Microsoft Takes LSD to Test Vista Security
Modernizing Authentication — What It Takes to Transform Secure Access
LAS VEGASRemember the LSDor Last Stage of Deliriumhacking group?
Back in 2003, the group of four Polish security researchers discovered the RPC (Remote Procedure Call) interface vulnerability that would later be used to unleash the Blaster worm, but because of distrust over Microsoft's willingness to address software flaws at the time, LSD members had to be coaxed into sharing their findings.
Today, LSD is on Microsoft's payroll, working on what is being hailed as the "largest ever penetration test" of an operating system coming out of Redmond, Wash.
According to John Lambert, senior group manager in Microsoft's SWI (Secure Windows Initiative), LSD members are part of an "internal team of hackers" conducting simulated attacks against Windows Vista.
The group's members are all graduates of computer science from the Poznan University of Technology and have worked as the security team of the Poznan Supercomputing and Networking Center, in Poznan, Poland.
The hiring of third-party security research outfits and independent hackers is significant on many fronts. It underscores Microsoft's public push to embrace the hacking community and shed its image as a company with a lax approach to security.
The list of external security consultants hired to audit the Vista code to look for weaknesses, technical flaws and vulnerabilities reads like a who's-who list for the infosec industry. Lambert said about 20 well-known researchers who regularly appear at its "Blue Hat" conference have been given access to the full source code, specs and threat models for review.
"We're not blocking them from looking anywhere. They have access to everything. Go everywhere and find all the bugs you absolutely can," Lambert said.