RSA: Microsoft launches trusted Internet initiative; Aims for security dialogue

RSA: Microsoft launches trusted Internet initiative; Aims for security dialogue

Summary: Microsoft said Tuesday at the RSA security conference that it is launching a trustworthy Internet initiative much like its Trustworthy Computing plan launched in 2002.And like Microsoft's Trustworthy Computing initiative it all started with a whitepaper.

SHARE:
28

Microsoft said Tuesday at the RSA security conference that it is launching a trustworthy Internet initiative much like its Trustworthy Computing plan launched in 2002.

And like Microsoft's Trustworthy Computing initiative it all started with a whitepaper. That fact is what makes Microsoft's strategy and research chief's Craig Mundie's comments at RSA a bit strange. Microsoft was essentially announcing a white paper and a "dialogue" with the security community that will encompass technology, privacy and political implications.

Mundie called it "End to End Trust" encompasses the following:

  • Creation of a trusted stack where each element in the stack can be authenticated and is equally trustworthy, from the operating system to applications, people and data.
  • A system that enables people to preserve their identity claims while addressing issues of authentication, authorization, access and audit.
  • Closer alignment between technological, social, political and economic forces in order to make real progress.

Also see: Microsoft’s End to End trust vision: Can this identity, trusted stack thing work?

Mundie's speech was built on the whitepaper by Scott Charney, corporate vice president of Microsoft's Trustworthy Computing group. Microsoft's key positions include:

We believe there are three key pieces to creating greater trust on the Internet. The first is creation of a trusted stack where security is rooted in hardware and where each element in the stack (hardware, software, data and people) can be authenticated in appropriate circumstances. The second piece involves managing claims relating to identity attributes. We need to create a system that allows people to pass identity claims (sometimes a full name perhaps, but at other times just an attribute such as proof of age or citizenship). This system must also address the issues of authentication, authorization, access, and audit. Finally, we need a good alignment of technological, social, political and economic forces so that we make real progress. The goal is to put users in control of their computing environments, increasing security and privacy, and preserving other values that we cherish such as anonymity and freedom of speech.

That was Mundie's big windup for the whitepaper:

At this year's RSA, Microsoft will not announce a new company strategy. Rather, we will use this opportunity to ask all who care about online safety to join in a robust and meaningful discussion about building a more trusted Internet. At the same time, we know customers have concerns about threats today, so we will also talk about integrated solutions we are delivering to help customers address current needs for maintaining secure and private environments. To facilitate the dialogue, we are providing a whitepaper describing End to End Trust, Microsoft's proposed vision to help create a more trusted Internet.

You can almost hear the crickets. Here's what you'll hear from folks: Microsoft wants a dialogue about Internet security. So?

Actually, Microsoft's white paper is worth a read and could lead to bigger things. But we won't know for about a year when Microsoft goes to RSS and delivers its report card.

George Stathakopoulos, General Manager of Microsoft's Trustworthy Computing group, noted that the software giant expects to hear from the critics. Why should Microsoft be initiating this discussion? Can you trust it?

Stathakopoulos said that he expects most folks to enter the dialogue. No one disagrees that Internet must be secure soup to nuts. And the sooner people start talking about the security ecosystem the better.

Some key points from Stathakopoulos:

  • Internet security goes beyond one player. For instance, Stathakopoulos noted that there needs to be secure software, trusted devices and applications that are preapproved. If you had such a lineup--a trusted stack--you could book a hotel room, check in and enter your room via your cell phone. "That technology is interesting but by itself it will fail," said Stathakopoulos. "This technology will fail without all partners ecosystem coming together. There has to be alignment."
  • Privacy will be critical. Microsoft's scenarios could sound Big Brother-ish. Privacy will be a tough issue and require dialogue with political entities, security executives and the technology industry.
  • Who will the allies be? Stathakopoulos said that everybody is an ally on security--Mozilla, Apple, Symantec and other anti-virus vendors to name a few.

The whitepaper isn't a strategy paper, it's a conversation starter. "This whitepaper was possible due to the goodwill established over the last few years," said Stathakopoulos. "We need a dialogue to help to stay on focus and on track and not get derailed by vendor politics."

Topics: Security, Browser, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

28 comments
Log in or register to join the discussion
  • First troll

    n/t
    Duke E. Love
    • Waste of space

      I see you're full of imagination there smarty boy?
      Got any money to back up the mouth?
      Place your bets..
      topsecret@...
      • Apparently not

        Your not that bright huh?
        Duke E. Love
  • So what did Trust Worthy Computing do again?

    Refresh my memory of linked goodness about how this did or did not help us, because other than the inital launch and the occasional PC saying it is protected by the Trustworthy Computing Initiative, I haven't heard a thing about it. And that is pretty sad being that I like to do development.
    nucrash
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security dialogue

    Microsoft is going in the right direction with this. Security is really becoming the thing Microsoft will be known for and this initiative should help. Its going to get quite interesting once they start implementing this.
    Loverock Davidson
    • If...

      ...MS got into Auto Manufacturing or Paramedicals, would you also say they are going in the right direction? How about if they bought a third world country or two? So far I have never heard you do anything other than praise MS and bash Linux. Apparently MS can do no wrong.
      philpenn
  • Trusted by whom?

    I really don't care if outsiders trust the software that runs on my computer.
    John L. Ries
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security dialogue

    Trusted dialogue is great first move. Who can argue with one starting off by inviting others to have a trusted dialogue? Again, great move by Microsoft. David Jemeyson
    ccisat1dxj
  • Can it work? Fat chance!

