At Microsoft, Interlopers Sound Off on Security

REDMOND, Wash., Oct. 14 - In a windowless war room where Microsoft manages worldwide computer security crises, George Stathakopoulos, the general manager for security, opened a small refrigerator, revealing three bottles of Champagne.

"These are for the arrests," he said, with a brief smile.

Locked in a struggle with a shadowy "black hat" computer underground that exploits any flaw in its software, Microsoft has spent three and a half years trying to transform its engineering culture to make security the company's priority.

Recently there have indeed been some arrests for computer attacks that capitalized on Microsoft software flaws. But more important, during the last year the company has made measurable progress in improving the quality of its software code, according to many computer security specialists and customers.

That has in effect raised the bar for the computer outlaws seeking to exploit the company's software for data theft, extortion or simple mischief. It now appears that Microsoft can begin to celebrate -- a little.

Last Thursday and Friday, the company held its second Blue Hat briefing, a meeting with a small group of about a dozen independent computer security specialists invited to the company's headquarters here to share detailed research on vulnerabilities in Windows software.

Microsoft managers chose the term blue hat to distinguish their outreach campaign from the usual division in the computer security world between warring communities of white hats and black hats. Whatever their hats, those invited here were a group not generally inclined to think highly of Microsoft.