Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft to Publish Blue Hat Findings

Posted by Zonk on Thu Mar 16, 2006 02:29 PM
from the stylish-chapeau dept.
Microsoft Security
An anonymous reader wrote to mention an InfoWorld article about Microsoft's plan to publish some of the findings from last week's Blue Hat conference. From the article: "'Everything was fair game,' wrote SQL Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.' The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus." They have descriptions of some of the sessions up on the site for your perusal.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft to Publish Blue Hat Findings 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Blank passwords (Score:5, Insightful)

    by dedazo (737510) on Thursday March 16 2006, @02:31PM (#14935995) Journal
    I'm sure the executives started the whipping sessions with the person responsible for allowing SQL Server to function happily with a blank 'sa' password.

    • Re:Blank passwords (Score:5, Funny)

      by AKAImBatman (238306) * <akaimbatman.gmail@com> on Thursday March 16 2006, @02:37PM (#14936039) Homepage Journal
      Are you kidding me? That's Microsoft "innovation" at it's finest! Customers always complain to Microsoft that they can't remember their password. So Microsoft created an innovative new way to remember your password: Don't use one!

      Only Microsoft can bring you incredible innovation like this.

      • Re:Blank passwords (Score:2, Insightful)

        by dedazo (737510)
        Only Microsoft can bring you incredible innovation like this.

        I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!) but your comment tells me you have probably no idea how commercial software works.

        I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it. A lot of functionality in Microsoft products come from big business feedback and most of the time it's appropriate because enterprise clients are the ones that real

        • Re:Blank passwords (Score:5, Interesting)

          by AKAImBatman (238306) * <akaimbatman.gmail@com> on Thursday March 16 2006, @03:07PM (#14936287) Homepage Journal
          I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!)

          Good to know.

          but your comment tells me you have probably no idea how commercial software works.

          I'm not quite sure how this statement follows from your first. Do you like a joke or not? Maybe, just maybe, I was only joking?

          The key is that it's an option that you (as the DB admin) can choose to turn off. The MySQL root account will also run with a blank password when you first install it from, say, Synaptic. It's up to you to tighten it down.

          The reason why the root/sa passwords start blank is so you can configure the server immediately after installation. Using a default username/password of some sort (ala Oracle) wouldn't change the security situation to any appreciable degree, and only serves to force the DB administrator to look up the default every time he does an installation. (Which is likely to be rare enough to prevent him from memorizing it.)

          Yeash. Way to spoil a joke.

    • Posturing (Score:5, Interesting)

      by EmbeddedJanitor (597831) on Thursday March 16 2006, @03:02PM (#14936247)
      Yawn... Heard all of these "I'm going to fix that Monday morning" stuff before so many times from so many companies, and seen so little action.

      This is a pretty standard way for companies to handle lynch mobs of unhappy people: Put an exec up on a stage and have everyone yell their guts out and promise to investigate it thoroughly. This is not done just for software security, but just about everything.

      Undoubtedly one or two simple, yet highly visible, things (eg. the password check) will be fixed to show that some action was taken.

      • It doesn't matter how much an exec huffs and puffs if the developers don't respect the priorities he sets for them.

    • Re:Blank passwords (Score:5, Funny)

      by ednopantz (467288) on Thursday March 16 2006, @04:05PM (#14936693)
      yeah, it's not like any other database product ships with a weak password you are supposed to change.

      -Scott Tiger
    • If Microsoft is so serious about security, could they please start by bringing their logging out of the dark ages and to what has been available on UNIX for some times. A UNIX system will log the difference between a bad username and a username with a bad password to the auth.error or auth.info facility, even if it delivers the same generic "Bad username or password" message to the user trying to log in. That's the information Windows actually logs, which makes realtime security monitoring a joke if you'r

  • Could it be...? (Score:4, Interesting)

    by filesiteguy (695431) <kai@perfectreign.com> on Thursday March 16 2006, @02:36PM (#14936028) Homepage
    Could MS actually be taking security seriously?

    Naaahh...

    I'm sure this was a very interesting conference - nice to see names like Johnny Long there ( Google Hacking for Penetration Testers ) http://books.slashdot.org/article.pl?sid=05/04/11/ 1750217&from=rss and other notables. I'm curious if MS will ever really look at what it is that causes so much to go wrong with their departmental OS.

    All the same, I'm sure the findings will be taken back, discussed among those who know and forgotten or buried by marketing executives.

    • well, I think that there's nothing wrong with a Blue Hat conference, it can even be useful, but trying to pretend that Blue Hatters will be attacking one's weak points is as disasterous as attacking Iraq or Iran and not expecting an ever-changing homebrewed guerilla warfare that adapts faster than one can plan.

      the reality is that the attackers will be Black Hats. Blue Hats may be useful, but they aren't the ones attacking you.

