I know it's "wrong" but I love it when Microsoft is embarrassed with things like this. Maybe it will force them to take security more seriously in the future, and maybe that attitude will bleed over a little into their retail products.

It's not just MS (sadly). I heard about a linux box was put up not to long ago to demonstrate the server's security as it had been optimized to prevent hacking. It took only 15 minutes before the hackers had Root.

I heard this story about the Windows 2000 beta at a conference. Microsoft put a box on the web and said "Try to find bugs/security holes in this." The /. crowd hammered on it. Then someone posted, "What are we doing? We're helping Microsoft!"

So for about three days there were no attacks. Then Microsoft posted, "Nobody has found a hole in three days!" Suddenly everyone was back hammering on it again.

Lorax, do you have a reference for that one?

bird, I'll ask my co-worker for the info since he's the one who told me. He's big into security stuff and read it on some discussion board I believe. I'll get back to you next week unless he decides to check his email this weekend!

So for about three days there were no attacks. Then Microsoft posted, "Nobody has found a hole in three days!" Suddenly everyone was back hammering on it again.

Seems like an ego thing... at both ends! :)

Why dont these companies hire hackers crack the system and then fix the problem before release?

If they leave it to be discovered after release, they don't have to pay the hackers a salary to do it.

I guess putting out a product with holes is a good thing. I know a guy whos been fighting hackers for 3 weeks, hes about ready to pop. Well mivox you have a point. If the company puts it out and the hackers have their way with it, then the company will learn the holes. The only problem there is the customer gets messed over trying to find out what the hackers did. It seems eaiser to me to get the bugs worked out and then release it to the public not the other way around. Customer support will be on the line all times of day, so either way you cut it you will spend money.

The only problem there is the customer gets messed over trying to find out what the hackers did. It seems eaiser to me to get the bugs worked out and then release it to the public not the other way around.

Well, that would be the nice way to go about it... but I guarantee a company like Microsoft would have to pay most self-respecting hackers a lot more money to "come to the dark side" and help them QA their products than they have to pay a wage-slave phone support "tech."

Phone support is a high turn-over cr@p job that pays garbage... like the McDonalds job of the tech industry. A good security expert would be a premium employee, who'd have to get paid enough to drown out the little voice in the back of his head whispering, "sell out!" whenever he tried to sleep. ;)

bird, et al,
I stand corrected. I misunderstood my coworker - totally! The server in question was actually several servers - part of the honeynet project. I believe the server installs were default installs. Here's the link for those of you who want more information.

[honeynet.org...]

Just goes to show how much I need my morning coffee.:)

Best,
Gregg

Thanks lorax, you earned your coffee... ;)