But this was not a pain-free learning exercise. Indeed, Microsoft paid a steep price in the coin of user dissatisfaction--and in some cases, lasting mistrust.
In September 2001, the Nimda worm spread throughout networks worldwide, leading corporate customers--including many financial firms--to chastise Microsoft for failing to plug vulnerabilities in its code.
Two years later, the MSBlast worm and a variant of the program infected Windows computers and corporate networks, once again bringing consumer and corporate wrath on the Redmond, Washington-based company.
But the attacks also compelled Microsoft to rethink how to provide improved security.
Nimda resulted in the Trustworthy Computing Initiative, a companywide program designed to prod Microsoft's development teams toward producing more secure code.
In the aftermath of MSBlast, Microsoft has refocused on security for its next update to the Windows XP operating system, Windows XP Service Pack 2. The changes feature an improved firewall, the ability to turn off pop-up ads and ActiveX controls in Internet Explorer and a control panel that will display the current state of a PC's security.
"One of the things that we really learned after August and Blaster is that...it is not enough to have the technology there; it has to be accessible as well," said Neil Charney, director of product management for Microsoft's Windows Client Group.
The aim is to bring ease-of-use concepts to security. The Windows Security Center will have a simple set of status displays, showing whether the PC is protected by a firewall and has the most recent patches. It will also make sure that the antivirus software is turned on and updated. Users also will be urged to turn on the basic security protections.
The company still hasn't put an indicator on the desktop for the most basic security function: backing up data.
Yet the service pack represents a solid step toward helping the overwhelming majority of customers who are not security-conscious enough to secure themselves.
Microsoft's focus on ease of security also offers an instructive example for the Linux world.
Historically, Linux has enjoyed an advantage in design and user education. Linux inherited its strength in design from Unix. In contrast, Microsoft has had to make sure that its products remained backward-compatible with its original Windows infrastructure, which treated security as an afterthought. Moreover, Windows users tend to be far less tech-savvy than those who use Linux.
However, from its Protect Your PC campaign to the coming service pack, Microsoft appears to have "got religion" about the subject. If Linux is to appeal to the general public, security must get easier.
Linux does have a wide variety of tools to secure a computer running the open-source operating system, but administering a system using the tools is relatively difficult. One tool, Nmap, checks for open data channels, known as ports, that could be vulnerable to an attacker; the tool, however, does not analyse which ports might be threats.
Another tool, Tripwire, creates a digital fingerprint of each important file on a computer and tracks changes to those files. While the software provides good security, it is so hard to configure and use that most users don't try to run the security check. (A company, also called Tripwire, makes a full-featured commercial version that is much easier to use.)
And a good backup utility that doesn't require magnetic tape is still hard to find.
As Linux slogs toward becoming a viable desktop alternative to Windows, proponents know that the battle may hinge on the ability of developers to integrate such security into major distributions. What's more, they must find ways to represent the results in an accessible way for average users. Speaking about the Linux user interface in general, Linux luminary Eric Raymond said as much in a blog that posted recently.
"None of this is rocket science," he wrote, referring to a problem he was having installing printer software using the application's user interface. "The problem isn't that the right things are technically difficult to do...The problem is that the (software) designers' attitude was wrong. They never stepped outside their assumptions."
Some projects are doing it right. A good example of a tool that has focused on ease-of-use is Nessus, which scans a network for signs of vulnerabilities and not only tells the user what it has found--but also explains why the issue poses a security problem.
Still, any Linux version that claims to be for the desktop might want to borrow a page from Microsoft's textbook and give users a central place to see the status of their data and computer system.
In the high-society circuit, they say you can never be too rich or too thin. So it goes that when developing operating systems, you can't ever make a product too accessible or too conscious about security.

From:
http://linuxtoday.com/news_story.php3?ltsn=2004-03-12-001-26-OP-MS-DV-0004
Check out his picture. What's with the look?
.....In three months, Microsoft users will finally reap benefits from the company's new focus on security.
And we really, Really, REALLY mean it this time.
Not like that time TWO YEARS AGO when Bill Gates said that THIS TIME they would get the security right.
Bullwinkle J. Moose: "This time fer sure!"
.....In September 2001, the Nimda worm spread throughout networks worldwide, leading corporate customers--including many financial firms--to chastise Microsoft for failing to plug vulnerabilities in its code.
-and-
.....Nimda resulted in the Trustworthy Computing Initiative, a companywide program designed to prod Microsoft's development teams toward producing more secure code.
-but-
.....Two years later, the MSBlast worm and a variant of the program infected Windows computers and corporate networks, once again bringing consumer and corporate wrath on the Redmond, Wash.-based company.
So, you've waited TWO YEARS for it and it is only THREE MONTHS away!
Bullwinkle J. Moose: "This time fer sure!"
.....In the aftermath of MSBlast, Microsoft has refocused on security for its next update to the Windows XP operating system, Windows XP Service Pack 2.
Okay, so Microsoft focused on security TWO YEARS ago and then had ANOTHER huge problem so this is making them REFOCUS on security now.
Bullwinkle J. Moose: "This time fer sure!"
.....If Linux is to appeal to the general public, security must get easier.
Huh? How much EASIER should it be? The FIRST thing to do is to TURN OFF ANYTHING THAT ISN'T ACTUALLY BEING USED.
.....As Linux slogs toward becoming a viable desktop alternative to Windows, proponents know that the battle may hinge on the ability of developers to integrate such security into major distributions.
Then again, it may not. Then again, Linux may already have that functionality. Then again,
... may ....
..... Speaking about the Linux user interface in general, Linux luminary Eric Raymond said as much in a blog that posted recently.
Ummm, that was about a printer install. And he's been ripped apart over confusing who is responsible for what.
.....Still, any Linux version that claims to be for the desktop might want to borrow a page from Microsoft's textbook and give users a central place to see the status of their data and computer system.
#1. That functionality STILL doesn't exist in Windows.
#2. Windows machines are FAR MORE LIKELY to be cracked than a Linux machine.
#3. That practice is akin to putting a band-aid on a sucking chest wound. Instead of focusing on pretty lights to give the end user a sense of security, why not ship the system in a more secured mode to begin with?
.....In the high-society circuit, they say you can never be too rich or too thin. So it goes that when developing operating systems, you can't ever make a product too accessible or too conscious about security.
The average home Win2K machine is very simple to protect. It even prompts you to download updates. Yet MOST people don't even do that.
Making it easier for them to download updates isn't going to do much to improve the situation.
If it REQUIRES user input, it will NOT be done.
The ONLY way to make it more secure for the home user is to TURN OFF THOSE SERVICES.
NO automatically executed attachments in email.
NO services listening on ports.
LIMIT the out-of-the-box functionality.
-but-
This practice specifically contradicts Microsoft's aim for ease-of-use.