File it under the category of "be careful what you wish for." In early August at the Black Hat Conference, an annual meeting of computer security experts in Las Vegas, Microsoft Corp. (MSFT) handed out 3,000 test copies of its new operating system, Windows Vista, and challenged attendees to help spot security glitches. A short time later, Joanna Rutkowska obliged. In a packed ballroom at Caesar's Palace (HET), the 25-year-old Polish programming whiz delivered a devastating presentation on how to hack an earlier but similar test version of Vista. Before a crowd of fellow researchers and hackers, she bypassed security measures and implanted a potentially undetectable piece of malicious code called "Blue Pill." The presentation, titled "Subverting Vista Kernel for Fun and Profit," was rewarded with a hearty round of applause.
The exercise wasn't much fun for Microsoft security mavens. They put on a brave face: "We'll take a look and see if there are ways we can mitigate it," says Stephen Toulouse, program manager for Microsoft's 650-member Security Response Center. But Rutkowska's demo was the latest reminder of how difficult it will be for Microsoft to make the new version of its flagship product truly secure.
Microsoft went to full battle stations over PC security four and a half years ago, when Chairman William H. Gates III acknowledged in a memo to his staff that the plague of viruses and worms afflicting Windows and other products had gotten out of hand and something drastic had to be done. Henceforth, Gates decreed, security would be the top priority. All programming was temporarily halted as Microsoft embarked on an effort to make its products safe.
Soon we'll know if the delay was worth it. The business version of Windows Vista will arrive late this year, with a consumer version due in early 2007. Vista is Microsoft's first new PC operating system in five years and the first version of its flagship product to get a full security makeover. Hackers are expected to probe Vista relentlessly for vulnerabilities after final versions come out. But already there are signs that Microsoft may fall short of Gates's goal -- at a time when it's facing pressure from a resurgent Apple Computer Inc. (AAPL), which suffers few security problems.
For Rutkowska, the Black Hat Conference was just another day at the office. She works for Singapore-based COSEINC, specializing in technologies used by hackers to cloak their activities. Her job is to anticipate the moves of criminals. "I see this as a continuous process, an endless game of chess, where nobody can really ultimately win. It's essential, then, to enjoy the game itself," says Rutkowska. She says she has always been a "white hat" programmer and never created malicious code like "black hat" hackers do.
Toulouse points out that revelations such as Rutkowska's are exactly why Microsoft engages in a running conversation with security folks: "We realize we don't know everything. These people hold the keys to making our products more secure."
Indeed, independent security researchers are fast becoming the tech industry's first line of defense against viruses and other hacks. They typically get paid for staging test attacks on company computing systems and gain bragging rights by spotting flaws and showing how to exploit them. "You'd rather have the vaccine from researchers than a malicious attacker giving you the real disease," says Phil Zimmermann, a security pioneer.
Microsoft had received only a smattering of feedback from other Black Hat attendees as of press time. But reviews are trickling in from established security companies, with mixed appraisals. Symantec Corp. (SYMC) recently issued two white papers analyzing Vista's strengths and weaknesses. "Overall, it's very solid," says Vincent Weafer, senior director at Symantec Security Response. Still, he warns that the need to make Vista compatible with applications written for earlier versions of Windows "creates some holes." Bruce Schneier, chief technology officer for consultancy Counterpane Internet Security Inc., is less charitable: "It's more complex than the last one, and complexity is the worst enemy of security. If you want security, buy a boat, not a cruise ship."
Even Microsoft admits that Vista won't be perfectly safe. "You can't get the code 100% right," says Toulouse. He points out, however, that Windows Server 2003 was more secure than Windows Server 2000, thanks to an extra year of security work tacked onto the end of the development process. Toulouse believes Vista will do even better.
We'll see. A few days after the Black Hat Conference wrapped up, Rutkowska was back at her desk in Warsaw coming up with new ways to bedevil Microsoft. And you can bet that others will work just as hard, with less noble intentions.
By Steve Hamm