Security is our ‘biggest ever challenge’ – Gates

Haven't we been here before?

Bill Gates reiterated Microsoft's commitment to improving security yesterday in an email which charts the progress of the firm's two-year-old Trustworthy Computing initiative.

There are few headline-grabbing initiatives in Gates' 3,200-word missive, beyond a promise to host a series of security summits across the US later this year.

But the email does a good job of summing up Microsoft's recent security-related announcements. Reading between the lines, we can see a shift in Microsoft's thinking on security.

Beyond fire fighting

Gates writes that "security is as big and important a challenge as our industry has ever tackled", and a problem that will not be licked overnight.

"It is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious code before it can wreak havoc."

He singles out four recent viral epidemics: Slammer, Blaster, Sobig and Mydoom. These show how viruses and worms can spread more rapidly than ever before. Blaster in particular shows that the threats posed by malicious code are evolving: rather than waiting for a user to open an attachment, it spread by exploiting an unpatched Windows RPC vulnerability directly over the network. In response, software vendors have to make it easier for users (particularly consumers) to keep themselves secure.

Unlike his colleague Steve Ballmer - who has a tendency to make Wild West analogies when talking about security - Gates has come to (correctly) describe security as a process, not a destination. He has also dropped the hostage to fortune he handed out when he promised to rid the world of spam within two years. That pledge was wisely discarded around the time of February's RSA Conference.

Mostly harmless

With two notable exceptions (biometric IDs and Windows vs Linux security), there's little to dispute in Microsoft's latest security manifesto. Microsoft's motives for improving security are arguably entirely selfish (removing a possible barrier to sales). But if its efforts result in fewer zombie PCs, fewer compromised Web servers and less spam, then that's good. Right?

SP2 puts up more solid defences

Chief among these efforts is Windows XP Service Pack 2. Due out in summer, XP SP2 promises far-reaching changes to improve the ability of Windows XP-based computers to withstand malicious attacks from hackers, viruses and worms.

Features include: Windows Security Centre; automatically turning on Windows Firewall; browsing enhancements to Internet Explorer (providing far more control of ActiveX, for example); and automatic pop-up blocking. Security Centre will let users check the status of their firewall, anti-virus protection and automatic software updates from a single point.

Microsoft also promises better file attachment handling in Outlook Express and Windows Messenger instant messaging, a move designed to reduce the chance of users unwittingly opening malicious code.

Buffer overflow slaying

Most significant of all in the longer term is revamped memory protection against buffer overruns, the perennial source of so many security problems. The protection (Data Execution Prevention) marks memory that holds data, such as the stack and heap, as non-executable, so that code an attacker smuggles in through an overrun cannot be run; the overrun itself still happens, which is why bounds checking in the code remains the first line of defence. Hardware enforcement needs processor support: AMD already provides it (its NX bit) on a range of its chips, and Intel is committed to introducing equivalent support (Execute Disable) in microprocessors due out from autumn this year onwards.
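To make the bug class concrete, here is an added example (not code from Microsoft or from the article): a constructed record with a fixed-size name field followed by a privilege flag, a setter that bounds its copy by the wrong size, and a hardened setter beside it. The struct, field names and inputs are assumptions made for the illustration. Note that the corruption shown here overwrites data only, so a non-executable stack or heap would not stop it; that is the limit of what the processor-level protection buys.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record (an assumption for this example, not a Windows
 * structure): a fixed-size name field immediately followed by a privilege
 * flag, so a copy that runs past `name` lands on `is_admin`. */
struct session {
    char name[16];
    uint32_t is_admin;
};

/* Vulnerable setter: the copy is bounded by the size of the whole record
 * instead of the name field, so any input longer than 15 bytes overwrites
 * is_admin. The write goes through a char pointer and stays inside the
 * struct object, which keeps the corruption well-defined and deterministic. */
void set_name_vuln(struct session *s, const char *input)
{
    char *dst = (char *)s;
    size_t n = strlen(input);
    if (n > sizeof *s)          /* wrong limit: sizeof *s, not sizeof s->name */
        n = sizeof *s;
    memcpy(dst, input, n);
}

/* Hardened setter: the bound is the field itself, and oversize input is
 * rejected outright rather than silently truncated. */
int set_name_safe(struct session *s, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof s->name)
        return -1;
    memcpy(s->name, input, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

/* Feeds `input` to the vulnerable setter on a fresh, unprivileged session
 * and returns the privilege flag afterwards. */
uint32_t admin_flag_after_vuln(const char *input)
{
    struct session s = { "", 0 };
    set_name_vuln(&s, input);
    return s.is_admin;
}

/* Same for the hardened setter; returns 0xFFFFFFFF if the input was rejected. */
uint32_t admin_flag_after_safe(const char *input)
{
    struct session s = { "", 0 };
    if (set_name_safe(&s, input) != 0)
        return 0xFFFFFFFFu;
    return s.is_admin;
}

int main(void)
{
    /* Constructed inputs: a normal name and 20 'A's (16 fill the field,
     * the remaining 4 overwrite the flag with 0x41414141). */
    const char *normal = "alice";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAA";

    printf("vuln  normal   -> is_admin = 0x%08x\n", admin_flag_after_vuln(normal));
    printf("vuln  overlong -> is_admin = 0x%08x\n", admin_flag_after_vuln(overlong));
    printf("safe  normal   -> is_admin = 0x%08x\n", admin_flag_after_safe(normal));
    printf("safe  overlong -> %s\n",
           admin_flag_after_safe(overlong) == 0xFFFFFFFFu ? "rejected" : "accepted");
    return 0;
}
```

The vulnerable setter does have a length check; it is simply checked against the wrong object, which is how most real overruns of this kind arise. The hardened version rejects rather than truncates so that a silently shortened name cannot be used to collide with another account.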

With XP SP2, Microsoft is applying the security philosophy (secure by default, etc.) it introduced with Windows Server 2003 to its three-year-old client OS.

That process goes both ways, it seems.

Gates said Microsoft plans to ship security advances in Windows Server 2003 Service Pack 1 in the second half of 2004 that will include the server-relevant security technologies found in Windows XP SP2. This service pack will also remove older, unused technology in a bid to reduce the potential for vulnerabilities.

Patches, patches, who’s for my lovely patches

Gates continues to trot out a statistic, first mentioned by Steve Ballmer, which has been attacked as misleading by open source advocates.

He says the number of "critical" or "important" security bulletins issued for Windows Server 2003, compared to Windows 2000 Server, dropped from 40 to nine in the first 320 days each product was on the market.

Even if you accept this statistic at face value, patches are still a necessity of IT security, whatever the platform. Last November, Microsoft moved to monthly releases of updates to improve predictability and manageability.

"We also are improving testing processes to minimize update inconsistencies and recall rates, and by this summer most of our updates will have full rollback capabilities," Gates writes.

Passwords out – biometric in

Improving authentication and access control is another key aspect of Microsoft's security manifesto. Gates writes of the need to move away from passwords to more secure technologies such as two-factor authentication and smartcards.

"Farther out, a Tamper-Resistant Biometric ID Card system will provide an innovative, simple and affordable solution for providing cryptographically secure photo-ID cards using a unique combination of public key cryptography, compression and barcode technologies," he says.

Active prevention

Looking further ahead, Microsoft is investing R&D budget in developing "active prevention" technologies including application-aware firewall and intrusion prevention technologies as well as technologies that can dynamically adjust to an environment a user is working from.

Intrusion prevention, along with SSL VPNs, is one of the hottest areas of the security landscape just now. But security vendors shouldn't worry too much, because Microsoft's plans in this area remain vague, at least at present.

On which note - there's still no indication of what Microsoft intends to do with GeCAD, the Romanian anti-virus firm it acquired last year.

Education for free!

In his email, Gates also stressed the need for user education. By the end of 2004, Microsoft aims to reach 500,000 business customers worldwide with information on how to optimise their systems and networks for security.

Starting in April, Microsoft will host the first of 21 Security Summits in cities across the US, "intended to provide deep technical security training for IT and Developer professionals". This training will be offered at no charge (our emphasis), Gates promises. ®

External link

Gates' latest message to users on security

Related stories

MS bigs up Windows XP SP2
Beefed-up firewall, new version of Update for XP SP2
MS takes fight to the spammers
Microsoft enters AV market
Ballmer's new MS security fix - same patches, but 'nicer'
Ballmer on why Windows is more secure than Linux
Ballmer to crackers: this PC ain't big enough for the both of us
