Trustworthy Computing At One Year

ackthpt writes "One year ago Bill Gates issued forth an email directing the company to work toward Trustworthy Computing, making Microsoft operating systems, applications and services secure and reliable. Where is that effort at today? vnunet has this Q&A with Microsoft security chief Stuart Okin. Slow, steady progress seems to be the result. They've targeted Security, Privacy, Reliability and Business Integrity, but so far have had a go at Privacy. Okin indicates the strategy may take 5 to 15 years, but more immediate milestones are targeted within the next two years and focusing on reducing vulnerabilities in the next version of Windows, rather than attempting to fix 2000 or XP. I'd chalk this up as a frank and honest interview, rather than madly spun, and paints a picture of the massive cat herding effort undertaken."

Article Text

Q+A: Stuart Okin, Microsoft UK's chief security officer

Emma Nash [26-02-2003]

It's been a year since Bill Gates sent an email to Microsoft's 50,000 staff, informing them that security was the company's new watchword and its Trustworthy Computing strategy was its newest and biggest priority.
Twelve months later and the company says it wants people to be able to trust computing infrastructures within the next 10 years. The software giant is doing all it can to shake off its reputation of having bug-ridden software that is inherently insecure.

Stuart Okin, Microsoft UK's chief security officer talked to Computing about the company's security vision.

How did the Trustworthy Computing strategy came to life at Microsoft and what does it mean?

Trustworthy Computing was born out of chief technology officer Craig Mundie's office in January last year. He coined the phrase and it lead on to a vision that resulted in the famous email that Bill Gates sent out. Trustworthy Computing is a vision of the future in five, 10 or 15 years, which says we want users to say they trust their computing platform.

Craig uses the analogy of the telephone: You can unplug a telephone and move it to another room and plug it in, and 99.9999 per cent of the time it will work. When we use it, we are pretty sure that we know who we are talking to, and we know we'll get a bill at the end of the month and we know what rate we'll be charged at, and we are protected by Oftel. That's the vision, and that's where we want to be.

We have come up with four pillars: security, privacy, reliability and business integrity. We are trying to develop a score card system for each one of these and put an improvement plan in place. To date we've had a go at privacy and we are trying to roll that out. The other three are more difficult.

What improvements have been made so far?

The largest impact has been on our consumer business. About 11,000 programme managers, developers and subsidiaries have received additional security training. A lot of this is about learning how to write secure code, and consider things like - do you need certain functions set as default? We've also seen an impact on our security bulletins.

Microsoft issued 72 security bulletins last year. That doesn't help your reputation, does it?

The problem with Microsoft is because we have a big deployment base out there, we go very, very public with any vulnerability, with patches. Some we actively alert the press about. We know it's going to cause negative press but we have to do it. That's a problem for us. But if you follow any of the vulnerabilities of our competitors, we are not as bad as them. It just takes one vulnerability to be exploited and it has a major effect.

It is a problem from a reputation point of view. And we know that we will never be able to get rid of every vulnerability. Anyone who says the opposite is not living on this planet. What we need to do is raise that bar and make sure these vulnerabilities are very obscure.

Will it be a big struggle to change people's perception of Microsoft and security?

There is a broad spectrum of people that like Microsoft, and there are those that don't like Microsoft. Microsoft is a very successful company and there's a lot of people that don't like success. In 10 or 15 years time we could achieve Trustworthy Computing and there will still be people that don't like us. That's fine. We can't win with everybody, but we can ensure we are transparent, honest and forthright.

How much of these security problems can be improved with education?

It's partly to do with education, but Trustworthy Computing is a roadmap. We will bring out the most secure software we have, but there will always be vulnerabilities. It's about what we can learn from them and then we can raise the bar again next time round.

Will we see a decline in the number of security vulnerabilities in the coming years?

I'm not sure we will see the number decrease particularly, because they go across all of our products. I hope we'll see them decrease in products like Windows 2003 rather than 2000 and XP. We have some internal aims and we work on the basis that we aim for zero, and we see where it goes from there. We have the people, processes and technology in place to get to zero.

Surely this is an industry undertaking and Microsoft cannot get the world to trust computers on its own?

We cannot do it alone. We have to do this with our partners, with the government and with our competitors, because there are things we can do with education and awareness. It's Microsoft's vision but it's not something we can do alone. We are working with our competitors through standards groups, such as Saint.

How progressed is the strategy?

We have done a lot in the last year but we need to do a lot more in the next two years. We need to do a lot more in the patch management area. The product groups are very much independent at the moment - Windows, SQL, Exchange are all pretty much separate. We have to work to common standards, which we've pretty much got licked because of the arrival of the internet and open standards.

The one we haven't got licked is patch management and engineering. Each division has their own engineering group. We have got to bring engineering to a point where all patches are together in a single deliverable way. We're looking to get to two installers in the next two years and then to one some time after that.

Special Report in Information Security Magazine

[Belluminari]

The February issue of Information Security has a special report by Lawrence Walsh titled "Trustworthy Yet?" that is a good companion to this article.

Re:Quote from article.

[aoteoroa]

I already trust my computer. My computer has no business "wondering" whether it trusts me or not.

That was a beautiful quote.

we go very, very public with any vulnerability

[Geekbot]

"we go very, very public with any vulnerability"

What a total piece of crap! They do not go public with every vulnerability, they do not go public with every "feature" where feature is a terrible hole in the system that they try conning people into believing is a useful tool (to who? russian mafia and script kiddies?). If they went public with every vulnerability, why do hackers have to post vulnerabilities on mailing lists before MS will even acknowledge them and call them features?

And since they don't patch every vulnerability, who cares if they admit to them. They don't admit to them in mainstream media where they lay down the Spin better than a politician. The average user isn't going to be aware of most of the vulnerabilities in MS and are not going to bother anyway, as MS wont patch them, or those patches will crash their system.

This guy is insulting. I am offended because he insults me by pretty much lying to me about the efforts of MS. Not that I don't know what MS is up to, but it's insulting for him to try pulling it anyway.