Security exploits: Who's to blame?
Published: 06 Sep 2005 16:40 BST
...a malicious person, may also have found the same flaw and might be using it to attack users, Ferris said.
Often lambasted for bugs in its products, Microsoft is doing its best to win the respect of the security community. The company has "community outreach experts" who travel the world to meet with security researchers, hosts parties at security events and plans to host twice-annual "Blue Hat" events with hackers at its headquarters. At Blue Hat, hackers are invited to Microsoft's headquarters to demonstrate flaws in Microsoft's product security.
"Security researchers provide a valuable service to our customers in helping us to secure our products," said Stephen Toulouse, a program manager in Microsoft's security group. "We want to get face to face with them to talk about their views on security, our views on security, and see how best we can meet to protect customers."
Many companies are getting better at dealing with security researchers, said Michael Sutton, director of iDefense Labs, which deals with researchers and software makers. "The environment has definitely changed from two or three years ago, though there are vendors who are going in the opposite direction," he said.
While Microsoft sometimes is still referred to as the "evil empire", it appears to be successfully wooing security researchers.
"We are at the point where all the obvious things we tell Microsoft to do, they already do it," Dan Kaminsky, a security researcher who participated in Microsoft's first Blue Hat event last March, has said.
Balancing act
Other technology companies still struggle with hacker community relations. Cisco especially has managed to alienate itself from the hacker community to the extent that T-shirts with anti-Cisco slogans were selling well at one of this year's largest international hacking events, the Defcon conference in Las Vegas. Oracle also isn't a favourite, researchers said.
Recently, Cisco sued security researcher Michael Lynn after he gave a presentation on hacking router software at the Black Hat security conference, which was also held in Las Vegas. The company had previously tried to stop Lynn from giving his talk in the first place.
"It was definitely a surprise to see Cisco's reaction," iDefense's Sutton said. "I don't think...