    • Re:Could it be...? (Score:4, Interesting)

      by tpgp (48001) on Thursday March 16 2006, @03:23PM (#14936397) Homepage
      Could MS actually be taking security seriously?

      Yes - yes they are.

      You see - MS's customers are demanding it - and MS is trying to deliver - after all, their competition [distrowatch.com] (mostly) is delivering. (See, this is why F/OSS is good for you even if you dont use it:)

      Anyway, I do think MS is making an attempt to take security seriously, but security needs are ultimately outshadowed by their marketing needs.

      Anyway, to bring things (mildly) back on topic, I'll repeat myself: [slashdot.org]

      Note to Microsoft

      We have more then enough hat colours as things stand.

      Blue Hat hacker sounds like an IBM employee anyway (or an Anti-Fedora agent?)

  • Anyone ask why SSL still doesn't do AES? I mean it's 2006 and Microsoft is really the only vendor who DOESN'T do AES or 256-bit encryption in SSL. (I know, they said they'd put it in Vista, but that doesn't help the millions of Windows XP users or Windows 2003 administrators out there.)
    • And also 3des, which we require for managing our Nokias. Gives me a good excuse to run Firefox at work, when the director asks why I can't use our standard browser :)

      • Microsoft SSL already does do 3DES. (Score:5, Informative)

        by xxxJonBoyxxx (565205) on Thursday March 16 2006, @03:11PM (#14936317)
        I believe Microsoft DOES support 3DES on SSL. My "FIPS 140-1" configurations require it. Look for this key in your windows registry - if you have this key, your SSL does 3DES:

        HHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr ol\SecurityProviders\SCHANNEL\ciphers\Triple DES 168/168

      • So, you claim the NSA asked Microsoft to not put AES in IE? This doesn't make much sense either. Like I said, almost every other browser, client or server already supports AES on SSL (including those offered by IBM). It's just weird that Microsoft lags so far behind.

        • Not so weird (Score:5, Interesting)

          by abb3w (696381) on Thursday March 16 2006, @04:14PM (#14936755) Journal
          So, you claim the NSA asked Microsoft to not put AES in IE? This doesn't make much sense either. Like I said, almost every other browser, client or server already supports AES on SSL (including those offered by IBM). It's just weird that Microsoft lags so far behind.

          Not that weird. Yes, every other browser/client/server supports it. IE still has comfortably more than half [hitslink.com] of the browser market, even though it's in decline. So, if the NSA can't break AES, they ask M$ not to put it in, and a large chunk of the traffic remains readily readable.

          "But," you may say, "anyone who knows what they're doing will use something more secure." True. However on one hand, crooks and terrorists are often (albeit not always) stupid, and might not always do so; and on the other hand, the easily broken traffic can be quickly sorted out, leaving a smaller quantity of harder-to-break traffic where content analysis is neglected but traffic analysis [wikipedia.org] approaches become profitable. Limiting the capabilities of the drooling-luser set is helpful, because it makes it easier to pick out the bad guys who hide by leaving a smaller set of both the good and the bad guys who can hide. Rather than struggling to separate all the good from the bad, they can first quickly separate the smart from the stoooopid.

          Of course, there's no proof the AC's assertion is true... but it doesn't matter much for the sake of arguement.

      • Yeah, Microsoft finally added AES to its core crypto stuff back in 2003 (I think), but for some odd reason they didn't extend support into the areas that would have used it most: SSL for IIS and SSL for IE. (Dunno if Outlook Express would have used it...probably.)

  • obligatory (Score:5, Funny)

    by endrue (927487) on Thursday March 16 2006, @02:38PM (#14936054)
    The 'Blue' part comes from the color of screens that Microsoft staffers see on campus.

    Someone had to say it, folks!

    - Andrew

    • Black Hats or...? (Score:4, Interesting)

      by Roadkills-R-Us (122219) on Thursday March 16 2006, @02:42PM (#14936089) Homepage
      And maybe they want to make sure when everyone thinks "$color hat" they *don't* think of "Red Hat".

      MS plays that sort of game a lot.
      • I think you may be right. They should try to stand apart though, maybe through a whole new article of clothing. "Blue Shoe" has a nice ring to it.

        - Andrew
      • Makes sense, but using blue is utterly wrong from a marketing standpoint, for two reasons. First, a lot of us still remember IBM as the "Blue Suit" company. Blue is their color. Even their logo is still blue. Second, blue is the color of your screen when you run Windows [into the ground]. Well, unless you run XP. Then it just reboots without showing you the [useless] blue screen. I wouldn't be surprised if people started just calling Windows "Blue Hat Linux", sort of a pun indicating both the fact that Wind

  • Putting an Axe to Innovation (Score:5, Funny)

    by Nuclear Elephant (700938) on Thursday March 16 2006, @02:40PM (#14936065) Homepage
    I want the people responsible for those features in my office early next week

    With quotes like that, it's no wonder Vista's long list of features has been dwindled down to a new Media Player and better video drivers.
    • Frankly, I'd rather have only a new media player and better video drivers if it means not having yet more security holes in the base OS.

