Feeds

MS security memo a mere gesture

Sound and fury signifying nothing

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Opinion

By now, you've seen the news articles. Microsoft Founder and Chairman Bill Gates announced that security would have the 'highest priority' in MS products and that security is now 'more important' than any other part of the company's work. This is Microsoft's latest public attempt to address security concerns with its products and services.

Undoubtedly, history will remember 16 January 2002 as Microsoft Security Day -- harkening back to that wondrous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclamation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.

Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance -- and monopoly status -- they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?

Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" -- in actuality, shrink-wrapped denials of service and prepackaged network compromises -- could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?

Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!

The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement -- the Gates Declaration -- is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" -- and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, has anybody seen Dick Cheney this week?)

But perhaps there's more here than meets the eye.

I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.

Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentally, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers -- I'd be surprised if there are 1 million installed copies of XP in-use today, an amount that in no way makes up for its development and marketing costs.)

It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them. Thus Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.

We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this and other software security problems at Microsoft.

Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.)

However, in a small act of penance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convenience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.

According to an AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."

My questions to Microsoft is this: how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, The Register, News.Com, Wired, etc., and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an exploit discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, are we going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great comedy sketch.

Security professionals I've spoken with have shared two reactions to yesterday's news -- "too little, too late," or "we'll see how well it happens, if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying patriotic kudos along the way from both the government and consumers.

While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.

We can only hope for the best -- time will tell.

© 2002 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

Secure remote control for conventional and virtual desktops

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Yes, Virginia, there IS a W3C HTML5 standard – as of now, that is
You asked for it! You begged for it! Then you gave up! And now it's HERE!
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.