Microsoft to Publish Blue Hat Findings 154
An anonymous reader wrote to mention an InfoWorld article about Microsoft's plan to publish some of the findings from last week's Blue Hat conference. From the article: "'Everything was fair game,' wrote SQL Server engineer Brad Sarsfield in a blog posting. 'Hearing senior executives say things like: 'I want the people responsible for those features in my office early next week; I want to get to the bottom of this' was at least one measure of success from my point of view for the event.' The Blue Hat name is a play on the Black Hat conferences, which have occasionally been criticized by IT vendors. The 'Blue' part comes from the color of badges that Microsoft staffers wear on campus." They have descriptions of some of the sessions up on the site for your perusal.
Blank passwords (Score:5, Insightful)
Anyone ask why SSL still doesn't do AES? (Score:2, Insightful)
Which is it? (Score:4, Insightful)
Does that mean domesticated or tame?
Re:Blank passwords (Score:2, Insightful)
I enjoy a good Microsoft bash (oh lololo m$ nevar innovates!!1!) but your comment tells me you have probably no idea how commercial software works.
I think the blank password "feature" is supremely stupid, and yes, it was probably there because one of their big clients asked for it. A lot of functionality in Microsoft products come from big business feedback and most of the time it's appropriate because enterprise clients are the ones that really put the products through its paces. But it's not there because someone at Microsoft is stupid or because of "innovation" (or the lack thereof).
You pays your money and you take your chances. In this case it came back to bite them, like most "security relaxation features" their products tend to be afflicted with. As much as the "Microsoft is just stupid" line gets play, things are usually a bit more complicated than that.
The key is that it's an option that you (as the DB admin) can choose to turn off. The MySQL root account will also run with a blank password when you first install it from, say, Synaptic. It's up to you to tighten it down.
Re:Putting an Axe to Innovation (Score:3, Insightful)
The message shouldn't be: Don't implement new features. It should be: Think about security when implmenting new features. Remember that attacks come from below your level of abstraction as well.
Re:Black Hats or...? (Score:3, Insightful)
Re:Anyone ask why SSL still doesn't do AES? (Score:1, Insightful)
IE doesn't do AES or 256-bit encryption in SSL because we were asked to hold off on that from a certain 3 lettered US government agency (hint: starts with N).
That's all I'm going to say on the matter, back to lurking.
Blame to Go Around (Score:5, Insightful)
Ah, good to know the culture of blame is still a backbone of American industry. Likely that those senior executives are the ones that requested said features originally. But that's okay, I'm sure they'll find some scapegoats.
Corporate Goonspeak... (Score:5, Insightful)
Microsoft's site will not have the kind of controversial material that has popped up at Black Hat. "All researchers at the BlueHat are responsible," Kornbrust said.
Translation: All presenters know what side of their bread is buttered and by whom.
Let's celebrate our new openness by censoring ourselves!
Somebody kick me in the shin please. I must be asleep and dreaming that I'm stuck on that Moron Planet again.
Re:The People Responsible (Score:1, Insightful)
Poor executives. (Score:3, Insightful)
Im sure the staff at Redmond is eagerly awaiting the executives bitchslapping eachother and themselves to the next monday. Im sure most of the marketing department will call in sick.
Re:The People Responsible (Score:3, Insightful)
Re:Poor executives. (Score:5, Insightful)
Oh it's very typical for management to put the heat on individuals, but problems like this come about because of an extremely poor process. While one may argue that an individual has a responsibility to follow standards, it is also management's responsibility to ensure everyone else does, too.
So when something like this leaks, you can blame management, not the programmer. He made the mistake, but the even larger mistake is that the process didn't catch it. There will be no success when the course of action is for an executive to call out a programmer, but it is strongly indicative that these problems will be repeated.