In response to a recent firestorm of criticism regarding the security of its products, Microsoft (Nasdaq: MSFT) left a Web server with a beta version of Windows 2000 and the embattled Internet Information Server (IIS) outside its firewall this week.
This enticing announcement openly invited members of the hacking community to crack the new program. Not only was there little hacker interest, but the server crashed and was unavailable for more than 24 hours.
Online security firms, including L0pht and eEye, have in recent months discovered numerous server vulnerabilities that have left the Redmond, Washington-based software titan scrambling to save face by making patches available and launching a major security initiative. With recent anti-trust lawsuits involving Caldera, another hi-tech firm, and the U.S. Government, Microsoft has learned to respond to potentially image-tainting revelations.
Creating a ‘capture the flag’ scenario, Microsoft placed several target files and user accounts on the server for hackers — who apparently now prefer to be known as crackers — to pilfer. No material compensation was offered to parties able to penetrate Windows 2000’s security system, however. “We hope that this kind of open testing will allow us to ship our most secure OS (operating system) yet,” commented a Microsoft spokesman in a ZDNet report.
Another Public Embarrassment?
“This test site is available for security testing to help support our goal of delivering a great product that meets the most demanding customer needs,” read a Microsoft statement. However, soon after the Microsoft Windows 2000 beta went live, making it available online to potential attackers, technical difficulties with the test server caused a crash.
Microsoft, occasionally known for botched public demonstrations, indicated that “router problems” were to blame, and the project was put on hold for over a day. At press time, the beta was again available, but no report had been issued indicating the status of the testing.
The Challenge Still Stands
Hackers did respond to the open challenge, but not in the manner that Microsoft hoped for, apparently. The Hacker News Network, for instance, dismissed the software company’s move as “an obvious ploy to get free publicity.” A statement posted at the site added, sarcastically, that it is their hope “that this is not a primary testing method.”
An anonymous member of the Slashdot Community, an open-source software resource site, commented on the test: “Not only is attacking a system blind over the ‘net probably one of the hardest things to do, but the people who could actually accomplish this task have more important things to do. Of course a few months from now I’m sure we will hear how Windows 2000 stood up to X number of ‘hack’ attempts.”
OS and Web server integrity are critical issues to the livelihood of Internet-centric operations, and are key concerns for firms engaged in e-commerce. Security experts and other interested parties are encouraged to test the Windows 2000 beta.