37 Comments
- falloutsyndrome, on 10/12/2007, -7/+33 This is news? Any good software team has a group of hackers to find exploits.
- mc4_a, on 10/12/2007, -7/+32 This is standard operating procedure in the industry. No digg.
- hchaudh1, on 10/12/2007, -4/+23 In other news, MS has some programmers on its payroll to write software and some receptionists to greet visitors. Should I go on....
- whiteguysamurai, on 10/12/2007, -1/+13 It's nice to see Microsoft getting serious about security.
Seeing as that's the main sticking point about Windows.
- fartingbob, on 10/12/2007, -0/+4 "The code review also turned up what Lambert called "failure of imagination," process handicaps and several comical and unwise file names."
Lol anybody else interested in finding out what these unfortunate files were called?
And I wonder how many Mac fanboys brag about its "lack of imagination"...
- alwaysmc2, on 10/12/2007, -1/+4 I don't think the hackers get to look at the source code...
- teamparadox, on 10/12/2007, -2/+5 No, standard operating procedure is to have people look for exploits. Most companies aren't hiring hackers from the "scene" to do the dirty work. MS is taking a step in the right direction here. This and the public beta tests are what they need to make Vista secure, and if it means a couple more delays then so be it.
- radiofrequency, on 10/12/2007, -0/+3 The main difference being that, working for Microsoft, the hackers are instructed and paid to keep quiet about security vulnerabilities in Microsoft's flagship product.
- chris9902, on 10/12/2007, -1/+3 It's funny, one looked just like your comment.
- alwaysmc2, on 10/12/2007, -0/+2 @JQP123
Plus, the programmers are the ones who wrote the code, which at first makes it seem like they would be the best people for finding holes, but then again, they wrote the buggy code in the first place, so if they saw a hole, they would have fixed it already. Not only is this great because these other people are skilled hackers, but also because they have a fresh perspective on the whole project.
- gmillerd, on 10/12/2007, -0/+2 What are the people that aren't "hackers" doing at Microsoft? Is it executives, hackers, lawyers, and janitors over there?
- Ryland, on 10/12/2007, -2/+3 Microsoft finally seems to be getting the idea: the more eyes there are looking at your code, the more bugs and security holes they find. They also realize that open source software is a threat to their business model. Maybe someday they'll connect those two ideas.
- MrViklund, on 10/12/2007, -0/+1 Well, I guess they need it. It's really important for Microsoft to show that Vista is a secure system and the most secure Windows ever, and I think that the hackers will try everything to show the opposite. It will be an interesting war to watch, and when Vista gets its first patch after the release it will generate BIG headlines.
- kubudubudubuntu, on 10/12/2007, -0/+1 Like someone said at a Black Hat meeting, "some exploits can be worth up to six figure sums"; this approach from Microsoft will still not be flawless.
- l1wulf, on 10/12/2007, -0/+1 The original article suffers from a poorly done headline. I assume it's supposed to grab attention and instill shock in the Average Joe. Additionally, LSD is/was pretty high profile, and the fact that MS hired them versus a lesser known or "professional" security group (which they did in addition to using LSD, per the article).
Truth be told, very little of the article deals with the "shocker" of LSD being on MS payroll, and more on Microsoft's attempt to find and fix security issues before final release.
- MrViklund, on 10/12/2007, -0/+1 http://webcontent.harpercollins.com/images/large/0060734779.jpg ^^
- CyberSmackdown, on 10/12/2007, -0/+1 Keep your friends close, and your enemies closer.
Sun-tzu
- Tsujigiri, on 10/12/2007, -0/+1 Eh, most mid-sized companies and up that I worked with in the Bay Area during my time at a Telco had a h4ckz0r department for testing security and trying to break stuff pre-release. And that was 7 years ago. For network, hardware, software... they all did this for the most part.
- lcohiomatty86, on 10/12/2007, -1/+2 The files.... hmmm
admin_password.txt
root_access_instructions_readme.txt
we_pwn_you.txt
sounds about right
- JQP123, on 10/12/2007, -0/+1 "Microsoft finally seems to be getting the idea: the more eyes there are looking at your code, the more bugs and security holes they find."
It's not the quantity of eyeballs but rather the quality and focus. This is the reason they're hiring security professionals and hackers instead of just more programmers. If programmers were really focused and good at this sort of thing, security holes would be virtually non-existent, but we all know that this is not the case.
