Information Security News mailing list archives

Microsoft looks for consensus on security


From: InfoSec News <isn () C4I ORG>
Date: Thu, 7 Dec 2000 16:21:44 -0600

http://www.zdnet.com/eweek/stories/general/0,11011,2662376,00.html

By Scott Berinato, eWEEK
December 7, 2000 3:03 PM ET

REDMOND, Wash. -- Microsoft Corp. Chairman Bill Gates kicked off the
company's first-ever security summit here today, dubbed SafeNet 2000,
calling for industry-wide involvement and hinting at some of the
security features the company is developing.

Microsoft is trying to establish some leadership in what it calls the
"trust" issues -- security and privacy. But the event, which has
attracted some of the country's leading security experts, was also
designed to get industry-wide input on what issues need to be
addressed.

"These issues are real show-stoppers in terms of technology and how
far it goes in terms of being useful to people," said Microsoft Chief
Operating Officer Bob Herbold, who introduced Gates. "The task is to
roll up your sleeves, give us your very best thinking and put us on
track to deliver the trust we want to achieve."

Gates' keynote, delivered before the experts broke out into working
groups, stayed away from any overarching statements. Instead, he went
right down into technology, suggesting many security issues can be
resolved with software.

For example, in the privacy realm, Gates focused less on policy and
more on advances such as software agents, saying that these tiny
programs that automate tasks such as categorizing and prioritizing
e-mail should be employed to protect users' privacy.

"The issue of freedom from intrusion is an area where a huge
contribution can be made by software," Gates said. "When we meet on
this topic three or four years from now, this is an issue we should be
able to say we've made huge technical advances on."

P3P and cookies

When he talked about privacy, it was in the vein of standardizing
policies through the P3P (Platform for Privacy Preferences)
specification, which, when implemented by a Web site, expresses its
privacy policy in a standard form that users can assume entails a
certain level of technical security. The World Wide Web Consortium
developed the spec.

"We think this is a fundamental technology," Gates said, introducing a
demo of Microsoft's Internet Explorer browser running on Whistler, the
next version of Windows.

The demo showed IE distinguishing between P3P-enabled and
non-P3P-enabled sites, and doing different things with them as a
result, such as blocking cookies at one site but not another. IE 6.0
also has an icon that, when clicked on, displays a site's privacy
policy in plain English -- if the site is P3P-enabled. That's a
significant advance from the cookie-blocking and privacy support in
the current version of IE.

After it added technology to IE that blocks third-party cookies but
allows so-called first-party cookies, Microsoft met resistance from
some vendors whose business relies on third-party cookies. The
P3P-based system divorces cookie blocking from the type of cookie and
instead relates it to the Web site's policy on what it uses cookies
for. In short, instead of blocking third- or first-party cookies,
users will be able to block cookies that aren't from a trusted site,
no matter what type they are.
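To make the shift concrete, here is a small model of the two blocking rules the article contrasts. It is an added illustration, not Microsoft's or IE's code: it assumes the W3C P3P compact-policy header form (`P3P: CP="..."`), and the token subsets it treats as "unsatisfactory" are a constructed rule, not the browser's actual table.

```python
import re

# Compact-policy tokens (W3C P3P 1.0).  Treating these particular tokens as
# "unsatisfactory" is a constructed rule for this illustration, not IE 6's table.
PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN", "UNI"}            # identifiable data
SECONDARY_USES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
                  "SAM", "OTR", "UNR", "PUB"}                   # purposes / recipients
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

def parse_compact_policy(headers):
    """Tokens of the P3P compact policy, or None for a non-P3P-enabled site."""
    value = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
    match = _CP_RE.search(value) if value else None
    return set(match.group(1).split()) if match else None

def policy_is_unsatisfactory(tokens):
    """Constructed rule: identifiable data put to a secondary use or shared
    outside the site without an opt-in ('i') or opt-out ('o') suffix."""
    if not {t[:3].upper() for t in tokens} & PII_CATEGORIES:
        return False
    for tok in tokens:
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if base in SECONDARY_USES and suffix not in ("i", "o"):
            return True
    return False

def legacy_decision(third_party):
    """The earlier model the article describes: block by cookie type alone."""
    return "block" if third_party else "accept"

def policy_decision(site, headers, trusted=frozenset()):
    """The P3P-based model: block by the site's stated policy, whatever the type."""
    if site in trusted:
        return "accept"
    tokens = parse_compact_policy(headers)
    if tokens is None:
        return "block"      # no machine-readable policy to evaluate
    return "block" if policy_is_unsatisfactory(tokens) else "accept"

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "shop.example": {"P3P": 'CP="CAO DSP COR CURa ADMa PSAi OUR IND PHY ONL"'},
        "ads.example": {"P3P": 'CP="NOI PSAa TAIa OTRa IND PHY ONL"'},
        "old.example": {"Set-Cookie": "t=3"},
    }
    for site, headers in samples.items():
        print(site, "legacy:", legacy_decision(True), "p3p:", policy_decision(site, headers))
```

Run as a script, the three constructed sites all lose their cookie under the old third-party rule, while the policy rule accepts the one whose compact policy makes secondary use opt-in and blocks the other two.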

"We were confusing people" with the previous cookie-control features,
Gates said. "People really didn't know what those controls related
to."

"It's come a long way from where they were just arbitrarily blocking
third-party cookies," said one source at the conference who disliked
the earlier cookie-blocking technology. "But the question remains, on
what policy will they block cookies now? Will it be any cookie that
goes to a site that collects anonymous data? Or will it be any cookie
that stores any personal information? No one knows."

To that end, the source said, Microsoft is planning to hire an
independent third party to define privacy parameters in its blocking
technology. The source said the independent party could be
PricewaterhouseCoopers. Microsoft officials would not comment.

"We are clearly seeing the mixing of policy and technology
infrastructure taking place, and it's from the user control point of
view," said Richard Purcell, Microsoft's chief security officer.

Lessons learned?

Gates also demonstrated smart cards used as an authentication device,
which he said all Microsoft network administrators will need in order
to create and delete user accounts. Without the smart card plugged in,
a user's rights are immediately taken away. This was a thinly veiled
reference to the major hack of Microsoft's network in October, where
it's believed the hackers elevated their access rights by creating new
accounts.

Whistler also includes a new feature called Fast User Switching. The
"shut down" dialog box now includes a button that will allow users to
switch their desktop profiles on the fly.

But while Microsoft clearly views security as important to fix before
online transactions become pervasive, the company is still not ready
to give up all the technical advantages of a more open security model.
For example, Michael Wallnet, who showed the IE 6.0 demo, said that
while some sites, such as health care sites, will legally be "opt-in,"
"we don't think as a rule it's appropriate to set it that way."

And in terms of government involvement, Gates was cautiously
supportive of the feds being involved.

"There will be a role for the government in the privacy issue
certainly when you get to things like medical records or tax records,"
he said. "And when someone says they will only use information in a
certain way, they actually have to follow that. I would hate to see
the current privacy taxonomy hard-coded into law, though. To me, the
government's role is making sure that misrepresentation isn't taking
place."

The conference continues this afternoon with Forrester Research's John
McCarthy lecturing on "The Internet's Privacy Migraine."
