MS security memo a mere gesture
Sound and fury signifying nothing
By now, you've seen the news articles. Microsoft Founder and Chairman Bill Gates announced that security would have the 'highest priority' in MS products and that security is now 'more important' than any other part of the company's work. This is Microsoft's latest public attempt to address security concerns with its products and services.
Undoubtedly, history will remember 16 January 2002 as Microsoft Security Day -- harkening back to that wondrous day in 1995 when Chairman Gates announced that the Internet was to be part of all Microsoft products and services. That proclamation produced such well-known Redmond innovations as Melissa, I Love You, Code Red, SirCam, Code Red II, BadTrans, UPnP, and VBScript, among other notables, resulting in burned-out system administrators and a flourishing information security industry.
Gates is also reported to have said that the September 11 attacks are a major reason to stress security of America's critical infrastructures, including its computer systems. Huh? Has Chairman Gates been asleep at the keyboard for the past several years, knowing that while his bloated, buggy, and exploitable products were achieving marketplace dominance -- and monopoly status -- they were becoming a self-inflicted vulnerability on the wired world we currently inhabit? Security all of a sudden is important to Microsoft?
Perhaps this sudden change of heart has to do with the recent BBC report that the US National Academy of Sciences is calling for laws to punish software firms that produce insecure products. Or, could Microsoft's legal team be afraid that what the company produces and sells as "products" -- in actuality, shrink-wrapped denials of service and prepackaged network compromises -- could contribute to electronic criminal or terrorist acts against America's critical information resources? Could it be that Microsoft is actually scared of something?
Possible, but unlikely. Remember, this is the same company (a proven monopoly) that tried to settle an anti-trust case by offering to donate software that would increase its market penetration in a class of customers (K-12 schools) that otherwise couldn't pay full price for its products!
The simple truth is that Microsoft has a serious image problem when it comes to the reliability, security, and stability of its network services and products. As a security professional and skeptic, I feel this statement -- the Gates Declaration -- is simply a public relations blitz. We are, after all, as Homeland Security Chief Tom Ridge constantly says, in a state of "increased security" -- and Microsoft finally decided to ante up and join the popular pro-security bandwagon. (By the way, has anybody seen Dick Cheney this week?)
But perhaps there's more here than meets the eye.
I'll be the first one to say that security needs to be improved in Microsoft products across the board, but let's not forget that Microsoft is staking its future on Windows XP and its .NET series of network-centric, subscriber-based ventures.
Reportedly, neither venture is selling as well as the company anticipated, despite Microsoft's claims of "7 million XP licenses sold." (Incidentally, 'licenses sold' does not necessarily translate into copies of XP actually in-use by customers -- I'd be surprised if there are 1 million installed copies of XP in-use today, an amount that in no way makes up for its development and marketing costs.)
It doesn't take a business school graduate to figure out that until Microsoft proves both XP and .NET to be secure, trustworthy environments, few if any users or corporations are going to seriously consider using them. Thus Microsoft has a vested financial interest in wooing people to the ventures it is staking its corporate future on. Microsoft's spin-meisters must believe that appearing to address security concerns with its products is not only the patriotic thing to do, but the smart one, if the company ever hopes to accomplish its corporate strategy.
We should also remember that a good part of Microsoft code is developed overseas. From a security perspective, that's a significant risk, and one that must be addressed in an effective fashion as well. Unfortunately, there's really only one way to deal with this and other software security problems at Microsoft.
Given the decades-old proprietary patchwork of many Microsoft products, the only way to truly certify that Microsoft's internationally-developed products are indeed 'secure' and 'trustworthy' is to release the code to the security community at large for analysis. (Otherwise, we're stuck with the status quo....which goes back to my previously-published statements on the importance of community-based, public, and responsible full-disclosure.)
However, in a small act of penance, Microsoft could consider firing those product managers that repeatedly sacrifice security and good quality assurance for new product features, convenience, and marketshare, thus setting the example for corporate accountability instead of problem perpetuation.
According to an AP article, "compensation plans of Microsoft product engineers, such as raises and bonuses, will also be tied to how secure their products are."
My questions to Microsoft is this: how can you prove a negative? Do you plan to review the number of Microsoft exploits making headlines on Slashdot, The Register, News.Com, Wired, etc., and compare that with previous years? Then, do all your engineers get their bonuses? What if there's an exploit discovered a year later? Do the engineers have to give some or all of their bonuses back? Next year, are we going to have to take your word that things are better than they were? How are you going to prove it? Are you expecting us to continue accepting your statements on faith alone? This has the makings of a great comedy sketch.
Security professionals I've spoken with have shared two reactions to yesterday's news -- "too little, too late," or "we'll see how well it happens, if it happens." I tend to agree with them, and am believing more and more that Microsoft Security Day is the software giant's latest attempt to cheaply use public policy concerns as propaganda for product marketing while hopefully currying patriotic kudos along the way from both the government and consumers.
While I am always hopeful that 'security' and 'Microsoft' will one day be seen not as an oxymoron, past observation leads me to believe the Gates Declaration is full of marketing sound and fury, but signifying nothing.
We can only hope for the best -- time will tell.
© 2002 InfoWarrior.org, all rights reserved.
Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.