Information Security News mailing list archives
Microsoft looks for consensus on security
From: InfoSec News <isn () C4I ORG>
Date: Thu, 7 Dec 2000 16:21:44 -0600
http://www.zdnet.com/eweek/stories/general/0,11011,2662376,00.html

By Scott Berinato, eWEEK
December 7, 2000 3:03 PM ET

REDMOND, Wash. -- Microsoft Corp. Chairman Bill Gates kicked off the company's first-ever security summit here today, dubbed SafeNet 2000, calling for industry-wide involvement and hinting at some of the security features the company is developing.

Microsoft is trying to establish some leadership in what it calls the "trust" issues -- security and privacy. But the event, which has attracted some of the country's leading security experts, was also designed to get industry-wide input on what issues need to be addressed.

"These issues are real show-stoppers in terms of technology and how far it goes in terms of being useful to people," said Microsoft Chief Operating Officer Bob Herbold, who introduced Gates. "The task is to roll up your sleeves, give us your very best thinking and put us on track to deliver the trust we want to achieve."

Gates' keynote, delivered before the experts broke out into working groups, stayed away from any overarching statements. Instead, he went right down into technology, suggesting many security issues can be resolved with software.

For example, in the privacy realm, Gates focused less on policy and more on advances such as software agents, saying that these tiny programs that automate tasks such as categorizing and prioritizing e-mail should be employed to protect users' privacy.

"The issue of freedom from intrusion is an area where a huge contribution can be made by software," Gates said. "When we meet on this topic three or four years from now, this is an issue we should be able to say we've made huge technical advances on."

P3P and cookies

When he talked about privacy, it was in the vein of standardizing policies through the P3P (Platform for Privacy Preferences) specification, which when implemented by Web sites creates a standard privacy policy that users can assume entails a certain level of technical security. The World Wide Web Consortium developed the spec.

"We think this is a fundamental technology," Gates said, introducing a demo of Microsoft's Internet Explorer browser running on Whistler, the next version of Windows. The demo showed IE distinguishing between P3P-enabled and non-P3P-enabled sites, and doing different things with them as a result, such as blocking cookies at one site but not another.

IE 6.0 also has an icon that, when clicked on, displays a site's privacy policy in plain English -- if the site is P3P-enabled.

That's a significant advance from the cookie-blocking and privacy support in the current version of IE. After it added technology to IE that blocks third-party cookies but allows so-called first-party cookies, Microsoft met resistance from some vendors whose business relies on third-party cookies.

The P3P-based system divorces cookie blocking from the type of cookie and instead relates it to the Web site's policy on what it uses cookies for. In short, instead of blocking third- or first-party cookies, users will be able to block cookies that aren't from a trusted site, no matter what type they are.

"We were confusing people" with the previous cookie-control features, Gates said. "People really didn't know what those controls related to."

"It's come a long way from where they were just arbitrarily blocking third-party cookies," said one source at the conference who disliked the earlier cookie-blocking technology. "But the question remains, on what policy will they block cookies now? Will it be any cookie that goes to a site that collects anonymous data? Or will it be any cookie that stores any personal information? No one knows."

To that end, the source said, Microsoft is planning to hire an independent third party to define privacy parameters in its blocking technology. The source said the independent party could be PriceWaterhouseCoopers. Microsoft officials would not comment.

"We are clearly seeing the mixing of policy and technology infrastructure taking place, and it's from the user control point of view," said Richard Purcell, Microsoft's chief security officer.

Lessons learned?

Gates also demonstrated smart cards used as an authentication device, which he said all network administrators within Microsoft will need to have access to when creating and deleting user accounts. Without the smart card plugged in, a user's rights are immediately taken away.

This was a thinly veiled reference to the major hack of Microsoft's network in October, where it's believed the hackers elevated their access rights by creating new accounts.

Whistler also includes a new feature called Fast User Switching. The "shut down" dialog box now includes a button that will allow users to switch their desktop profiles on the fly.

But while Microsoft clearly views security as important to fix before online transactions become pervasive, the company is still not ready to give up all the technical advantages of a more open security model. For example, Michael Wallnet, who showed the IE 6.0 demo, said that while some sites such as health care sites will legally be "opt-in," "we don't think as a rule it's appropriate to set it that way," he said.

And in terms of government involvement, Gates was cautiously supportive of the feds being involved.

"There will be a role for the government in the privacy issue certainly when you get to things like medical records or tax records," he said. "And when someone says they will only use information in a certain way, they actually have to follow that. I would hate to see the current privacy taxonomy hard-coded into law, though. To me, the government's role is making sure that misrepresentation isn't taking place."

The conference continues this afternoon with Forrester Research's John McCarthy lecturing on "The Internet's Privacy Migraine."
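The article contrasts two cookie-blocking models: the older IE behaviour that decides by cookie type (allow first-party, block third-party) and the P3P-based behaviour that decides by what the setting site's published policy says it uses cookies for. The following is an added illustration, not code from the article, from Microsoft or from the P3P specification. It assumes a simplified policy representation (a list of purpose strings per host) and a simplified user preference (a list of rejected purposes); the real P3P vocabulary is not reproduced, and all hosts, policies and cookies are constructed test data. The point it shows is where the two models diverge: a first-party cookie the old model would accept can be blocked for its purpose, and a third-party cookie the old model would reject can be accepted when its policy is acceptable.

```javascript
// Added example: type-based vs policy-based cookie blocking (constructed data).

// Classify a cookie as first- or third-party by comparing the host that set it
// with the host of the page being viewed (assumption: exact host comparison).
function cookieParty(pageHost, cookieHost) {
  return pageHost === cookieHost ? "first-party" : "third-party";
}

// Older model as the article describes it: block third-party, allow first-party.
function blockByType(pageHost, cookieHost) {
  return cookieParty(pageHost, cookieHost) === "third-party";
}

// Policy-based model: the decision depends on the setting site's published
// policy, not on the cookie's type. `policies` maps host -> { purposes: [...] }
// (constructed); a host with no entry is treated as not publishing a policy and
// its cookies are blocked. `prefs.rejectPurposes` lists purposes the user refuses.
function blockByPolicy(cookieHost, policies, prefs) {
  const policy = policies[cookieHost];
  if (!policy) {
    return { blocked: true, reason: "no policy published" };
  }
  const rejected = policy.purposes.filter(p => prefs.rejectPurposes.includes(p));
  if (rejected.length > 0) {
    return { blocked: true, reason: "rejected purpose: " + rejected.join(",") };
  }
  return { blocked: false, reason: "policy acceptable" };
}

// Constructed scenario: the user is viewing shop.example, and three hosts try
// to set cookies. Policies and preferences are invented for the illustration.
const SAMPLE_POLICIES = {
  "shop.example": { purposes: ["session", "profiling"] }, // first-party, but profiles users
  "cdn.example":  { purposes: ["session"] },              // third-party, session only
  // "tracker.example" deliberately publishes no policy
};
const SAMPLE_PREFS = { rejectPurposes: ["profiling"] };
const SAMPLE_COOKIES = ["shop.example", "cdn.example", "tracker.example"];

// Evaluate every sample cookie under both models and return the comparison.
function compareModels(pageHost = "shop.example",
                       cookies = SAMPLE_COOKIES,
                       policies = SAMPLE_POLICIES,
                       prefs = SAMPLE_PREFS) {
  return cookies.map(host => ({
    host,
    party: cookieParty(pageHost, host),
    blockedByType: blockByType(pageHost, host),
    byPolicy: blockByPolicy(host, policies, prefs),
  }));
}

// Stand-alone run: print the table so the divergence between models is visible.
for (const row of compareModels()) {
  console.log(row.host, row.party,
              "type-model blocks:", row.blockedByType,
              "policy-model blocks:", row.byPolicy.blocked, "(" + row.byPolicy.reason + ")");
}
```

In the constructed scenario the first-party shop.example cookie passes the type-based check but is blocked by the policy-based check for its profiling purpose, while the third-party cdn.example cookie is blocked by type but allowed by policy; tracker.example is blocked by both, for different reasons. Which purposes a real deployment should reject is exactly the open question the conference source raises above.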
ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".