back to article Microsoft: Finding flaws on our website is OK

In a first for a major company, Microsoft has publicly pledged not to sue or press charges against ethical hackers who responsibly find security flaws in its online services. The promise, extended Saturday at the ToorCon security conference in Seattle, is a bold and significant move. While researchers are generally free to …

COMMENTS

This topic is closed for new posts.
  1. PaulD
    Coat

    this just in....

    another microsoft spokeshead looks for a new job!

  2. Sceptical Bastard
    Jobs Horns

    World domination

    Quote: "This is actually really important because online services - that's our stuff"

    What? All of it? Including Google's?

    Arrogant tossers - they get it from Ballmer, I reckon

  3. calagan
    Thumb Up

    Bold move

    That's a really bold move, especially considering that in some cases, MS hosts some of its sites on newer versions of servers that have not yet been released to manufacturers. As an example, I recall that xbox.com was running on an unreleased version of MS CMS Server.

  4. Alex Timchula
    Thumb Up

    @ Skeptical Bastard

    Wow you really hate MS. I suppose the next time someone says they make cars you'll jump on them and tell them they don't make all cars.

    Get over yourself, go buy a tinfoil hat or something.

    I remain skeptical but this looks like a step in the right direction

  5. Pete
    Alert

    Fly-ing low

    "The philosophy here is if someone is being nice enough to point out your fly is down, they're really doing you a favor and you should thank them rather than calling the cops and saying you're a pervert."

    I'll say. Calling the cops and saying you're a pervert is a bit self-defeating.

  6. Anonymous Coward
    Anonymous Coward

    beware the wolf in sheeps clothing

    Microsoft agreeing not to sue people.... next they'll be refunding vista users.

    Step in the right direction though... just really surprised Microsoft is the first to state this publicly.

  7. Anonymous Coward
    Anonymous Coward

    @Pete

    >> "The philosophy here is if someone is being nice enough to point out your fly is

    >> down, they're really doing you a favor and you should thank them rather than

    >> calling the cops and saying you're a pervert."

    >>

    >> I'll say. Calling the cops and saying you're a pervert is a bit self-defeating.

    Indeed, "they" should be calling the cops and tell them that Ms. Moussouris is a dirty perve running around exposing herself.

    On a slightly more serious note, I think it must have been a freudian slip on Ms. Moussouris part because she realised that if anyone is guilty it is the one who is exposing themselves down in public, not the person who was exposed to them.

  8. Richard Neill

    Good fo MS

    It's not very often I have good words for Microsoft, but I I think they deserve our praise here. This is a very sensible idea.

  9. Anonymous Coward
    Coat

    "your fly is down"

    Dear Microsoft,

    Your arse is hanging out the window,

    signed,

    A. Hacker

    P.S.: No, there's no need to thank me...

  10. Anonymous Coward
    Linux

    They just want _someone_ to use their products

    I personally just think this is a desperate ploy to keep people using Microsoft services, they don't really care that those users are just whitehats or blackhats trying to find exploits as long as they've paid for the privilege ;)

  11. Scott

    XYZ

    Our software has less flies! (Still a steaming pile, though.)

  12. Pierre
    Paris Hilton

    Break the tubes?

    "We basically face a lot of issues that a lot of vendors haven't had to deal with. Not many vendors out there can break the [internet] if they mess up their patches."

    OMG OMG OMG. Better start running now, before a security hole in www.microsoft.com breaks tha Intarwub pipes. Seriously, she said that? Paris in disguise I'd say.

  13. Dr Wheetos
    Thumb Up

    Praise where praise is due

    It's nice that MS have come clean and implied their online services aren't secure.

    Sure, all online services have vulnerabilities but where's the dividing line between an ethical hacker / researcher and someone who's looking for that vulnerability that their next trojan can exploit? How does this stack up against the Computer Misuse Act in a court of English Law?

    I give them a big thumbs up though and wished others would follow suit. More people should take notice of what's posted daily on the xssed.com site too.

  14. heystoopid
    Paris Hilton

    Not the only ones

    Not the only ones , with all the new lock downs and security updates for the better class of the superior web 2.0 browsers , a number of web sites are actively reliant browser insecurity flaws of IE6/7 to work

    eg try http:// www.windowsmedia.com/mediaguide/radio with FF 2.0.0.14 running no script and see how far you get when you click on "more ...... stations" unless you invoke the IETab option even then the results can be very indifferent !

  15. Sara Peters
    Happy

    I'm pink from all the tickling.

    I'm delighted. I've been scratching my head and others' heads about this this Web research/ disclosure law thing ever since Daniel Cuthbert's conviction in 2005. It's nice to see some progress being made.

    Has anyone seen Microsoft's actual policy in writing, though? Is it on MS's site somewhere?

    It's all well and good to say "we won't sue you," but I'm sure MS's legal machine won't have allowed itself to write a policy that would weaken the company's case in court in the event that they DO decide to sue you.

  16. kain preacher

    could this be ??

    A change of a corporate philosophy ??