- inactive, on 10/12/2007, -0/+0 External pen testing is standard outsourcing. However, the TwC threat models they have on some products are a JOKE. Half-assed one-line attempts at descriptions that, when it comes around to a test pass, nobody has a clue about. Also be aware that external pen testing contracts are basic and just run a set of usual exploits, but they never follow up when it's actually fixed, as their contract is OVER at that point after their write-up.
- wallclimber, on 10/12/2007, -1/+1 whiteguysamurai: "It's nice to see Microsoft getting serious about security.
Seeing as that's the main sticking point about windows."
===============================================
Umm...well, no. That's not the main "sticking point" for EVERYbody. Security's certainly an issue, but Windows isn't impossible to lock down with a little common sense and effort.
The MAIN sticking point is the intrusive and sneaky behavior towards their customers...as in pushing non-critical "updates" disguised as "critical" patches that aren't patches at all, much less critical.
Another main sticking point (at least with me) is non-standard file formats, refusal to support open standards...
Oh yes, and lock-in, and spying, and the seeming need to control everything, the chummy attitudes towards the RIAA and MIAA, and their participation in the bullying tactics of the BSA, and the compulsive need to squash any business that remotely might become competition someday.
Or maybe the main sticking point is a company that has entirely too much power.
I have several Genuine Windows CDs, bought and paid for...but I'll allow Microsoft to check on my computer regularly - to make sure I don't disobey any of their subject-to-change-without-notice-rules, about like I'd let WalMart plant a camera in my kitchen to make sure I don't use that microwave for anything they don't approve of. It just ain't gonna happen.
I've never used XP, and I'll never use Vista. Microsoft has LOTS more problems than security. Even if they get that right, they still have a long way to go to get my respect back.
- drakethegreat, on 10/12/2007, -1/+1 Agreed. Most obviously think this is lamo and not really news, but it is when you consider how unseriously Microsoft took this stuff in the past. Consider how they have a schedule for releasing security fixes rather than as soon as possible after their discovery. Honestly, if Windows gets more secure then it makes it easier to secure a market that Linux and Apple can never touch.
- hollerback, on 10/12/2007, -0/+0 It doesn't really make sense to hire LSD. Sooner or later anyone could find a flaw.
Joanna Rutkowska just hacked VISTA at the blackhat conference on a much higher level using rootkits in virtual environments. (remember the matrix?)
And I have serious doubts that just coz they found a flaw they are capable of developing new concepts for attacking systems.
- bizarretist, on 10/12/2007, -0/+0 Not news, welcome to last century.
Just as a small example, when my friend discovered and exploited the port 139 OOB problem on Windows, back in the 90s, Microsoft hired him for an internship. He was later hired specifically to hack Windows NT and make it less sucky.
- Slayback, on 10/12/2007, -2/+1 Besides just software companies, what large corporation DOESN'T have hackers on the payroll? I'm not talking just script kiddies, but hackers that really know vulnerability testing. If they don't, they must not have assets they really want to protect all that bad...
- inactive, on 10/12/2007, -3/+1 This is part of testing. Cannot see the news here.
- furan, on 10/12/2007, -3/+1 This isn't assdot.
- miles01110, on 10/12/2007, -3/+0 Maybe their voice-recognition demonstration was hacked :-)
- butlershouse, on 10/12/2007, -4/+1 This reminds me of Wally writing his way to a minivan
http://www.flubu.com/comics/dilbert2.gif
- chris9902, on 10/12/2007, -6/+3 If you can't beat 'em, join 'em
- inactive, on 10/12/2007, -5/+0 This kind of strategy only works to improve security if you have very good, if not the best, crackers out there. How do you identify and recruit those individuals?
Are crackers ( not hackers, that means something different ) that can break windows security necessarily the best,...or even the better crackers out there?
How does MS pay these people? If they are smart, these people get paid fat FAT bonuses for actually finding ways through the security. The bonuses should be big enough to make a significant difference in the cracker's income (or reward system).
- theone3, on 10/12/2007, -7/+1 Standard Operating Procedure in the industry? Let's face it, as far as robustly secure commercial consumer operating systems with wide user bases go, there is only one real player. (OSX is Unix based)
- ReubADoob, on 10/12/2007, -10/+1 Dupe:
http://digg.com/security/Black_Hat_hackers_take_Vista_apart
- FreakTrap, on 10/12/2007, -25/+8 @hemphill81
I'll second him.
- raingrove, on 10/12/2007, -25/+5 Except that the standard operating procedure you speak of wasn't going all that well so far at Microsoft.
- hemphill81, on 10/12/2007, -41/+13 You just referred to Microsoft as a good software team.