Comments on: It's Windows vs. Windows as Microsoft battles piracy

In effort to up sales of Windows, firm has sights set on nearest rival: Not Linux, not the Mac--Windows itself.

Have you seen this guy HE is WANTED

http://www.microsoft.com/athome/images/ces/CES_hero_1.jpg

Thugs

Building Trust in Technology

For computing to achieve its full potential -- and to enrich the daily lives of people and businesses everywhere -- it must first be made as secure and reliable as it can be, says Bill Gates

by Bill Gates

January 23, 2003

Not so long ago, most people paid little attention to cybercrime. Malicious hackers, hi-tech bank robbers and identity thieves were the stuff of science fiction novels; few outside the industry of information technology had more than a passing knowledge of their damaging potential. As recently as 20 years ago, the role of computers was mostly behind the scenes. The data they contained were relatively easy to secure because they were rarely moved or communicated to other machines.

That is not to say that the computer industry ignored security. In fact, it has worked to address security and reliability issues for decades, helping to ensure that banks could safely process transactions, that flight control systems functioned flawlessly and that sensitive data remained in the hands of those authorized to use them. But this all went on behind the scenes -- and the average citizen knew little about it.

The past few years have seen all that change. The amazing growth of PCs connected to the Internet transformed the nature of computing, setting information free and creating tough new security challenges.

A number of malicious and highly publicized computer viruses demonstrated the importance of ensuring the integrity and security of these increasingly interconnected computer networks.

And the terrorist attacks of September 2001 reminded us that our computing infrastructure is as critical to our econ­omy as our physical infrastructure -- and that the safety of each is at least partly dependent on the other.

The convergence of these three developments -- and the increasingly central role that computing will play in our lives in the coming years -- has led to a renewed focus on ensuring that our computing systems and information are safe from harm. Yet security is just one of a broader set of challenges that must be addressed to realize fully the vast potential of computing. As people increasingly depend on computers, they need to be sure that computing systems are available and functioning properly whenever and wherever they need them.

They must also be sure that they protect their sensitive information from theft or loss, and that the companies providing services and handling personal information are adhering to fair information principles.

To make this happen, our computing systems cannot just be secure -- they should be unfailingly trustworthy. We should be able to rely on them as we in the developed world rely on electricity or a telephone service today.

Although complete trustworthiness has yet to be achieved by any technology -- power systems still fail, water and gas pipes rupture and telephone lines sometimes drop calls -- these systems are usually there when we need them and they do what we need them to do. For computers to play a truly central role in our lives, they must achieve this level of trust.

Protecting cyberspace

As we move from a world of stand-alone desktop computers to an interconnected, decentralized global network, we face a number of new challenges.

The growth of the Web has encouraged businesses to make large amounts of business data available on the Inter-net, so that they can work better with partners and suppliers and build deep customer connections.

Consumers are conducting more and more business online, sending sensitive personal and financial information over the network. And businesses are increasingly motivated to make their internal business data securely available to employees at home or on the go.

These trends create vast new opportunities to enrich our lives and rewire our economy, but they also offer a tempting target for vandals, criminals and terrorists. To meet these challenges, we must change the way we create software.

Many desktop applications were not designed to operate in a networked environment, and the core protocols of the Internet were not initially designed to serve the 500 million users who rely on them today.

Much of this software has performed well in this new environment, but a lot of it must be refined, improved and rebuilt with security at the core.

At Microsoft we halted development on several key products and invested more than $100 million to evaluate our existing software for security issues, and to train our developers to build security into our future products from the ground up.

At the same time, the entire computer industry is working with government, law enforcement and business leaders to deter cybercrime at its source and build a secure digital future.

As the Internet became a viable platform for commerce -- another use not anticipated by its original design ? the amount of sensitive personal and financial information exchanged on the Web has skyrocketed.

This has led many consumers to be concerned about the safety of their information and the potential for misuse, fraud and identity theft. In fact, such fears continue to hold back growth in Internet-based commerce.

Existing industry standards, business practices and regulations already do much to ensure that people can retain control over how their personal information is obtained and used by others.

Standards such as P3P help consumers understand and manage the disclosure of their personal information to trusted parties. Microsoft is collaborating with industry partners to develop sophisticated new tools that will enable companies to implement and assess their own privacy policies.

Nonetheless, industry and government must continue to improve the software and tools that preserve individual privacy. And industry must keep working closely with govern­ment to ensure that laws and regulations which protect consumers are followed.

Security and privacy are the most immediate short-term challenges today, but achieving trustworthy computing involves a host of other issues. For example, we must continue to tackle the complexity and stability issues that affect many systems today, both at home and at work.

Just as a homeowner has no fear that fitting a new lamp will break his refrigerator, computer users should not have to worry that installing new applications will destabilize their system.

