[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-advocacy
Subject:    Enjoy (Was: FW: Trustworthy Computing)
From:       "Christian Edward Gruber" <cgruber () israfil ! net>
Date:       2002-07-19 14:34:17
[Download RAW message or body]

-----Original Message-----
From: Bill Gates [mailto:BillGates@chairman.microsoft.com] 
Sent: Friday, July 19, 2002 12:02 AM
To: Christian.Edward.Gruber@gmx.net
Subject: Trustworthy Computing


I'm writing to you, as a reader of one of Microsoft's customer
newsletters, about an issue of particular importance to those of us who
routinely use computers in our work and personal lives - making
computing more trustworthy. Trustworthy Computing involves a lot of
things - reliability, security, privacy and business integrity. 

Before I share my thoughts about this in more detail, I want to give you
some context on why I am sending this email. This is the first in an
occasional series of mails that CEO Steve Ballmer and I, and
periodically other Microsoft executives, will be sending to people who
are interested in hearing from us about technology and public-policy
issues that we believe are important to computer users, our industry and
everyone who cares about the future of high technology. This is part of
our commitment to ensuring that Microsoft is more open about
communicating who we are and what we are doing. 

As I mentioned at the outset, you are receiving this email as a
recipient of a Microsoft newsletter. If you would like to hear from me,
Steve and periodically from other Microsoft executives in the future,
please go to
http://register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=
155. If you don't wish to hear from us again, you do not need to do
anything. We will not send you another executive email unless you choose
to subscribe at the link above.

************************************************************************
************************

As I've talked with customers over the last year - from individual
consumers to big enterprise customers - it's clear that everyone
recognizes that computers play an increasingly important and useful role
in our lives. At the same time, many of the people I talk to are
concerned about the security of the technologies they depend on. They
are concerned about whether their personal data is being protected.
Although they know that computers can do amazing things, they are
frustrated that their technology doesn't always work consistently. And
they want assurances that the high-tech industry takes these concerns
seriously and is working to improve their computing experience.

Six months ago, I sent a call-to-action to Microsoft's 50,000 employees,
outlining what I believe is the highest priority for the company and for
our industry over the next decade: building a Trustworthy Computing
environment for customers that is as reliable as the electricity that
powers our homes and businesses today. 

This is an important part of the evolution of the Internet, because
without a Trustworthy Computing ecosystem, the full promise of
technology to help people and businesses realize their potential will
not be fulfilled. Ironically, it is the growth of the Internet and the
advent of massive computing systems built from loose affiliations of
services, machines, communications networks and application software
that have helped create the potential for increased vulnerabilities. 

There are already solutions that eliminate weak links such as passwords
and fake email. At Microsoft we're combining passwords with "smart
cards" to authenticate users. We're also working with others throughout
the industry to improve Internet protocols to stop email that could
propagate misleading information or malicious code that falsely appears
to be from trusted senders. And we are making fundamental changes in the
way we develop software, in our operational and business practices, and
in our customer support efforts to make the computing experiences we
provide more trustworthy. 

For example, we've historically made our software and services more
compelling for users primarily by adding new features and functionality.
While we are continuing to invest significantly in delivering new
capabilities that customers ask for, we are now making security
improvements an even higher priority than adding features. For example,
we made changes to Microsoft Outlook to block email attachments
associated with unsafe files, prevent access to a user's address book,
and give administrators the ability to manage email security settings
for their organization. As a result of these changes, the number of
email virus incidents has dropped dramatically. In fact, email viruses
like the recent "Frethem" virus propagate only to systems that have not
been updated - underscoring the importance of updating them regularly.
 
We are also undertaking a rigorous and exhaustive review of many
Microsoft products to minimize other potential security vulnerabilities.
Earlier this year, the development work of more than 8,500 Microsoft
engineers was put on hold while we conducted an intensive security
analysis of millions of lines of Windows source code. Every Windows
engineer and several thousand engineers in other parts of the company
were also given special training in writing secure software. We
estimated that the stand-down would take 30 days. It took nearly twice
that long, and cost Microsoft more than $100 million. We've undertaken
similar code reviews and security training for Microsoft Office and
Visual Studio .NET, and will be doing so for other products as well.

THE TRUSTWORTHY COMPUTING FRAMEWORK

Trustworthy Computing has four pillars: reliability, security, privacy
and business integrity. "Reliability" means that a computer system is
dependable, is available when needed, and performs as expected and at
appropriate levels. "Security" means that a system is resilient to
attack, and that the confidentiality, integrity and availability of both
the system and its data are protected. "Privacy" means that individuals
have the ability to control data about themselves and that those using
such data faithfully adhere to fair information principles. "Business
Integrity" is about companies in our industry being responsible to
customers and helping them find appropriate solutions for their business
issues, addressing problems with products or services, and being open in
interactions with customers.

Creating a Trustworthy Computing environment requires several steps:

- Making software code more secure and reliable. Our developers have
tools and methodologies that will make an order-of-magnitude improvement
in their work from the standpoint of security and safety.

- Keeping ahead of security exploits. Distributing updates using the
Internet so that all systems are up to date. Windows Update and Software
Update Services, discussed below, provide the infrastructure for this.

- Early Recovery. In case of a problem, having the capability to restore
and get systems back up and running in exactly the same state they were
in before an incident, with minimal intervention. 

FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING

There is still much work that Microsoft and others in our industry must
do to make computing more trustworthy. Here is a summary of some of the
progress we've made, six months after my email to Microsoft employees:

- We have changed the way we design and develop software at all phases
of the product development cycle. Our new processes should greatly
minimize errors in software, and speed up the development process for
new products and services.

