Information Security News mailing list archives

Gates says Microsoft security push cost $100 mln


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Jul 2002 11:02:49 -0500 (CDT)

http://www.forbes.com/technology/newswire/2002/07/18/rtr667718.html

By Elinor Mills Abreu
Reuters
07.18.02

SAN FRANCISCO (Reuters) - Microsoft Corp. Chairman Bill Gates Thursday
said the company's high-profile campaign to improve the security of
its software had cost at least $100 million this year, but said the
expense was paying off in better products.

In the early months of this year, Microsoft interrupted the
development work of more than 8,500 engineers and sent many on special
training to improve the security of its Windows operating system. That
"stand-down" took nearly two months and cost at least $100 million,
Gates said Thursday.

"We estimated that the stand-down would take 30 days," Gates wrote in
an e-mail sent to more than a million customers who subscribe to
Microsoft newsletters and provided to Reuters. "It took nearly twice
that long, and cost Microsoft more than $100 million.

"We've undertaken similar code reviews and security training for
Microsoft Office and Visual Studio .NET, and will be doing so for
other products as well," he said in the e-mail, in which he touted the
progress that has been made since January when he proclaimed security
as Microsoft's top priority.

At the time, Gates sent a rare e-mail to Microsoft's 50,000 employees
that said the future of the company depended on ensuring that its
products were secure from hackers and viruses.

Over the past six months, the Redmond, Washington-based software giant
has changed the way it designs and develops software, and has
committed to shipping Windows .NET Server 2003 as "secure by default,"  
with settings in the position of the highest level of safety, the
e-mail said.

Microsoft also now offers tools which allow users to quickly install
updates and patches and analyze systems for incorrectly configured
software and missing fixes, he said.

The company has incorporated technology into its Internet Explorer
browser software in Windows XP that allows people to set privacy
preferences and easily review Web site privacy policies.

And most recently, the company released information about a new
project dubbed "Palladium" in which it will work with microprocessor
and PC manufacturers to embed security features into the hardware,
among other actions.

STILL COMPLAINTS

Despite the efforts, the company still ends up releasing security
fixes on a weekly, sometimes daily, basis.

Just this week the company announced a vulnerability in its SQL Server
2000 software that could allow an attacker to run malicious code on
the computer.

In mid-June, a security program manager for the company's Security
Response Center said officials had released 30 security bulletins
since the beginning of the year, equal to about half the total sent
out last year.

Some of Microsoft's moves to improve the security of its products have
actually been criticized as being too intrusive.

For instance, certain automatic update features can pass data from the
computer back to the company, but Microsoft executives insist they
aren't collecting information about individual users.

In addition, Microsoft's new Palladium plan has been criticized by
privacy advocates who say it poses potential for abuse and by
cyber-libertarians who say it is designed to allow copyright holders
more effective ways to prevent piracy through digital copyright
management.

However, Microsoft executives have insisted that their aim with
Palladium is to offer customers better security and privacy.

The e-mail is the first in an "occasional series of mails" that Gates,
Chief Executive Steve Ballmer and other Microsoft executives will be
sending to people on technology and public policy issues, Gates wrote.

"This is part of our commitment to ensuring that Microsoft is more
open about communicating who we are and what we are doing," he said.  
"Trustworthy Computing really is a journey rather than a destination."

Earlier in the day, Microsoft reported a 10 percent rise in
fourth-quarter sales and higher earnings on strong corporate demand
for its products.




-
ISN is currently hosted by Attrition.org
