
Microsoft to Publish Blue Hat Findings

An anonymous reader wrote to mention an InfoWorld article about Microsoft's plan to publish some of the findings from last week's Blue Hat conference. From the article: "'Everything was fair game,' wrote SQL Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.' The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus." They have descriptions of some of the sessions up on the site for your perusal.

  • Blank passwords (Score:5, Insightful)

    by dedazo ( 737510 ) on Thursday March 16, 2006 @03:31PM (#14935995) Journal
    I'm sure the executives started the whipping sessions with the person responsible for allowing SQL Server to function happily with a blank 'sa' password.
  • by xxxJonBoyxxx ( 565205 ) on Thursday March 16, 2006 @03:37PM (#14936042)
    Anyone ask why SSL still doesn't do AES? I mean it's 2006 and Microsoft is really the only vendor who DOESN'T do AES or 256-bit encryption in SSL. (I know, they said they'd put it in Vista, but that doesn't help the millions of Windows XP users or Windows 2003 administrators out there.)
  • Which is it? (Score:4, Insightful)

    by $RANDOMLUSER ( 804576 ) on Thursday March 16, 2006 @03:51PM (#14936156)
    > Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Does that mean domesticated or tame?

  • Re:Blank passwords (Score:2, Insightful)

    by dedazo ( 737510 ) on Thursday March 16, 2006 @03:57PM (#14936208) Journal
    Only Microsoft can bring you incredible innovation like this.

    I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!) but your comment tells me you have probably no idea how commercial software works.

    I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it. A lot of functionality in Microsoft products comes from big business feedback and most of the time it's appropriate because enterprise clients are the ones that really put the products through their paces. But it's not there because someone at Microsoft is stupid or because of "innovation" (or the lack thereof).

    You pays your money and you take your chances. In this case it came back to bite them, like most "security relaxation features" their products tend to be afflicted with. As much as the "Microsoft is just stupid" line gets play, things are usually a bit more complicated than that.

    The key is that it's an option that you (as the DB admin) can choose to turn off. The MySQL root account will also run with a blank password when you first install it from, say, Synaptic. It's up to you to tighten it down.

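    Added example (editorial, not from the article or any commenter): the check a DBA would run to find the condition described above, a SQL Server login with an empty password, and the statements that close it, followed by the MySQL equivalent for a freshly installed root account. It assumes SQL Server 2005 or later (where sys.sql_logins and PWDCOMPARE exist) and MySQL 5.7 or later (for ALTER USER and the authentication_string column); the password literals are placeholders.

```sql
-- SQL Server (2005+): list SQL-authenticated logins whose password is empty.
-- PWDCOMPARE returns 1 when the cleartext argument matches the stored hash.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Close the gap on 'sa': set a real password, then disable the account
-- outright, since day-to-day administration should use named logins.
ALTER LOGIN sa WITH PASSWORD = 'Replace-With-A-Long-Random-Secret!';  -- placeholder value
ALTER LOGIN sa DISABLE;

-- Confirm whether SQL authentication is wanted at all; in Windows-only
-- mode the sa password is moot. (1 = Windows auth only, 0 = mixed mode.)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- MySQL 5.7+: equivalent check for accounts with no password set.
-- (Before 5.7 the column is named 'Password' rather than authentication_string.)
SELECT user, host
FROM mysql.user
WHERE authentication_string = '';

-- Give root a password and drop the anonymous account a default install may create.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Replace-With-A-Long-Random-Secret!';  -- placeholder value
DROP USER IF EXISTS ''@'localhost';
```

    The same PWDCOMPARE query with `name` in place of `''` finds logins whose password equals their login name, which is the other common leftover on an untouched instance.
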
  • by jandrese ( 485 ) * <kensama@vt.edu> on Thursday March 16, 2006 @04:03PM (#14936258) Homepage Journal
    Frankly, I'd rather have only a new media player and better video drivers if it means not having yet more security holes in the base OS.

    The message shouldn't be: Don't implement new features. It should be: Think about security when implementing new features. Remember that attacks come from below your level of abstraction as well.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday March 16, 2006 @04:08PM (#14936303) Homepage Journal
    Makes sense, but using blue is utterly wrong from a marketing standpoint, for two reasons. First, a lot of us still remember IBM as the "Blue Suit" company. Blue is their color. Even their logo is still blue. Second, blue is the color of your screen when you run Windows [into the ground]. Well, unless you run XP. Then it just reboots without showing you the [useless] blue screen. I wouldn't be surprised if people started just calling Windows "Blue Hat Linux", sort of a pun indicating both the fact that Windows has been following Linux (or Unix in general) for some time now, and the blue screen thing.
  • by Anonymous Coward on Thursday March 16, 2006 @04:16PM (#14936359)


    IE doesn't do AES or 256-bit encryption in SSL because we were asked to hold off on that from a certain 3 lettered US government agency (hint: starts with N).
    That's all I'm going to say on the matter, back to lurking.

  • Blame to Go Around (Score:5, Insightful)

    by vjmurphy ( 190266 ) on Thursday March 16, 2006 @04:19PM (#14936373) Homepage
    "Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view"

    Ah, good to know the culture of blame is still a backbone of American industry. Likely that those senior executives are the ones that requested said features originally. But that's okay, I'm sure they'll find some scapegoats.
  • by GeneralEmergency ( 240687 ) on Thursday March 16, 2006 @04:22PM (#14936390) Journal


    Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.

    Translation: All presenters know what side of their bread is buttered and by whom.

    Let's celebrate our new openness by censoring ourselves!

    Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.

  • by kpat154 ( 467898 ) on Thursday March 16, 2006 @04:30PM (#14936437)
    Perhaps you meant Merzouga Wilberts? People forget that Jobs just stole the idea from Xerox before Gates stole it from him.
  • Poor executives. (Score:3, Insightful)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Thursday March 16, 2006 @04:38PM (#14936507) Homepage Journal
    I find it particularly funny that executives want to smack the ones responsible for random features. From what I have read and understand, the executives are the ones who constantly have demanded more features and not security.

    I'm sure the staff at Redmond is eagerly awaiting the executives bitchslapping each other and themselves until next Monday. I'm sure most of the marketing department will call in sick.
  • by Drizzt Do'Urden ( 226671 ) on Thursday March 16, 2006 @04:54PM (#14936623) Homepage
    Well.. according to Wikipedia [wikipedia.org], it is false to say that Apple stole it from Xerox, because it extended a lot from the work done at Parc.
  • by AutopsyReport ( 856852 ) on Thursday March 16, 2006 @05:13PM (#14936752)
    I find it particularly funny that executives want to smack the ones responsible for random features.

    Oh it's very typical for management to put the heat on individuals, but problems like this come about because of an extremely poor process. While one may argue that an individual has a responsibility to follow standards, it is also management's responsibility to ensure everyone else does, too.

    So when something like this leaks, you can blame management, not the programmer. He made the mistake, but the even larger mistake is that the process didn't catch it. There will be no success when the course of action is for an executive to call out a programmer, but it is strongly indicative that these problems will be repeated.