Companies should feel confident about embracing e-commerce, knowing that they can always depend on their software to meet their evolving needs reliably. That is why Microsoft, along with a host of other companies and researchers, is working aggressively to create computing systems that will be self-managing, self-repairing and inher­ently resilient. Put simply, they will just work.

We are in the early years of a time I call the "digital decade" -- an era in which computers move beyond being merely useful and become a significant and indispensable part of everyday life.

In the years ahead people will increasingly rely on computers to communicate and to be entertained, to run their lives and their businesses. This transformation has tremendous potential for enriching and enhancing our daily lives, while sparking a new era of growth for the global economy.

But for this to become a reality, we must first make computing as secure and reliable as it can be. Achieving truly trustworthy computing is a long-term challenge -- perhaps a 10-year process -- but considering the amazing opportunities the digital decade has to offer, it is essential that we meet it.

Crooked

How to Subscribe

Subscribe to executive e-mail from Bill Gates, Steve Ballmer and other Microsoft executives.
Subscribe via RSS here:

Executive E-mail Home
Read the latest executive e-mail.

Archives
Read previous executive e-mails.

Resources
Trustworthy Computing White Paper
Microsoft's vision for security, privacy, reliability and business integrity.
Q&A with Craig Mundie
How Microsoft is refocusing on security, reliability, privacy and more, as part of Trustworthy Computing.
Microsoft Security Web Site
Security information and links to security strategies, viruses and latest news.
Microsoft Privacy Web Site
Key information about how Microsoft is committed to protecting your privacy and developing technologies that provide a safe and secure computing experience.



July 18, 2002

Trustworthy Computing

Printer-Friendly Format

As I've talked with customers over the last year - from individual consumers to big enterprise customers - it's clear that everyone recognizes that computers play an increasingly important and useful role in our lives. At the same time, many of the people I talk to are concerned about the security of the technologies they depend on. They are concerned about whether their personal data is being protected. Although they know that computers can do amazing things, they are frustrated that their technology doesn't always work consistently. And they want assurances that the high-tech industry takes these concerns seriously and is working to improve their computing experience.

Six months ago, I sent a call-to-action to Microsoft's 50,000 employees, outlining what I believe is the highest priority for the company and for our industry over the next decade: building a Trustworthy Computing environment for customers that is as reliable as the electricity that powers our homes and businesses today.

This is an important part of the evolution of the Internet, because without a Trustworthy Computing ecosystem, the full promise of technology to help people and businesses realize their potential will not be fulfilled. Ironically, it is the growth of the Internet and the advent of massive computing systems built from loose affiliations of services, machines, communications networks and application software that have helped create the potential for increased vulnerabilities.

There are already solutions that eliminate weak links such as passwords and fake email. At Microsoft we're combining passwords with "smart cards" to authenticate users. We're also working with others throughout the industry to improve Internet protocols to stop email that could propagate misleading information or malicious code that falsely appears to be from trusted senders. And we are making fundamental changes in the way we develop software, in our operational and business practices, and in our customer support efforts to make the computing experiences we provide more trustworthy.

For example, we've historically made our software and services more compelling for users primarily by adding new features and functionality. While we are continuing to invest significantly in delivering new capabilities that customers ask for, we are now making security improvements an even higher priority than adding features. For example, we made changes to Microsoft Outlook to block email attachments associated with unsafe files, prevent access to a user's address book, and give administrators the ability to manage email security settings for their organization. As a result of these changes, the number of email virus incidents has dropped dramatically. In fact, email viruses like the recent "Frethem" virus propagate only to systems that have not been updated - underscoring the importance of updating them regularly.

We are also undertaking a rigorous and exhaustive review of many Microsoft products to minimize other potential security vulnerabilities. Earlier this year, the development work of more than 8,500 Microsoft engineers was put on hold while we conducted an intensive security analysis of millions of lines of Windows source code. Every Windows engineer and several thousand engineers in other parts of the company were also given special training in writing secure software. We estimated that the stand-down would take 30 days. It took nearly twice that long, and cost Microsoft more than $100 million. We've undertaken similar code reviews and security training for Microsoft Office and Visual Studio .NET, and will be doing so for other products as well.

THE TRUSTWORTHY COMPUTING FRAMEWORK

Trustworthy Computing has four pillars: reliability, security, privacy and business integrity. "Reliability" means that a computer system is dependable, is available when needed, and performs as expected and at appropriate levels. "Security" means that a system is resilient to attack, and that the confidentiality, integrity and availability of both the system and its data are protected. "Privacy" means that individuals have the ability to control data about themselves and that those using such data faithfully adhere to fair information principles. "Business Integrity" is about companies in our industry being responsible to customers and helping them find appropriate solutions for their business issues, addressing problems with products or services, and being open in interactions with customers.

