10 years ago today: Bill Gates kicks arse over security

Trustworthy computing memo marked Microsoft turning point


Analysis Sunday marks the tenth anniversary of Bill Gates's trustworthy computing memo, which made securing applications from the ground up a key priority at Microsoft for the first time.

The directive followed a period during which Redmond took a sustained shelling over the instability and insecurity of its software, especially in Internet Explorer and Outlook, highlighted by the damage caused by high-profile malware outbreaks such as the rampaging Love Bug, Melissa and Nimda nasties.

The memo came after Microsoft had spent years fighting the Department of Justice's antitrust suit that centred on its Windows monopoly, in particular the bundling of IE with Windows, and two years after Redmond embraced web services with the launch of .Net.

The perception of insecurity was a problem for Microsoft as it weakened attempts to push its servers and associated applications into data centres, as well as nobbling its fight against Linux as a web server platform. It was hard for the Microsoft spindoctors to sell their products as reliable and always available if the software was easily susceptible to attack.

Gates's memo sought to tackle concerns about the security and reliability of Windows, as well as addressing broader concerns about privacy and Microsoft's business practices. As in so many fields of computing, the idea of trustworthy computing was coined years before Redmond latched onto the concept and began running with it.

In the wake of the missive, the corporation's developers boned up on the latest secure coding techniques. Microsoft attempted to ship products that were secure by design and by deployment. After regarding security researchers with an attitude approaching disdain, at best, the company became far more approachable, responsive and communicative. It has also worked with law enforcement agencies on botnet takedowns and other initiatives.

Notable achievements include adopting a security-focused lifecycle for software development and enabling the Windows firewall by default, a change that belatedly put paid to the spread of the Blaster and Sasser worms.

Some things never change

Those measures were only put in place two years or so after the original trustworthy computing memo was issued on 15 January 2002. Ten years on, Windows malware is just as big a problem as it ever was, and one of the key goals of the whole initiative - resilient computer systems - remains a long way off.

There have also been missteps and setbacks along the way, most notably the hated UAC (User Account Control) nagware that debuted with Windows Vista. Other demerits include Redmond's delayed guillotining of Autorun, which was only dropped from older versions of Windows years after it became a leading vector for malware infestation.

On the other hand, concerns about the security of Microsoft's applications have slowly abated while Adobe apps and Java have become the chief target of many hacking techniques. Privacy fears regarding Microsoft have been overtaken by sharper concerns over Google and Facebook.

While it has hardly been a resounding success, Microsoft's trustworthy computing initiative has made a positive impact on the industry and, to Redmond's credit, continues to produce fresh initiatives. For example, Microsoft is readying plans to provide a real-time threat intelligence feed, a move welcomed by security experts. The proposed free-of-charge service will distribute threat data from captured botnets and other sources. Redmond's security staffers are in the process of testing the service, Kaspersky Lab's Threatpost reports.

Ten years ago Microsoft was the butt of security-themed jokes. A decade later it is seen as an engaged partner and even a security leader, whose example other IT giants (hello Apple and, yes, Oracle) would do well to follow. ®
