The Bluehat Sessions

C|Net is carrying a story this morning about the Bluehat summit we held at the Microsoft campus a few months back. Bluehat is a bit like Blackhat: we can’t fly everyone to Blackhat, so why not have some of the speakers come to Redmond and speak instead? Our ID badges are blue, hence the term “Bluehat.” Good job our IDs are not red 🙂

The first day of Bluehat was for VPs at Microsoft. I’ve always believed that if you *REALLY* want to make a difference, you have to have 100% buy-in from the execs; if your execs don’t get why security is important, you will not make progress. This is why we’re seeing such great progress at Microsoft – the execs (from BillG down) get it. Believe me, they GET IT!

The second day was for engineering folks – I attended all the sessions and was fortunate enough to be the MC during the final Q&A session with all the attendees and speakers. It was fun, candid, open and very lively.

Anyway, here’s the link to the story; it’s a great read.

One quote that caught my eye:

They are taking this subject seriously. It was really cool to see …. “At some point, there was a shift at Microsoft.” – Dan Kaminsky

and this which speaks to my comment about executive support:

“I doubt that there is another large company on this planet that has that level of technical competency in management role.” – HD Moore

Comments (5)

  1. ThirdEyeBlind says:

    Well, if Microsoft "gets it" and security is so important, then please tell us how, even today after W2K3 SP1, there are still buffer overflow vulnerabilities being discovered in Windows 2003? –

    "What causes the vulnerability?

    An unchecked buffer in the PNG image rendering library in Internet Explorer."

    So I thought Windows 2003 SP1 was recompiled totally with the /GS switch? How do things like these slip through then? There should really be no excuse for buffer overflows still showing up anymore.

  2. Dan Kaminsky says:

    One of the things talked about at Blue Hat was how to evade many of Microsoft’s existing compiler-based protections… 🙂

    They’re listening, now more than ever.

  3. Ted says:

    /GS is making exploitation harder – as already said, it does not prevent overflows in the code itself.

  4. /GS is an extra defense – it does not solve BOs. The PNG issue is a heap overflow, and we have defenses in the heap that can help mitigate these issues.

  5. ThirdEyeBlind says:

    Well, what can I say if your own security bulletins do not make it clear that it was a heap overflow? Certainly it’s more difficult to find and fix those, but even then …

    BTW what’s the deal with the faux pas over this IE6 vulnerability revealed yesterday with a public exploit? –

    If you believe the timeline given here –

    it could seem that Microsoft tried to shoo them away by saying "go away, this is not serious or exploitable". So then they go ahead and publish with full disclosure on Bugtraq, and the very next day Microsoft comes up with a warning that this is serious. Come on now, isn’t it irresponsible of MS to do this and put millions of customers at risk? At least investigate all security flaw reports seriously and work with the discoverers to keep customers safe. Dismissing them or doing a shoddy job of investigating will do nothing … Doesn’t look like all of Microsoft "gets it", does it?
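
Comments 3 and 4 draw the line between what /GS does and what it does not: a stack cookie catches a smashed stack frame, but the PNG issue was a heap overflow, where the defect is a missing check on an attacker-controlled length before the copy. The C example below is added here and is not part of the post or of any of the comments. It shows an unchecked length-prefixed copy into a heap buffer next to the bounds-checked form a decoder should use; the chunk layout, `CHUNK_DATA_MAX`, the function names and the sample chunks are constructed for illustration and simplify the real PNG format (no chunk type or CRC).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the heap buffer a chunk payload is copied into (assumed value). */
#define CHUNK_DATA_MAX 32

/* Constructed wire format for this example: a 4-byte big-endian length
 * followed by that many payload bytes. Real PNG chunks also carry a type
 * and a CRC; both are omitted because they are not what the bug is about. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable form: the declared length is trusted. 'out' is heap memory,
 * so a /GS stack cookie never sees this write; the overrun lands in the
 * heap, the class the comments above distinguish from a stack overflow.
 * Kept for contrast only; it is never called here with a length that
 * does not fit. */
int parse_chunk_unchecked(const unsigned char *msg, size_t msg_len,
                          unsigned char *out)
{
    if (msg_len < 4)
        return -1;
    uint32_t declared = read_be32(msg);
    memcpy(out, msg + 4, declared); /* no comparison against capacity */
    return (int)declared;
}

/* Hardened form: the length must fit both the destination capacity and
 * the bytes actually present in the message before anything is copied. */
int parse_chunk_checked(const unsigned char *msg, size_t msg_len,
                        unsigned char *out, size_t out_cap)
{
    if (msg_len < 4)
        return -1;
    uint32_t declared = read_be32(msg);
    if (declared > out_cap || declared > msg_len - 4)
        return -1; /* reject: would overrun 'out' or read past 'msg' */
    memcpy(out, msg + 4, declared);
    return (int)declared;
}

/* Runs both parsers over a benign chunk and the checked parser over a
 * chunk whose header lies about its length. Returns the checked parser's
 * verdict on the lying chunk (-1 means it was rejected). */
int demo(void)
{
    unsigned char *out = malloc(CHUNK_DATA_MAX); /* heap, like a decoder's buffer */
    if (out == NULL)
        return -2;

    /* Constructed benign chunk: length 5, payload "abcde". */
    const unsigned char good[] = {0, 0, 0, 5, 'a', 'b', 'c', 'd', 'e'};
    /* Constructed hostile chunk: header claims 4096 bytes, 5 are present. */
    const unsigned char bad[] = {0, 0, 0x10, 0x00, 'a', 'b', 'c', 'd', 'e'};

    int n1 = parse_chunk_unchecked(good, sizeof good, out);
    int n2 = parse_chunk_checked(good, sizeof good, out, CHUNK_DATA_MAX);
    printf("benign chunk: unchecked=%d checked=%d\n", n1, n2);

    int n3 = parse_chunk_checked(bad, sizeof bad, out, CHUNK_DATA_MAX);
    printf("hostile chunk: checked parser returned %d\n", n3);

    free(out);
    return n3;
}

int main(void)
{
    return demo() == -1 ? 0 : 1;
}
```

The point of checking against both `out_cap` and `msg_len - 4` is that a length field can lie in two directions: too large for the destination (heap write overrun) or larger than the data actually supplied (read past the end of the input). Neither case is something a compiler-inserted stack cookie can catch, which is why the comments treat /GS as an extra defense rather than a fix for the overflow itself.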