Microsoft has said it wants to get more security researchers into Redmond to demonstrate flaws in its software, and it wants them to come back every six months.

In March, Microsoft invited several hackers to its Redmond, Washington, headquarters for the first time. The two-day meeting of Microsoft insiders with independent researchers provided each side with a glimpse into the other’s world. That get-together was such a success that Microsoft is planning more of the events.

“We want to try and do it twice a year,” Stephen Toulouse, a programme manager in Microsoft’s security unit, said in an interview. “It had a huge benefit to our developers.” The event gives executives and developers a different look at product security, he said.

At one point in the March meeting, a hacker lured a laptop running Windows onto a rogue wireless network. He did it in front of the people who developed the operating system. “You’re seeing how the technology that you created could potentially be misused, so you come out of that with a much deeper understanding,” Toulouse said.

Tip of the hat
Microsoft modelled and named Blue Hat after the widely known Black Hat security conference, which took place last week in Las Vegas. Many of the talks at the annual Black Hat dive deep into security flaws found in software. (The Blue Hat name is tweaked to reflect Microsoft’s corporate colour, in particular the blue badges worn by Microsoft employees at the company’s campus.)

“We sent over 80 people to Black Hat, but we have got many thousands more who could benefit from the perspective of a security researcher,” Toulouse said.

The first Blue Hat meeting focused on security in Windows. The next event could highlight security in products from other Microsoft groups, such as the Office productivity suite or its MSN online line-up, Toulouse said. “We are seeing interest from other groups. You could, in the future, see something like a Blue Hat about Office,” he said.

Security researchers are also showing interest in Blue Hat. The event wasn’t officially on Microsoft’s Black Hat calendar, but many researchers asked Toulouse and his colleagues about it and said they wanted to participate, he said.

Microsoft rented the Pure Nightclub in Caesars Palace on Thursday to treat the security community to a party with techno music and free cocktails. The company also threw an after-party at another Las Vegas hotel.

By hosting such parties and the Blue Hat event, Microsoft may be seeking to influence the security community. For example, Microsoft regularly preaches “responsible disclosure” of flaws, in which software makers are given time to repair a problem. Microsoft doesn’t want researchers to go public with information on vulnerabilities before the company has had a chance to provide a patch.

“We want to learn from them and let them know that the people inside Microsoft that are working on security are all individuals and very passionate about security. It is not some big invisible monolithic thing that you hear about, but you can’t see,” Toulouse said.

Security researcher Dan Kaminsky attended the first Blue Hat and supports the event. “It is so nice to be able to complain about something and have somebody stand up and take responsibility,” he said.

Kaminsky also said that Microsoft is listening to the security community. “We are at the point where all the obvious things we tell Microsoft to do, they already do it,” he said.

Reaching out to the security community is part of Microsoft’s efforts to improve the security of its products and fix up its reputation. The company said it was making security its top priority when it launched its Trustworthy Computing Initiative three years ago. Since then, it has overhauled its in-house development to bolster security and put its multibillion-dollar war chest and research budget to work.

The next Blue Hat is planned for the autumn, but no date has been set yet, Toulouse said.
