Before delving into Microsoft’s epiphanic embrace of security, let’s make something clear: little if any important information leaks out of Redmond.
So when an “internal memo” from Bill Gates to his staff urging his minions to refocus on security finds its way into the newspaper, as it did in January, you can bet this is not a corporate communications oops. This is Public Relations.
Two months after Windows XP was exposed for having insecure, lazily crafted code, CIOs weren’t getting an inside glimpse at Microsoft saying “our bad” with the Gates memo. They were getting spin.
As PR goes, the Gates security memo was wildly successful. National media outlets rehashed the details with about as much scrutiny as a pro wrestling referee. They picked up on Microsoft’s brand name for the effort, Trustworthy Computing, which Gates happened to include in the internal document. And Microsoft, which measures these things, probably saw a spike in consumer confidence about the company.
But there’s no reason to deem Microsoft more trustworthy today than before Gates’s memo. Even if Gates could by fiat make every new Microsoft product secure (and of course he can’t), there are tens of millions of legacy systems that will stay in service for years. They’ll continue to expose their owners and anyone networked to them, ensuring that the patch-it, break-it, patch-it, break-it cycle will persist for years as well. This became extraordinarily clear earlier this month, when Microsoft released another patch for the two-year-old Internet Information Server (IIS) 5.0. It covered nearly a dozen vulnerabilities that were “as bad as they get,” according to one security researcher who investigated the weaknesses. “This one was really amazing,” the researcher said, adding it was “every administrator’s nightmare.”
CIOs shouldn’t suppose Microsoft developers will suddenly learn the fundamentals and intricacies of creating secure systems simply because Gates says he wants them to. In fact, our friend the security researcher (who asked to remain nameless because of business dealings with Microsoft) believes learning how to build secure systems will take years of training and redevelopment, not an epiphany from Gates. Some would even argue that without starting over and building security in from the start, products can never be secured. “I don’t think they’ve gotten better [at] writing the code,” the researcher says. “They’ve switched to having outside people look at the code, and having internal teams do code reviews. At this point I think they’ve realised how bad it is.”
At CIO’s Perspectives conference last week, I asked Cliff Reeves, a member of Microsoft’s .Net product management group, if Microsoft realised how bad it is. He copped to the fact that Microsoft needs to do better, but he said he fully believes the Gates memo will propel the company into action. “I am amazed at how quickly this company assimilates ideas,” Reeves said. “I really think this means something.”
Indeed, there might be some signs of improvement. The same security researcher who panned the IIS 5.0 vulnerability said that IIS 6.0 (in beta testing now) “is astoundingly different and much better” and that it has a fundamentally different security architecture, down to the kernel level. (Of course, this means that to get better security, you’ll have to upgrade to a new version of IIS. Isn’t that a lovely trick? Imagine if, when an automaker had a recall, they made you buy a new SUV.)
There is also a Machiavellian argument to support Microsoft. No matter how clumsy the means by which the company injected the “news” that it was refocusing on security, the end result is that the company has in fact entered a conversation that it irresponsibly ignored for years. It might be advertising the fact it has set some internal bar, the argument goes, but at least it’s saying it has set a bar at all.
Maybe. You have to forgive reporters for being cynical about things like Trustworthy Computing. Those who cover this company witness all manner of PR schemes. Trustworthy Computing actually ranks more like a gimmick compared with some of its past exploits, like entering fudged video tapes as evidence and using dead people’s identities in letters sent to government officials asking the government to go easy on Microsoft in the trial. Microsoft has given reporters no reason to believe anything it says.
And despite the notorious memo from Gates, the company has given CIOs no reason to believe it is building trustworthy systems. Remain sceptical until Microsoft proves it’s something other than a vendor that builds insecure software and is belatedly realising how bad it is.