Wall Street Wonderland

The good, the bad and the unspeakably ugly and everything in between, so help us!

Tuesday, December 04, 2007

Making Microsoft Secure: Inviting the hackers inside

A limo speeds away from Seattle's Pioneer Square carrying an unlikely party on an unusual quest. A group of security researchers and a member of Microsoft's security response team have bonded, in search of--a haircut.

The expedition, held in September, was part of the Limo Races, a citywide scavenger hunt serving as the informal end to Blue Hat, the internal Microsoft security conference that started two years ago. The conference has become a twice-yearly event bringing some of the world's top hackers inside Microsoft's walls for two days of presentations before the software maker's executives and engineering ranks.

In the end, the team that included Microsoft's Andrew Cushman and IOActive's Dan Kaminsky failed in its mission. They found several tattoo parlors open for business, but no all-night barbers. None of them was really up for a buzz cut, anyway.

But while Cushman may have failed to win the Limo Races competition, he and his colleagues met a larger goal. Once again, Microsoft had succeeded in its twin aims for Blue Hat--becoming a more accepted part of the security community and ensuring that the people writing Microsoft's code are acutely aware of the threats facing its products.

The company has realized that security issues are about more than preventing buffer overruns and keeping up to date with the latest fuzzing tools.

"It is a really human problem," said George Stathakopoulos, the head of Microsoft's security response efforts. "The human element plays a massive role."

These days, Microsoft's security strategy is one that focuses on both people and technology. While Microsoft spends a fortune on automated testing and creating institutional processes to avoid bugs, it also spends money reaching out to its front-line engineers as well as to the security community that finds the bugs that Microsoft misses.

That attitude represents a sea change from where the company was a decade ago. At that time, Microsoft took a hands-off stance toward the security research community. In its earliest days of dealing with security issues, the company did not even disclose the full extent of the vulnerabilities it fixed.

"We had almost a cold-shoulder approach," Stathakopoulos said. The idea of talking more to the outside world was controversial, prompting meetings with "many raised voices," he said.

Stathakopoulos admits his was one of the voices arguing against such transparency.

"People already think our products are bad and if we start talking about those issues more and more, people will think we are horrible," Stathakopoulos said he argued at the time. But his boss, Mike Nash, persisted, arguing that the move would pay big dividends over time.

http://news.zdnet.com/2424-9595_22-178674.html