- Software Update Services (SUS) is a security management tool for
business customers that enables IT administrators to quickly and
reliably deploy critical updates from inside their corporate firewall to
Windows 2000-based servers and desktop computers running Windows 2000
Professional and Windows XP Professional.

- Microsoft Baseline Security Analyzer is a new tool that customers can
use to analyze Windows 2000 and Windows XP systems for common security
misconfigurations, and to scan for missing security hot fixes and
vulnerabilities on a variety of products, including newer versions of
Internet Information Server, SQL Server and Office.

- In addition to providing customers with tools and resources to help
them maximize the security of Windows 2000 Server environments, we are
committed to shipping Windows .NET Server 2003 as "secure by default."
We believe it's critical to provide customers with a foundation that has
been configured to maximize security right out of the box, while
continuing to provide customers with a rich set of integrated features
and capabilities.

- The error-reporting features built into Office XP and Windows XP are
giving us an enormous amount of feedback and a much clearer view of the
kinds of problems customers have, and how we can raise the level of
reliability in those products - and that of products made by other
companies. As part of this effort, we recently created a secure Web site
where software and hardware vendors can view error reports related to
their drivers, utilities and applications that are reported through our
system. This enables the vendors who work with us to identify recurring
problems and address them far more quickly than in the past. All of our
server software products will incorporate these error-reporting features
in subsequent versions of the products.

- With Microsoft Windows Update, we are completing the customer-feedback
loop based on the error-reporting features mentioned above. This
globally available Web service delivers more than 300 million downloads
per month of the most current versions of product fixes, updates and
enhancements. When customers connect to the site, they can choose to
have their computer automatically evaluated to check which updates need
to be applied in order to keep their system up-to-date, as well as
identify any critical updates to keep their system safe and secure.

- We are working on a new hardware/software architecture for the Windows
PC platform, code-named "Palladium," which will significantly enhance
users' system integrity, privacy and data security. This new technology,
which will be included in a future version of Windows, will enable
applications and application components to run in a protected memory
space that is highly resistant to tampering and interference. This will
greatly reduce the risk of viruses, other attacks, or attempts to
acquire personal information or digital property with malicious or
illegal intent. Our goal is for the Palladium development process to be
a collaborative industry initiative. 

- We've incorporated what is known as P3P (Platform for Privacy
Preferences) technology in the Internet Explorer browser technology in
Windows XP, which enhances a user's ability to set privacy levels to
suit his or her needs. The P3P standard enables a user's browser to
compare any P3P-compliant Web site's privacy practices to that user's
privacy settings, and to decide whether to accept cookies from that
site. 

Identifying and addressing critical Trustworthy Computing issues will
require significant collaboration across our industry. One example of
the kind of cross-industry effort we need more of is the recent creation
of the Web Services Interoperability (WS-I) Organization
(http://www.ws-i.org/). Founded by IBM, Microsoft and other industry
leaders including Intel, Oracle, SAP, Hewlett-Packard, BEA Systems and
Accenture, WS-I's mission is to enable consistent and reliable
interoperability of XML-based Web services across a variety of
platforms, applications and programming languages. Among other things,
WS-I will create a suite of test tools aimed at addressing errors and
unconventional usage in Web services specifications implementations,
which in turn will improve interoperability among applications and
across platforms.

WHAT YOU CAN DO

Given the complexity of the computing ecosystem, and the dynamic nature
of the technology industry, Trustworthy Computing really is a journey
rather than a destination. Microsoft is fully committed to this path,
but it is not something we can do alone. It requires the leadership of
many others in our industry and a commitment by customers to establish
and maintain a secure and reliable computing environment. For customers,
the most important first step is understanding what it will take to make
their computers and networks more reliable and safe. Below are some
suggestions on what individuals and businesses can do to create a more
Trustworthy Computing environment for themselves and others.

- Give us feedback by using the error-reporting features built into
Office XP and Windows XP.

- Use Microsoft Windows Update (http://windowsupdate.com/) to ensure
that you have the most up-to-date and accurate versions of product
updates, enhancements and fixes.

- Businesses customers can take advantage of Software Update Services to
download critical updates from Windows Update.
(http://www.microsoft.com/windows2000/windowsupdate/sus/)

- Use Microsoft Baseline Security Analyzer to analyze Windows XP and
Windows 2000 for common security misconfigurations.
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
rity/tools/Tools/MBSAhome.asp)

- Enterprise Systems Integrators can take advantage of the Systems
Integrator Source Licensing Program
(http://www.microsoft.com/licensing/sharedsource/).

- Hardware, software or systems vendors can sign up for Microsoft's
Windows Logo Program at http://www.microsoft.com/winlogo/ to ensure a
high-quality user experience.

- Find more information about computing security at
http://www.microsoft.com/security/.

- Our White Paper on Trustworthy Computing is at
http://www.microsoft.com/PressPass/exec/craig/05-01trustworthywp.asp.

- If you don't already have Internet Explorer 6.0, download it for free
at http://www.microsoft.com/windows/ie/evaluation/overview/ to take
advantage of its increased reliability and security and privacy
features. 

We are doing everything we can at Microsoft to make software as
trustworthy as possible. By building awareness, through collaborative
work and with a long-term commitment, I am confident we can and will
create a truly Trustworthy Computing environment. 

Bill Gates


For information about Microsoft's privacy policies, please go to:
http://www.microsoft.com/info/privacy.htm.

[prev in list] [next in list] [prev in thread] [next in thread]