Microsoft walks into security minefield as .NET goes mobile

Can you CE what it is yet?...

Microsoft today unveiled its latest operating system for embedded devices, Windows CE.NET, a mobile version of its .NET initiative. CE.NET is the operating system behind a new class of devices, named Mira, which Bill Gates launched at the Consumer Electronics Show in Las Vegas yesterday. Mira is meant to bring PC-type functions to other parts of the home. Essentially, this equates to a PC with a detachable smart screen that can be used in other parts of the house. As part of Gates' vision to develop software as a web-based service, CE.NET incorporates many internet-based features of .NET, such as the .NET compact framework application development environment, which is designed to allow an application developed for one .NET device to run on any other. Passport authentication, native support for Microsoft Instant Messenger, and universal Plug and Play are also included. While they are innovative features, they have all been at the root of big security problem. In addition, when you consider that CE.NET is designed to run in a mobile environment, often wirelessly, then you have the capacity for a major security scare. For example, when the portable screen of a Mira device is detached from the body of the device, the wireless connection is handled with the notoriously insecure 802.11b wireless LAN standard. Jose Lopez, security analyst at Frost and Sullivan, said: ".NET has had some well publicised security problems. Security in a wireless environment is always more difficult." Scott Horn, director of the embedded and appliance platform group at Microsoft, insisted the company had a range of measures to guarantee security for CE.NET, from support for the Extensible Authentication Protocol (EAP), Kerberos, authentication of 802.11b data traffic and SSL authentication. However, it seems unlikely that CE.NET will ship without a vulnerability being exposed at some point, if only because it is next to impossible to develop bug-free software to a commercial timescale. Frost and Sullivan's Lopez added: "Microsoft operating systems always have bugs in them. If Microsoft wanted to develop a truly bug-free operating system, it would take them 10 years." CE.NET is the release version of the project known as Talisker. The malt whisky aficionados are still in charge of choosing codenames, it seems, as the next version, scheduled for release in 2003, is codenamed Macallan. CE.NET replaces CE 3.0, the operating system used in a range of devices from handheld computers to retail point-of-sale systems and portable data collectors. CE.NET will also be the core around which the next version of Microsoft's Pocket PC operating system is built. The existing version, Pocket PC 2002, is based on the earlier version of CE. The smartphone operating system, Stinger, will also be based on CE.NET.