Information Security News mailing list archives
Hacking may have hurt key Microsoft strategy
From: William Knowles <wk () C4I ORG>
Date: Tue, 31 Oct 2000 22:48:20 -0600
http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack31&document_id=134243411

by Paul Andrews
Seattle Times Silicon Valley bureau
Tuesday, October 31, 2000, 12:00 a.m. Pacific

PALO ALTO, Calif. - The software worm that bored its way into sensitive product-development areas of Microsoft's network over a reported 12-day period may ultimately prove less damaging to the company's intellectual property than to its strategic ambitions.

As it attempts its steepest corporate reinvention yet, Microsoft is painting itself as the company with products large enterprises can rely on to grow their businesses into the New Economy.

Yet as demonstrated by the hacker attack uncovered last week, Microsoft itself cannot totally protect precious data from unwanted - and illegal - incursion in a Windows-based environment.

Microsoft's Silicon Valley competitors, while acknowledging no company is immune to hacker attacks, say Windows has greater security challenges than older, more mature systems built on Unix and a Unix spinoff, Linux.

"We believe Solaris offers a lot more security," Ed Zander, president and chief operating officer at Sun Microsystems, said of the company's Unix-based operating system.

Acknowledging "this could happen to anyone," Zander said, "We can't evaluate specifics till we know exactly what did happen" in the Microsoft case.

Microsoft, whose explanations have changed a number of times since initial news reports about the incident, said it is withholding numerous details to avoid hindering an FBI investigation.

The company said the intruder got only fleeting access to a future product, not Windows or Office, and it narrowed the length of the attack from weeks to 12 days. As a precaution, however, Microsoft blocked employees from having remote access to the corporate network over the weekend.
Regardless of what happened in the incident, it might be Microsoft's ambitious corporate initiatives that are affected most in the long run.

Since February's rollout of Windows 2000, Microsoft's most powerful operating system to date, the company has championed the reliability of Windows-powered business systems. With the advent in June of its .NET strategy and line of high-powered servers aimed at corporate networks linking to the Internet, the volume has increased to the level of a corporate mantra.

At a high-profile event called Enterprise 2000 in San Francisco last month, Chief Executive Steve Ballmer emphasized Microsoft had "come of age" in the world of enterprise computing, the business of serving huge corporations, government and institutions.

With its new products and initiatives, including Windows 2000 Datacenter server and the .NET enterprise server market, Microsoft has the building blocks "required to run the biggest businesses in the world," Ballmer said.

Of the company's more than 38,000 employees, 3,200 are involved in consulting, 3,900 in enterprise support and more than 2,000 in enterprise services, all contributing to what has become a $4 billion annual business for Microsoft.

Something to prove

But longtime observers say Microsoft must hurdle doubts about security if it is to become a big-enterprise player for banks, airlines, stock brokerages, insurance companies and telephone companies that rely on "unbreakable" computing services.

"The fact is, software kernels (key code) have to be absolutely crack-proof, and that's a level of robustness that Microsoft has had little experience with," said George Lindamood, former chief of information systems for Washington state and a big-systems consultant. "Given the experience with NT (Windows 2000's predecessor), I'm dubious that they can make a silk purse out of that sow's ear."
Asked about the break-in disclosed last week by a program called QAZ Trojan, privacy expert and author Simson Garfinkel said, "What do you expect? It's Windows."

Features Microsoft has built into Windows to integrate popular Office and Internet services have been repeatedly exploited by hackers - notably the author of the infamous Outlook e-mail Love Bug.

Microsoft defended the integrity of its network security, noting that hacking of corporate networks occurs regularly.

On the other hand, the company's request that the FBI investigate indicated this incident held greater significance, apparently based on the company's inability to track down or trap the intruder.

In the intellectual-property world of e-commerce, "companies need 100 percent assurance that their data is safe," said John Loiacono, chief marketing officer at Sun Microsystems, a chief Microsoft competitor based in Palo Alto.

Microsoft says it can meet corporate data needs by "clustering" high-powered PCs together at a fraction of the cost of a Sun server.

"It's an appealing proposition at one level," Loiacono said. But companies who rely on round-the-clock reliability, "tell us they're not even looking at the (Microsoft) Datacenter (server) stuff," he said.

Another Microsoft arch foe, database maker Oracle, likes to warn clients of Windows 2000 reliability claims.

At the Windows 2000 launch, Chairman Bill Gates noted that a Windows 2000 server could be expected to experience a reboot or downtime only after at least 90 days of uninterrupted performance. If a company clusters 12 such systems together, Oracle said, that could mathematically equate to an outage every 7-1/2 days.

Nobody's perfect

Microsoft can point to competitors' problems as well. Most recent was a series of "glitches" on eBay, the high-traffic Web auction site. Oracle issued a statement blaming the outages on a software upgrade to its 8i database, a competitor to Microsoft's SQL Server database.
"This is what happens when you put all your resources into one big, honking database," said Charles Fitzgerald, director of business development for the developer-strategy group at Microsoft, as opposed to spreading out among several "clustered" systems.

Memories of security holes tend to be short-lived. Asked if last week's episode gives the company a black eye in the enterprise world, a Microsoft spokesperson noted, "Only until some other big company gets hit."

But the official acknowledged Microsoft still is proving its mettle in enterprise computing. "To win in the enterprise space requires a whole different world than we've been used to," the executive said.

Adding that the company is "making progress," the executive noted, "Before people were saying Windows couldn't do it at all. Now they're saying here are the things it needs to do to succeed, and that list is shrinking all the time."

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com