Feeds

MS-commissioned secret audit clears MS over Hotmail holes

Huge victory for self-regulation, says Man in Suit

  • alert
  • submit to reddit

Seven Steps to Software Security

Microsoft has been entirely exonerated over the ghastly cock-up that opened up the email of 50 million Hotmail users to all and sundry. The exoneration comes in a secret report of an audit that was carried out by a "big five accounting" firm which Microsoft won't name. One might of course speculate that this is the sort of thing that will torpedo industry attempts to self-regulate over privacy. In the wake of the discovery of the Hotmail security hole Microsoft and Web privacy overseer TRUSTe announced that Hotmail would undergo a voluntary review by a major accounting firm, and that the firm would not be named. Microsoft is one of TRUSTe's major funding sources, but then as Microsoft is a big software company, it would be, wouldn't it? TRUSTe also gets a lot from IBM and Novell. Nevertheless, by reacting to one of the biggest privacy screw-ups ever to hit the Net with a voluntary, secret audit TRUSTe was effectively, in the words of Junkbusters president Jason Catlett, saying "Trust me." Microsoft professes itself unable to name the auditors or release the final report because this would be prohibited under the guidelines set by the American Institute of Certified Public Accountants (AICPA). We can think of some companies whose auditors might like to take the fifth in this way as a matter of course, but under the circumstances it's remarkably convenient, as it lets Microsoft say "trust me" too. Microsoft released what we have to take on trust as being the report's findings in a press release yesterday. "TRUSTe and Microsoft have confirmed that Microsoft effectively resolved the Hotmail security issue and that Microsoft is in compliance with the TRUSTe licensing agreement. Microsoft also has implemented several quality-control procedures to help prevent future incidents of this kind." What these are, and whether they apply to, say, IE5 (aka Security Hole Central), we know not. Microsoft then goes on to tell the areas the report "details activities conducted by the accounting firm in each of the following areas," without elaborating on the activities themselves. Briefly, they looked at documentation on the nature, extent and cause of the problem. Then they looked at documentation describing the solutions implemented, then they talked to the people involved. Then (grief…) they checked the code to see the fix had been implemented, and then (double grief…) they checked to see the problem was no longer there. Is it any wonder the full report isn't being released? Maybe that is the full report, and it just says that Microsoft fixed it, and promises not to do it again. Bob Lewin, executive director of TRUSTe, gave himself a hearty slap on the back: "The significance of this report is clear: Our oversight and automated dispute resolution mechanism is effective, and moreover, the self-governance process works… I am confident that this serves as a model for effective oversight with the TRUSTe program. Finally, this action underscores the proven credibility and robustness of TRUSTe's privacy seal program on the Internet." Great stuff, eh? Junkbusters, which has been harrying MS and TRUSTe over this and other issues, takes a different view. "Suppose a space shuttle exploded and NASA commissioned an independent engineering firm to investigate, then claimed the problem was fixed but refused to even name the engineering firm. They would be ridiculed, and so should TRUSTe and Microsoft." ®

Boost IT visibility and business value

More from The Register

next story
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
Airbus promises Wi-Fi – yay – and 3D movies (meh) in new A330
If the person in front reclines their seat, this could get interesting
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
Samsung threatens to cut ties with supplier over child labour allegations
Vows to uphold 'zero tolerance' policy on underage workers
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.