Microsoft: Trustworthy computing is years away

A year after Microsoft Corp. chairman Bill Gates called a companywide stand-down to focus on software security, chief technology officer Craig Mundie said it will take the rest of this decade to achieve trustworthy computing.

The company's trustworthy computing initiative calls for systems to be designed for reliability from the ground up and to operate securely out of the box.

Windows security has improved somewhat, Mundie said at Microsoft's Government Security Summit in Washington late last year. But not until around 2008 or 2010 will there be enough new hardware and software platforms with the degree of cross-system assurance that Microsoft is shooting for, he said.

That could mean a long ramp-up time for the new Homeland Security Department.

Jury-rigged quarantine

Information assurance will be key to interagency intelligence sharing. But until now, agencies have counted on air gaps and stovepipes to quarantine their sensitive information.

'We have no effective way to facilitate getting these things together,' Mundie said. 'That can't happen until complete systems are trustworthy.'

After repeated crises with its software security, Microsoft last February halted all Windows programming to concentrate on fixing problems. The stand-down lasted nine weeks, cost the company an estimated $100 million and delayed the release of .Net Server.

Among the improvements achieved, Mundie cited new default settings:
  • Visual Basic Script and access to unsecured wireless LANs are turned off in Office XP Service Pack 1.

  • Internet Connection Firewall is on in Windows XP Home Edition.

  • Internet Information Services server is turned off in .Net Server. If IIS is activated, many services are still turned off by default.

Mundie also said the company is developing an automated update service to push patches to small-enterprise users, and it is writing configuration guidelines to set baseline security and lock down IIS.

Windows 2000 is the first full operating system to receive international Common Criteria certification, he said, and 'we will aggressively pursue getting the evaluation done on .Net Server and XP Home.' Most work to date has been remedial, however.

'Many of the things we are working on cannot start with a clean sheet of paper,' Mundie said. Numerous elements get rolled over into new products, and software developed entirely under the new initiative still is years away.

'The way we still write software is too error-prone,' he said. 'We haven't had a revolution in the way we program machines.'

Palladium is the code name for the security architecture of the next Windows version. Under Palladium, core components will work on a newly open PC hardware platform with the same integrity now found only in closed systems.

Such systems will require strong authentication for machines, software and users. Mundie said an industrywide effort is under way to build Palladium-compliant hardware that will probably be ready around 2004.

But even if trustworthy systems reach critical mass by 2010, they still have to work with less secure legacy systems.

About the Author

William Jackson is a Maryland-based freelance writer.

