Information Security News mailing list archives

Microsoft announces corporate strategy shift toward security and privacy


From: InfoSec News <isn () c4i org>
Date: Thu, 17 Jan 2002 04:11:59 -0600 (CST)

http://www.siliconvalley.com/docs/news/svfront/058088.htm

BY D. IAN HOPPER AND TED BRIDIS
Associated Press Writers 
Wednesday, Jan. 16, 2002 

WASHINGTON (AP) -- Microsoft Chairman Bill Gates announced a major
strategy shift across all its products, including its flagship Windows
software, to emphasize security and privacy over new capabilities.

In an e-mail to employees obtained Wednesday by The Associated Press,
Gates referred to the new philosophy as ``Trustworthy Computing'' and
said his highest priority is to ensure that computer users continue to
venture across an increasingly Internet-connected world.

Gates compared the significance of his 1,600-word message, sent
Tuesday, to his so-called ``tidal wave'' e-mails during the mid-'90s,
which changed the course of Microsoft, and much of the software
industry, to focus its products on the Internet.

He said this new emphasis on security for Microsoft was ``more
important than any other part of our work. If we don't do this, people
simply won't be willing -- or able -- to take advantage of all the
other great work we do.''

``When we face a choice between adding features and resolving security
issues, we need to choose security,'' Gates continued. ``Our products
should emphasize security right out of the box.''

The dramatic change comes after the discovery of major security
problems in Microsoft products, such as flaws in the latest versions
of Windows that allow hackers to seize control of a user's computer.  
Another problem allowed the Code Red viruses to cripple hundreds of
thousands of computers running Microsoft products.

``Gates saying that security needs to come before features is a huge
statement for the software industry, not just a huge statement for
Microsoft,'' said Marc Maiffret, the founder of eEye Digital Security
Inc., which discovered both the XP flaws and the Code Red viruses.  
``If anybody has the ability to shape the software industry, he's the
man.''

David Smith, vice president of Internet Strategy at Gartner Inc., an
analyst firm, welcomed the move but said the strategy shift may be
coming too late. Smith faulted Microsoft for developing broad,
Internet-based strategies without paying enough attention to security.

``It's about time, perhaps overdue,'' Smith said.

In the e-mail, Gates also referred to the Sept. 11 terror attacks as a
reason to focus on security. He noted that last year's events
``reminded every one of us how important it is to ensure the integrity
and security of our critical infrastructure, whether it's the airlines
or computer systems.''

Other Microsoft executives declined to comment late Wednesday.

Shares of Microsoft were down $1.68 Wednesday to close at $67.87 on
the Nasdaq Stock Market, but they gained 38 cents in extended trading.

Microsoft products can be found in almost every government facility,
from the White House to aircraft carriers at sea. One person with
knowledge of the change said new products and features will be tested
for security risks before going any further -- if they fail, the
feature won't be included.

``Things are going to have to go through a crucible, and the crucible
will be security-first,'' according to this person, who spoke only on
condition of anonymity.

Compensation plans of Microsoft product engineers, such as raises and
bonuses, will also be tied to how secure their products are.

Russ Cooper, a security expert with TruSecure Corporation, said the
change occurred in part after a new security team assigned to attend
every product meeting met resistance from product teams.

Microsoft has long been criticized for focusing on making products
more feature-rich rather than emphasizing security and stability. For
example, Windows XP added DVD player software, a rudimentary Internet
security utility and a new instant messaging program.

Customers could also see a downside, though. Other than fewer new
features, product upgrades could come less frequently or could be
pushed back.

Privacy is also a focus.

``Users should be in control of how their data is used,'' Gates wrote.  
``It should be easy for users to specify appropriate use of their
information including controlling the use of e-mail they send.''



-
ISN is currently hosted by Attrition.org
