
October 3, 2004 4:35 PM PDT

Ballmer calls security a never-ending battle

LONDON--Microsoft CEO Steve Ballmer says the task of trying to stay one step ahead of virus writers and hackers is a never-ending battle.

Speaking at a gathering of U.K. press, Ballmer said Microsoft's "trustworthy computing" effort is far more than just a one-off initiative.

"We will be working on 'trustworthy computing' for the rest of my days at Microsoft, which I hope are many. There are bad people out there in cyberspace, and they are not going to go away. We are going to have to be vigilant. That's going to last for the duration," he said.

But despite the ongoing rounds of new security vulnerabilities and virus alerts, Ballmer said he believes the situation has improved greatly and can only get better.

"It's not like five or six years ago viruses didn't exist. More damage has been done in other periods of time (than today). The last 12 months was a better 12 months by a margin. I do believe in the next two to three years we'll get good enough and customers' practice of implementation will get good enough," he said.

Ballmer admitted that getting it wrong is not an option for Microsoft. "Security is the potential downside for the business. Do people have enough faith? That's why we made security job one priority at Microsoft."

Microsoft and Ballmer have said that the company will look at new markets and new areas of innovation for future growth. One area that analysts and industry watchers have tipped is the antivirus and firewall market, possibly with the acquisition of one of the big players such as McAfee.

Ballmer declined to elaborate on Microsoft's plans with regard to launching its own security products but also didn't rule out the possibility of acquisitions, whether in the security market or any other area of its business.

"We're always looking at acquisitions, but we don't have cash earmarked for acquisitions. Almost all of those (big deals) are done for stock anyway," he said.

One area Ballmer did highlight for future security innovation was the concept of "isolation," which has already been partly introduced with Windows XP Service Pack 2. This technology is intended to ensure that PCs, laptops and other mobile devices are virus-free and have all the latest security updates and patches before being allowed to connect to a corporate network.

In corporate settings, Ballmer said, "the No. 1 way people get viruses is, in fact, with machines that are on their networks sometime and off the network other times. How do you check before you reintroduce someone to the network? It's a form of isolation."

Ballmer said the goal is to have the technology out before the next iteration of Windows, Longhorn, and at the latest "certainly by Longhorn."

Microsoft has had less luck in getting its Sender ID e-mail standard for stopping spam accepted by the rest of the industry; it was rejected last month by major players such as America Online. But Ballmer reinforced Microsoft's commitment to the concept.

"We're doing a little bit of rethinking but the technology and the way we've done it, we still think, is spot on," he said.

Andy McCue of Silicon.com reported from London.

Security is a continuous process.
by Seething Ganglia October 3, 2004 6:05 PM PDT
Too bad Microsoft starts at such a bad disadvantage.
Not Solving the Problem
by October 3, 2004 6:06 PM PDT
I think most everything Steve is saying about security in this article doesn't fix Windows core problems. Instead he seems to be saying security problems are being solved outside Windows core with such things as firewalls, virus and worm detecting and removing, and isolation techniques. In my opinion, this will eventually be a failure. The black hats will continue worming their way through these barriers and continue attacking Windows core defects. It seems to me, Windows continues its security downward spiral until the core is gutted and replaced with something built for the realities of a networked world.

...John
Security and...
by Tex Murphy PI October 3, 2004 6:25 PM PDT
Patch management is a real pain. Be it Windows, Linux, Mac or Unix - it's a real pain having to apply patches and praying that they don't take down a production server.
Security is not difficult.
by Dachi October 3, 2004 10:14 PM PDT
You don't achieve it by adding security measures, you do it by removing vulnerabilities. Firewall or not, they need to remove services in listening state and work on ways to reduce the amount of code booted with Windows. They are going about it wrong. I won't believe MS is "serious about security" 'til I see them correctly approach the problem.
First you have to have an "Architectural Design for Security"
by landlines October 4, 2004 7:48 AM PDT
Windows' primary weakness is its architecture (or lack thereof).

1. Microsoft apparently has no concept or understanding of "pure data" in any of its products. In a secure design, only "pure data" may be transmitted over unsecure connections. This, along with simple measures like data validation, keeps applications from being compromised by conditions which they cannot handle (which result in "crashes"). Allowing executable content within data, especially when the data has neither been validated nor source-verified, is a prescription for cascading disasters resulting from a simple failure in any running program. Active X is only one of the many, many flagrant violations of this principle which are built into Windows.

2. Microsoft, by default, assumes that anyone signed onto a machine should be allowed access to everything on that machine. This leads to cascading data-compromising disasters affecting whole networks when a single malicious, stupid, or berserk user gets in. In a secure architecture, access is granted based on the user's identity, organization, and 'clearance' level.

3. Microsoft does not control the configuration of the operating system. This is because it allows users to modify the operating system by replacing dll's and other executables, and by allowing destructive changes in the Registry with no authentication or validation. If there is no configuration control, there can be NO SECURITY.

There are many, many security holes in Windows, and they are extraordinarily easy to discover via the principles outlined above. Closing any one of them or patching to eliminate exploits will never be effective until Windows architecture is completely redesigned for security.
spin, spin, spin
by October 4, 2004 1:43 AM PDT
"In corporates the No. 1 way people get viruses is, in fact, with machines that are on their networks sometime and off the network other times."

Sorry, No1, on and sometimes off ?
Where's the OS effort?
by David Arbogast October 4, 2004 9:07 AM PDT
Security is an ongoing job, similar to the war on terror, and it must be continued. Microsoft is the only company that has put significant resources into an ongoing security battle to protect software. If Linux ever reaches mass acceptance, it will become obvious that the "react and patch" strategy currently used is not sufficient to keep hackers at bay.

To suggest that Microsoft needs to "gut and replace" their OS is ignorant. Regardless of your code base, security will be an ongoing challenge. There is no simple solution, and there is no totally secure system. At least Microsoft is devoting resources to the effort. How many open-source developers are spending 8 hours a day, 5 days a week devoted to security issues... working for free... ? No... they just post on News.com claiming that Microsoft can never be successful...
Microsoft is STRUCTURALLY INSECURE
by landlines October 4, 2004 3:54 PM PDT
While Windows lacks a clear distinction between executables and data, lacks a mechanism for interuser protection, and lacks configuration control, it is clear that the only solution is "gut and replace".

It is amazing how many, lacking knowledge about computing history and other OS alternatives, just follow Microsoft blindly and never challenge it to be better.

Suggested reading: technical literature on the several OS's in the 70's which had the words "Non-Stop" in their name.

Read and understand how (1) an OS CAN BE MADE SECURE....even against power failure and even against most hardware failures! (2) what we have now is a mere "toy" compared to the industrial-quality OS's of pre-Wintel machines.

In our rush to get low cost (to the exclusion of performance, security, reliability, and everything else), we simply ignored the alternatives.
See this page for help today!
by anthonycea October 5, 2004 8:03 PM PDT
You can get free downloads and free security data now. See

http://www.searchwars.squarespace.com/free-software-downloads/

Don't wait for M$ to solve your problems.