Have You Hugged Your Hacker?

So, the big vendors are reaching out to...nah...embracing the hacker underground for help in plugging their vulnerable products. Big deal!

Microsoft and Cisco Systems may have made a big deal out of an altruistic gesture at last week's Black Hat conference, but it's really anticlimactic. The big software vendors have dealt with white, gray and black hats for years. The Microsoft Security Response Center literally receives thousands of tips and reports about programming flaws and vulnerabilities in their applications. The one difference is that they're being proactive—meaning they're letting the digital dark side get their hands on the code before it goes to market.

OK, Prediction #1: Windows Vista's ship schedule will slip again. I bet I'll get no takers on that bet (hmm, a bet about a bet?).

And, sorry Cisco, but breaking bread with the hackers won't win you points, as the hackers themselves demonstrated. Despite your goodwill, they still unveiled two serious vulnerabilities in your collaboration software and PIX firewall.


Back to Microsoft. The folks in Redmond have been collaborating with white and black hat hackers for years. They have strong relationships with people who have what many consider "unsavory" backgrounds. And they have long working ties with security and coding gurus who seek out and help resolve security problems.

While Microsoft may be trying to cover its bases on the Vista launch, it will probably backfire. Prediction #2: The white and gray hats Microsoft is embracing will rip Vista and other new products apart. They will make it their mission to smash and pummel every line of code, every module, every API, every buffer, to take over or crash the new operating system.

And this leads to Prediction #3: Microsoft Vista SP1, released three months after the launch—whenever that will be.

There are two reasons why this outreach will fail Microsoft, Cisco and other vendors that follow. Historically, hackers of every flavor thrive on publicity and, historically, vendors are painfully slow in responding to reports of security flaws.

The publicity issue: Bug hunters want credit. They'll take it either through acknowledgement by the vendor, which usually gets them written up in every account of the hole, or by releasing information on the vulnerability themselves, with or without the vendor's consent.

It's the second part that usually gets the vendor in trouble. Vendors, Microsoft in particular, are usually slow in responding, acknowledging or correcting security flaws. Wanting their moment in the limelight, hackers get impatient waiting for the vendor to act and release the flaw to the world.

Prediction #4: Some of Microsoft's newfound friends won't be able to resist temptation, and will begin releasing notes about security flaws in Vista, further embarrassing Microsoft. Worse, the black hats who get their hands on Beta 2 will start building tools to exploit undisclosed vulnerabilities.

Finally, after years of dismissing and deriding the digital underground, Microsoft and Cisco are opening their arms and waiting for big hugs from their adversaries. I will bet that white and gray hats will drink their expensive wine and listen to their rants, but—in the end—will still be loyal to their convictions. Microsoft, however, has blown its conviction and can no longer claim that its software is more secure than open-source Linux because, as CEO Steve Ballmer has said time and again, "we develop and test our own software."