funsec mailing list archives
Software Giants Seek Friends Among Hackers
From: "Richard M. Smith" <rms () bsf-llc com>
Date: Thu, 3 Aug 2006 11:45:06 -0400
http://online.wsj.com/article/SB115456661360125253.html?mod=technology_featured_stories_hs

Software Giants Seek Friends Among Hackers
By VAUHINI VARA
August 3, 2006; Page B1

LAS VEGAS -- Not long ago, HD Moore was a thorn in the side of Microsoft <http://online.wsj.com/quotes/main.html?type=djn&symbol=msft> Corp. Mr. Moore finds flaws in computer software and posts programs on his Web site that help researchers -- and hackers -- exploit them. For years, Microsoft kept him at arm's length.

But at this week's Black Hat conference in Las Vegas, an annual powwow where hackers and other "security researchers" share their work, Microsoft plans to wine and dine Mr. Moore at a party at the fancy Palms Hotel. A Microsoft security executive wants to meet with him to discuss his latest work. And earlier this year, the Redmond, Wash., company invited him to speak at a Microsoft-sponsored conference on security.

[H.D. Moore] <http://online.wsj.com/public/resources/images/HC-GI451_Moore_20060802160439.gif>

"There were a few tense silences," says Mr. Moore, 24 years old, who lives in Austin, Texas. But he says the meetings put a human face on a company he once saw as impenetrable. "You're less willing to publicly humiliate someone you know in real life," he says.

Microsoft, Cisco <http://online.wsj.com/quotes/main.html?type=djn&symbol=csco> Systems Inc., Oracle <http://online.wsj.com/quotes/main.html?type=djn&symbol=orcl> Corp. and other tech giants are engaging in a full charm offensive here as they seek to convince security researchers to work with, not against, them. In particular, the companies want "white hat" hackers like Mr. Moore to disclose the software flaws they find to the software makers first, so they have a chance to fix them before revealing them more widely.

To that end, a significant number of the 3,200 attendees at Black Hat this year are representatives from Microsoft and other companies.
Microsoft plans to host several sessions on Windows Vista, its new operating system, so that researchers can scour the software for security gaps and offer feedback.

Cisco, meanwhile, is sending its chief security officer, John Stewart, to Black Hat, and has bought a top sponsorship slot at the event. That is a turnabout from last year, when Cisco attracted the scorn of attendees for trying to sue a researcher who presented a flaw in Cisco's routers. "We had the best of intentions, and it sort of came across wrong," says Mr. Stewart. "My goal this year was to show up and face the music."

So far, these efforts appear to have yielded some positive results. Stephen Toulouse, a Microsoft security-program manager, says recent information from outside researchers about flaws in Microsoft's products helped the company address those issues -- and make changes to future releases -- more quickly than it otherwise would have. Because of the researchers' help, "we have discovered things during the development of these products that we might not have discovered otherwise," he says.

At Microsoft, the company's approach to security began shifting in 2002. That year, company co-founder Bill Gates sent a memo telling his staff that security was Microsoft's top priority. Executives soon realized they could learn from people like Mr. Moore, who are experts in dissecting software, says Mr. Toulouse.

Mr. Toulouse and his colleagues began talking more candidly with researchers at public events, then in one-on-one conversations. In 2003, the executives threw an "appreciation" party for researchers at Black Hat. "The night before, I was a wreck," says George Stathakopoulos, general manager of Microsoft's security-technology unit. "I didn't know if anyone was going to show up." The party was tense at first, say Microsoft executives, but helped the company improve relationships with researchers.
Last year, Microsoft also invited researchers to give presentations to its employees at its own security conference. Now the company has surpassed other software vendors when it comes to currying favor with researchers, says Jon Ellch, a 24-year-old researcher in Monterey, Calif. -- "at least in terms of the number of beers (it) bought for me."

Mr. Moore is experiencing this shift by Microsoft firsthand. As director of security research at Austin-based security company BreakingPoint Systems Inc., Mr. Moore has been a white-hat hacker since he found his first software flaw at the age of 14. By the time he was 17, he was doing contract work for the U.S. Air Force. (He says he was born with the name H.D.; the initials don't stand for any other names.)

When he found vulnerabilities in Microsoft software, Mr. Moore says he felt it typically took too long for the company to get back to him. Often, they didn't fix the flaws after he reported them, he says.

In 2002, when Microsoft spearheaded the creation of the Organization for Internet Security -- a group of security firms that had put together certain strict guidelines on disclosing software flaws -- and tried to get Mr. Moore and his small firm to join, he refused. Mr. Moore says he felt his ability to do independent research would be stifled.

Microsoft's Mr. Toulouse declined to comment on Mr. Moore's refusal to join the Organization for Internet Security but calls the researcher "extremely brilliant. We can be disappointed about some of his actions, but we have enormous respect for him."

Mr. Moore says Microsoft started wooing him in earnest in 2003 when the company invited him to its Black Hat party. Last year, Microsoft also asked him to present to a group of its employees at its security conference, which is known as Blue Hat. After he spoke, Mr. Moore met some of the programmers behind the software he researches, as well as some members of the security group with whom he had exchanged heated emails in the past.
Mr. Moore, who says he knew about 10 Microsoft employees previously, now knows close to 40 people who work for Microsoft or do contract work for the company. Over the past year, he notes, Microsoft has hired some of his friends. "They've been on a hacker buying spree," says Mr. Moore.

Now when Mr. Moore discovers flaws in Microsoft code, he often sends a note directly to a Microsoft programmer, rather than relaying his findings to a general Microsoft email address that he used in the past. As a result, he is getting quicker responses from the company and his information makes it to the appropriate person without having to filter through the formal system.

Microsoft executives have even offered to visit him. On July 3, Mr. Moore got an email from Mike Reavey, a manager at Microsoft's security-response center. Mr. Reavey was concerned that Mr. Moore's latest project -- a high-profile effort to catalog the bugs in Microsoft's Internet Explorer browser -- could give ammunition to hackers. He offered to fly to Austin to talk about it. Mr. Moore, saying a visit wasn't necessary, offered to post vulnerabilities in non-Microsoft browsers for a few days instead.

A few days later, Mr. Moore sent Mr. Reavey a wish list of changes he hoped for from Microsoft. Among them: Give researchers more information about vulnerabilities and tone down the bulletins blaming researchers for disclosing flaws. Mr. Reavey responded in an email that "change is a bit slower than you might think." But as a final point, he added, "I really appreciate the dialogue."

Write to Vauhini Vara at vauhini.vara () wsj com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.