Posted on 01/30/2002 3:48:59 PM PST by damnlimey
Is Bill Gates Sincere About Security?
By Paul Desmond
In the past few years, Bill Gates has used email to communicate to Microsoft employees two dramatic shifts in the company's direction. The first was when Microsoft decided the Internet was everything and the second came about two years ago, launching the .NET vision.
On Jan. 15, Gates issued an email memo that marks a third landmark shift, this one an all-out effort to make security job one.
I can sense the skepticism in the air, but I've seen the memo and I believe Gates really gets it. Whether he will be able to translate his vision for "Trustworthy Computing" to his legions of developers is another question, but I don't see how this initiative can be anything but positive for security professionals and the public in general. (Full disclosure: As an independent writer and editor, I do work for publications funded by Microsoft, but this Web site isn't one of them.)
"There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level from the way we develop software, to our support efforts, to our operational and business practices," Gates wrote. "As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company."
True enough. Microsoft indeed has a perception problem when it comes to security, with the likes of Gartner Group advising folks a few months ago to rip out their IIS Web servers in favor of something more secure. Likewise, Microsoft products have been the target of some of the most insidious viruses and worms we've seen to date, from the mail-borne viruses that spread through Outlook to Code Red, which exploited a flaw in IIS. If there is a flaw in a Microsoft product that opens a door to hackers or virus writers, you can bet it will be uncovered eventually.
Security Begins With the Code
Gates realizes this can't go on if his .NET strategy is going to fly. Given its current track record, few companies are going to be comfortable with the idea of taking code piecemeal from all across the Internet and running it for even one second on an internal server. In his memo, Gates notes that security is "a key foundation element" of .NET and that Visual Studio .NET is "the first multi-language tool that is optimized for the creation of secure code."
That's an important point, as it shows that Gates recognizes security begins with writing secure code. In the past, Microsoft was clearly more interested in getting products out the door quickly than in making sure they were secure. It appears this is about to change.
"Now, when we face a choice between adding features and resolving security issues, we need to choose security," he wrote.
The logical question that statement raises is, "How?" How do thousands of programmers who are used to writing code with features and functionality as their primary concern suddenly change course and think of security above all else?
That point is not addressed in the Gates memo, but reports published in The New York Times and elsewhere suggest Microsoft is going to call a massive time-out, until all its programmers are schooled in secure coding.
"The new emphasis on making software safe from malicious intruders will include stopping the development of new operating system software for the entire month of February and sending the company's 7,000 systems programmers to special security training," according to the Times. I hope that's true, as that is exactly the kind of investment we need to turn the security tide. It makes far more sense to invest dollars in teaching secure programming techniques than it does to spend those same dollars cleaning up after virus attacks.
Gates also seems to finally be on board with an idea security professionals have known for some time: Services that make a system potentially vulnerable should be turned off by default, not the other way around, as has typically been the Microsoft way.
"Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve," Gates wrote.
Gates' Trustworthy Computing vision also goes beyond security, to address availability and privacy as well. Indeed, these three disciplines should go hand in hand, as security breaches result in availability problems as well as privacy concerns.
Last fall, Microsoft took its first big step toward addressing its security problems with the launch of its Strategic Technology Protection Program, which is largely intended to help customers ensure they are patching all known vulnerabilities in Microsoft products. The Trustworthy Computing initiative is a logical next step, as it is intended to ensure that fewer vulnerabilities find their way into those products to begin with.
Paul Desmond is a writer and editor based in Framingham, Mass. He is managing editor of eSecurityPlanet, an INT Media Group site that will launch later this week.
| January 29, 2002 |
The track record is that once Bill Gates speaks, the legions of developers he employs just go berserk and, if anything, go a heck of a lot further than what he had in mind. Microsoft nearly died in the mid-1990s, because Bill stayed focused on the desktop when the network became king. He realized his error, proclaimed a strategy of "embracing and extending" the Internet, and suddenly, Microsoft became very Internet "with-it."
He's ABSOLUTELY sincere about security. Hell, he's monomaniacal in all he does.
Poohbah's Prediction: by 2005, Microsoft will be known as the maker of the most abso-effing-lutely secure OS and apps ever seen in human history.
Could this possibly herald the introduction of Linux equipped HP and Compaq boxes for the masses.
If Gates commits to security and linux goes mainstream then things are looking up for consumers.
If you just read the memo, maybe this sounds reasonable. There are other things to consider, however:
The proposed anti-trust settlement (comment period ended this past Monday) requires MS to release full documentation for most of their software code UNLESS that software is related to security.
And Bill has now decreed that EVERYTHING is related to security.
How convenient. I'm sure the timing is pure coincidence. (Can you still sense the skepticism?)
Interestingly, if MS won't even release documentation, those people who are qualified to judge the security of the code outside MS, have nothing to judge by, unless MS releases the code itself.
They're unlikely to do that. Therefore, no matter what they actually do about code security, the rest of the world will be required to just take their word for it that it's REALLY secure this time.
No thanks. This is not a good basis for trust.
Security is not just another "feature" that can be added to an Operating system.
A security flaw in Netscape's Navigator Web browser can let malicious Web site operators view the information stored in cookies on a user's computer, according to a security note published on Netscape's Web site.
The vulnerability affects Navigator Versions 6 through 6.2, as well as Version 0.9.6 and earlier versions of the open-source version of Navigator, Mozilla, according to an analysis written by Marc Slemko, who discovered the bug. The bug, Slemko said in his analysis, can be exploited by causing users to visit a Web address inserted into HTML code on a Web page or in an HTML-formatted e-mail. If the user were to view the malicious Web site, cookies could be stolen off the user's computer, Slemko said.
My point was that the troops tend to take anything from Gates as Holy Writ, and they tend to go berserk. By 2005, MS will probably roll out an OS that hits B2+ on the Orange Book criteria. I'm willing to bet that by 2008, they'll have one that hits A1. Neither of these goals is doable with Linux or any other UNIX-based OS.
I am familiar with SE Linux. It only scores B1 on the Orange Book scale, and that's as high as you can go without starting to break the core UNIX structures.
I doubt that seriously.
I'm willing to bet that by 2008, they'll have one that hits A1.
I'll take that bet any day!