Feeds

MS security memo a mere gesture

Sound and fury signifying nothing

  • alert
  • submit to reddit

HP ProLiant Gen8: Integrated lifecycle automation

Opinion

By now, you've seen the news articles. Microsoft Founder and Chairman Bill Gates announced that security would have the 'highest priority' in MS products and that security is now 'more important' than any other part of the company's work. This is Microsoft's latest public attempt to address security concerns with its products and services.

Undoubtedly, history will remember 16 January 2002 as Microsoft Security Day -- harkening back to that wondrous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclamation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.

Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance -- and monopoly status -- they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?

Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" -- in actuality, shrink-wrapped denials of service and prepackaged network compromises -- could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?

Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!

The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement -- the Gates Declaration -- is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" -- and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, has anybody seen Dick Cheney this week?)

But perhaps there's more here than meets the eye.

I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.

Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentally, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers -- I'd be surprised if there are 1 million installed copies of XP in-use today, an amount that in no way makes up for its development and marketing costs.)

It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them. Thus Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.

We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this and other software security problems at Microsoft.

Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.)

However, in a small act of penance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convenience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.

According to an AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."

My questions to Microsoft is this: how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, The Register, News.Com, Wired, etc., and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an exploit discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, are we going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great comedy sketch.

Security professionals I've spoken with have shared two reactions to yesterday's news -- "too little, too late," or "we'll see how well it happens, if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying patriotic kudos along the way from both the government and consumers.

While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.

We can only hope for the best -- time will tell.

© 2002 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.