How Microsoft Reduces Risk

There is a great Wall Street Journal article out today that highlights H.D. Moore and also gives important insight into Microsoft’s risk reduction strategy (the quotes below are from the Journal article):

  1. Wining and dining: "Microsoft plans to wine and dine Mr. Moore at a party at the fancy Palms Hotel." "'You’re less willing to publicly humiliate someone you know in real life,' he [H.D. Moore] says."
  2. Throw a kegger for bugfinders: "In 2003, the [Microsoft] executives threw an "appreciation" party for researchers at Black Hat."
  3. Suck up to bugfinders publicly: "Microsoft, Cisco Systems Inc., Oracle Corp. and other tech giants are engaging in a full charm offensive here as they seek to convince security researchers to work with, not against, them."
  4. Hire hackers: "Over the past year, he notes, Microsoft has hired some of his friends. 'They’ve been on a hacker buying spree,' says Mr. Moore."
  5. Offer to fly to their location to "talk things over": "He [Reavey] offered to fly to Austin to talk about it. Mr. Moore, saying a visit wasn’t necessary, offered to post vulnerabilities in non-Microsoft browsers for a few days instead."

This last line is the clincher and demonstrates exactly why risk is reduced – since bugfinders can choose whatever targets they want, it makes sense to convince them not to choose yours. So let’s see, I believe the equation goes something like this:

Wine + Dine + Suckup + Attention + Thanks = Lower Risk

Who would have thought the bugfinding community would be such pushovers? Maybe we can just skip the whole "more secure software" thing. I really like how the Wall Street Journal defines blackmail as a wish list: "A few days later, Mr. Moore sent Mr. Reavey a wish list of changes he hoped for from Microsoft. Among them: Give researchers more information about vulnerabilities and tone down the bulletins blaming researchers for disclosing flaws."

By the way, it is pretty likely (certain?) that Microsoft actually does have more secure software than it did in the past; it’s just that nobody seems to care to try to measure the extent of it. This entire article is great evidence for the randomness of target selection and the unpopularity contest that occurs in the aftermarket, so the published vulnerability counts are pretty useless as a measure of it.

In addition, there is no denying the brilliance of Microsoft’s strategy (i.e. the risk really is reduced) – the real truth is, a few of the techniques from Cialdini’s Influence go a long way. Now, I wonder what they are going to do about the recent rash of Undercover Exploits they’ve been hit with.