Microsoft challenges hackers to crack Vista

[Larwee]

There are some people who are calling this a brilliant move while others are saying it is stupid and dangerous. No matter what you call it, the one thing for sure is that this is a different way to test.

During the past few years Microsoft has received a lot of criticism because of the security flaws in their operating system. It seems as if there was a constant stream of new ones being discovered. Microsoft wants to try to find ways to reduce the flaws and criticism.

About 3,000 people attended the Black Hat security conference. Microsoft challenged them to break Vista's security. They will be trying to do it with a beta version of the new operating system.

The general belief is that some flaws are going to be found. But this will give Microsoft a chance to fix them before it is released and therefore end up releasing a product with a lot less flaws.

One view of this is that if flaws are found Microsoft can say it was a beta and a beta can't expected to be perfect. At the same time they will have eliminated many of these bugs before release and saved themselves some embarrassment. After all, some of the best computer experts in the world will be looking for the flaws and will take pride in finding them.

This could also be some very good public relations work on the part of Microsoft because this surely could give the impression that they are very serious about security.

Here is a link to an article that has more information about this Network Security - Microsoft Dares Hackers To Test Vista

[sarahk]

You'd be very naive if you didn't expect Microsoft to be enlisting hackers to crack the system. Better they find out now, than later.

I worked with a big telco and sat by two teenage goths. They were on the full time payroll but took time off to study and I think they actually did stuff but most of their time was spent hacking the internal systems and looking for flaws. Better they found it before anyone else did

[Larwee]

What makes this a different way to test is not because Microsoft is trying to find some flaws before release, but the people they are having look for the flaws. These hackers are the ones attending the Black Hat security conference. A quote from the referenced article

Quote:

The move marks a radical strategic change by Microsoft. Never before has it subjected its software to this sort of independent analysis by some of the best computer experts in the world.

They have tested before release in the past, but a lot wasn't found and it really hurt their image. This time they are giving some of the best hackers in the world a chance at it. Every flaw probably won't be found this time either, but Microsoft's expectation is that these Black Hat security conference attendees will find more than would have otherwise been found.

But even if this is the case and there are constant security flaws being found after release, Microsoft is going to be in the same position as they were in the past.

[Larwee]

Probably not very many people are surprised, but Vista has been hacked. Microsoft issued a challenge to hackers at the Black Hat security conference and Vista was hacked in a demonstration at the conference in Las Vegas, Nevada.

A researcher by the name of Joanna Rutkowska show it was possible to bypass Vista security measures that are suppose to prevent unsigned code from running.

She also explained how to use virtualisation technology to make malicious code undetectable. Rutkowska code-named her malicious software Blue Pill.

Microsoft said it is working on solutions to prevent the attacks Joanna Rutkowska demonstrated before the final release of Windows Vista.

There is a lot more information related to this. I've linked to an article with those details Vista hacked at Black Hat: News - Security - ZDNet Australia

[sarahk]

Quote:

Originally Posted by Larwee

Microsoft said it is working on solutions to prevent the attacks Joanna Rutkowska demonstrated before the final release of Windows Vista.

I wonder what the long term benefits for the hackers are?

[Larwee]

That same thought entered my mind. I wondered if Microsoft made an offer to pay the hackers a good sum of money if they could hack Vista, since it is worth something to Microsoft and that might give more encouragement to the hackers.

Then I remembered how anonymous virus writers often would write a virus just for their own personal satisfaction. They proved to themselves that they could do it. Some also wanted to impress their peers by writing a virus that would spread more and/or do more damage than the ones written by them.

The same could be true for these hackers. They get the personal satisfaction of being able to do what they were challenged to do. They can also impress their peers. Some might actually do it because they feel they are helping the public by saving them from some potential damage by finding these flaws before it is released to the public. There is also the chance that a hacker could really impress some company that would want to hire them for a large sum of money to help them with their security issues. For some it just might be nothing more than having a little fun.

Most likely the hackers have a variety of reasons to be interested. The reasons covered in my speculation probably covers the most common reasons.

[sarahk]

That incentive will work for the first X hacks, after that it'll be "oh so you found one too?". The glory will go to the first people, like this Joanna Rutkowska.

Microsoft have to keep the energy focussed so hacker #53 feels there is still a point. Otherwise s/he'll shut up and wait until the release to see if the vulnerability still exists and do something much more "satisfying" with it.