Microsoft: Finding flaws on our website is OK

World domination

Quote: "This is actually really important because online services - that's our stuff"

What? All of it? Including Google's?

Arrogant tossers - they get it from Ballmer, I reckon

Bold move

That's a really bold move, especially considering that in some cases, MS hosts some of its sites on newer versions of servers that have not yet been released to manufacturers. As an example, I recall that xbox.com was running on an unreleased version of MS CMS Server.

@ Skeptical Bastard

Wow you really hate MS. I suppose the next time someone says they make cars you'll jump on them and tell them they don't make all cars.

Get over yourself, go buy a tinfoil hat or something.

I remain skeptical but this looks like a step in the right direction

Fly-ing low

"The philosophy here is if someone is being nice enough to point out your fly is down, they're really doing you a favor and you should thank them rather than calling the cops and saying you're a pervert."

I'll say. Calling the cops and saying you're a pervert is a bit self-defeating.

"your fly is down"

Dear Microsoft,

Your arse is hanging out the window,

signed,

A. Hacker

P.S.: No, there's no need to thank me...

They just want _someone_ to use their products

I personally just think this is a desperate ploy to keep people using Microsoft services, they don't really care that those users are just whitehats or blackhats trying to find exploits as long as they've paid for the privilege ;)

Break the tubes?

"We basically face a lot of issues that a lot of vendors haven't had to deal with. Not many vendors out there can break the [internet] if they mess up their patches."

OMG OMG OMG. Better start running now, before a security hole in www.microsoft.com breaks tha Intarwub pipes. Seriously, she said that? Paris in disguise I'd say.

Praise where praise is due

It's nice that MS have come clean and implied their online services aren't secure.

Sure, all online services have vulnerabilities but where's the dividing line between an ethical hacker / researcher and someone who's looking for that vulnerability that their next trojan can exploit? How does this stack up against the Computer Misuse Act in a court of English Law?

I give them a big thumbs up though and wished others would follow suit. More people should take notice of what's posted daily on the xssed.com site too.

Not the only ones

Not the only ones , with all the new lock downs and security updates for the better class of the superior web 2.0 browsers , a number of web sites are actively reliant browser insecurity flaws of IE6/7 to work

eg try http:// www.windowsmedia.com/mediaguide/radio with FF 2.0.0.14 running no script and see how far you get when you click on "more ...... stations" unless you invoke the IETab option even then the results can be very indifferent !

I'm pink from all the tickling.

I'm delighted. I've been scratching my head and others' heads about this this Web research/ disclosure law thing ever since Daniel Cuthbert's conviction in 2005. It's nice to see some progress being made.

Has anyone seen Microsoft's actual policy in writing, though? Is it on MS's site somewhere?

It's all well and good to say "we won't sue you," but I'm sure MS's legal machine won't have allowed itself to write a policy that would weaken the company's case in court in the event that they DO decide to sue you.

Breaking the tubes

"We basically face a lot of issues that a lot of vendors haven't had to deal with. Not many vendors out there can break the [internet] if they mess up their patches."

So Microsoft are patching the internet now are they. Well, that explains why it seems to have gotten slower over time. I think it needs a reboot. Next time you pass Internet Central can you hit the reboot key?

Mines the slow tubular one with the patches.

Where are teh h8ters?

I love it that if we all sat down and said "If company X did this it would be good" but when Microsoft do it, all of a sudden everyone is desperate to find holes in the semantics of it. "break teh internet lolz" "But, but, they're micro$haft...they...they..splutter. etc..can you see what I did by subsituting the "S" for a dollar sign" ad fucking nauseaum

The Mac boys are a bit quiet here as well. Come on, hasn't Apple got an even shinier policy here which you could crow about or is it that their legal threats are so big they wouldn't fit in an internal mail envelope?

@Charles Calthrop

Na, the standard httpd with the Mac server is Apache, which is open-source anyway - kinda defeats all the excitement of trying to break it.

they could break the internet

from a good TV Show :)

If you Type Google in To Google you can break the internet

i wonder if that works with MS

........ goes off to type Microsoft in to Microsoft webiste and see if the internet or Microsoft dies :)

Break the Intarwub indeed (@AC)

"If you don't believe that if a ms automatic patch sent to every XP & vista box that accidentally flood pinged their default router wouldn't pretty much break the internet for everybody... you would be very wrong."

I must be very wrong then. The good old "ping of death" approach would only prevent the incriminated box from accessing the Intarwub tubes, not break them, provided your sysadmin desserves his salary. You might also want to consider that she was supposed to talk about vulns in MS own websites... Paris H she is!

"I'm not a ms lover, but I'm not blinded by anger either."

I'm not a ms lover at all, but I'm not angry (nor blind). Just a tad sarcastic.

"I truly believe a bad patch could DDOS the net on a scale so massive, that the internet would have to be fractured into bits and pieces to try and get it going again. overwelm all the routers on pretty much all networks simultaneously... running mac/linux/*bsd won't help you."

Actually it would take much more than a genuine error in a patch to DDOS the whole net (not to mention how stupid "DDOS the net" sounds. Let's admit it was a shortcut). Especially considering the way MS patches are released these times. And running "mac/linux/*bsd" would prevent me from being blocked at the router level -if not genuinely at the DHCP server level- by my sysadmin (who happens to be me anyway). Now we need a version of l3dgeworld specifically flagging the MS machines. Bring it on!

h8ters - @ Charles H

Steve Ballmer is not allowed to fart, because it would destroy earth, hm? Mind you, his chair-throwing activities didn't cause a major earthshake. A hole in MS websites won't disrupt anything appart from the fanbuoys trust (and even that is unlikely, they'll find a good excuse). I spent whole nights shouting "bloody Steve" at my mirror, he didn't show up tu gut me. Sure, the whole world relies on MS patches for its stability. See how things went in Iraq because MS failed to release Vista SP1 on time! Also, Katrina was caused by a security hole in WinXP (which -thank Dog- has been patched before the world was destroyed)!

Now let's have a look at facts: The world is overwhelmed by spam and DDOS attacks due to security holes in various versions of Windows (does "botnet" ring a bell?). I strongly doubt that MS could make things worst without actively trying. The Intarwub is still working though. Kinda.

footnote

The w3 parser found 26 HTML errors on www.microsoft.com. Surely it's a flaw that I should report. Especially as MS is part of the w3 consortium.