Hacking may have hurt key Microsoft strategy

[William Knowles <wk () C4I ORG>]

http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack31&document_id=134243411

by Paul Andrews
Seattle Times Silicon Valley bureau
Tuesday, October 31, 2000, 12:00 a.m. Pacific

PALO ALTO, Calif. - The software worm that bored its way into
sensitive product-development areas of Microsoft's network over a
reported 12-day period may ultimately prove less damaging to the
company's intellectual property than to its strategic ambitions.

As it attempts its steepest corporate reinvention yet, Microsoft is
painting itself as the company with products large enterprises can
rely on to grow their businesses into the New Economy. Yet as
demonstrated by the hacker attack uncovered last week, Microsoft
itself cannot totally protect precious data from unwanted - and
illegal - incursion in a Windows-based environment.

Microsoft's Silicon Valley competitors, while acknowledging no company
is immune to hacker attacks, say Windows has greater security
challenges than older, more mature systems built on Unix and a Unix
spinoff, Linux.

"We believe Solaris offers a lot more security," Ed Zander, president
and chief operating officer at Sun Microsystems, said of the company's
Unix-based operating system.

Acknowledging "this could happen to anyone," Zander said, "We can't
evaluate specifics till we know exactly what did happen" in the
Microsoft case.

Microsoft, whose explanations have changed a number of times since
initial news reports about the incident, said it is withholding
numerous details to avoid hindering an FBI investigation.

The company said the intruder got only fleeting access to a future
product, not Windows or Office, and it narrowed the length of the
attack from weeks to 12 days.

As a precaution, however, Microsoft blocked employees from having
remote access to the corporate network over the weekend.

Regardless of what happened in the incident, it might be Microsoft's
ambitious corporate initiatives that are affected most in the long
run.

Since February's rollout of Windows 2000, Microsoft's most powerful
operating system to date, the company has championed the reliability
of Windows-powered business systems.

With the advent in June of its .NET strategy and line of high-powered
servers aimed at corporate networks linking to the Internet, the
volume has increased to the level of a corporate mantra.

At a high-profile event called Enterprise 2000 in San Francisco last
month, Chief Executive Steve Ballmer emphasized Microsoft had "come of
age" in the world of enterprise computing, the business of serving
huge corporations, government and institutions.

With its new products and initiatives, including Windows 2000
Datacenter server and the .NET enterprise server market, Microsoft has
the building blocks "required to run the biggest businesses in the
world," Ballmer said.

Of the company's more than 38,000 employees, 3,200 are involved in
consulting, 3,900 in enterprise support and more than 2,000 in
enterprise services, all contributing to what has become a $4 billion
annual business for Microsoft.

Something to prove

But longtime observers say Microsoft must hurdle doubts about security
if it is to become a big-enterprise player for banks, airlines, stock
brokerages, insurance companies and telephone companies that rely on
"unbreakable" computing services.

"The fact is, software kernels (key code) have to be absolutely
crack-proof, and that's a level of robustness that Microsoft has had
little experience with," said George Lindamood, former chief of
information systems for Washington state and a big-systems consultant.
"Given the experience with NT (Windows 2000's predecessor), I'm
dubious that they can make a silk purse out of that sow's ear."

Asked about the break-in disclosed last week by a program called QAZ
Trojan, privacy expert and author Simson Garfinkel said, "What do you
expect? It's Windows."

Features Microsoft has built into Windows to integrate popular Office
and Internet services have been repeatedly exploited by hackers -
notably the author of the infamous Outlook e-mail Love Bug.

Microsoft defended the integrity of its network security, noting that
hacking of corporate networks occurs regularly. On the other hand, the
company's request that the FBI investigate indicated this incident
held greater significance, apparently based on the company's inability
to track down or trap the intruder.

In the intellectual-property world of e-commerce, "companies need 100
percent assurance that their data is safe," said John Loiacono, chief
marketing officer at Sun Microsystems, a chief Microsoft competitor
based in Palo Alto.

Microsoft says it can meet corporate data needs by "clustering"
high-powered PCs together at a fraction of the cost of a Sun server.

"It's an appealing proposition at one level," Loiacono said. But
companies who rely on round-the-clock reliability, "tell us they're
not even looking at the (Microsoft) Datacenter (server) stuff," he
said.

Another Microsoft arch foe, database maker Oracle, likes to warn
clients of Windows 2000 reliability claims.

At the Windows 2000 launch, Chairman Bill Gates noted that a Windows
2000 server could be expected to experience a reboot or downtime only
after at least 90 days of uninterrupted performance. If a company
clusters 12 such systems together, Oracle said, that could
mathematically equate to an outage every 7-1/2 days.

Nobody's perfect

Microsoft can point to competitors' problems as well. Most recent was
a series of "glitches" on eBay, the high-traffic Web auction site.
Oracle issued a statement blaming the outages on a software upgrade to
its 8i database, a competitor to Microsoft's SQL Server database.

"This is what happens when you put all your resources into one big,
honking database," said Charles Fitzgerald, director of business
development for the developer-strategy group at Microsoft, as opposed
to spreading out among several "clustered" systems.

Memories of security holes tend to be short-lived. Asked if last
week's episode gives the company a black eye in the enterprise world,
a Microsoft spokesperson noted, "Only until some other big company
gets hit."

But the official acknowledged Microsoft still is proving its mettle in
enterprise computing.

"To win in the enterprise space requires a whole different world than
we've been used to," the executive said.

Adding that the company is "making progress," the executive noted,
"Before people were saying Windows couldn't do it at all. Now they're
saying here are the things it needs to do to succeed, and that list is
shrinking all the time."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".