REDMOND, Washington -- The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing centre recently at the company's sprawling campus outside Seattle.Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
| "(Hackers are) not just a bunch of disaffected teenagers sitting in their mom's basement. These are professionals that are thinking about these issues." -- Noel Anderson Wireless networking engineer, Microsoft |
The demo was part of an extraordinary two days in which outsiders were invited into the heart of the Windows empire for the express purpose of exploiting flaws in Microsoft computing systems. The event, which Microsoft has not publicised, was dubbed "Blue Hat" -- a reference to the widely known "Black Hat" security conference, tweaked to reflect Microsoft's corporate colour.
The unusual March gathering, a summit of sorts between delegates of the hacking community and their primary corporate target, illustrates how important security has become to the world's most powerful software company.
Microsoft Chairman Bill Gates himself estimated earlier this year that the company now spends US$2 billion a year -- more than a third of its research budget -- on security-related issues. Security has also become one of the main themes of the company's developer conferences, including the recent TechEd US event, where Microsoft pitched security improvements in Windows to 11,000 attendees.
Blue Hat was significant for other, less tangible reasons as well. It provided a rare glimpse inside the netherworld of computer security, where the ethical lines are sometimes fuzzy in the technological arms race between network engineers and the hackers who challenge them. During the course of the event, each side witnessed for the first time the inner workings, culture and psychology of the other.
"I didn't know if we were going to end up with this massively adversarial experience or if this was going to be something of a collaborative mode between all of us," said Dan Kaminsky, one of the outsiders who presented at the conference. Like others in the hacker group -- many of whom are known as "security researchers" in their professions -- he noted that the relationship ended up being the collaborative sort.
Still, in such a charged atmosphere, it didn't take long for emotions to show.
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.
Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut."
1%
4%
