Microsoft Invites Hackers to Test Vista
After suffering embarrassing security exploits over the past several years,
Microsoft Corp. is trying a new tactic: inviting some of the world's best-known
computer experts to try to poke holes in Vista, the next generation of its Windows
Microsoft made a test version of Vista available to about 3,000 security professionals
Thursday as it detailed the steps it has taken to fortify the product against
attacks that can compromise bank account numbers and other sensitive information.
"You need to touch it, feel it," Andrew Cushman, Microsoft's director
of security outreach, said during a talk at the Black Hat computer-security
conference. "We're here to show our work."
Microsoft has faced blistering criticism for security holes that have led to
network outages and business disruptions for its customers. After being accused
of not putting enough resources into shoring up its products, the software
maker is trying to convince outsiders that it has changed.
"They're going directly to the bear in the bear's lair," says Jon
Callas, the chief technology officer at PGP Corp., which makes encryption software
and other security products. "They are going to people who don't like them,
say nasty things and have the incentive to find the things that are wrong."
Due early next year, Vista is the first product to be designed from scratch
under a Microsoft program dubbed secure development life cycle, which represents
a sea change in the company's approach to bringing out new products. Instead
of placing the addition of compelling new features at the top of engineers'
priority list, Microsoft now requires them to first consider how code might
A security team with oversight of every Microsoft product -- from its Xbox video
game console to its Word program for creating documents -- has broad authority
to block shipments until they pass security tests. The company also hosts two
internal conferences a year so some of the world's top security experts can
share the latest research on computer attacks.
Cushman said the presentations have already paid off. One talk, delivered in
March by a security expert named Johnny Long, detailed a new way to identify
security holes using Google. Shortly after the talk, a Microsoft manager applied
the technique and discovered a customer was at risk because it hadn't properly
set up a computer that was running SQL, a database program that competes with
business programs sold by Oracle Corp.
But internal conferences are one matter. Taking Vista to Black Hat, where some
of the world's foremost security gurus annually make sport of ripping through
programming code to find bugs, is another.
"The fact that they're releasing it here is probably a bold statement,"
said Mike Janosko, a security expert with Ernst & Young who has been reviewing
Vista for several months.