      The message shouldn't be: Don't implement new features. It should be: Think about security when implmenting new features. Remember that attacks come from below your level of abstraction as well.

    • Re:Putting an Axe to Innovation (Score:4, Funny)

      by ArsenneLupin (766289) on Thursday March 16 2006, @04:09PM (#14936725)
      With quotes like that, it's no wonder Vista's long list of features has been dwindled down to a new Media Player and better video drivers.

      You mean, like video drivers that won't crash if you visit certain web sites [bluescreen.org.lu]?

      • Confusion cleared up here. (Score:5, Funny)

        by hey! (33014) on Thursday March 16 2006, @03:08PM (#14936298) Homepage Journal
        Ok, now Im confused. I thought the current /. theory about delays and feature cancellations in Vista was that the development team were to busy dodging chairs to get any coding done?

        OK, it's time to have mercy on you guys who haven't figured it out.

        There is no Microsoft.

        It's all a MMOG/interactive fiction thing where geeks pretend to be code monkeys in service to the evil empire. C'mon, the Gates was a bit subtle, I admit; you could almost believe he existed. But Ballmer should have clued you in. No real board would hire a guy like that unless they were running a side show and needed a "Wild Man of Borneo".

        The coolest part of the hack was when they started sending out boxes of their "product", complete with CDs and manuals (look closely -- a lot of it's just "ipsum lorem"). That was sheer brilliance. I picked one myself as a souveneir, I'm looking at the box up on my book shelf right now, it's very well done. Just the other I had to keep my elderly father-in-law, who was an engineer back in the day and no dummy, from "borrowing" my copy. Boy would he have been surprised.

        Oh... God Gad.

        You didn't actually install any of that shit, did you?

  • Pretty optimistic, isn't he? (Score:4, Funny)

    by Weaselmancer (533834) on Thursday March 16 2006, @02:44PM (#14936109)

    Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.'

    I'd be a little more worried if I was Brad. That feature your boss wants to know who's responsible for..what if it's 'Clippy'???

  • "The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus."

    "Badges?"

    "We don't need no stink'n badges!"

  • Nobody Expects (Score:5, Funny)

    by gurutc (613652) on Thursday March 16 2006, @02:49PM (#14936146)
    the Seattle Inquisition!!!

  • Which is it? (Score:4, Insightful)

    by $RANDOMLUSER (804576) on Thursday March 16 2006, @02:51PM (#14936156)
    > Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Does that mean domesticated or tame?

  • Red Hat vs. Blue Hat (Score:5, Funny)

    by digitaldc (879047) * on Thursday March 16 2006, @02:52PM (#14936168)
    This is your last chance. After this, there is no turning back.
    You put on the blue hat - the story ends, you wake up in your bed and believe whatever you want to believe.
    You put on the red hat - you stay in Wonderland and I show you how deep the security-hole goes.

  • The People Responsible (Score:5, Funny)

    by gurutc (613652) on Thursday March 16 2006, @02:54PM (#14936186)
    Now just how do they expect to get Steve Jobs in their office?

      • Re:The People Responsible (Score:4, Informative)

        by Drizzt Do'Urden (226671) on Thursday March 16 2006, @03:35PM (#14936474) Homepage
        They bought it from Xerox, but they were unhappy with the terms of the contract seeing what Apple did with it.

        This is why Apple won in court against Xerox. It is a urban legend that Apple stole it from Xerox.

        • Re:The People Responsible (Score:4, Informative)

          by kpat154 (467898) on Thursday March 16 2006, @03:46PM (#14936562)
          Well, not really. Apple gave Xerox stock in exchange for allowing the devs to see what was going on at Parc with the express understanding that Apple was attempting to create a UI. Xerox didn't expect Apple to completely rip off their work (which was stupid) and they later sued Apple for that fact. This is almost exactly what MS did to Apple.

          Also, Apple didn't win in court. When Apple sued MS for theft Xerox sued Apple for the same thing. Once Apple lost the suit against MS they simply settled out of court w/ Xerox.
  • Large company actually paying attention to what it's seeing
    yes we can all feel cynical based on many other similar stories.

    but every now and again a company will surprise it and attempt to actually <i>solve</i> problems.
    A lot of Microsoft's problems date from interesting "for the user" support features. This could be interesting to follow...

