LAS VEGAS--It's easy now to look back at Microsoft's Windows Vista and berate
the company for the operating system's shortcomings, but the truth is far more
complex, according to one security researcher. On the second day of the
annual Black Hat conference here, Chris Paget, chief hacker at the security
company Recursion Ventures, discussed for the first time her independent
contracting work for Microsoft on Vista prior to its release. Before Recursion
took on the contract, all members of the team that worked on Vista were made to
sign non-disclosure agreements that took five years to expire.
[Photo: Chris Paget, talking about her experiences with Windows Vista at Black Hat 2011. Credit: Seth Rosenblatt/CNET]
Microsoft hired her team as a final measure to verify
that the operating system was safe to ship. The move was so unusual for Redmond
that the company had actually never done it before, said Paget. "There were
process and tool improvements. This was the first time that Microsoft
brought in an outside team," she said.
Her team had to upgrade the hard
drive of the test computer that Microsoft sent her before they could even
install the operating system, she said with a slightly incredulous laugh. The
process was so atypical for Microsoft that they weren't sure what to expect.
"They expected us to come in and find nothing. This was the final check."
Recursion looked at kernel code and user-space code but was told not to
look at legacy code. Microsoft didn't add legacy code vetting until Windows 7,
Paget said. "They got verification, not remediation." She said that her team was
so good at finding critical flaws in Vista code that Vista was actually delayed
because of one critical bug she found, and another Microsoft employee referred
to them as a "rape gang" because they were beating up Vista so much.
Despite the security problems that Paget and company discovered in
Vista, she also had high praise for Microsoft. She discussed Microsoft's bug
tracking system and how Microsoft's own security team had created an extensive list
of features ranked by risk. Risk, she said, was defined as whether the feature
required credentials. If you had to enter a password, like an administrative
password, there was a greater risk naturally associated with the feature. So
because of Microsoft's work on this end, she was able to begin looking at
features critically from the beginning of the contract.
The experience, she said, showed her that Microsoft had far better procedures
in place for security vetting than she would otherwise have thought.
Paget said that at home, she's more of a Unix fan and only
uses Windows for gaming. "I would dearly love to see a Windows Lite, with all
the unmaintained code removed."
"'World-leading' is entirely
appropriate" when discussing Microsoft's security procedures, she said at the
start of her talk. "Microsoft's security process is spectacular." And toward the
end, she reiterated the point. "If security is a process, not a product,
Microsoft deserves a lot of credit. Vista was a giant leap in the right
direction."
The other major change in 2003 was the Fizzer infection.
"Fizzer, which nobody here remembers, is one of the most important viruses in
history. It was the first virus written with one purpose only: making money."
Fizzer spread e-mail spam in an effort to rake in the dough. Hypponen said that
when other virus writers realized they too could earn some bucks from writing
malicious code, it was game on.
This began to have even more serious
real-world implications, as some virus writers were found to have used their
money to buy equipment for fighters in Iraq.
"We also began to see a
geographical shift [in] where viruses were written," he said. "From 1986 to
2003, it was mostly Western countries, the U.S., Western Europe, Japan. From
2003 on, it was Russia, Eastern Europe, Ukraine, China (of course), and South
America, especially Brazil."
However, Hypponen said the problem was not
only limited to criminals. He called out the president of Sony BMG, Thomas
Hesse, to calls of derision from the audience. Hesse was instrumental in
approving a DRM system that surreptitiously installed a rootkit on your computer
when you played a CD from that computer. "Sony gets a lot of hate, and they
deserve it. Of course, some would claim that if you listen to Celine Dion, you
get what you deserve," Hypponen quipped.
From "ITPUB Blog", link: http://blog.itpub.net/26147898/viewspace-704395/. If reproducing, please cite the source; otherwise legal action will be pursued.