Feeds

MS-commissioned secret audit clears MS over Hotmail holes

Huge victory for self-regulation, says Man in Suit

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Microsoft has been entirely exonerated over the ghastly cock-up that opened up the email of 50 million Hotmail users to all and sundry. The exoneration comes in a secret report of an audit that was carried out by a "big five accounting" firm which Microsoft won't name. One might of course speculate that this is the sort of thing that will torpedo industry attempts to self-regulate over privacy. In the wake of the discovery of the Hotmail security hole Microsoft and Web privacy overseer TRUSTe announced that Hotmail would undergo a voluntary review by a major accounting firm, and that the firm would not be named. Microsoft is one of TRUSTe's major funding sources, but then as Microsoft is a big software company, it would be, wouldn't it? TRUSTe also gets a lot from IBM and Novell. Nevertheless, by reacting to one of the biggest privacy screw-ups ever to hit the Net with a voluntary, secret audit TRUSTe was effectively, in the words of Junkbusters president Jason Catlett, saying "Trust me." Microsoft professes itself unable to name the auditors or release the final report because this would be prohibited under the guidelines set by the American Institute of Certified Public Accountants (AICPA). We can think of some companies whose auditors might like to take the fifth in this way as a matter of course, but under the circumstances it's remarkably convenient, as it lets Microsoft say "trust me" too. Microsoft released what we have to take on trust as being the report's findings in a press release yesterday. "TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind." What these are, and whether they apply to, say, IE5 (aka Security Hole Central), we know not. Microsoft then goes on to tell the areas the report "details activities conducted by the accounting firm in each of the following areas," without elaborating on the activities themselves. Briefly, they looked at documentation on the nature, extent and cause of the problem. Then they looked at documentation describing the solutions implemented, then they talked to the people involved. Then (grief…) they checked the code to see the fix had been implemented, and then (double grief…) they checked to see the problem was no longer there. Is it any wonder the full report isn't being released? Maybe that is the full report, and it just says that Microsoft fixed it, and promises not to do it again. Bob Lewin, executive director of TRUSTe, gave himself a hearty slap on the back: "The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works… I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe's privacy seal program on the Internet." Great stuff, eh? Junkbusters, which has been harrying MS and TRUSTe over this and other issues, takes a different view. "Suppose a space shuttle exploded and NASA commissioned an independent engineering firm to investigate, then claimed the problem was fixed but refused to even name the engineering firm. They would be ridiculed, and so should TRUSTe and Microsoft." ®

Internet Security Threat Report 2014

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
DOUBLE BONK: Testy fanbois catch Apple Pay picking pockets
Users wail as tapcash transactions are duplicated
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
In the next four weeks, 100 people will decide the future of the web
While America tucks into Thanksgiving turkey, the world will be taking over the net
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.