Bill's Bull, Part 3

R. A. Hettinga rahettinga at earthlink.net
Thu Jan 17 08:52:01 EST 2002


http://www.nytimes.com/2002/01/17/technology/17SECU.html?pagewanted=print




January 17, 2002

Microsoft Makes Software Safety a Top Goal

By JOHN MARKOFF

SAN FRANCISCO, Jan. 16 - Seeking to remove the tarnish from Microsoft's
reputation for developing secure and reliable software,
Microsoft's chairman, Bill Gates, distributed a companywide memorandum on
Tuesday to call on employees to put more emphasis on making the company's
products "trustworthy."

The new emphasis on making software safe from malicious intruders will
include stopping the development of new operating system software for the
entire month of February and sending the company's 7,000 systems
programmers to special security training.

The company also plans to re-examine all of its Windows operating system
code in an effort to find security flaws.

Microsoft executives said the memorandum resembled previous broadsides that
have been fired off by Mr. Gates, the company's co-founder and chairman,
when he thought that the company's strategic direction needed radical
changes.

In 1995, for example, Mr. Gates sent a companywide e-mail message exhorting
employees to turn the direction of the Microsoft "battleship" and focus all
the company's efforts on the threat of the Internet to Microsoft's business.

The new memorandum was sent on Tuesday afternoon. Mr. Gates was away on one
of his "think weeks," periods when he retreats to consider issues facing
the company.

The document calls on the company's software developers to make fundamental
changes in the balance they strike between adding features to software and
making those programs secure, according to several Microsoft executives.

As the world's largest supplier of personal computer software, Microsoft
has increasingly been criticized in recent years over the design and
security of its products. Last September, for example, a stinging report
from the Gartner consulting firm called on corporations to replace the
Microsoft Internet Information Server, known as I.I.S., immediately because
of successful attacks on the product by several malicious programs, like
the Nimda worm.

"Using Internet-exposed I.I.S. Web servers securely has a high cost of
ownership," the report stated. "Nimda has again shown the high risk of
using I.I.S. and the effort involved in keeping up with Microsoft's
frequent security patches."

Last month the company was again stung when an embarrassing security flaw
was found in a feature known as Universal Plug and Play in Windows XP, its
new operating system.

"The Universal Plug and Play thing was what put me over the edge," said Jim
Allchin, Microsoft's group vice president for operating systems. "I said
enough's enough."

He said the company was trying to change the culture of its software
developers, who have been putting their emphasis on adding features to the
company's software to increase its value.

"Every developer is going to be told not to write any new line of code,"
Mr. Allchin said, "until they have thought out the security implications
for the product."

Microsoft's reordering of its software development priorities comes at a
crucial time for the company, which is trying to compete more directly in
the market for large corporate computers against companies like
International Business Machines, the Oracle Corporation and Sun
Microsystems.

Last year, Microsoft unveiled its .NET software initiative, which is
intended to make software applications more versatile by letting them share
functions and data over the Internet. Such an approach raises thorny new
security and privacy challenges, and some independent computer security
experts say the company has not yet proved that it can offer high-security
software for these new technologies.

Microsoft is also trying to be the repository and guardian of vast amounts
of personal information as part of its Passport Internet software. Passport
lets a consumer use one log-in name and password at participating Web
sites, and by keeping track of things like credit card numbers, it can also
make it easier for a consumer to make purchases at those sites.

Last year the company began emphasizing "trustworthy computing," said Craig
Mundie, Microsoft's chief technology officer. He said Microsoft planners
had begun working last summer on a framework that focuses on issues like
computer security and data privacy.

After the terrorist attacks on Sept. 11, questions about computer security
became crucial as a national policy issue, Mr. Mundie said in a telephone
interview from China, where he is traveling on business.

The company has taken several other steps in an effort to grapple with the
repeated discoveries of security holes in its products, he said.

One example of the new approach will be seen in the way the company will
ship its Internet Information Server Version 6 and the new .NET server to
customers. They will be shipped in a lockdown mode, with features that
raise security issues - like Web access, file sharing and e-mail - turned
off. The computer user will have the option of turning on functions like
those.

Last month, Mr. Mundie said, the company delayed the final release of its
.NET development system, Visual Studio .Net, while it did a comprehensive
security audit.

Later this year, Mr. Allchin said, Microsoft will change the way it
provides security updates to home users of Windows XP. They will be able to
choose to get automatic security updates from Microsoft as the company
learns of potential problems.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



