Security ‘impossible’ for Win9x, buy XP now, says MS exec

Company to begrudgingly forsake compatibility, it says here...


Yesterday Microsoft senior VP and head trustworthy computing honcho Craig Mundie delivered his 'annual report' on the company's trustworthy computing initiative. He had much to say about the progress that has been made since Microsoft discovered security, but the bit that interested us was way down the bottom of this, where he explained why people are going to have to ditch their old MS stuff and buy lots of lovely new MS stuff instead.

He begins with a graph, which regrettably we do not have, but clearly it illustrates the deployed population of different versions of Windows within a total active user base of approximately 400 million. He notes that the "single largest bump on this graph is Windows 95," while "the newest systems, the ones that have had all this work [all what work? Security work, allegedly, anyway] done to them are down here in these little slices. They're the ones that are in the earliest stages of deployment."

This is not good. Not good for security, not good for Microsoft, not good for the economy. "And what society is doing and we're doing as a business is dragging around behind us a giant tail of systems that, of course, were built and deployed quite a long time ago." Tut. Society is to blame. As well as Microsoft, that is.

"If we wanted to go out, and some days I think about the challenge that we face and we say, oh, if you have to do this with the conscious effort of real people it would be roughly many times worse than just saying, okay, we just want to get every single person in New York City to do the same thing today to their computer system, please to fix it today. And even if it was just New York City you'd have a tough time. The reality is we have the equivalent of about 30 or 40 New York Cities that all want to in some sense move together or get repaired in one fell swoop."

And here comes the axe: "So we know that in practice it's impossible for us to remediate the threats that we know exist in the world today in systems that were designed in 1991, '2 and '3 and deployed in '95 and which are actively still in use today... Now, we know that these waves just keep rolling through and they will ultimately change, but it shows how long the threat exists of bad things happening and why it's not completely possible to fix every old system.

"The message here is that there will have to be two tradeoffs that have to be made, and to some extent the events of last September have facilitated us in making one of those tradeoffs or changes."

Windows 95, and presumably the decidedly similar Windows 98, will be tossed to the wolves, reluctantly and begrudgingly: "We have decided that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security. In the past, the biggest thing that happened to us was IT managers would come to the company and say, hey, all those new features, they're great, all that new security stuff, that's great, but whatever you do don't break my app. So just turn it all off and trust me, we'll fix the apps and then we'll turn it all on. And the reality is that never happened.

"And so we're going to tell people that even if it means we're going to break some of your apps we're going to make these things more secure and you're just going to have to go back and [here comes the tab] pay the price."

Naturally, being secure is going to cost money, but if you are insecure because you're unprepared to foot that bill, then your insecurity stems from your own irresponsibility: "And the other thing is that the customers, whether they're individuals or corporations, are going to have to make a decision about when and how much they spend to get these machines to be more secure. And to some extent you can do it by insulating them, to some extent you can do it by putting things around them or in front of them that protect them, you know, firewalls in some sense. And then in some cases, you can just replace them when you get new machines or new software or both that have intrinsically better capabilities.

"But I think one of the things that we say, and even if you look at the national cyber security plan that was put forth, Dick Clark and the people at the White House have realized that security is going to cost some money, whether it's having a new transportation safety authority to make people feel like they have more security in the airport or spending other things on homeland defense. It isn't free, and to some extent as the threat models continue to emerge in new ways, then we are all going to collectively have to spend more, both in the development and maintenance of these machines if we're going to be secure."

Mundie also, incidentally, had a few words to say about Longhorn, first indicating that it was still a couple of years off, then this:

"So Longhorn, which will be the next big version of Windows -- the rights management architecture, the underlying Palladium, which is the codename for our system working with the hardware folks to create a trusted security environment within the hardware framework -- all of these things will be there."

The "rights management architecture" is a particularly interesting component, because it sounds rather like it will be the Windows half of the Palladium deal we reported on last week. ®
