
MS-commissioned secret audit clears MS over Hotmail holes

Huge victory for self-regulation, says Man in Suit


Microsoft has been entirely exonerated over the ghastly cock-up that opened up the email of 50 million Hotmail users to all and sundry. The exoneration comes in a secret report of an audit that was carried out by a "big five accounting" firm which Microsoft won't name. One might of course speculate that this is the sort of thing that will torpedo industry attempts to self-regulate over privacy.

In the wake of the discovery of the Hotmail security hole Microsoft and Web privacy overseer TRUSTe announced that Hotmail would undergo a voluntary review by a major accounting firm, and that the firm would not be named. Microsoft is one of TRUSTe's major funding sources, but then as Microsoft is a big software company, it would be, wouldn't it? TRUSTe also gets a lot from IBM and Novell. Nevertheless, by reacting to one of the biggest privacy screw-ups ever to hit the Net with a voluntary, secret audit TRUSTe was effectively, in the words of Junkbusters president Jason Catlett, saying "Trust me."

Microsoft professes itself unable to name the auditors or release the final report because this would be prohibited under the guidelines set by the American Institute of Certified Public Accountants (AICPA). We can think of some companies whose auditors might like to take the fifth in this way as a matter of course, but under the circumstances it's remarkably convenient, as it lets Microsoft say "trust me" too.

Microsoft released what we have to take on trust as being the report's findings in a press release yesterday. "TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind." What these are, and whether they apply to, say, IE5 (aka Security Hole Central), we know not.

Microsoft then goes on to say that the report "details activities conducted by the accounting firm in each of the following areas," without elaborating on the activities themselves. Briefly, they looked at documentation on the nature, extent and cause of the problem. Then they looked at documentation describing the solutions implemented, then they talked to the people involved. Then (grief…) they checked the code to see the fix had been implemented, and then (double grief…) they checked to see the problem was no longer there.

Is it any wonder the full report isn't being released? Maybe that is the full report, and it just says that Microsoft fixed it, and promises not to do it again.

Bob Lewin, executive director of TRUSTe, gave himself a hearty slap on the back: "The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works… I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe's privacy seal program on the Internet." Great stuff, eh?

Junkbusters, which has been harrying MS and TRUSTe over this and other issues, takes a different view. "Suppose a space shuttle exploded and NASA commissioned an independent engineering firm to investigate, then claimed the problem was fixed but refused to even name the engineering firm. They would be ridiculed, and so should TRUSTe and Microsoft." ®
