January 17, 2002 8:10 AM PST
Gates: Security is top priority
- Related Stories
Gates memo: 'We can and must do better'January 17, 2002
.Net breakdown: More to come?January 15, 2002
Privacy flaw continues to dig IE holeJanuary 15, 2002
Microsoft's security push lacks oomphJanuary 11, 2002
Virus writers take an early crack at .NetJanuary 9, 2002
Microsoft alerts Passport users to patch IEJanuary 3, 2002
Microsoft issues patch for "serious" XP holeDecember 20, 2001
Microsoft tries to cage security gremlinsNovember 6, 2001
Microsoft.Net shrouded in mysteryOctober 18, 2001
Code Red for securityJuly 27, 2001
In an e-mail sent to employees Tuesday, Gates said the company intends to shift from focusing on features to spotlighting security and privacy.
"When we face a choice between adding features and resolving security issues, we need to choose security," Gates wrote in the e-mail, a copy of which was forwarded to CNET News.com. "Our products should emphasize security right out of the box."
Calling the new initiative "Trustworthy Computing," Gates billed it as the "highest priority" for the company.
Gates also addressed the matter of privacy. "Users should be in control of how their data is used," Gates wrote in the memo, which was first reported on by the Associated Press. "It should be easy for users to specify appropriate use of their information, including controlling the use of e-mail they send."
The message to the Microsoft troops comes after a recent set of security and reliability problems that have added fuel to long-simmering worries about the defensive capabilities of the company's software.
"Microsoft has a serious image problem when it comes to the reliability, security and stability of its network services and products," said Richard Forno, chief technology officer for information assurance company ShadowLogic.
On Tuesday, the software titan finally fixed a technical glitch in one of its servers that had caused consternation among Windows users. The error caused the company's automated updating system to fail frequently during a five-day period.
Microsoft, feds: Security plagues them both
Alan Brill, managing director, Kroll Security
Last month, the company revealed a serious flaw in its flagship Windows XP operating system--software that had supposedly benefited from its latest push for program security, known as the Secure Windows Initiative. The efforts have produced mixed results.
In addition, the Code Red and Nimda Internet worms last year attacked vulnerabilities in Microsoft's Internet Information Server Software. In November, a flaw in Microsoft's Passport authentication protocol--a key part of .Net--allowed intruders to access consumer financial data stored in the company's Wallet, an e-commerce buying service.
Gates apparently does not send many memos to all Microsoft employees, particularly since turning over the CEO position to Steve Ballmer at the beginning of 2001.
"It's significant when he does send out an issue-oriented memo," a Microsoft representative said.
"The mail demonstrates a stepped-up commitment in the area of security and a call to action from the executive level on down aimed at the critical challenge of building safe and secure software and services for our customers," the representative added.
Analysts agreed that the change is an essential one.
"Obviously, Microsoft's .Net strategy could never succeed if they kept having as many security problems as they have been having," said John Pescatore, research director for Internet security at Gartner. "It's one thing to buy a CD-ROM with a security problem. It's another thing to connect your computer over the Internet to theirs.
"Without security, .Net fails, and Microsoft made a big bet on .Net and Web services," Pescatore said.
In the memo, Gates said the Trustworthy Computing concept is vital to the success of .Net.
Gates added that his call should carry the same weight as two earlier, major strategy shifts for the company--the outlining of .Net two years ago and the now-famous Internet "tidal wave" memo Gates penned in the mid-1990s that led to the company finally tackling the Web head on.
"Over the last year it has become clear that ensuring .Net is a platform for Trustworthy Computing is more important than any other part of our work," he wrote.
Pescatore said the new focus on security reflects a change in Microsoft's customer base.
"The culture was built on desktop operating systems; it was built on putting all the control in the hands of the user," he said. "(Then) they started selling software to enterprises, and enterprises said, 'Wait a minute, we don't want to put control in the hands of the user.'"
But while the new strategy comes with orders from on high, it may still take awhile for the company--and customers--to change gears.
"You're looking at 18 months. They moved very quickly in 1996 in changing things around" to a focus on the Internet, Pescatore said. "But the Internet was like a new feature. It's another thing to say, 'Floss your teeth every night.'"
ShadowLogic's Forno thought the message sounded similar to Gates' Internet memo, and he offered a critique that echoed reaction to that exhortation.
"My gut feeling on this announcement today is that it's a PR blitz, pure and simple," Forno said.
Staff writer Joe Wilcox contributed to this report.