  17. Steve Sorensen

    Complaint brought by Mr. Schwartz's client, the Intel Corporation

    So, who's ready to be anchored to the eighth ring of Hell for 12 years? Well, speak up!

    http://www.lightlink.com/spacenka/fors/

  18. Anonymous Coward
    Anonymous Coward

    they could break the internet

    "OMG OMG OMG. Better start running now, before a security hole in www.microsoft.com breaks tha Intarwub pipes. Seriously, she said that? Paris in disguise I'd say."

    If you don't believe that if a ms automatic patch sent to every XP & vista box that accidentally flood pinged their default router wouldn't pretty much break the internet for everybody... you would be very wrong.

    I'm not a ms lover, but I'm not blinded by anger either. I truly believe a bad patch could DDOS the net on a scale so massive, that the internet would have to be fractured into bits and pieces to try and get it going again. overwelm all the routers on pretty much all networks simultaneously... running mac/linux/*bsd won't help you.

  19. Anonymous Coward
    Coat

    Breaking the tubes

    "We basically face a lot of issues that a lot of vendors haven't had to deal with. Not many vendors out there can break the [internet] if they mess up their patches."

    So Microsoft are patching the internet now are they. Well, that explains why it seems to have gotten slower over time. I think it needs a reboot. Next time you pass Internet Central can you hit the reboot key?

    Mines the slow tubular one with the patches.

  20. Charles Calthrop
    Stop

    Where are teh h8ters?

    I love it that if we all sat down and said "If company X did this it would be good" but when Microsoft do it, all of a sudden everyone is desperate to find holes in the semantics of it. "break teh internet lolz" "But, but, they're micro$haft...they...they..splutter. etc..can you see what I did by subsituting the "S" for a dollar sign" ad fucking nauseaum

    The Mac boys are a bit quiet here as well. Come on, hasn't Apple got an even shinier policy here which you could crow about or is it that their legal threats are so big they wouldn't fit in an internal mail envelope?

  21. Mister Cheese
    Go

    @Charles Calthrop

    Na, the standard httpd with the Mac server is Apache, which is open-source anyway - kinda defeats all the excitement of trying to break it.

  22. Anonymous Coward
    Coat

    they could break the internet

    from a good TV Show :)

    If you Type Google in To Google you can break the internet

    i wonder if that works with MS

    ........ goes off to type Microsoft in to Microsoft webiste and see if the internet or Microsoft dies :)

  23. Pierre
    Gates Horns

    Break the Intarwub indeed (@AC)

    "If you don't believe that if a ms automatic patch sent to every XP & vista box that accidentally flood pinged their default router wouldn't pretty much break the internet for everybody... you would be very wrong."

    I must be very wrong then. The good old "ping of death" approach would only prevent the incriminated box from accessing the Intarwub tubes, not break them, provided your sysadmin desserves his salary. You might also want to consider that she was supposed to talk about vulns in MS own websites... Paris H she is!

    "I'm not a ms lover, but I'm not blinded by anger either."

    I'm not a ms lover at all, but I'm not angry (nor blind). Just a tad sarcastic.

    "I truly believe a bad patch could DDOS the net on a scale so massive, that the internet would have to be fractured into bits and pieces to try and get it going again. overwelm all the routers on pretty much all networks simultaneously... running mac/linux/*bsd won't help you."

    Actually it would take much more than a genuine error in a patch to DDOS the whole net (not to mention how stupid "DDOS the net" sounds. Let's admit it was a shortcut). Especially considering the way MS patches are released these times. And running "mac/linux/*bsd" would prevent me from being blocked at the router level -if not genuinely at the DHCP server level- by my sysadmin (who happens to be me anyway). Now we need a version of l3dgeworld specifically flagging the MS machines. Bring it on!

  24. Pierre
    Paris Hilton

    h8ters - @ Charles H

    Steve Ballmer is not allowed to fart, because it would destroy earth, hm? Mind you, his chair-throwing activities didn't cause a major earthshake. A hole in MS websites won't disrupt anything appart from the fanbuoys trust (and even that is unlikely, they'll find a good excuse). I spent whole nights shouting "bloody Steve" at my mirror, he didn't show up tu gut me. Sure, the whole world relies on MS patches for its stability. See how things went in Iraq because MS failed to release Vista SP1 on time! Also, Katrina was caused by a security hole in WinXP (which -thank Dog- has been patched before the world was destroyed)!

    Now let's have a look at facts: The world is overwhelmed by spam and DDOS attacks due to security holes in various versions of Windows (does "botnet" ring a bell?). I strongly doubt that MS could make things worst without actively trying. The Intarwub is still working though. Kinda.

  25. Pierre
    Thumb Down

    footnote

    The w3 parser found 26 HTML errors on www.microsoft.com. Surely it's a flaw that I should report. Especially as MS is part of the w3 consortium.

  26. Pierre

    erratum -ping o'death

    It seems I typed something like:

    "The good old "ping of death" approach would only prevent the incriminated box from accessing the Intarwub tubes, not break them"

    as an answer to AC who said that flood-pinging the router would disrupt the intarwub. That's actually not quite true. Sorry. The HTTP traffic for the incriminated machine will not be blocked (not automatically, not with my settings, that is). Still, the intarwub tubes won't be affected.

This topic is closed for new posts.