I’m finally finished with all the Microsoft talks for this week. It was a lot of fun this week - I had more and more fun as the week went on, which also coincidentally coincides with my health improving (had a bad cold this week). Thankfully, I was up for today, because I had a really good meeting, but let’s start from the beginning.
The first two talks went well. They were to the executives. Unfortunately they were also pretty short so I didn’t go into nearly as much technical meat as I would have liked to, but it was a nice high level overview on how small holes are really a big deal in the webappsec space. I ended up spending most of my time talking with a few key people in MSRC and IE while I was there. There was a big reception party that night, which I barely remember because I was so sick, but I got to meet Dan Kaminsky from Ioactive amongst the sea of blue. There were actually a lot of hackers and security researchers there, it turned out. Caleb Sima from SPI, for instance, was there. There was some good tech talk - but an elephant could have been in the room and I probably wouldn’t have noticed - I was that out of it.
The next morning I felt 1000x better. I was the last presenter. Rob Thomas kicked off the day with a talk on the hacker economics. It was a nice high level whirlwind of what bad guys are up to. The Flexilis guys demonstrated a bunch of Bluetooth 0day and also demonstrated their Bluetooth sniper rifle that can steal info off of a cell phone from over a mile away (how they got that thing on the plane still amazes me). David Maynor and Robert Graham had a really nice demo on reverse engineering exploits. It was fast and furious but very nicely done. I wasn’t the only one who was sick that day though; Bunnie was also recovering from some serious jetlag, but those guys managed to pull off a really good speech on why DRM isn’t interesting. I would have to agree.
I was able to deliver my full presentation in the main convention hall (which incidentally looks a lot like the senate in Star Wars). Cool convention center. My speech went off without a hitch. I demonstrated some of the obvious holes, like the MHTML stuff, which they are very much committed to fixing now, among other known issues. Ultimately, it went really well. After it was over we all split up for the most part. Only a handful of us stayed. The Errata guys and I headed over to get some food with Caleb, Dragos and some of the Ioactive crowd. Funny stories, too much to go into but by the end of the night, it was just the Errata guys, Caleb and me. Not a crowd you want to bring home to mama.
I managed to crawl into bed around 3:30 after punching out some emails. Today I went over to MS again, solo this time. I met with the IE team so they could do a Q&A with me. And when I say the IE team, I mean the whole IE team. It was such a good turn-out that we had to take multiple pictures to get everyone in it. See here and here (and that’s after a bunch of people bailed too). It was a really great showing and I think we got more work done in that hour than I did the entire time I was here this week.
After it was over I got a chance to sit down and watch a preso by Bob Fish on Microsoft’s XSS library. The interesting part is how seriously they are taking this (thankfully). Bob’s speech basically laid down the law on the fact that MS was to use this framework for all its new websites and eventually retroactively start using it on every site. I’ve mentioned it before, but if you run ASP.NET go check out the anti-XSS library. Cool stuff.
After it’s all said and done, I really get a great deal of confidence in what MS is doing (not that it couldn’t deal with improvements here and there, but at least they aren’t going on the wrong path). Yes, like any massive company they have flaws, and some of those flaws are holy-crap type flaws, but thankfully it’s clear they’re committed to doing the right thing where possible. And since they control the vast population of unwashed internet users, they also have the most potential for fixing the problems. Anyway, feel free to check out the rest of the pics. I’ll be talking at Toorcon tomorrow.