News

Users Enthusiastic About Microsoft Security Initiative

• By Stephen Swoyer
• January 22, 2002

“As problems with [its approach to software development] have surfaced over the years, Microsoft patched the utility or application in question rather than reconsidering the basic architecture which left these avenues of attack open,” comments Dan Kusnetzky, director of worldwide operating environments for IDC. “Since Microsoft users have been loudly complaining about this for quite some time, it's surprising that Microsoft is only now ‘hearing’ user demands to make security a key design goal.”

End users, on the other hand, have on the whole reacted more warmly to news of Gates’ companywide directive that Microsoft employees make security a top priority. “I believe that Bill Gates is serious, and all I can say is: ‘It's about time,’” responds Andrew Baker, director of Internet operations for the New York-based educational testing service Princeton Review Inc.

Microsoft doesn’t typically garner much sympathy on USENET, even in the context of its own newsgroups, but over the past week, discussion in Microsoft-centric USENET groups – such as microsoft.public.security – has for the most part been positive, as well.

“I personally would hate to be in Microsoft's shoes,” wrote John Selph, a network manager at Ouachita Baptist Univeristy in Arkansas. “On one hand, consumers start to whine because your products aren't Internet savvy, because there's not enough features, and because products are never integrated. So you integrate all your products, you add features like a full IE browser inside email, you integrate products to work seamlessly with each other. Then people whine because they got what they asked for!”

IT managers are a cynical lot by nature – it comes with the territory – and last week more than a few Windows administrators seemed disinclined to believe that Gates’ memo marked a major reversal-of-course for Microsoft.

"I've heard that before,” laments John Roberts, a LAN administrator currently employed as a contract worker with Bank of America’s Windows 2000 migration. “NT was supposed to be a very secure OS, then Windows 2000 was supposed to be a more secure OS, then XP, and the soon to be Windows.Net is supposed to be even more secure. All of which have had major security problems.”

But users such as Ouachita Baptist’s Selph argue that Gates’ “Trustworthy Computing” memorandum is similar in scope and in importance to a famous directive in December 1995 in which he urged employees to integrate Internet technologies into Microsoft’s products on all levels.

“I think Microsoft is in the position that they can't afford to ignore security problems any longer. They've been aggressive at making powerful software for a while now, but they threw Internet and product integration in rather late in the game. I think the security problems resulted from that fact,” Selph suggests. “But Bill Gates is a man that has always gotten the job done (when he said Microsoft would increase Internet support, they did and then some). I personally think he's going to make sure they get security right this time.”

Princeton Review’s Baker agrees.

“Based on past experiences, such as with the focus on the Internet in '95, Microsoft has responded well to these major directional shifts by Bill Gates, and it is a welcome situation this time around,” he asserts.

Most experts anticipate that Microsoft will have its work cut out for it, however. IDC’s Kusnetzky, for his part, says that because the software giant has traditionally concentrated on ease-of-use at the expense of security, it must revamp its product lines from top-to-bottom if Gates’ directive is to be realized.

“People have been exploiting [Microsoft’s tendency to concentrate on ease-of-use at the expense of security] for quite some time. This is one of the reasons why there is a thriving software business for virus protection, security software, backup/restore software, and desktop configuration management software targeting Microsoft's desktop operating systems and sever operating systems,” Kusnetzky says.

Russ Cooper, editor of the Windows NT Bugtraq Mailing list, suggests that the recurrence of specific problems – malformed data denial-of-service attacks, buffer overrun exploits – could point to systemic design problems inside of Microsoft itself. “[This is] something that Microsoft has not been able to get a handle on yet, which is that their server products do not respond well to malformed data. We’ve had problems like this with RPC and [with] practically anything that listens,” he says.

Hector Santos, CEO and CTO of software development firm Santronics Software Inc., says that Gates’ memorandum also leaves a lot of questions still unanswered.

“I have some mixed feelings as to what they are applying the new policies to. Is it for .NET only or for the entire [Microsoft] product lines?” Santos asks. “Either way, I come from a software engineering background so to me, quality always came before features and rushed deadlines. So I personally welcome Gates’ new direction for Microsoft.”