Information Security News mailing list archives

Microsoft Security Push Faces Skepticism


From: InfoSec News <isn () c4i org>
Date: Fri, 1 Mar 2002 04:12:49 -0600 (CST)

http://www.reuters.co.uk/news_article.jhtml?type=technologynews&StoryID=641941

27 February, 2002 17:57 GMT  
By Elinor Mills Abreu 

SAN JOSE (Reuters) - The last time the world's largest software
company announced a major shift in strategy, it went on to muscle its
way from nowhere to dominance of the market for Internet browsers over
industry favorite Netscape.

Now with Microsoft Corp.'s MSFT.O founder and resident visionary Bill
Gates hammering home the message that computing must be made more
"trustworthy," could anti-virus and other computer security companies
be facing a Netscape-like fate?

Not likely, observers say. Many industry watchers remain skeptical
that Microsoft, famous for loading its software with bells and
whistles, can learn to put security first.

Others question whether it will be technically possible to build
hacker-proof software, especially given the sophistication of
Microsoft's upcoming Web services offerings.

Those services will allow consumers to use a single name and password
to log on to a range of online services from banking to travel. But
one key to their success, experts have said, will be convincing
consumers that their financial information is safe from prying
hackers.

"Microsoft and security is an oxymoron," said Howard Lev, group
product manager of appliances at Symantec Corp. SYMC.O "Historically,
they haven't been that interested."

Jim Bidzos, chairman of the conferences unit of RSA Security Inc.
RSAS.O, a leading computer security company, could not resist taking
a jab at Microsoft at a recent conference in San Jose, Calif.

"I love the Microsoft security story. I loved it the first time I
heard it in 1991," he said as the crowd of computer security
professionals erupted in laughter. "The day people who stop products
from going out the door because they're not secure enough become
heroes then we'll know they're serious."

"We managed to embarrass Microsoft into doing something," said Bruce
Schneier, chief technology officer of security monitoring firm
Counterpane Internet Security. "When push comes to shove we'll see
what they do. I'm hopeful, but not optimistic."

RIPPLES THROUGH INDUSTRY

New Microsoft initiatives tend to ripple through the computer security
industry, with many companies bracing for competition from a rival
they don't want. Anti-virus companies were nervous, for example, when
Windows 95 came out, thinking the new Microsoft offering would cut
into their market, according to experts.

It was widely believed that the operating system would end virus
infestations, and it did for a while, David Perry, director of
education at anti-virus company Trend Micro Inc., said.

But then came macro viruses and other malicious code that the old
software could not stop. Now, there are more than a dozen major virus
types, and new ones cropping up all the time, including ones that take
advantage of advanced features in Microsoft software, Perry said.

"If Microsoft gets its act together, in three years, we'll still have
viruses," said Rob Rosenberger, editor of computer security site
Vmyths.com.

By reducing the number of security bugs in its products, Microsoft
could take away some demand for products like intrusion detection and
firewall software. But experts say there will always be new security
problems whenever new technology is introduced.

"People who think that any kind of technological trick is going to end
malicious software are committing an error that one can find in
classical Greek literature -- hubris," Perry said.

PRESSURE FROM CUSTOMERS

Even if perfectly secure software is out of reach, software companies,
most notably Microsoft, face pressure from key customers to do
something to make their products less susceptible to hacking.

Noting that the U.S. government is the single largest consumer,
Richard Clarke, the White House cyber security czar, made the stakes
clear at a recent conference: "We're going to stop buying products
unless they're secure."

The demands of the marketplace, ultimately, are what will make
software makers provide security, and Microsoft has a long history of
sniffing out consumer demand and creating products that meet it. David
Hughes, president of the U.S. subsidiary of British-based anti-virus
firm Sophos, said that Gates has a track record of success when he
stakes out clear goals for Microsoft, as he did in a company-wide
e-mail announcing the security push.

"When Bill says they are going to do something, they do it. He
realizes it's a high priority issue for customers," he said.

But others say the public relations risks are skewed against the
company this time since even a single hack could loom larger than a
host of quiet improvements in its software.

"Microsoft is in a no-win situation," said Lawrence Walsh, managing
editor of Information Security Magazine. "They have to do something.  
But perception is stronger than reality. If they suffer one hack,
people will think they didn't do their job."

During an interview in Tokyo with Reuters last week, Gates, who has a
record of confounding naysayers, said Microsoft welcomed the scrutiny
of its software and the level of their security.

"Microsoft products get looked at harder than any other products and
that's a good thing," he said.

"We have these 24-hour response teams and we're the guys who are
serious about this," Gates said. "We've put into place infrastructure
to update things so it's certainly a key issue for the industry."

(Additional reporting by Reed Stevenson in Tokyo.)



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

