Podcasting What Geeks Really Want To Hear

8 Comments »

  1. I’ve been thinking about the Microsoft/Black Hat conference for a bit here. At first, I had the same reaction as Travis in that it could be really dumb, or really good. However, the more that I’ve thought about it, the more that I’ve realized there could be very little downside here. For one, Vista, for the most part, isn’t out in the wild; just beta, so if an exploit is found, there aren’t many people to update. It’s a case of MS saying, ‘Here’s our new OS. Beat on it and see where there are problems.’ My thinking is that the cracker community isn’t going to keep quiet about what they find. Or, at the very least, all it takes is one grey hat person to find the exploit and inform people for MS to learn about the problem.

    What am I missing about risks?

    Comment by Jason K — July 13, 2006 @ 17:38

  2. These presentations, presumably, will supply more details than have ever been available, and then they’ll be observable forever. It’s very improbable that this information will cease to reveal vulnerabilities once Vista is released. Then, and only then, will the wisdom of this decision be accurately determined.

    Comment by Nem W Schlechttrav — July 13, 2006 @ 18:25

  3. I’m not saying that it won’t continue to reveal things. What I’m saying is that XP has been out for five years now (according to Wikipedia) and we are still having announcements of zero-day exploits and various other computer problems. At the very least, I would hope that giving this presentation will give MS a jumpstart on fixing these problems before it’s released to the general public and, hopefully, they’ll be fixed the right way instead of just a quick hack job that’s pushed out to millions of people.

    Comment by Jason K — July 13, 2006 @ 21:00

  4. The only possible downside I can think of is very unlikely, in my opinion. If MSFT came to the table with a REALLY crappy OS with TONS of security holes, then they could be completely embarrassed. On the other hand, even if they were humiliated in public, many new fixes would be found before Vista was released to the public. They would still suffer a public relations nightmare, but at least the OS would be better, technically.

    Comment by Chris — July 13, 2006 @ 23:38

  5. One thing I was thinking of today if I were running Microsoft (well, besides buying myself a new computer) is that I would offer the hackers/crackers of the world this deal: $5000 to the first person to report a vulnerability.

    Why $5000? *shrug* No real reason other than it’s a sufficiently high amount of money so that someone has a good reason to report other than take advantage of a vulnerability. Also, for all the cash that MS has, it’s pretty much a drop in the bucket. Finally, I’d offer to post the name/handle of the person who discovered the vulnerability to give them some recognition. It would also lead to some humorous conversations for MS:

    ‘I’m sorry, sir, but l337_h@x0r_42 is already taken…yes, and l337_h@x0r_43…’

    Comment by Jason K — July 14, 2006 @ 18:45

  6. Another use for the Mac sudden motion sensor:

    Seismograph

    via BoingBoing :)

    Comment by Tim — July 18, 2006 @ 12:01

  7. Not bad. Here’s the image from their site:

    Comment by Nem W Schlecht — July 18, 2006 @ 12:35

  8. Just finished up listening to the podcast, thought I should clear some things up for you…

    Microsoft at Black Hat isn’t anything new. They have had a big presence at Black Hat for the past 3-4 years at least. Don’t let the ‘Black Hat’ name fool you, it’s a security industry conference. Meaning these aren’t the script kiddies that you might be thinking of. Every presenter works for a major security consulting company, university or software developer.

    DefCon is another matter entirely (think bouncing scriptkiddie-wannabe… oops did I say that??).

    I will be at both this year. Looking forward to it.

    Comment by SisterChristian — July 24, 2006 @ 11:39
