Microsoft in a pinch at security forum

Microsoft Corp. Chief Technology Officer Craig Mundie has one of the most difficult jobs in a company full of difficult jobs. The tough-speaking executive has found himself on several occasions addressing red-hot issues at the time in which they were most heated -- such as talking to a roomful of Linux developers in July, just weeks after Microsoft executives had compared their operating system of choice to a cancer.

Tuesday, just one week after an independent programmer managed to write a program that could expose credit card information stored in Microsoft's Passport authentication service database, Mundie found himself in a similar pinch: standing before nearly 150 industry executives and security experts talking about the security behind Microsoft's lofty plan for the Internet, called .Net.

As seen in the recent security snafu with Passport, the key authentication technology that will facilitate .Net, Microsoft still has a ways to go before it can ensure that its plans for pervasive computing will be secure. Speaking at Microsoft's campus here, where the company is hosting a three-day Trusted Computing Forum, Mundie conceded that and extended an olive branch to those who might be able to help solve the problems.

"Despite best efforts by smart people, it is unlikely that computing will ever be perfect," Mundie said, comparing the problems facing the technology to those faced with several innovations in history, from the telephone to the credit card. "I don't think the people who designed these networks ever would have predicted the problems they would face.

"In a way you could say it was a bit naive," he said.

But programmers have found ways to exploit Microsoft's naivete, spreading worms such as Code Red and Nimda through Microsoft's Internet Information Server software, and this has raised serious questions regarding how the company and the industry can progress without falling victim to similar malicious computer attacks.

Still, growing industry support was witnessed here in the comments from attendees, many of whom are Microsoft's biggest critics and competitors.

"There is a lot to be said about Microsoft's progress in cooperating with the industry on privacy," said Tatiana Gua, senior vice president of integrity assurance at America Online Inc., the Internet service division of AOL Time Warner Inc., who attended Mundie's presentation.

Citing the addition of new security technologies in its products, such as P3P (Platform for Privacy Preferences) and Microsoft's efforts to step up its cooperation with industry standards groups, Gua expressed some support for Mundie's presentation. Still, she criticized some of the technical points in Microsoft's security strategy. "Unlike Microsoft, we don't believe that one size fits all," she said.

Robert Hahn, a research director with the American Enterprise Institute, a Washington, D.C.-based think tank, who studies privacy and government regulation, noted a similar shift in Microsoft's actions in regard to ensuring a balance of privacy and security in its products.

"Microsoft is clearly thinking about security and privacy very hard, and they've realized they're not going to solve it by themselves," Hahn said.

With government regulators and industry counterparts pressing down on several aspects of Microsoft's business, from federal trust-busters to industry chief technology officers who have been burned by the use of Microsoft's bug-prone software, the company that arguably has been at the center of the industry's security and privacy battle has now found itself with a difficult choice.

If it gets too wrapped up addressing privacy -- appeasing critics such as those who recently filed a claim with the U.S. Federal Trade Commission regarding Microsoft's Passport service -- the company endangers its ability to create secure products, Mundie said. If it gets too wrapped up in security, devising Teflon products that are impervious to malicious programmers, it could step on privacy.

"Compromise will be required," Mundie said.

As seen here in the vast complexity of the issues behind making a secure and private computing network that also is a useful tool, Mundie turned to analogies to identify many of the latest security and privacy issues it is facing.

On hackers, Mundie compared the malicious coders who are poking holes in Microsoft's software to the cells of terrorists that threaten the safety of the U.S.: "The evolution of hacking is very, very akin to this network of terror cells," he said. "And there is the potential to treat them the way we treat terrorist cells."

On government's role in monitoring technology and the Internet, Mundie says regulation has historically been done by policy makers who rely on examples from the past. "It's like trying to drive a car looking through the rear-view mirror," he said.

On government regulation of Microsoft's business practices and those of other companies building similar Internet technology, Mundie compared the company to a goose that lays golden eggs. "Do we shoot the goose? Or do we take more of a risk and let the goose keep running free for a while?" he said.

With two days of discussion ahead, and presentations scheduled from speakers including Federal Trade Commissioner Mozelle Thompson as well as Richard Clarke, special advisor to President Bush for cyberspace security, Microsoft is bringing the issues to the fore and looking for some answers.

"This is not a simple problem, and no simplistic approach is in and of itself going to yield the desired result," he said. "But we're up to the task of meeting our commitment."
