
ADTmag.com at RSA: Gates explains Microsoft security push

Bill Gates looked a bit like a mouse strolling into a room full of cats when he first took the stage to give his opening keynote on Tuesday at this week's RSA Security Conference. His audience was largely made up of the very people who have been dealing with the vulnerabilities and code leaks plaguing Microsoft recently.

Microsoft's chairman and chief software architect didn't exactly get his audience to purr, but his announcements about his company's ongoing efforts to improve the security of its world-dominating operating system were greeted warmly by the record crowd assembled at San Francisco's Moscone Center as well as criticized by executives at rivals like Sun Microsystems.

"[Security] is not at the top of the list of what should hold us back from innovating," Gates said. "I'm very optimistic about this, even though there are a lot of years of work ahead of us."

Security does seem to be at the top of Microsoft's to-do list, as Gates said the area now accounts for the biggest part of his company's R&D investment. "Our research group is making advances that are very important here," he said. Gates also referred to the Microsoft Trusted Computing initiative, which the company launched in 2002. "Over the last two years, I think we've made a lot of progress," he said.

During his presentation Gates unveiled a number of new security technologies that Microsoft plans to release in the coming months, including a code-scanning feature due in the next release of Visual Studio, a pop-up window blocker built into Internet Explorer, and a brand new feature that centralizes and manages security settings, dubbed "Windows Security Control Center."

Among other things, Windows Security Control Center -- essentially a GUI-based management console -- will provide users with an overview of the security posture of their PCs. It will alert users about the status of antivirus software, the Windows Firewall and other security-related systems.

This feature will also manage the download of ActiveX controls, which can become security risks if maliciously used. All of the features are managed through Active Directory group policy, said Zach Gutt, a technical product manager who demonstrated the features of Windows Security Pack 2.

Observers were not surprised that Sun officials expressed some skepticism about the Redmond, Wash., software giant's approach to network security.

"Network security is not the oxymoron our competitor would like you to believe," said Jonathan Schwartz, Sun's executive vice president of software, in an e-mail. "But it's time the industry admitted that the defensive approaches to PC security with bigger moats, taller walls and memos from the CEO have clearly failed."

According to Sun, the problem with Microsoft's approach is that it "retains the same PC-centric view of the world and a belief that building bigger walls is the answer. The expected product updates and new initiatives Bill outlined are nice, but they're just more bricks in the wall."

"It's time we went on the offensive by proactively authenticating and differentiating service to the good guys," Schwartz said, "instead of always hunting the bad. This approach is more befitting a limitless Internet -- spanning all network devices and services, not just PCs -- and the products and technologies already in deployment by some of the highest security yet most open and interoperable network operators in existence. Infinite possibility requires infinite access based on simplicity, integration and automation."

Meanwhile, during the RSA keynote, Microsoft's Gutt also demoed Active Protection Technology, which Microsoft claims will make networks resistant to worms and viruses through behavior-blocking technology. This feature is said to include new Dynamic System Protection technology, "which automatically raises the level of security of a computer based on the computer's state [of security updates]," Gutt said. In other words, he said, machines missing security patches will automatically get beefed up firewall protection until the patches are installed.

In addition, the technology is designed to detect configuration changes, application modifications and changes in the location of the machine, and to then adjust the PC's security posture accordingly, Gutt said.

Gates also outlined Microsoft's Coordinated Spam Reduction Initiative (CSRI), his company's master plan to stem the flood of spam. At the center of the plan is a set of technical specifications for the establishment of what Microsoft calls "Caller ID for E-Mail," a system that utilizes a verifiable identifier to make it harder for spammers to disguise their locations. The company believes the system will help to eliminate domain spoofing and increase the effectiveness of spam filters by verifying what domain a message came from. Microsoft is currently moving forward with plans for a pilot version in its Hotmail online e-mail service, Gates said.

Other companies, including America Online, are also working on ways to identify the true source of e-mail messages.

Microsoft Development Manager Gavin Jancke demonstrated "tamper-resistant" biometric ID-card software. The Microsoft-created software is designed to be used by both small- and large-sized companies to create ID cards using a digital camera, inkjet printer and a business-card scanner. Jancke drew some laughs from the audience when he used the big screen to display an encrypted driver's license created with the software showing a picture of Bill Gates as a teenager.

Gates drew the biggest applause with his announcement that Microsoft has joined with conference-sponsoring company RSA Security Inc. to develop a SecurID technology specifically for Windows. SecurID is RSA's token-based, two-factor authentication solution that is designed to eliminate dependence on user passwords. The system employs a random number generator -- which the company calls a user token or keychain "fob" -- that generates a six-digit number every 60 seconds to serve as a one-time user passcode. The passcode is used in conjunction with a personal PIN to allow user sign-on.
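The token-plus-PIN sign-on described above, as an added illustration that is not Microsoft's or RSA's code: a six-digit passcode that changes every 60 seconds, checked on the server together with the user's PIN, accepted only once, and tolerated one window either side for clock drift. The HMAC-based generator is a stand-in for RSA's proprietary token algorithm, which the article does not describe; the seed, user name and PIN are constructed values.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6          # six-digit passcode, as described for SecurID
STEP_SECONDS = 60   # a new passcode every 60 seconds
SKEW_WINDOWS = 1    # accept one window of clock drift either side


def token_code(seed: bytes, unix_time: int) -> str:
    """Passcode for the 60-second window containing unix_time.

    HMAC-SHA1 truncation in the style of RFC 4226/6238, used here as a
    stand-in for the proprietary SecurID algorithm (assumption, not RSA's)."""
    window = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class PasscodeServer:
    """Server side: each user is enrolled with a PIN and a token seed.
    Sign-on needs PIN + current passcode, and each passcode is single-use."""

    def __init__(self) -> None:
        self.users = {}      # user -> (pin, seed)
        self.used = set()    # (user, window) pairs already consumed

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (pin, seed)

    def verify(self, user: str, submitted: str, now: int) -> bool:
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        for delta in range(-SKEW_WINDOWS, SKEW_WINDOWS + 1):
            t = now + delta * STEP_SECONDS
            expected = pin + token_code(seed, t)          # PIN + passcode
            if hmac.compare_digest(expected, submitted):
                key = (user, t // STEP_SECONDS)
                if key in self.used:                      # replayed passcode
                    return False
                self.used.add(key)
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-token"   # constructed sample value
    server = PasscodeServer()
    server.enroll("alice", "1234", seed)
    now = int(time.time())
    print(server.verify("alice", "1234" + token_code(seed, now), now))   # True
```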

"It's great to see a big company like Microsoft putting its weight behind a security solution like this," said Ray Wagner, research director in information security strategies at Gartner. "There has been a drag in security spending because companies don't want to spend money on it. What they want is a ubiquitous solution and they want to get rid of passwords. This seems to be a step in the right direction."

Solutions like SecurID will eventually make passwords obsolete, Microsoft's Gates said. "There is no doubt that over time, people are going to rely less and less on passwords," he said. "People use the same password on different systems, they write them down and they just don't meet the challenge for anything you want to secure."

Interestingly, Gates admitted that Microsoft would not be using the SecurID system internally because the company already uses a smartcard-based system. That system was implemented with the help of RSA, he added.

According to RSA President and CEO Art Coviello, the new RSA SecurID for Microsoft Windows solution will be available in limited quantities for beta testing in Q2/2004. The company expects general availability in the third quarter of this year.

Before Gates took the stage, ABC News Chief Congressional Correspondent Cokie Roberts warmed up the overflow RSA crowd with shots at both the Republicans and Democrats. Roberts said she couldn't help but laugh when she read the conference agenda.

"Hacks, attacks and flaws," she said. "I thought, 'This is my world.' I'm surrounded by hacks. There are always plenty of political attacks. And let's not even talk about the character flaws! And identity theft? Every one of the Democratic candidates is trying to steal Bill Clinton's identity. Without Monica, of course."

Roberts got the biggest laugh of the day with her analysis of the reasons for George W. Bush's victory in the 2000 presidential election. Gore's supporters, she said, ". . . were probably at home with the Internet -- which he had invented."

When it comes to security, Microsoft is something of a victim of its own success, Gartner's Wagner said. "There's no question that Microsoft is a very large and well-targeted organization," Wagner told ADTmag.com. "You just don't see virus attacks and major denial of service attacks against Macintosh and Linux. The fact of the matter is that attacking a system is generally a print opportunity. You don't get any press by attacking 6% of the market. Consequently, Microsoft is going to get attacked more often than others, but clearly, they're working on it."

Microsoft recently confirmed that a relatively small portion of Windows 2000 and NT 4.0 source code was leaked to the Internet two weeks ago. The code was reportedly stolen from a vendor partner. So far, no breach of internal security or of Microsoft's internal network has been reported.

That code theft was unlikely to put Windows at any greater threat than it currently endures, according to a panel of cryptographers who discussed the problem during the RSA show. "This is an issue for script kiddies and vandals," said panelist Paul Kocher, president and chief scientist at Cryptography Research Inc.

Forrester analyst Jonathan Penn saw Gates' presentation as part of Microsoft's ongoing efforts to reassure its vast constituency that its Trusted Computing Initiative is bearing fruit.

"For a company as large and as diverse as Microsoft, you need to show backing at this level," Penn said. "And it's going to need some constant attention by the upper-level people. For all that they've done, and all the effort they've put into it internally, and all that they've accomplished in terms of more stable code and a focus on security, people are still being affected by Microsoft vulnerabilities. Until that pain is relieved, the people at Microsoft will need to continue to show that they're not done yet and that they understand."