Earlier this week hackers from around the country met in Vegas at the annual Black Hat event. Vista is the first Microsoft operating system built from the ground up with security in mind i.e. using Microsoft's Secure Development Lifecycle. At Black Hat, Microsoft handed over around 3000 copies of Vista to hackers.

This IMHO is fantastic for all concerned. Microsoft will have the best hackers out there poking at Vista trying to find holes in it, while the hackers have an opportunity to flex their muscles too. Since the hackers may at least indirectly help Microsoft in securing Vista further, they will hopefully be a little kinder in the future when a vulnerability is reported. 

Mind you, I say when, and not if, because there is no operating system so secure that someone given enough time and resources cannot find a security vulnerability in it. Going by the obnoxious Apple ads on TV, one might assume that an Apple never catches a virus or worm, is never infected by spyware, and is absolutely secure. This is far from the truth, as demonstrated by Jon Ellch and David Maynor during a presentation earlier this week.

Operating systems are huge, complicated pieces of code. Microsoft has several additional burdens: the operating system has to run on a very wide range of hardware over which Microsoft has very little control, if any. The success of its operating system also means a new OS version is expected to maintain a high level of compatibility with previous versions, so that most applications developed for an earlier operating system will continue to run with minimal changes, if any. Mind you, no one is complaining about the success of Windows, but this is a burden that our competitors who own the entire stack, viz. the hardware, the OS, and the applications, do not have to be concerned about. The complicated nature of the operating system naturally increases the possibility that a piece of code somewhere that is secure under normal circumstances may misbehave when an exact set of conditions is met.

I doubt any OS vendor will ever be able to honestly claim that their platform is a hundred percent secure and has zero vulnerabilities. If someone claims zero vulnerabilities have been found, this only means that the vulnerabilities may be lurking just around the corner ready to hit them like a pie in the face.