Microsoft Takes LSD to Test Vista SecurityBy Ryan Naraine | Posted 2006-08-04 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Microsoft recruits some high-profile third-party security consultants to simulate attacks against Windows Vista. Among the pen testers are members of the "Last Stage of Delirium" hacking group that discovered the flaw that caused the Blaster w
LAS VEGASRemember the LSDor Last Stage of Deliriumhacking group?
Back in 2003, the group of four Polish security researchers discovered the RPC (Remote Procedure Call) interface vulnerability that would later be used to unleash the Blaster worm, but because of distrust over Microsoft's willingness to address software flaws at the time, LSD members had to be coaxed into sharing their findings.
Today, LSD is on Microsoft's payroll, working on what is being hailed as the "largest ever penetration test" of an operating system coming out of Redmond, Wash.
According to John Lambert, senior group manager in Microsoft's SWI (Secure Windows Initiative), LSD members are part of an "internal team of hackers" conducting simulated attacks against Windows Vista.
The group's members are all graduates of computer science from the Poznan University of Technology and have worked as the security team of the Poznan Supercomputing and Networking Center, in Poznan, Poland.
The hiring of third-party security research outfits and independent hackers is significant on many fronts. It underscores Microsoft's public push to embrace the hacking community and shed its image as a company with a lax approach to security.
The list of external security consultants hired to audit the Vista code to look for weaknesses, technical flaws and vulnerabilities reads like a who's-who list for the infosec industry. Lambert said about 20 well-known researchers who regularly appear at its "Blue Hat" conference have been given access to the full source code, specs and threat models for review.
"We're not blocking them from looking anywhere. They have access to everything. Go everywhere and find all the bugs you absolutely can," Lambert said.
Read the full story on eWEEK.com: Microsoft Takes LSD to Test Vista Security