June 17, 2005 12:47PM  |
 Digg It!  Bookmark to del.cio.us |
I see all these things as somewhat sad attempts to pander to the media’s love of hacking, and a bit of wishful thinking along the lines of ‘maybe if we’re nice to the hackers they’ll be nice to us in return,’” is how Marcus Ranum, chief security officer of Tenable Network Security and inventor of the proxy firewall, described the event.
PlateSpin’s new PowerSolution for Disaster Recovery allows you to automatically scan and inventory production environments, generate disaster recovery plans and create fully redundant standby systems on virtual or physical environments – all at a fraction of the cost of traditional DR solutions. Turning Customer Experiences into Competitive Edge: Nikon’s Journey to Leadership.
 Microsoft recently invited hackers to descend upon Redmond for a chance to exploit Windows code openly. The event was billed as “Blue Hat” in reference to the popular Black Hat conferences that provide a public forum for security professionals and the hacking community to interface.The two-day Microsoft affair was another step toward Gates’ claim that Microsoft will create more secure products. Currently, the software giant estimates a third of its research budget — US$2 billion dollars — is spent annually on security-related matters. However, not all security professionals think the strategy of meeting with hackers will be effective for the company. “I see all these things as somewhat sad attempts to pander to the media’s love of hacking, and a bit of wishful thinking along the lines of ‘maybe if we’re nice to the hackers they’ll be nice to us in return,’” is how Marcus Ranum, chief security officer of Tenable Network Security and inventor of the proxy firewall, described the event.
Redmond heavyweights, including Brian Valentine, senior vice president of the Windows core operating system division and Jim Allchin — a member of the senior leadership team that includes Steve Ballmer and Bill Gates — were on hand for the first-person experience of exploits to the products they oversee. Also attending were about 400 Windows engineers, including those whose job descriptions don’t necessarily include security. On the other side of the table were security researchers responsible for outing vulnerabilities in Microsoft products, such as H.D. Moore, creator of Metasploit, and Dan “Effugas” Kaminsky, who enlightened Microsoft execs how two Web pages could have the same hash.
Both groups walked away from the conference with more of a psychological as well as technical understanding of each other. Despite feeling somewhat shown-up by their invited guests, Microsoft engineers watched in fascination as Moore demonstrated a VNC injection exploit. The engineers realized that hackers are no longer geeky teenagers with nothing better to do, but educated and seasoned technology professionals just like themselves. Likewise, security researchers gained a better perspective of the processes Microsoft engineers must go through when faced with vulnerabilities divulged by the hacking community. In an effort to continue their march toward more secure code, both Microsoft and security researchers felt opening the door to the dark side of computer security was a step in the right direction. “I think the approach they took was a right balance between expertise and getting valuable feedback,” said Dr. Eric Cole, author of Hackers Beware and Security Essentials Toolkit. “If you brought in true black hats, they would not share how they actually got in,” he said. “This is like saying a bank should hire actual bank robbers to test the security. If they do not get caught during the exercise, would they really tell you?” |
