[ISN] Microsoft Security Push Faces Skepticism

From: InfoSec News (isnat_private)
Date: Fri Mar 01 2002 - 02:12:49 PST

    http://www.reuters.co.uk/news_article.jhtml?type=technologynews&StoryID=641941
    
    27 February, 2002 17:57 GMT  
    By Elinor Mills Abreu 
    
    SAN JOSE (Reuters) - The last time the world's largest software
    company announced a major shift in strategy, it went on to muscle its
    way from nowhere to dominance of the market for Internet browsers over
    industry favorite Netscape.
    
    Now with Microsoft Corp.'s MSFT.O founder and resident visionary Bill
    Gates hammering home the message that computing must be made more
    "trustworthy," could anti-virus and other computer security companies
    be facing a Netscape-like fate?
    
    Not likely, observers say. Many industry watchers remain skeptical
    that Microsoft, famous for loading its software with bells and
    whistles, can learn to put security first.
    
    Others question whether it will be technically possible to build
    hacker-proof software, especially given the sophistication of
    Microsoft's upcoming Web services offerings.
    
    Those services will allow consumers to use a single name and password
    to log on to a range of online services from banking to travel. But
    one key to their success, experts have said, will be convincing
    consumers that their financial information is safe from prying
    hackers.
    
    "Microsoft and security is an oxymoron," said Howard Lev, group
    product manager of appliances at Symantec Corp. SYMC.O "Historically,
    they haven't been that interested."
    
    Jim Bidzos, chairman of the conferences unit of RSA Security Inc.
    RSAS.O, a leading computer security company, could not resist taking
    a jab at Microsoft at a recent conference in San Jose, Calif.
    
    "I love the Microsoft security story. I loved it the first time I
    heard it in 1991," he said as the crowd of computer security
    professionals erupted in laughter. "The day people who stop products
    from going out the door because they're not secure enough become
    heroes then we'll know they're serious."
    
    "We managed to embarrass Microsoft into doing something," said Bruce
    Schneier, chief technology officer of security monitoring firm
    Counterpane Internet Security. "When push comes to shove we'll see
    what they do. I'm hopeful, but not optimistic."
    
    RIPPLES THROUGH INDUSTRY
    
    New Microsoft initiatives tend to ripple through the computer security
    industry, with many companies bracing for competition from a rival
    they don't want. Anti-virus companies were nervous, for example, when
    Windows 95 came out, thinking the new Microsoft offering would cut
    into their market, according to experts.
    
    It was widely believed that the operating system would end virus
    infestations, and it did for a while, David Perry, director of
    education at anti-virus company Trend Micro Inc., said.
    
    But then came macro viruses and other malicious code that the old
    software could not stop. Now, there are more than a dozen major virus
    types, and new ones cropping up all the time, including ones that take
    advantage of advanced features in Microsoft software, Perry said.
    
    "If Microsoft gets its act together, in three years, we'll still have
    viruses," said Rob Rosenberger, editor of computer security site
    Vmyths.com.
    
    By reducing the number of security bugs in its products, Microsoft
    could take away some demand for products like intrusion detection and
    firewall software. But experts say there will always be new security
    problems whenever new technology is introduced.
    
    "People who think that any kind of technological trick is going to end
    malicious software are committing an error that one can find in
    classical Greek literature -- hubris," Perry said.
    
    PRESSURE FROM CUSTOMERS
    
    Even if perfectly secure software is out of reach, software companies,
    most notably Microsoft, face pressure from key customers to do
    something to make their products less susceptible to hacking.
    
    Noting that the U.S. government is the single largest consumer,
    Richard Clarke, the White House cyber security czar, made the stakes
    clear at a recent conference: "We're going to stop buying products
    unless they're secure."
    
    The demands of the marketplace, ultimately, are what will make
    software makers provide security, and Microsoft has a long history of
    sniffing out consumer demand and creating products that meet it. David
    Hughes, president of the U.S. subsidiary of British-based anti-virus
    firm Sophos, said that Gates has a track record of success when he
    stakes out clear goals for Microsoft, as he did in a company-wide
    e-mail announcing the security push.
    
    "When Bill says they are going to do something, they do it. He
    realizes it's a high priority issue for customers," he said.
    
    But others say the public relations risks are skewed against the
    company this time since even a single hack could loom larger than a
    host of quiet improvements in its software.
    
    "Microsoft is in a no-win situation," said Lawrence Walsh, managing
    editor of Information Security Magazine. "They have to do something.  
    But perception is stronger than reality. If they suffer one hack,
    people will think they didn't do their job."
    
    During an interview in Tokyo with Reuters last week, Gates, who has a
    record of confounding naysayers, said Microsoft welcomed the scrutiny
    of its software and the level of their security.
    
    "Microsoft products get looked at harder than any other products and
    that's a good thing," he said.
    
    "We have these 24-hour response teams and we're the guys who are
    serious about this," Gates said. "We've put into place infrastructure
    to update things so it's certainly a key issue for the industry."
    
    (Additional reporting by Reed Stevenson in Tokyo.)
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


