
Microsoft's Trick or Treat

Limping towards security


In the gothic novel of public opinion, Microsoft is a veritable "Dr. Jekyll and Mr. Hyde." The general business community regards Microsoft as a prominent and respected corporation with a substantial product line which has literally changed the face of modern-day computing. Its stock is on the rise (presumably in reaction to the highly publicized launch of XP), and quarterly earnings over the past year have met or exceeded industry projections.

In the last quarter, roughly 85 per cent of analysts have classified MSFT as a "buy" with more than half of those putting the stock in the "strong buy" category. With several technology companies posting losses in the billions alongside employee lay-offs into the thousands, some think Microsoft is looking pretty good. Many consider it a family of Shiny Happy People who want to buy the world a Coke and keep it company.

Saying that some in the information security community have a different view would be an understatement reminiscent of DNA's structure being described as "biologically interesting."

There are substantial numbers of people out there who openly despise Microsoft with an almost religious furor, describing it as a purveyor of garbage, devoid of any security knowledge, absorbed in a horrifying monopolistic quest for world domination. To them, Microsoft is a group of Evil Troglodytes on coke who want to make the world their company.

The vast majority of us are somewhere in the middle. To embrace Microsoft technologies is to engage in a bittersweet relationship between function and form, cost and capability, and simplicity and security. The latter is what tends to bite most of us in the back pocket. In between good and evil, we find ourselves with a job to do and a limited amount of time to do it in.

So when security issues arise that threaten our networks, they divert us from our goals, potentially expose resources, and rob us of our profits. However, we have to realize that security problems are part of the deal; they are the Yin intermingled with our Local Area Yang and will exist across the board.

In an amazing coincidence of almost serendipitous timing, my last "everything has security issues" article was immediately followed by multiple security advisories for varied distros of Linux, including issues with Apache. Sun also issued multiple advisories against different versions of Solaris and SunOS.

You see, security issues are here to stay. I'm not surrendering to the machine; I'm just accepting that it will always have to be oiled.

But there is hope on the horizon for MS shops. Microsoft has taken a look at the process through Code Red colored glasses, and has seen the light. In an unprecedented initiative, the company has been rolling out security provisions one after another in an effort to illustrate its commitment to security, and quell the fears of its customers.

Beauty in the Beast

Within a very short period of time, we saw the release of HFNetChk, IISLockdown, and URLScan. Shortly thereafter, details of the new Strategic Technology Protection Program (STPP) and its "Get Secure, Stay Secure" offerings were released. While there are some to whom this news will be as exciting as a conversation with Ben Stein after a bong hit, I think it is an important step for the company, if not the entire industry.

Some say it's "too little too late" or they're "closing the barn doors after the horses have left," but I don't think there is such a thing when dealing with evolving technologies. While there may be plenty of historical evidence to dispute Microsoft's concern or capacity to secure its past products, I am optimistic about the "from here, forward" directive.

While the Microsoft security team has been beating against products for some time in an effort to increase their security, I have been of the mindset that true security in the product line can only be gained from a change in the development model -- and that change must be in the form of an Executive Decree.

This is now all taking place. Brian Valentine, Senior VP of the Windows division, has made some very clear promises about what is to come: The company is committing resources, unifying divisions, and creating consortiums that will even include competitors, if that is what it takes.

SP3 for Win2k, due in February, promises to yield fixes based on a complete code-level review of all sensitive processes. And Bill Gates himself has been quoted as saying that there is "no higher priority for us than closing security holes." Some might simply consider this to be lip service or corporate rhetoric, but I don't think so. Special support services are being carved out, and enterprise tools created and distributed -- all for free.

Besides, I think they know that this is something that has to be done. The success of .Net depends upon it, and Microsoft knows it.

Given the vast range of public opinion about Microsoft, Robert Louis Stevenson himself would have difficulty fully describing the persona that is The Microsoft Monster. Only time will tell whether it will be man or beast.

© 2001 SecurityFocus.com, all rights reserved.

Tim Mullen is CIO of AnchorIS, a developer of secure, enterprise-based accounting software.