Creating a Trustworthy Computing environment requires several steps:

- Making software code more secure and reliable. Our developers have tools and methodologies that will make an order-of-magnitude improvement in their work from the standpoint of security and safety.

- Keeping ahead of security exploits. Distributing updates using the Internet so that all systems are up to date. Windows Update and Software Update Services, discussed below, provide the infrastructure for this.

- Early Recovery. In case of a problem, having the capability to restore and get systems back up and running in exactly the same state they were in before an incident, with minimal intervention.

FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING

There is still much work that Microsoft and others in our industry must do to make computing more trustworthy. Here is a summary of some of the progress we've made, six months after my email to Microsoft employees:

- We have changed the way we design and develop software at all phases of the product development cycle. Our new processes should greatly minimize errors in software, and speed up the development process for new products and services.

- Software Update Services (SUS) is a security management tool for business customers that enables IT administrators to quickly and reliably deploy critical updates from inside their corporate firewall to Windows 2000-based servers and desktop computers running Windows 2000 Professional and Windows XP Professional.

- Microsoft Baseline Security Analyzer is a new tool that customers can use to analyze Windows 2000 and Windows XP systems for common security misconfigurations, and to scan for missing security hot fixes and vulnerabilities on a variety of products, including newer versions of Internet Information Server, SQL Server and Office.

- In addition to providing customers with tools and resources to help them maximize the security of Windows 2000 Server environments, we are committed to shipping Windows .NET Server 2003 as "secure by default." We believe it's critical to provide customers with a foundation that has been configured to maximize security right out of the box, while continuing to provide customers with a rich set of integrated features and capabilities.

- The error-reporting features built into Office XP and Windows XP are giving us an enormous amount of feedback and a much clearer view of the kinds of problems customers have, and how we can raise the level of reliability in those products - and that of products made by other companies. As part of this effort, we recently created a secure Web site where software and hardware vendors can view error reports related to their drivers, utilities and applications that are reported through our system. This enables the vendors who work with us to identify recurring problems and address them far more quickly than in the past. All of our server software products will incorporate these error-reporting features in subsequent versions of the products.

- With Microsoft Windows Update, we are completing the customer-feedback loop based on the error-reporting features mentioned above. This globally available Web service delivers more than 300 million downloads per month of the most current versions of product fixes, updates and enhancements. When customers connect to the site, they can choose to have their computer automatically evaluated to check which updates need to be applied in order to keep their system up-to-date, as well as identify any critical updates to keep their system safe and secure.

- We are working on a new hardware/software architecture for the Windows PC platform, code-named "Palladium*," which will significantly enhance users' system integrity, privacy and data security. This new technology, which will be included in a future version of Windows, will enable applications and application components to run in a protected memory space that is highly resistant to tampering and interference. This will greatly reduce the risk of viruses, other attacks, or attempts to acquire personal information or digital property with malicious or illegal intent. Our goal is for the "Palladium" development process to be a collaborative industry initiative.

- We've incorporated what is known as P3P (Platform for Privacy Preferences) technology in the Internet Explorer browser technology in Windows XP, which enhances a user's ability to set privacy levels to suit his or her needs. The P3P standard enables a user's browser to compare any P3P-compliant Web site's privacy practices to that user's privacy settings, and to decide whether to accept cookies from that site.

Identifying and addressing critical Trustworthy Computing issues will require significant collaboration across our industry. One example of the kind of cross-industry effort we need more of is the recent creation of the Web Services Interoperability (WS-I) Organization (http://www.ws-i.org/). Founded by IBM, Microsoft and other industry leaders including Intel, Oracle, SAP, Hewlett-Packard, BEA Systems and Accenture, WS-I's mission is to enable consistent and reliable interoperability of XML-based Web services across a variety of platforms, applications and programming languages. Among other things, WS-I will create a suite of test tools aimed at addressing errors and unconventional usage in Web services specifications implementations, which in turn will improve interoperability among applications and across platforms.

WHAT YOU CAN DO

Given the complexity of the computing ecosystem, and the dynamic nature of the technology industry, Trustworthy Computing really is a journey rather than a destination. Microsoft is fully committed to this path, but it is not something we can do alone. It requires the leadership of many others in our industry and a commitment by customers to establish and maintain a secure and reliable computing environment. For customers, the most important first step is understanding what it will take to make their computers and networks more reliable and safe. Below are some suggestions on what individuals and businesses can do to create a more Trustworthy Computing environment for themselves and others.

- Give us feedback by using the error-reporting features built into Office XP and Windows XP.

- Use Microsoft Windows Update (http://windowsupdate.com/) to ensure that you have the most up-to-date and accurate versions of product updates, enhancements and fixes.

