Feeds

MS security memo a mere gesture

Sound and fury signifying nothing

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Opinion

By now, you've seen the news articles. Microsoft Founder and Chairman Bill Gates announced that security would have the 'highest priority' in MS products and that security is now 'more important' than any other part of the company's work. This is Microsoft's latest public attempt to address security concerns with its products and services.

Undoubtedly, history will remember 16 January 2002 as Microsoft Security Day -- harkening back to that wondrous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclamation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.

Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance -- and monopoly status -- they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?

Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" -- in actuality, shrink-wrapped denials of service and prepackaged network compromises -- could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?

Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!

The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement -- the Gates Declaration -- is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" -- and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, has anybody seen Dick Cheney this week?)

But perhaps there's more here than meets the eye.

I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.

Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentally, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers -- I'd be surprised if there are 1 million installed copies of XP in-use today, an amount that in no way makes up for its development and marketing costs.)

It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them. Thus Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.

We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this and other software security problems at Microsoft.

Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.)

However, in a small act of penance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convenience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.

According to an AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."

My questions to Microsoft is this: how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, The Register, News.Com, Wired, etc., and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an exploit discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, are we going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great comedy sketch.

Security professionals I've spoken with have shared two reactions to yesterday's news -- "too little, too late," or "we'll see how well it happens, if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying patriotic kudos along the way from both the government and consumers.

While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.

We can only hope for the best -- time will tell.

© 2002 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

Internet Security Threat Report 2014

More from The Register

next story
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Post-Microsoft, post-PC programming: The portable REVOLUTION
Code jockeys: count up and grab your fabulous tablets
Twitter App Graph exposes smartphone spyware feature
You don't want everyone to compile app lists from your fondleware? BAD LUCK
Microsoft adds video offering to Office 365. Oh NOES, you'll need Adobe Flash
Lovely presentations... but not on your Flash-hating mobe
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.