Microsoft to consult hackers

Microsoft engineers will detail new security approaches in Windows Vista at an important technology conference in Las Vegas this week. But when it comes to grabbing attention, it won't be easy for them to top another session at the conference.

Its title: "Subverting Vista Kernel For Fun And Profit."

No, this is not your ordinary industry conference. In a first for Microsoft Corp., it will give a presentation at the Black Hat Briefings - an annual gathering in Las Vegas where hackers, researchers, government officials and corporate technology specialists unveil and analyze emerging computer security threats.

Microsoft's full day of sessions on Windows Vista reflects its effort to improve security in the new operating system and cut down on the bugs that have made previous versions of its flagship program notoriously vulnerable to online attacks.

The company will be showing the audience some of the key changes it has made in Windows Vista security, and seeking feedback from researchers on where it could still improve, said Stephen Toulouse, security program manager at Microsoft's Security Response Center.

Toulouse called it an extension of Microsoft's continuing interaction with security researchers. Among other things, the company has held a series of its own events with researchers.

"We want people to look at our assumptions and challenge them if they think they're wrong," he said. "At the same time, we want to show them that we've listened to the feedback they've provided us over the past several years. That's really what the presentations focus on."

The conference is expected to draw about 3,000 people. It doesn't promise to be an easy crowd for the company, but a Seattle security expert said Microsoft's efforts to improve security in recent years have improved its standing.

"I think in the past they would have been more ridiculed, but they seem to be following through on their statements" about security, said Black Hat Briefings director Jeff Moss, the security expert and conference founder. "They made some pretty bold statements, but they've been backing [them] up with a lot of money and a lot of effort, a lot of energy."

Windows Vista is the first version of the PC operating system to be developed entirely under the "Trustworthy Computing" initiative that Chairman Bill Gates launched in early 2002 after a series of high-profile vulnerabilities in Microsoft programs. The company says it has overhauled its process of developing software to emphasize security.

Vista also will come with a series of new technical approaches and designs to protect against malicious programs such as viruses and spyware, which can otherwise install and run on a computer undetected.

"We want it to be the most secure version of Windows ever, and the security researchers are going to help us do that," Microsoft's Toulouse said.

Microsoft cautions that it won't be possible to completely thwart online threats, given the complexity of software development and the changing tactics of attackers. And other experts say that the level of security in Vista won't be clear until it's released and widely used.

"You won't know until it's out there," said Bruce Schneier, chief technical officer at Counterpane Internet Security. "Is the code better quality? Will there be fewer vulnerabilities? ... They're doing this, they're doing that. Did they do it right? Who knows?"

Schneier described Black Hat as "a very hostile Microsoft audience." But he said it's critical for Microsoft to take part in such events, to get feedback that can help secure its products.

"They have to engage the hacker community - they can't ignore them," Schneier said. "I think they deserve a lot of credit for it, because it's hard."

Black Hat is commonly called a hacker convention, but in technology circles the word "hacker" often lacks the negative connotations it carries in popular culture; there it refers to someone who modifies a system or finds ways to get inside computer programs, not necessarily with malicious intent.

The phrase "black hat" describes a criminal or malevolent hacker, but its use in the conference name refers to the subject of the sessions, not the attendees or speakers. "We're briefing on what the black hats are up to," Moss explained.

Many of the researchers who attend Black Hat practice what's known as responsible disclosure, giving companies like Microsoft a chance to patch flaws before details of the problem are made public.

The "Subverting Vista Kernel For Fun And Profit" session is about a technology called Blue Pill, developed by security researcher Joanna Rutkowska of Singapore-based security firm COSEINC.

Rutkowska says she has come up with a way to insert "undetectable" malicious code into the Vista kernel - the place that controls the interaction between hardware and software - by taking advantage of technology that essentially divides a computer system so it can run multiple operating systems.

Despite the title of the session, Rutkowska said in an e-mail that she won't be providing the level of detail that would let someone subvert the Vista kernel on their own, if they weren't already able to figure it out. She said she hopes to spur the industry and processor vendors to try to mitigate the threat.

But past Black Hat Briefings haven't been without controversy. Last year, Cisco Systems Inc. went to court seeking an injunction after a researcher, over its objections, gave a presentation at Black Hat on a way to exploit a flaw in Cisco's router software.

At the same time, in the world of hacker conventions, Black Hat traditionally has more corporate involvement and a less renegade reputation than Def Con - a gathering in Las Vegas immediately after Black Hat that accepts only cash for admission, to avoid having any records that could be subpoenaed.

Baltimore Sun Articles