funsec mailing list archives

Software Giants Seek Friends Among Hackers


From: "Richard M. Smith" <rms () bsf-llc com>
Date: Thu, 3 Aug 2006 11:45:06 -0400

http://online.wsj.com/article/SB115456661360125253.html?mod=technology_featured_stories_hs


Software Giants Seek Friends Among Hackers

By VAUHINI VARA
August 3, 2006; Page B1


LAS VEGAS -- Not long ago, HD Moore was a thorn in the side of Microsoft Corp. Mr.
Moore finds flaws in computer software and posts programs on his Web site
that help researchers -- and hackers -- exploit them. For years, Microsoft
kept him at arm's length.

But at this week's Black Hat conference in Las Vegas, an annual powwow where
hackers and other "security researchers" share their work, Microsoft plans
to wine and dine Mr. Moore at a party at the fancy Palms Hotel. A Microsoft
security executive wants to meet with him to discuss his latest work. And
earlier this year, the Redmond, Wash., company invited him to speak at a
Microsoft-sponsored conference on security.

[Image: H.D. Moore]

"There were a few tense silences," says Mr. Moore, 24 years old, who lives
in Austin, Texas. But he says the meetings put a human face on a company he
once saw as impenetrable. "You're less willing to publicly humiliate someone
you know in real life," he says.

Microsoft, Cisco Systems Inc., Oracle Corp.
and other tech giants are engaging in a full charm offensive here as they
seek to convince security researchers to work with, not against, them. In
particular, the companies want "white hat" hackers like Mr. Moore to
disclose the software flaws they find to the software makers first, so they
have a chance to fix them before revealing them more widely.

To that end, a significant number of the 3,200 attendees at Black Hat this
year are representatives from Microsoft and other companies. Microsoft plans
to host several sessions on Windows Vista, its new operating system, so that
researchers can scour the software for security gaps and offer feedback.

Cisco, meanwhile, is sending its chief security officer, John Stewart, to
Black Hat, and has bought a top sponsorship slot at the event. That is a
turnabout from last year, when Cisco attracted the scorn of attendees for
trying to sue a researcher who presented a flaw in Cisco's routers.

"We had the best of intentions, and it sort of came across wrong," says Mr.
Stewart. "My goal this year was to show up and face the music."

So far, these efforts appear to have yielded some positive results. Stephen
Toulouse, a Microsoft security-program manager, says recent information from
outside researchers about flaws in Microsoft's products helped the company
address those issues -- and make changes to future releases -- more quickly
than it otherwise would have. Because of the researchers' help, "we have
discovered things during the development of these products that we might not
have discovered otherwise," he says.

At Microsoft, the company's approach to security began shifting in 2002.
That year, company co-founder Bill Gates sent a memo telling his staff that
security was Microsoft's top priority. Executives soon realized they could
learn from people like Mr. Moore, who are experts in dissecting software,
says Mr. Toulouse.

Mr. Toulouse and his colleagues began talking more candidly with researchers
at public events, then in one-on-one conversations. In 2003, the executives
threw an "appreciation" party for researchers at Black Hat. "The night
before, I was a wreck," says George Stathakopoulos, general manager of
Microsoft's security-technology unit. "I didn't know if anyone was going to
show up."

The party was tense at first, say Microsoft executives, but helped the
company improve relationships with researchers. Last year, Microsoft also
invited researchers to give presentations to its employees at its own
security conference. Now the company has surpassed other software vendors
when it comes to currying favor with researchers, says Jon Ellch, a
24-year-old researcher in Monterey, Calif. -- "at least in terms of the
number of beers (it) bought for me."

Mr. Moore is experiencing this shift by Microsoft firsthand. As director of
security research at Austin-based security company BreakingPoint Systems
Inc., Mr. Moore has been a white-hat hacker since he found his first
software flaw at the age of 14. By the time he was 17, he was doing contract
work for the U.S. Air Force. (He says he was born with the name H.D.; the
initials don't stand for any other names.)

When he found vulnerabilities in Microsoft software, Mr. Moore says he felt
it typically took too long for the company to get back to him. Often, they
didn't fix the flaws after he reported them, he says. In 2002, when
Microsoft spearheaded the creation of the Organization for Internet Security
-- a group of security firms that had put together certain strict guidelines
on disclosing software flaws -- and tried to get Mr. Moore and his small
firm to join, he refused. Mr. Moore says he felt his ability to do
independent research would be stifled.

Microsoft's Mr. Toulouse declined to comment on Mr. Moore's refusal to join
the Organization for Internet Security but calls the researcher "extremely
brilliant. We can be disappointed about some of his actions, but we have
enormous respect for him."

Mr. Moore says Microsoft started wooing him in earnest in 2003 when the
company invited him to its Black Hat party. Last year, Microsoft also asked
him to present to a group of its employees at its security conference, which
is known as Blue Hat. After he spoke, Mr. Moore met some of the programmers
behind the software he researches, as well as some members of the security
group with whom he had exchanged heated emails in the past.

Mr. Moore, who says he knew about 10 Microsoft employees previously, now
knows close to 40 people who work for Microsoft or do contract work for the
company. Over the past year, he notes, Microsoft has hired some of his
friends. "They've been on a hacker buying spree," says Mr. Moore.

Now when Mr. Moore discovers flaws in Microsoft code, he often sends a note
directly to a Microsoft programmer, rather than relaying his findings to a
general Microsoft email address that he used in the past. As a result, he is
getting quicker responses from the company and his information makes it to
the appropriate person without having to filter through the formal system.

Microsoft executives have even offered to visit him. On July 3, Mr. Moore
got an email from Mike Reavey, a manager at Microsoft's security-response
center. Mr. Reavey was concerned that Mr. Moore's latest project -- a
high-profile effort to catalog the bugs in Microsoft's Internet Explorer
browser -- could give ammunition to hackers. He offered to fly to Austin to
talk about it. Mr. Moore, saying a visit wasn't necessary, offered to post
vulnerabilities in non-Microsoft browsers for a few days instead.

A few days later, Mr. Moore sent Mr. Reavey a wish list of changes he hoped
for from Microsoft. Among them: Give researchers more information about
vulnerabilities and tone down the bulletins blaming researchers for
disclosing flaws.

Mr. Reavey responded in an email that "change is a bit slower than you might
think." But as a final point, he added, "I really appreciate the dialogue."

Write to Vauhini Vara at vauhini.vara () wsj com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.