"Microsoft used to follow an 'us versus them' strategy. Hackers were exclusively considered adversaries who could ideally be ignored", said Sarah Blankinship, describing the company's relationship with the security community. Blankinship used to head the Outreach team, a handful of Microsoft employees who establish and maintain contact with the global hacker community. It is probably no coincidence that Microsoft prefers to position intelligent and attractive women such as Blankinship, Window Snyder and Katie Moussouris at this interface to the hacker world.
In any case, Redmond now co-operates successfully with hackers. Since 2005, for instance, the company has invited hackers to its internal Blue Hat hacker conference, where independent experts can discuss and share their knowledge with developers.
The company also hires hackers to test the security of new products. During the development of Windows Vista, around 30 hackers, including prominent ones such as Dan Kaminsky and Chris Paget, were given the task of tracking down potential security problems. For this purpose, they were given access to the system's source code and allowed direct contact with the responsible developers. "Microsoft promised that we could discuss our findings with any development team on the Microsoft campus within 24 hours", Kaminsky remembers. The developers say that thousands of bugs were discovered and fixed this way before the product even hit the shelves.
Some hackers even ended up on Microsoft's payroll, for example the core members of the Polish "Last Stage of Delirium" hacker crew. The LSD group became famous for discovering and disclosing the critical hole in Windows' Remote Procedure Calls that the Blaster worm subsequently exploited to infect thousands of computers.
Ten Years After
The "Trustworthy Computing" promise has proved to be more than just lip service to IT security. While Bill Gates' target that Microsoft products be "as available, reliable and secure as electricity, water services and telephony" is still some way off, the software corporation has taken clear steps in the right direction over the past ten years; the former whipping boy in terms of security is now even considered a role model by many experts. However, there is room for further improvement. For example, Chaouki Bekrar complains that Microsoft often takes too long to fix vulnerabilities that are reported by independent security researchers. The CEO of Vupen said: "Despite all the improvements since the launch of TwC, Microsoft, like many other major software vendors, is still taking an overly long delay to react and fix coordinated vulnerabilities while promptly fixing in-the-wild flaws."