January 18, 2000 4:55 PM PST
Microsoft touts Windows 2000 security at RSA confab
Without greater attention to security, people will lose confidence in the computer industry and cause the e-commerce boom to falter, warned Brian Valentine, senior vice president of Microsoft's Windows division, speaking at the RSA security conference today.
Windows 2000, the successor to Windows NT that is due to arrive next month, is the flagship of what Valentine described as a improved effort at Microsoft to make its products more resistant to attacks. It was designed with computer security in mind from the start, a policy that will apply to other Microsoft products in the future, Valentine said.
Microsoft used a new development process when writing Windows 2000 in which programmers had to make sure they had signed off that each module they wrote passed certain security criteria, Valentine said. In addition, a dedicated 15-person team and outside consultants scrutinized the software for 18 months before the product was released.
Microsoft has been criticized for security problems that let attackers take advantage of Windows computers. Critics have raised concerns that Windows, with its roots in standalone PCs, isn't ready to power computers connected to the Internet around the clock.
Critics argue that it's too easy to get privileges to make system-level changes on Windows computers. They also say the ability to run programs written in ActiveX or VBScript formats provide a relatively easy way for attackers to send malicious software. And Microsoft Outlook email and address book software, combined with Microsoft Word's macro programming language and the Internet Explorer Web browser, provided a fertile field for the Melissa virus and several other attacks that spread by email last year.
Microsoft hopes to turn around this image and set an example for the rest of the industry, Valentine said.
One part of this effort will be publication of the "Microsoft Security Commitment," a declaration that Microsoft takes security seriously and will respond to problems quickly.
The commitment isn't actually a contractually binding guarantee from Microsoft, Valentine said. "It's really a customer confidence thing" to assure people that Microsoft cares about security, he said.
Microsoft said its Windows 2000 operating system will ship with 128-bit encryption capabilities, allowing its Web server software and other information transfers over a network to be encrypted more strongly than was possible previously. Microsoft benefited from a new policy from the federal government that allows software with this stronger encryption to be exported, Valentine said.
Computer security and privacy go hand-in-hand, and without both, consumers will lose faith in the Internet as a medium for commerce, Valentine said.
His words come shortly after news that a hacker posted credit card numbers obtained from online store CD Universe.
Lax security is an outgrowth of the climate a few years ago, when networks were more controlled and companies were eager to connect employees' computers, Valentine said.
Ten years ago, the prevailing attitude was, "I need to get people on my network, don't tell me how I keep people off," Valentine said. Now, though, with the Internet's popularity, "It's incumbent on us to really get serious about this and move it forward."
Although teaching people about security risks is important in stemming security problems, it's not enough. The holes have to be plugged by the manufacturer, not by the consumer, he said.
"We can't trust end users" to take care of security themselves anymore, he said. "We can try to make it an educational problem, but first and foremost it should be a product problem."