge of the senior executives they encountered.
At one point, researcher Matt Conover was talking about a fairly obscure type of problem called a "heap overflow." When he asked the crowd, made up mostly of vice presidents, whether they knew about this type of issue, 18 of 20 hands went up.
"I doubt that there is another large company on this planet that has that level of technical competency in management roles," Moore said.
Yet regardless of the mutual admiration, some tense moments were inevitable during the confrontation.
Microsoft developers, for instance, were visibly uncomfortable when Moore demonstrated
"You had these developers saying, 'Why are you giving the world these tools that make it so easy to do exploitation?'" Kaminsky said. They calmed down, he said, once the researchers were able to state their case.
"We do regression testing in the real world of software development," Kaminsky said. "If we say, 'This thing isn't going to break,' then we need to test that. What these tools give is the ability to do this kind of testing, to be able to say not just, 'We did the best we could,' but 'We tried stuff and nothing worked.'"
Nevertheless, he understands why not all Microsoft developers were satisfied with the explanation.
"I'm also sure Ford wasn't too happy with (Ralph) Nader's reports in the late '60s," he said. "What do you mean you are telling people our cars can blow up?"
Security researcher
By the end of the two days, those on both sides felt they had just scratched the surface and were more than willing to meet again.
And executives such as Toulouse and Anderson said they came to a better understanding of what makes hackers tick.
"We have conversations where we say an attacker might do this or an attacker might do that. Now there is a face to some of those guys," Anderson said. "They were just as much geeks as we were."
The next time a Blue Hat event is held, as promised by Microsoft, Kaminsky said he would jump at the chance to return--assuming Microsoft lets him back.
"I'll be there next time, no matter what," he said. "I have some really interesting and devious plans coming up." 
