Security gurus hail Gates' memo

Security experts hailed Microsoft Chairman Bill Gates' security initiative outlined in a memo to employees--but they withheld judgment on whether it can really deliver on its goals.
Written by Robert Lemos, Contributor
Security experts hope that this time Microsoft really, really means it.

A memo from Chairman Bill Gates, leaked Wednesday, exhorted Microsoft employees to make the company's products more secure and stated that a new initiative, which Gates called "Trustworthy Computing," is now the software giant's top priority.

The initiative, Gates wrote, aims to make computing and the Internet "as available, reliable and secure as electricity, water services and telephony."

While security experts gave Gates' message high marks, they withheld judgment on whether Microsoft--which has been battered by a series of high-profile security blunders over the past year--can deliver.

"This gives me more hope," said Chris Wysopal, director of research and development for security company @Stake. "Nothing is a cure-all solution, but when you say we have an organization focused on getting security into different product groups, that's got to help."

Gates' message comes as Microsoft is betting its future on its .Net effort, an attempt to give consumers secure, easy and round-the-clock access to businesses via the Internet. Without better security, the software titan will have a hard time convincing developers, businesses and Web users to start using the new services, Wysopal said.

"Because of other (incidents) in the past, they have to make their software more secure if .Net is going to make it," Wysopal said.

Recent problems with Passport, the Microsoft Network and the company's Windows Update service--all considered embryonic versions of future .Net services--have angered consumers and caused security experts to wince.

And past initiatives have not delivered spectacular results, either. Despite Microsoft's Secure Windows Initiative and its Strategic Technology Protection Program, the company ran into a major security problem with its flagship Windows XP software. Microsoft has touted XP as its most secure operating system ever and intends to push it as the gateway to .Net.

While the company's new focus is welcome, some in the security community remain cautious. Microsoft--a company found to have abused its monopoly power--isn't exactly the poster child for trustworthiness, and some are wary of the new initiative.

"This comes from the same vendor that tried to settle an antitrust suit by finding a market segment they couldn't penetrate and giving their product away for free" in that market, said David Dittrich, senior security engineer at the University of Washington, referring to recent wrangling over the company's proposed "schools settlement."

In that instance, the company pitched its proposal as a charitable solution that would provide free software to needy schools. But competitors characterized the move as an effort to monopolize the education market.

Similarly, some wonder whether the new security initiative can be taken at face value. And even if it can, some are concerned it could wind up having a downside.

Dittrich points to the company's initiatives to hush up the disclosure of certain information about vulnerabilities in its products and says that, arguably, such an attitude can aid hackers and run counter to interests of security.

Gartner analyst John Pescatore says Microsoft has committed to making its products more secure and worthy of customers' trust. The philosophy outlined in a memo from Bill Gates this week lays out most of the imperatives that Gartner believes are necessary for Microsoft to change the software maker's long-established product management and development culture.


Security experts and hackers who find bugs in software usually release the information to the public after notifying the program's creator of the flaws. However, the security community has long argued about how much information should be given, since malicious hackers could use details to write tools to help them break into computers using the flaw.

In November, Microsoft and five security companies announced they had formed a group to create a policy for ethical disclosure of such information.

"They should want their employees to know as much about a vulnerability as possible," Dittrich said.

Such apprehensions aside, though, security experts said it's a welcome signal that Microsoft is now taking security seriously enough to give it priority over new features.

"It's about time," said Mark Maiffret, chief hacking officer for network protection company eEye Digital Security. "This is something that Microsoft and other companies have needed to say for a while: Security needs to come before features."

eEye discovered the major hole in Microsoft's Web server software that online vandals used to spread the virulent Code Red worms and a serious hole in Windows XP that could have been exploited by Internet attackers to gain control of any person's PC.

"Finally," Maiffret said, "there is a wake-up call out there that security needs to come first."