- Business customers can take advantage of Software Update Services to download critical updates from Windows Update. (http://www.microsoft.com/windows2000/windowsupdate/sus/)

- Use Microsoft Baseline Security Analyzer to analyze Windows XP and Windows 2000 for common security misconfigurations. (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp)

- Enterprise Systems Integrators can take advantage of the Systems Integrator Source Licensing Program (http://www.microsoft.com/licensing/sharedsource/).

- Hardware, software or systems vendors can sign up for Microsoft's Windows Logo Program at http://www.microsoft.com/winlogo/ to ensure a high-quality user experience.

- Find more information about computing security at http://www.microsoft.com/security/.

- Our White Paper on Trustworthy Computing is at http://www.microsoft.com/PressPass/exec/craig/05-01trustworthywp.asp.

- If you don't already have Internet Explorer 6.0, download it for free at http://www.microsoft.com/windows/ie/evaluation/overview/ to take advantage of its increased reliability and security and privacy features.

We are doing everything we can at Microsoft to make software as trustworthy as possible. By building awareness, through collaborative work and with a long-term commitment, I am confident we can and will create a truly Trustworthy Computing environment.

Bill Gates

The new components being developed for the Microsoft Windows Operating System, which are described in this email under the code name "Palladium," are now referred to as the next-generation secure computing base for Windows

[Prndll]

Who are you?

Do you represent MS?

Having security does NOT mean forcing "everything" to be network addressable.

At this point, it has become a basic fact that Windows XP is alot less secure than Windows 98se. IE6.0 is also alot less secure than IE5.5 or IE5.0.

You have typed up quite a bit just to sound to me like a comercial advertising Microsoft.

MY COMPUTER IS MINE. IT BELONGS TO ME, "NOT" MICROSOFT.

[Scott W]

terms

after reading all the replies i have noticed a lot of people saying: "If you don't like Windows then get Linux, you shouldn't steal Windows because stealing is bad."

let me put this into relative terms for you:

A man comes to your house and offers you a thirty-year old banged up piece of **** car for £75K. it works at an acceptable level but anyone who knows anything about cars know this is a bad deal. under normal circumstances this offer would be rejected. now imagine that 90% of the roads on earth required you to run this specific model of car. if you didn't own one of these cars you could do sweet FA. so what happens? you are forced into buying a car that is overpriced and that you don't want. you could, on the other hand, steal it and put up with the poor performance just because you need to use it to get anywhere. THINK ABOUT IT!!!

already is freeware aviable from windows

I aready thought about before, John Smith, lol

The bottom line on both sides, $$$

Regardless of your feelings about MS, Gates, or any other big hitters in the software "world," the bottom line is the money. I feel that MS has lost touch with the consumer that ultimately spends more money in the retail market than anyone, the home user. They are too busy trying to get the businesses to buy $10,000 worth of licenses, they forget that the average consumer can't afford to spend 100 - 400 dollars on software for a computer they have only spent 500 on for the whole deal. It is just way too much cash to deal out. On the other hand, MS has to make their money, otherwise, they can't continue to produce the second rate software that we have all grown to love and hate at the same time. The only quality time that I have with my family is during the installation process of any MS OS's! But seriously, MS needs to concentrate on the real problem, poor marketing, poor performance, and over charging. If they could get all of their ducks in a row for once, I think that everyone, malicious hackers included, will want to spend their hard earned money on a product they can trust will work when they use it, especially if they didn't have to sell their first born to get a legal copy of it.

[iqula]

Windows worries, Desktops are moving off the PC

Things are going bump in the night for Microsoft with the network fast becomming the future of IT. Look at new services like http://www.cosmopod.com that are taking email to a new level and the desktop virtual.

Mirosoft is going to go the way of AT&T

AT&T created the transistor.
Microsoft bought and improved upon a language.
What the transistor did to make Microsoft Corp possible, Microsoft has done for us.
Now that so many people can speak there language it will become free. Like Linux and English

What they both created will put them out of business. Ask AT&T in a couple of months.
When you charge for the use of the language a revolt is sure to come your way.

Good for Microsoft they did not do this earlier.
Good for us that Linux did.

Since I switched back to Netscape I do not have any pop ups or hostile attacks on my computer.

Who do we charge back for the cost of protecting holes in there operating system? Send my next rebate on a new purchase to Symantec \Norton?

How about a guarantee on their product like most other products comes with?

I think Microsoft is savvy in allot of areas but they should have listened to marketing before going forward with this announcement.

Thanks for allowing me to spout.

Bob P

All well and good but!

What about companies that buy the pcs from vendors and have to by a license with the pc. Then they also are purchasing an Enterprise License as well. So in a sense these companys are getting charged double for licensing. I don't think that is right that you have to buy to of the same licenses for one pc. How about you?

Later