MS: Secure computing is still a decade away

28 January 2003 11:10 AM
Tags: security, gates, palladium, european union, future, bill, email, microsoft

COMMENTARY--One year ago, Bill Gates challenged his Microsoft troops to make the company's products more trustworthy. What's been accomplished? A bit. What still needs to be done? A lot.

If Bill Gates were running for office (rather than just trying to sell it), the question the opposition would be asking this week is simple: Are you better off now than you were a year ago?

That's how long it's been since Gates sent out his now-famous e-mail rallying the company to solve security problems.

Bill's Jan. 15, 2002, message came in the wake of Sept. 11, but was more directly a response to the embarrassment the Nimda and Code Red incidents caused his company by shutting down its customers' servers and networks. There was also that embarrassing little business about Gartner, the big IT research firm, telling its customers not to use Microsoft Web servers because they were too insecure.

Microsoft looked like it was lax on the security issue. Clearly something had to be done. The question, a year later, is: Has Microsoft done it?

Last Thursday, Bill sent out another e-mail focusing on the results of the security initiative. I'll save you the details, which you can read in his e-mail.

The bottom line: According to Bill, the company has put 11,000 engineers through security training--at a claimed cost of US$200 million in lost productivity. More broadly, MS has created a corporate-wide security apparatus that is there to challenge everyone--from the Windows group on out--to write more secure code.

But it's not enough to train employees. The company has to do more than just make security patches available. Both Nimda and Code Red exploited vulnerabilities Microsoft had already fixed; ditto for this past weekend's SQL Slammer. Customers with up-to-date patches never noticed the outbreaks, at least not on their own machines.

Unfortunately, most users and, especially, corporate customers remain leery of patches in general, which frequently create as many problems as they solve. Mike Nash, the Microsoft VP responsible for the security business unit, said the quality of patches has improved, but significant customer resistance remains.

For corporations, Microsoft has created new tools for patching entire networks at once. For you and me, the company has beefed up Windows Update to make it harder for users not to patch their machines. In the future, expect new operating systems and service packs to turn updates into background processes that happen unless customers specifically opt out of them.

While members of the paranoid club get all excited about Microsoft "secretly" downloading software to their machines, anything that solves the huge, Internet-wide vulnerability created by unpatched systems should be considered an important step forward.

Still, much of what Microsoft has worked on this past year to improve security won't really be seen until 2005 or so, when next-generation servers and applications become available. The most controversial of these forthcoming technologies is called Palladium, which would change the design of personal computers to include special security chips and secure memory.

Again, some see this as Microsoft trying to take control of everyone's computer. But those people are, frankly, nuts. Still, there are aspects of Palladium that bother me, and I remain concerned that it could be used to end the fair use of copyrighted content.

Microsoft still fears a repeat of the public outcry that greeted its Hailstorm proposal back in 2001. Those who say the company isn't responsive should consider the company's subsequent retreat, as well as the more recent changes it made to the copy protection systems in the first Media Center PCs, as examples of a company that's actually pretty quick to change directions on security issues when customers get upset.

So how has Microsoft's goal of "trustworthy computing" changed my life thus far? Not very much, although I was doing most of what I should have been doing even before Nimda and Code Red.

True, I find I have a harder time sending certain attachments (such as .exe and .zip files) using Microsoft e-mail clients, something that bugs me to no end. And the Outlook 11 client, now in beta, blocks HTML e-mail by default; since many of you get my newsletter in that format, that potentially threatens my livelihood.

Besides that, I've installed all the patches and service packs available for my machines, though I'd be hard-pressed to tell you what they really do. What I do know is that, while friends and colleagues were hit with Nimda and Code Red, I happily continued my work, wondering why so many people hadn't taken the same precautions, and installed the same patches that I had.

In that vein, let me remind you--actually I hope most readers don't have to be reminded, but will use this as an occasion to remind family, friends, and coworkers--of the three most important things you can do to protect yourself:

  • Make sure you have all the patches. Microsoft makes this easy using Windows Update, which is already in the Start menu of every Windows computer.
  • Run antivirus software and make sure it automatically updates itself the way the publisher recommends. I use, and have been very happy with, Norton Antivirus. Sometimes I open suspect files just to watch the Norton alarms go off--that's how well-protected I feel.
  • If you're using a broadband connection and don't have a firewall built into your gateway, install a software firewall on your machine. Microsoft has included a simple one in XP; a number are available from third parties. Again, I use a Norton product for this.

At the end of its first year, I'd say Microsoft's security initiative has, for the most part, been a success in the same sense that Homeland Security has so far been successful: Until this past weekend's SQL Slammer attack, there hadn't been any major security disasters. That is in some ways both the most and least important measure of security, since we will never know how many attacks were foiled.

Despite this weekend's attack, I feel more secure today than I did a year ago, thanks to the emphasis MS is now placing on writing more secure code and the release of tools like the latest Visual Studio, which makes it easier for everyone to write more secure programs.

But I don't feel 100 percent safe. Microsoft's best guess is that trustworthiness is a decade away. I think progress will accelerate after this first year of baby steps.

So I expect to feel a lot more secure in a few years. But maybe I'm just kidding myself. The war against the bad guys will probably continue as long as we use PCs and networks. And in the future, I'm sure there will be occasions when the bad guys will win. All we can do is make it more difficult for them and more secure for us.
