Security is about more than an image problem

Microsoft's latest hacker bounty won't solve the problem - it'll only divert public attention away from the core security problem that users face

Microsoft recently announced rewards in exchange for information leading to the arrest and conviction of those who exploit its flagship Windows product through viruses, worms and other forms of malicious code.

After years of sitting idle, Microsoft is suddenly committed to improving security. Hence the company's mad rush to inject "security" into every product, speech and statement to reassure customers that Windows is still a worthy operating environment to purchase.

But rather than address its own problems, the company has decided to use creative marketing as a substitute for good security and software development. The problem isn't that virus writers are exploiting Windows; it's that Microsoft makes Windows easy to exploit by anyone with a modicum of programming know-how. Instead of accepting responsibility, the company is trying to pass the blame for such problems off onto others.

Creating a rewards programme is a clever, low-cost way of diverting public attention away from the many problems stemming from a history of exploit-friendly programming practices. Microsoft can avoid addressing the root causes that forced the creation of the rewards program while portraying itself as taking the moral high ground (albeit illusory) in its approach to proactive product security.

The rewards programme builds on the company's recent announcement to convert its traditional as-necessary security bulletin and patch-release process into a predictable monthly one. Interestingly, Microsoft's October 2003 white-paper discussion of the new security release process says this will make it easier for customers to stay current through a single cumulative monthly patch that fixes reported problems in Windows.

That sounds perfectly reasonable, until one reads that "Microsoft will make an exception to the above release schedule, if we determine that customers are at immediate risk from viruses, worms, attacks or other malicious activities. In such a situation, Microsoft may release security patches as soon as possible to help protect customers."

Given that the majority of Microsoft security bulletins deal with these very problems, I wonder whether this new policy really improves security. Or does it mean that Microsoft will be more selective about what it deems an "immediate risk" to customers, as it strives to reduce the number of security bulletins (and associated negative media coverage?)

Microsoft will probably seldom release a bulletin patch outside its assigned monthly schedule. That would undermine its new policy and put the company in the unfortunate position of having to defend what makes one problem "more critical" than another and warrant a special release.

Admittedly, a monthly patch release schedule may make it easier for customers to stay current. But it also means that a potential adversary knows exactly when to release his next malicious code or exploit technique to the world. Network administrators likely will resent being kept in the dark between monthly patches, never knowing if their networks are endangered until the next security bulletin is announced.

Patching aside, it's more interesting -- and very convenient -- to learn that the company responsible for so many digital headaches is now offering a remedy in the form of Trustworthy Computing and the next version of Windows, code-named Longhorn. In other words, pay for your "protection" or be "at risk" (wink-wink) until you do.

An anomaly? Hardly. More than a decade ago, the company intentionally caused early versions of Windows to display error messages if installed on anything other than the Microsoft version of DOS. Once users installed MS-DOS, the error messages disappeared.

More recently, Microsoft forced users to accept the imposition of new and controversial digital rights management (DRM) software as part of the security "fix" in the Windows Media Player. Of course, users were free to not install the fix if they didn't want the DRM software on their systems. That also would leave them vulnerable to attack and exploitation from any number of criminals on the Internet.

All this raises the question of how the definition of "security" is changing to fit marketplace needs.

The MSDN Web site says DRM is a core "security" function of Longhorn that runs in what Microsoft calls the Secure Execution Environment. The very fact that an operating system -- the engine that runs our computers and touches everything we do on them -- is based on a DRM foundation (with "hooks" for third parties including Microsoft to determine what may be done with what information on a computer) is frightening. DRM should not be viewed as a function of security but rather as an add-on function of revenue protection for industries based on digital content.

Home and business users alike should not be forced into a protection agreement to be secure in cyberspace. Nor should the fundamental definition of security be extended -- or twisted -- to include invasive mechanisms of profit protection for industries unable to adapt their business models for the Information Age. Until Microsoft takes a realistic view of security and defines effective real-world ways of improving product security in the present day -- such as cleaning up the existing Windows code instead of greedily forcing mass upgrades -- customers will be reluctant to adopt a newer version of the Windows product line, no matter what the speeches and marketing material promise.

CEO Steve Ballmer recently said the rewards programme makes it clear that Microsoft is "taking security seriously." What he meant to say was that it's clear that Microsoft is taking its security reputation seriously. That's a big difference.

Richard Forno, former chief security officer at Network Solutions, is currently a security technologist. He is the author of "Weapons of Mass Delusion: America's Real National Emergency".