Microsoft invites hackers to test Vista
Goal is to better prepare system for real-world risks
LAS VEGAS -- Microsoft Corp. is inviting some of the world's best-known computer experts to try to poke holes in Vista, the next generation of its Windows operating system.
Microsoft made a test version available to 3,000 security professionals yesterday as it detailed the steps it has taken to fortify the product against attacks that can compromise bank accounts and other sensitive data.
``You need to touch it, feel it," Andrew Cushman, Microsoft's director of security outreach, said at the Black Hat security conference.
Microsoft has faced blistering criticism for security holes that have led to network outages and business disruptions for its customers. After being accused for not putting enough resources into shoring up its products, the software maker is trying to convince outsiders that it has changed.
``They're going directly to the bear in the bear's lair," says Jon Callas, chief technology officer at PGP Corp., which makes encryption software and other security products. ``They are going to people who don't like them, say nasty things, and have the incentive to find the things that are wrong."
Due early next year, Vista is the first product to be designed from scratch under a Microsoft program dubbed secure development life cycle, which represents a sea change in the company's approach to bringing out new products. Instead of placing the addition of compelling new features at the top of engineers' priority list, Microsoft now requires them to consider how code might be misused.
A security team with oversight of every Microsoft product -- from its Xbox video game console to its Word program for creating documents -- has broad authority to block shipments until they pass security tests. The company also hosts two internal conferences a year on computer attacks.
Internal conferences are one matter; taking Vista to Black Hat, where some of the world's foremost security gurus make sport of ripping through programming code to find bugs, is another. ``The fact that they're releasing it here is probably a bold statement," said security expert Mike Janosko.
