Scott Charney: Microsoft's security chief reveals all

Shortly after the 9/11 bombings, Microsoft hired Scott Charney, a federal prosecutor for the US Justice Department, to head up its Trustworthy Computing division. At AusCERT 2008, ZDNet.com.au caught up with Charney to hear his thoughts on how those events changed the security landscape and what he thinks about the current state of IT security.

The Trustworthy Computing division's sole task was to ensure that Microsoft made security the highest priority when developing products.

Scott Charney, VP of Microsoft's Trustworthy Computing Group

Charney was an interesting choice for Microsoft. In his role as lead federal prosecutor for the US Department of Justice's criminal division, he worked on every major hacking case in the United States between 1991 and 1999.

The first real evidence that Microsoft had changed its ways came with the release of Windows XP Service Pack 2, which contained an improved firewall, had auto-update turned on by default and consolidated security controls into a single "security centre". According to Microsoft, the update made Windows XP 15 times safer.

In this exclusive eight-part video interview, Charney discusses Microsoft's current approach to security, what challenges lie ahead and what has gone wrong in the past.

Talkback 4 comments

    Mwahahhahaaaaa........... Anonymous -- 27/05/08

    Microsoft.....security....microsoft ?...security ????

    Mwahahahhahahhahahaaaa.....!!!!!!!

    *wipes eyes*

    Ahhhhhhh........... thanks, I needed that.

    And everyone else is to blame. Anonymous -- 27/05/08

    So it's the users and the applications that are the problem, not the shoddy OS they use or run on.
    It's all so clear to me now!
    So this means they're finally throwing in the towel and now not even bothering to try and defend their products, they're just going to try and shift the blame elsewhere.
    "Yes Your Honour, it was the victim's fault. If he hadn't have walked down that dark alleyway with that money then none of this would ever have happened. My client is blameless"

    Oh, why did they put a lawyer in this position anyway? Surely someone with a clue about the issues would have been more appropriate? Having said that, I think his job is the most unenviable in the Redmond structure, that and chair replacement guy for Ballmer.

    hear hear Anonymous -- 27/05/08 (in reply to #320102713)

    good call Anon.

    MS Security - via Xenix! Bill Caelli -- 27/05/08

    Ahh!! History and total amnesia at Microsoft.

    In the 1980s to the 1990s Microsoft sold - wait for it - its own version of UNIX - named "Xenix" - still a trademark of Microsoft - and - more - it was largely used for internal systems at Microsoft at the time!

    Now - guess what - that same Xenix became "Trusted XENIX" via a company called "Trusted Information Systems (TIS)" in the USA and it received a very high security "rating" of B2. John Ulett was the MS marketing manager for many years.

    Then - of course - there was MS "Palladium", renamed NGSCB - Next Generation Secure Computing Base - project. What happened??

    No application can be any more secure than the operating system it runs upon... and that is the truth that Scott has to start admitting - and MS to start fixing! Yes - NGSCB gave us some direction with its "Nexus" trusted computing base direction. It should have been IN VISTA - now!

    After all - we should well and truly be operating in some form of "Flexible Mandatory Access Control or FMAC" by now - the direction that SELinux and SUN's Solaris 10 are both moving into - with availability NOW.
