The effects of the W32.Blaster worm have been felt throughout Microsoft during the past few weeks, but they have been particularly painful for Jim Allchin, a self-described perfectionist. The vice president of Microsoft's platforms group spoke with Computerworld about security matters. Excerpts follow:
Q: What sorts of plans are you formulating to deal with the effects of the Blaster worm?
I personally have spent a lot of time on this, because I think I've concluded that we have to take a different tack than what we've been taking. I have nothing to report now, but you can stay tuned because . . . I've had enough, and I'm going to do something about it. We have a team trying to propose some new approaches on this.
Q: Are you talking about internally holding individuals or groups of engineers accountable for specific code vulnerabilities?
No. All software has problems. We have to come at it with a different approach, and just stay tuned.
Q: When analyzing the Blaster case, what did you find, beyond the fact that some people didn't install a patch a month ago?
If everybody had the patch on in the entire universe, fine. But the question is: Can you really expect anybody to do that? I think that it's a very difficult proposition to expect people to do that perfectly. If it's done perfectly, you're home free, and frankly, I've talked to companies that did it perfectly.
Q: Let's suppose you didn't. What are the downsides of having one hole?
One machine gets into your environment, and you've got a problem. If your perimeter protection doesn't save you, then it's inside, and let's suppose there are just a few machines that haven't been patched for whatever reason. They were laptops, they never connected up to get the antivirus signatures, or whatever.
I think we're going to have to come at it from a different approach (than) expecting perfection by the distribution, even though we're going to give great distribution technology.
Q: Is it something that we can expect to see this year or next year?
I don't know.
Q: But there will be some form of technology that you will offer to IT professionals?
Q: Will it be a separate product?
I don't think a separate product.
Q: Do you have that technology now and just need to implement it, or do you need to develop that technology?
A combination. I think we can swing around to this pretty quickly.
Q: Historically, Microsoft has released software products that weren't secure by default. How far are you willing to go? Is the company willing to lock the system down completely?
There's lots of different answers to that. . . . The Internet Connection Firewall is in Windows XP. It has been in there all along.
Q: Why is it that people haven't turned it on?
Well, we didn't communicate it well enough, I guess, because it does protect. Honestly, I've never had a virus hit my machine. And the reason why is I do a few basic things that we haven't communicated.
Q: Do you feel that the security perceptions and realities that Microsoft faces threaten the business?
Yes. . . . I think it threatens business for everyone. It's not a Microsoft statement. I think that customers are afraid that their business is going to be jeopardized by the IT infrastructure, because they're so dependent on computers. That's a huge problem for the entire industry, and it's a huge problem for us. And I take it very, very seriously.
Q: When Microsoft signed the US$30 million contract with the Department of Homeland Security, in a lot of people's minds that took things up a notch beyond "the security of my company" to "the security of my country." Did that contract change Microsoft's thinking or approach in any way?
For me personally, no. It might have for others here in the company. . . . I think my personal sensitivity to this has been high for some time now.
Q: What do you see as the accomplishments vs. the disappointments with regard to Microsoft's Trustworthy Computing initiative in the past year and a half?
It's sort of funny to say this, because it's sort of asymptotic to perfection, but the first part of the curve is a huge jump, so I feel incredible progress. We trained everyone. We have people who have written textbooks. We have threat models that happened. We have all the work that we did in terms of the analysis tools, which are really phenomenal. We have some of the best people in the research team that are doing tools that analyze the code looking for issues.
The level of importance on, "If you know of such a problem, will you ever ship the product?" If there's an exploit . . . the answer is, you don't ship -- and have that permeate the company so deeply, it's great. Are we perfect? No. But if you look at the slope of what we've accomplished, it's pretty phenomenal. It may not be visible to everybody because oftentimes, once we turn the ship around, it may not be visible, but we have turned the ship.
(Windows Server) 2003 is a big step up. It's not enough, but it's a big, big step up. It's dramatically different than looking back just a few years. I mean, look at NT 4, look at Windows ME -- I mean, come on. It's quite a different world today. The ship has been turned, and I see all the progress inside.
We still demand more internally, and in terms of our processes, there's just so much more rigor about it in terms of the reviews that we do from external groups that come in. We have an academic review panel, so some of the best, world-renowned security people come and talk to us about what we're doing right and not doing right. All of those things are big steps ahead.
You asked about disappointments. Well, I am sort of a perfectionist, and we still have work to do. We know that. I just feel really bad personally about this worm. I wasn't impacted. I know how people could have avoided it, but they didn't. So I take -- the company takes -- responsibility. We've got to do better.