Feeds

MS security memo a mere gesture

Sound and fury signifying nothing

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Opinion

By now, you've seen the news articles. Microsoft Founder and Chairman Bill Gates announced that security would have the 'highest priority' in MS products and that security is now 'more important' than any other part of the company's work. This is Microsoft's latest public attempt to address security concerns with its products and services.

Undoubtedly, history will remember 16 January 2002 as Microsoft Security Day -- harkening back to that wondrous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclamation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.

Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance -- and monopoly status -- they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?

Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" -- in actuality, shrink-wrapped denials of service and prepackaged network compromises -- could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?

Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!

The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement -- the Gates Declaration -- is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" -- and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, has anybody seen Dick Cheney this week?)

But perhaps there's more here than meets the eye.

I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.

Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentally, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers -- I'd be surprised if there are 1 million installed copies of XP in-use today, an amount that in no way makes up for its development and marketing costs.)

It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them. Thus Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.

We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this and other software security problems at Microsoft.

Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.)

However, in a small act of penance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convenience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.

According to an AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."

My questions to Microsoft is this: how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, The Register, News.Com, Wired, etc., and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an exploit discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, are we going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great comedy sketch.

Security professionals I've spoken with have shared two reactions to yesterday's news -- "too little, too late," or "we'll see how well it happens, if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying patriotic kudos along the way from both the government and consumers.

While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.

We can only hope for the best -- time will tell.

© 2002 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.

Next gen security for virtualised datacentres

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Sin COS to tan Windows? Chinese operating system to debut in autumn – report
Development alliance working on desktop, mobe software
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
This is how I set about making a fortune with my own startup
Would you leave your well-paid job to chase your dream?
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.