[LINK] Microsoft Plans Year Two of Trustworthy Computing

Bernard Robertson-Dunn brd@austarmetro.com.au
Mon, 24 Feb 2003 16:38:27 +1100

Statement: An operating system that keeps system functions separate from
application functions would be more secure than one that does not.


Or to put it another way: any "operating system" that lets applications
change system components (i.e., installs any code into the system folder,
either as new code or overwriting existing code) is suspect.

Or to put it yet another way: Windows is fundamentally insecure and cannot
ever be made as secure as an operating system that rigidly segregates OS
from application, like mainframe operating systems of the 1970s.

Any comments?

I wonder what Microsoft's Chief Architect has to say about this - assuming
he understands the question. After all, Operating Systems are a little more
complicated than a BASIC compiler, on which he cut his baby teeth.


Microsoft Plans Year Two of Trustworthy Computing
By Matthew Aslett
DATE: 02/24/2003

With Microsoft Corp having completed the first year of its Trustworthy
Computing initiative, the company is now looking ahead and has made three
priorities for the coming year: simplified patch management, the
institutionalization of internal security training, and the publication of
more deployment and security guides and utilities.

Stuart Okin, the chief security officer for Microsoft UK, said that the
patch management issue is the top priority, and would see the company
aiming to reduce the number of installers in its product range. "Our
product teams are very independent which has a number of pros and cons. One
of the problems is around security, because each product group has its own
engineering division which deals with patches in its own way," he said.

While operating system patches are delivered to users via Microsoft's
Software Update Services, Office users have to visit Microsoft's Office web
site and scan for patch requirements, while SQL Server users are notified
of patches via alerts and then have to visit Microsoft's TechNet site.

"What we need is a single process, and that's something that we need to
address over the next year to two years," Okin continued. Microsoft
currently has about seven installers across its product range, said Okin,
and it would take time for the company to bring about the product changes
required to reduce that number to one.

"I don't think we'll get to a single installer [in two years], but we can
get to Windows Update and MSI," he added. "Eventually, given enough time,
we should be able to get down to a single installer, and hopefully ISVs
will be able to use that installer as well."

Meanwhile, the company is also looking to institutionalize its internal
security training following its 10-week development stand-down during early
2002, when developers and testers downed development tools to check
Microsoft's code base for bugs and potential security holes and went
through internal security training programs. "The plan is to
institutionalize and productize the security stand-down," said Okin. "Each
team did it slightly differently. Now we want to make it a standard program
and versionalize it."

The company is also in the process of implementing new scorecards through
which its product teams can be graded on how their output matches up in terms of
security, privacy, reliability and business integrity. A scorecard for
privacy has been introduced that measures product managers on how well
their products meet five "NCASE" criteria - notification, choice, access,
secure, and enforce - and gives them objectives for the next release, said

Meanwhile, other scorecards are in development for security, reliability
and business integrity, for which Okin said it is more complicated to
identify the criteria by which product teams should be measured.

By far the trickiest of these, according to Okin, will be business
integrity, by which Microsoft hopes to persuade customers that it is a
company to be trusted. "Business integrity is the trickiest one, I think,"
he said. "How do I give you the feeling that you should trust Microsoft?
The first way is by being transparent, and the second is by doing what we
say we are going to do."

Okin admitted that this transparency will not always work in the company's
favor, and said that its announcement of early plans for the controversial
Palladium security-on-a-chip system - now renamed "next generation secure
computing base" - was evidence of that. "We went really early with this and
there was a lot of confusion about what we were doing," he said, "but we
were trying to be transparent."

Microsoft's third priority for the next stage of Trustworthy Computing is
to continue the delivery of new deployment guides and utilities, Okin said,
that give customers the guidelines and tools to develop and deploy
Microsoft technologies in a secure and reliable infrastructure.

While these three priorities set out Microsoft's Trustworthy Computing
plans for the next 12 to 24 months, Okin was quick to maintain that there
was no quick fix to the problem. "Windows 2003 Server will be the most
secure operating system ever, but it will have some problems we didn't
notice," he said. "Does that mean we've failed Trustworthy Computing? It
doesn't. It's a journey. Trustworthy Computing is a vision of the future,
where computing is as trusted to use as a utility or a telephone," he
continued. "We think it will take us five, 10 or even 15 years to get to
that end point."

A little learning is a dangerous thing; drink deep, or taste not the
Pierian spring: there shallow draughts intoxicate the brain, and drinking
largely sobers us again.
-- Alexander Pope 1688-1744


Bernard Robertson-Dunn
Canberra Australia