February 6, 2007 11:41 AM PST

Microsoft: Still more to do on security

SAN FRANCISCO--Though Microsoft has made leaps in security over the years, even more challenges lie ahead as additional devices go online, company executives said Tuesday.

Only last week, Microsoft released Windows Vista and Office 2007, promoted as the most secure versions of the operating system and productivity products yet. And it has been nearly five years since company chairman Bill Gates sent out his "Trustworthy Computing" memo, which said the software maker was turning its focus to security. But that doesn't mean Microsoft products are now watertight, said Craig Mundie, chief research and strategy officer at the company.

"This won't make (the products) perfect," Mundie said in a joint keynote speech with Gates at the RSA Conference here. "The challenges we face in building our products, and the challenges everybody faces in administering and using them, is that humans are humans and they make mistakes."

As more devices connect to the Internet, and as people demand access to data from anywhere, the security job will only get bigger and more complex. "This challenge is going to get a lot tougher," Mundie said.

Not all the pieces are in place yet for people to be able to freely and securely tap into online data while on the move, he said. But solutions to the challenges are beginning to emerge, both on the side of Internet infrastructure--in servers, routers and switches, for instance--and in individual devices.

"We will build this model of seamless, easy access across all these devices. But we're not really there yet. We're on the path to this future world," Mundie told the audience at the security conference.

Microsoft is pitching IP version 6, the next generation of the Internet Protocol, and IPSec, a suite of protocols for securing IP communications, as part of the solution. Windows Vista has IPv6 built in, as does the upcoming Windows Server Longhorn release, which also supports IPSec.

IPv6 is designed to support a broader range of IP addresses, as the IP version 4 addresses currently in use are becoming scarce. The new protocol will not only let more devices connect, it will also allow the use of fine-tuned security controls, since each device will have its own address, Mundie said. He said that features in Windows XP and Vista will help people move to IPv6.

"There really isn't a challenge, in our view, in moving to the IPv6 infrastructure," Mundie said. "You don't have to contemplate some gargantuan infrastructure change."

Securing the actual data is another important piece in the puzzle, Gates added. He pitched BitLocker, a disk drive encryption feature in the higher-end version of Vista, as a way to lock down the data on a PC.

In addition, for businesses, rights management systems can help control the flow of confidential data, he said. For example, companies can use such rights settings to limit who can forward or open certain e-mail messages, reducing the risk of data loss, Gates said.

Then came a familiar message from Microsoft: eliminate the weakest link in the computer security chain by getting rid of passwords. Gates told the RSA crowd that he now has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

"Passwords are not only weak; passwords have the huge problem that if you get more and more of them, the worse it is," Gates said.

In Vista, Microsoft introduced Windows CardSpace for consumers to use instead of passwords. CardSpace is an application designed to represent an individual's wallet, holding different cards to use for identification in online transactions.

"That is one of the things that is in the Vista system," Mundie said. "I think people are going to have to acclimate to it."

For authentication in businesses, the software maker is promoting products such as its Identity Lifecycle Manager 2007, set for release in May. "We think this is the milestone where enterprises should start the migration from passwords to smart cards," Gates said.

Still more to do on security?
"Still more to do on security" - Ain't that the understatement of the century. Geezus H!

"5 years of Trustworthy Computing doesn't mean Microsoft products are watertight" - yeah, I think the MS Office Parade of Zero Day exploits that's been ongoing for weeks and unpatched to date gave us a hint of that.

"But we're not really there yet in building a model of seamless, easy access across many devices. We're on the path to this future world." - How many injections of hard drugs does it take Mundie to spew this crap with a straight face?

"BitLocker", "rights management systems", "CardSpace" - aye carumba. Gates and Mundie just keep taking drags on that crack pipe without let up.

Too much BS to swallow, this article is choking me before this Microsoft user can get to the end.
Posted by ejevo (134 comments )
There will ALWAYS be work to do on security
Bill's statement is an understatement. Anyone who understands the basic concepts of network computing understands that security is a leapfrog game. Yes, security is getting better, but now attacks will become more sophisticated.

I'm waiting on the typical "my os is secure" comment to be applied here. No, your os is NOT secure. Brand A may not have the same exploits as Brand B, but the converse is true. As long as there is a determined 'hacker' out there, there will be exploits.
Posted by frankwick (413 comments )
...so why does MSFT make it so hard on themselves?
Yup - no OS is secure, that much is true.

OTOH, if you had a choice between hitting a set of wild rapids in
a canoe with a couple of (literal) microscopic leaks, vs. riding in
one that had numerous fist-sized holes all over it?

Seriously - the number of Linux, Solaris, *BSD, and OSX exploits
COMBINED is less than 0.0001% (rough est). of the number that
Windows has to contend with. There's something seriously
wrong with this, and platitude-laden relativism ("...oh well, no
OS is secure...") isn't going to cut it as an excuse.

Yup - eventually any "determined hacker" will find a way in to
any type of machine. But, there is a difference between any old
fool busting into a Windows box in less than a few minutes vs.
the days/weeks/months on end that a "determined hacker"
would have to spend towards getting into an OSX or other *nix-
based machine.

Security may be a "leapfrog game", but it takes much, much
bigger frogs to leap ahead of the *nixes.

Open thine eyes, friend.

Posted by Penguinisto (5042 comments )
BitLocker and Card Space
This is a question which I hope can be answered civilly and un-

BitLocker sounds a lot like Mac OS X's FileVault. What are the

Same with Card Space. This sounds an awful lot like a Mac OS X
Keychain. Are there differences?
Posted by jelloburn (252 comments )
Even "Trustworthy Computing Initiative" is a rip-off
Bill Gates got the term from an address by Bertrand Meyer who
spoke of his "Trusted Components Initiative"

http://www.trusted-components.org/

Meyer has also been influential in .net:

http://www.amazon.com/Bertrand-Meyers-NET-Training-Course/
Posted by Ian Joyner (66 comments )