At eEye you caused quite a stir over at Microsoft. Tell me about that.
Maiffret: Yeah. First and foremost, we were building a vulnerability assessment product that could scan your company network and tell you here's all the ways a hacker could break in and here's how to fix it. I was focused on Windows and Microsoft platforms in the beginning. I had been interested in vulnerability research since 1997 and more serious stuff in 1998 and 1999. I started to discover some of the more critical remote Microsoft vulnerabilities where you could compromise any Microsoft Web server. That kicked off some of the first real intense looks at Microsoft from a security perspective.
How would you characterize the state of security at Microsoft products at the time?
Maiffret: At that time they didn't even have a dedicated security team. One guy acted as a liaison between marketing and engineering, and they treated it very much as a marketing problem, not as a technical problem and not one they needed to focus on addressing. Their attitude was, "If we can keep evil research guys quiet, no one will talk about it and we won't have to be distracted trying to fix these things." We were not OK with that. We were outspoken, which was unique for a business with tens of millions of dollars in revenue.
Most businesses bite their tongue, because it's not beneficial to speak out against the largest software company in the world. But if you truly cared about improving the world's security you had to do things for the IT community and not just worry about selling products. We did that by holding Microsoft's feet to the fire and holding them accountable for what they were doing wrong.
It started to shift away from being a marketing nuisance and started mattering to them as a company when Bill Gates released his Trustworthy Computing memo [in January 2002]. He stated this was the No. 1 objective of the company, to have the software become secure to the point where people actually trust it. There was a lack of faith in Microsoft and security, especially after all the computer worms like Code Red and Slammer. Banks were talking to Microsoft about switching. Now when you look at Microsoft today they do more to secure their software than anyone. They're the model for how to do it. They're not perfect; there's room for improvement. But they are definitely doing more than anybody else in the industry, I would say.
Are they the model that other companies are following?
Maiffret: From an internal process standpoint, in how they go about auditing their code and securing software from a technical perspective, they do have one of the best models. The area where they still have room for improvement is around timelines, how long it takes for them to fix things. We see time and time again that when somebody responsibly reports a security problem to Microsoft, it takes many, many months, if not upwards of a year, to get these things resolved. Should there be some new zero-day critical emergency, we see they are able to get something out within a couple of weeks. You look at companies like Adobe and they are where Microsoft was 10 years ago.