Microsoft to Publish Blue Hat Findings

An anonymous reader wrote to mention an InfoWorld article about Microsoft's plan to publish some of the findings from last week's Blue Hat conference. From the article: "'Everything was fair game,' wrote SQL Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.' The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus." They have descriptions of some of the sessions up on the site for your perusal.

Microsoft SSL already does do 3DES.

[xxxJonBoyxxx]

I believe Microsoft DOES support 3DES on SSL. My "FIPS 140-1" configurations require it. Look for this key in your windows registry - if you have this key, your SSL does 3DES:

HHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr ol\SecurityProviders\SCHANNEL\ciphers\Triple DES 168/168

Re:The People Responsible

[Drizzt Do'Urden]

They bought it from Xerox, but they were unhappy with the terms of the contract seeing what Apple did with it.

This is why Apple won in court against Xerox. It is a urban legend that Apple stole it from Xerox.

Re:The People Responsible

[kpat154]

Well, not really. Apple gave Xerox stock in exchange for allowing the devs to see what was going on at Parc with the express understanding that Apple was attempting to create a UI. Xerox didn't expect Apple to completely rip off their work (which was stupid) and they later sued Apple for that fact. This is almost exactly what MS did to Apple.

Also, Apple didn't win in court. When Apple sued MS for theft Xerox sued Apple for the same thing. Once Apple lost the suit against MS they simply settled out of court w/ Xerox.

Re:Anyone ask why SSL still doesn't do AES?

[way0utwest]

Can't speak for SSL, but SQL Server 2005 has AES, RC4 (128 bit) RSA, and Triple DES built in for it's internal encryption possibilities.

Yeah, AES went into core crypto, but not SSL.

[xxxJonBoyxxx]

Yeah, Microsoft finally added AES to its core crypto stuff back in 2003 (I think), but for some odd reason they didn't extend support into the areas that would have used it most: SSL for IIS and SSL for IE. (Dunno if Outlook Express would have used it...probably.)

Re:Blame to Go Around

[JaredOfEuropa]

"Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"

"I want the people responsible for those features in my office early next week; I want to get to the bottom of this" is management-speak for "not it!".