    Let's get real here - they've had how long? And we're still no better off. You'd have to be out of your mind to hire those guys to come up with a security solution - look where it's got us so far.........
    You can do better than that.
    topsecret@...
  • Microsoft itself is the problem

    why this initiative seems a bit ridiculous and expected of
    them. Microsoft's notoriously insecure platform is the very
    reason for practically the whole problem with malware and
    lack of reliability.

    You could also say that the situation is the result of the
    monopoly. If the market-forces had worked better then
    Microsoft would either had been forced to improve their
    software much more and much more rapidly.

    Much like with the trusted computing initiative is this
    mostly smoke and deceitful promises designed to hold on
    to their tired customers.
    Mikael_z
    • Microsoft itself is the problem

      I totally agree with you!!
      mrdt
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    I am forced to evaluate who is doing the offering and why? With the appropriateness of there Window's what
    will it be any where else?
    yupin1
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    Microsoft, the one that took active steps (spelled ActiveX) to make internet computing so untrustworthy all those years ago, now wants us to believe it can bring about a trustworthy internet (on its terms, of course) ... ROTFL ... Now, someone serious might want to peruse the discussion forum "Web of Trust" at news.securecomp.org
    Tumbleweed_Biff
    • Why should we believe?

      I tend to agree with the overall theme of "Why should we believe and/or trust the company that has viloated or trust time and time again?".

      We have been fooled by MS enough -- they are really going to have to work hard to gain enough industry trust to really get an initiative like this to work (other than as a marketing ploy for MS).

      As noted by several of the other post, it has been tried before. MS, in my opinion, does not have enough trust or support to really make this initiative work.
      dodo666
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    This was tried back in the 80s - its a rehash of the Trusted Network Interpretation (TNI) of the Orange Book. It will fail for the same reason - any chain of security fails totally if one element fails, since it has to be a chain by definition. You cant trust a street vendor, either, but we manage to get by.
    spin99
  • Here we go again?

    As I recall, the "trusted computing" idea was that I would trust corporations to allow Me access to My documents and applications. I thought that the most ridiculous idea I had ever heard. Even after the Dubya presidency, this idea is still up there! <BR><BR>

    If Google Apps fails, well, I did not spend anything on it, did I? And I do back up My data don't I? Don't I? [Say "yes"!] <BR><BR>

    Google makes automatic backups, and allows restoring to old copies, something possible with normal applications, but which most people don't do. Of course, no one tells people HOW to do that, either. <BR><BR>

    But if I pay a zillion dollars for PhotoShop, then I expect it to be at My beck and call whenever I feel like using it. NOT when someone I will never ever see decides I may use it. <BR><BR>

    Even more daunting is the fact that it has to be open source--to be sure there are no backdoors, trojan horses, virii, trackers, or other malware in it. Also, it has to be secure against governments (NSA, CIA, MI5, etc.), corporations (telcos for starters, spy companies, etc.), and other criminals. Ideally, it would keep out hackers, too! <BR><BR>

    THEN there is the fact that the software system has to be able to update itself. Without downloading malware in any form. <BR><BR>

    It has to be possible for the system to follow one around without spies following, too. Government people say "We wouldn't know where anybody is!". Damn right, and there is no reason for you to know. <BR><BR>

    In the eighteen-fifties, the government did not know where anyone was, and We were all pretty safe. Now the government are tracking Us, and We are NOT safe! The conclusion is obvious. <BR><BR>

    GPS in devices can send a location to 911 centers in case of an emergency. Again, 911 centers, credit card use, hospitals, and just about everything else, has to be protected against spies. <BR><BR>

    Even in the case of air safety: All the airport needs to know is that the person getting on is who he says he is, and that he is not carrying bombs, babies, or other contraband. <BR><BR>

    Of course, most misbehavior by the Department of Homeland Terrorism, and the airlines, will have no more excuse for its existence. This is long past due, too! <BR><BR>

    I hope, therefore, that the open source communities are developing secure-device and secure-device-communication protocols right now.
    Master Dave
  • ROTFLMAO..Trust Microsoft?

    That's like trusting your daughter with Charles Manson in the room.
    itanalyst2@...
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    I had been using WIN XP since 2000, when I had to reformat the hard drive, I noticed that I had collected
    almost 200 MS updates...I'm sure they were mostly for "security" (?)
    bluabove@...
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    If it is all the same to you guys, I trust no one, use neither Apple nor Microsoft products, and am happy and stress free. I will watch for future developments, though, should be good for some chuckles.
    richdave
  • RE: RSA: Microsoft launches trusted Internet initiative; Aims for security

    Shirley Bassey sang it as "History Repeating"!
    How often do we get these simple delaying tactics from Microsoft. They had - yes - Palladium / NGSCB years ago and even - with TIS Inc - "Trusted XENIX" - a "B2" level secure OS (Oops - yes - Virginia - Microsoft did sell and support UNIX - it was called XENIX - and is still their trademark !)
    To put it simply - it's the OS stupid! No application/comms stack/middleware or anything else can be more secure than the hardware and OS base. That is why Intel, from the 286 onwards, gave us the 4 protection ring structure (ignored by Microsoft and LINUX/UNIX), protected memory segments to stop overflow etc (also ignored by Microsoft and LINUX), strong memory typing - code, data, stack separation at the segment level ( also ignored).... and on.. and on.
    MULTICS, 40 years ago, was a better system - strange isn't it?
    Well - now what - we now have SELinux courtesy of the NSA and it is there in RedHat 5 and elsewhere. In the web world we need a new interpretation of "mandatory access control (MAC)" and with SELinux we see it. The problem is that Microsoft doesn't see it! Why the call for help? SELinux is there - and it is there NOW. Let's build on what we have.
    w.caelli@...