Microsoft: Trustworthy computing is years away
- By William Jackson
- Mar 05, 2003
A year after Microsoft Corp. chairman Bill Gates called a companywide stand-down to focus on software security, chief technology officer Craig Mundie said it will take the rest of this decade to achieve trustworthy computing.
The company's trustworthy computing initiative calls for systems to be designed for reliability from the ground up and to operate securely out of the box.
Windows security has improved somewhat, Mundie said at Microsoft's Government Security Summit in Washington late last year. But not until around 2008 or 2010 will there be enough new hardware and software platforms with the degree of cross-system assurance that Microsoft is shooting for, he said.
That could mean a long ramp-up time for the new Homeland Security Department.Jury-rigged quarantine
Information assurance will be key to interagency intelligence sharing. But until now, agencies have counted on air gaps and stovepipes to quarantine their sensitive information.
'We have no effective way to facilitate getting these things together,' Mundie said. 'That can't happen until complete systems are trustworthy.'
After repeated crises with its software security, Microsoft last February halted all Windows programming to concentrate on fixing problems. The stand-down lasted nine weeks, cost the company an estimated $100 million and delayed the release of .Net Server.
Among the improvements achieved, Mundie cited new default settings:
- Visual Basic Script and access to unsecured wireless LANs are turned off in Office XP Service Pack 1.
- Internet Connection Firewall is on in Windows XP Home Edition.
- Internet Information Services server is turned off in .Net Server. If IIS is activated, many services are still turned off by default.
Mundie also said the company is developing an automated update service to push patches to small-enterprise users, and it is writing configuration guidelines to set baseline security and lock down IIS.
Windows 2000 is the first full operating system to receive international Common Criteria certification, he said, and 'we will aggressively pursue getting the evaluation done on .Net Server and XP Home.' Most work to date has been remedial, however.
'Many of the things we are working on cannot start with a clean sheet of paper,' Mundie said. Numerous elements get rolled over into new products, and software developed entirely under the new initiative still is years away.
'The way we still write software is too error-prone,' he said. 'We haven't had a revolution in the way we program machines.'
Palladium is the code name for the security architecture of the next Windows version. Under Palladium, core components will work on a newly open PC hardware platform with the same integrity now found only in closed systems.
Such systems will require strong authentication for machines, software and users. Mundie said an industrywide effort is under way to build Palladium-compliant hardware that will probably be ready around 2004.
But even if trustworthy systems reach critical mass by 2010, they still have to work with less secure legacy systems.
William Jackson is a Maryland-based freelance writer.