  • And The Big News Is.... (Score:3, Interesting)

    by Stephen Samuel (106962) <samuelNO@SPAMbcgreen.com> on Thursday March 16 2006, @03:19PM (#14936370) Homepage Journal
    Microsoft is happy to let us know the stuff that they're happy to let us know about the Blue Hat conference.
    (can you tell I've just been watching Red Vs Blue [roosterteeth.com]?

    I do hope that nobody actually paid for this news.

    "All researchers at the BlueHat are responsible,"
    guh.

  • Blame to Go Around (Score:5, Insightful)

    by vjmurphy (190266) on Thursday March 16 2006, @03:19PM (#14936373) Homepage
    "Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"

    Ah, good to know the culture of blame is still a backbone of American industry. Likely that those senior executives are the ones that requested said features originally. But that's okay, I'm sure they'll find some scapegoats.

    • Re:Blame to Go Around (Score:4, Informative)

      by JaredOfEuropa (526365) on Thursday March 16 2006, @04:14PM (#14936757) Journal
      "Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"
      "I want the people responsible for those features in my office early next week; I want to get to the bottom of this" is management-speak for "not it!".

  • Careful what you wish for (Score:5, Funny)

    by 955301 (209856) on Thursday March 16 2006, @03:20PM (#14936375) Journal

    "I want the people responsible for those features in my office early next week"

    The features with security issues? Isn't he risking a fire hazard by doing this? I thought buildings had maximum occupancy ratings?

    *ducks*

  • Corporate Goonspeak... (Score:5, Insightful)

    by GeneralEmergency (240687) on Thursday March 16 2006, @03:22PM (#14936390) Journal


    Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Translation: All presenters know what side of their bread is buttered and by whom.

    Let's celebrate our new openness by censoring ourselves!

    Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.

    • Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.

      Before you wake up, please tell us how you managed to leave it. Please?

  • What Blue Hat Means... (Score:5, Funny)

    by benjamin_pont (839499) on Thursday March 16 2006, @03:29PM (#14936434)
    The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus.

    Actually the Blue Hats are a symbolic salute to their employer's greatest technical accomplishment: The Blue Screen of Death

  • Poor executives. (Score:3, Insightful)

    by miffo.swe (547642) <daniel@NOsPAM.solle.se> on Thursday March 16 2006, @03:38PM (#14936507) Homepage Journal
    I find it perticulary funny that executives want to smack the ones resonsible for random features. From what i have read and understand the executives is the ones who constantly have demanded more features and not security.

    Im sure the staff at Redmond is eagerly awaiting the executives bitchslapping eachother and themselves to the next monday. Im sure most of the marketing department will call in sick.

    • Re:Poor executives. (Score:5, Insightful)

      by AutopsyReport (856852) on Thursday March 16 2006, @04:13PM (#14936752)
      I find it perticulary funny that executives want to smack the ones resonsible for random features.

      Oh it's very typical for management to put the heat on individuals, but problems like this come about because of an extremely poor process. While one may argue that an individual has a responsibility to follow standards, it is also management's responsibility to ensure everyone else does, too.

      So when something like this leaks, you can blame management, not the programmer. He made the mistake, but the even larger mistake is that the process didn't catch it. There will be no success when the course of action is for an executive to call out a programmer, but it is strongly indicative that these problems will be repeated.

  • 'I want the people responsible for those features in my office early next week'

    Somebody is going to practice throwing chairs during the weekend..and many others are gonna practice ducking them...

  • Reminds me of a story... (Score:3, Interesting)

    by gregarican (694358) on Thursday March 16 2006, @04:07PM (#14936708) Homepage
    'I want the people responsible for those features in my office early next week'

    I recall maybe 8-9 years ago at my large former employer. There were some screw-ups going on coming from an IT subdepartment at corporate headquarters. After trying in vain to work around things on my end I finally picked up the phone and called up the person in charge. Before I could launch into my tirade the person said, "I'm in charge, but I'm not responsible." Reminds me of what will happen Monday morning amidst the chair-littered corridors of Redmond. Lots of finger pointing and ducking...

  • Irresponsible responsibility (Score:5, Interesting)

    by redelm (54142) on Thursday March 16 2006, @07:23PM (#14938049) Homepage
    Comments like "I want those people on my carpet" are just foolish. The beatings will continue until morale improves.

    People do things for reasons. Hammering them for things that turn out badly just produces CYA, fear and paralysis. Red in tooth-and-claw management always devours itself.

    • Re:Description please? (Score:5, Funny)

      by Tackhead (54550) on Thursday March 16 2006, @02:49PM (#14936141)
      > Way to quote some random guy and talk about blue badges and go on for four sentences without giving any indication of what the conference is actually about.

      We could tell you, but we'd have to throw a chair at you.

      (It's really a conspiracy against Red Hat)
      /ducks chair
      //adjusts tinfoil hat.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.