RE: [ISN] Gates says Microsoft security push cost $100 mln

From: InfoSec News (isnat_private)
Date: Mon Jul 22 2002 - 00:31:20 PDT

  • Next message: InfoSec News: "[ISN] Security concerns loom in new wireless world"

    Forwarded from: Joe Klein <jskleinat_private>
    Hash: SHA1
    I think it would have saved Microsoft Stock Holders and the company a
    lot of money if they would have designed security into the operating
    system from the beginning.  I remember a quote from my college
    professor that 'for every $1 spent on planning, it will take $10 to
    'fix' in the development phase and $100 to fix if it goes into
    production'. So I guess someone at Microsoft needs to answer up to
    why the 1 million dollars was not spent on the beginning of their
    software development process, instead of costing the Stock Holder $99
    Million at this juncture.
    Joe Klein  
    - -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On
    Behalf Of InfoSec News
    Sent: Friday, July 19, 2002 12:03 PM
    To: isnat_private
    Subject: [ISN] Gates says Microsoft security push cost $100 mln 
    By Elinor Mills Abreu
    SAN FRANCISCO (Reuters) - Microsoft Corp. Chairman Bill Gates
    said the company's high-profile campaign to improve the security of
    its software had cost at least $100 million this year, but said the
    expense was paying off in better products.
    In the early months of this year, Microsoft interrupted the
    development work of more than 8,500 engineers and sent many on
    training to improve the security of its Windows operating system.
    "stand-down" took nearly two months and cost at least $100 million,
    Gates said Thursday.
    "We estimated that the stand-down would take 30 days," Gates wrote in
    an e-mail sent to more than a million customers who subscribe to
    Microsoft newsletters and provided to Reuters. "It took nearly twice
    that long, and cost Microsoft more than $100 million.
    "We've undertaken similar code reviews and security training for
    Microsoft Office and Visual Studio .NET, and will be doing so for
    other products as well," he said in the e-mail, in which he touted
    progress that has been made since January when he proclaimed security
    as Microsoft's top priority.
    At the time, Gates sent a rare e-mail to Microsoft's 50,000 employees
    that said the future of the company depended on ensuring that its
    products were secure from hackers and viruses.
    Over the past six months, the Redmond, Washington-based software
    has changed the way it designs and develops software, and has
    committed to shipping Windows .NET Server 2003 as "secure by
    with settings in the position of the highest level of safety, the
    e-mail said.
    Microsoft also now offers tools which allow users to quickly install
    updates and patches and analyze systems for incorrectly configured
    software and missing fixes, he said.
    The company has incorporated technology into its Internet Explorer
    browser software in Windows XP that allows people to set privacy
    preferences and easily review Web site privacy policies.
    And most recently, the company released information about a new
    project dubbed "Palladium" in which it will work with microprocessor
    and PC manufacturers to embed security features into the hardware,
    among other actions.
    Despite the efforts, the company still ends up releasing security
    fixes on a weekly, sometimes daily, basis.
    Just this week the company announced a vulnerability in its SQL
    2000 software that could allow an attacker to run malicious code on
    the computer.
    In mid-June, a security program manager for the company's Security
    Response Center said officials had released 30 security bulletins
    since the beginning of the year, equal to about half the total sent
    out last year.
    Some of Microsoft's moves to improve the security of its products
    actually been criticized as being too intrusive.
    For instance, certain automatic update features can pass data from
    computer back to the company, but Microsoft executives insist they
    aren't collecting information about individual users.
    In addition, Microsoft's new Palladium plan has been criticized by
    privacy advocates who say it poses potential for abuse and by
    cyber-libertarians who say it is designed to allow copyright holders
    more effective ways to prevent piracy through digital copyright
    However, Microsoft executives have insisted that their aim with
    Palladium is to offer customers better security and privacy.
    The e-mail is the first in an "occasional series of mails" that
    Chief Executive Steve Ballmer and other Microsoft executives will be
    sending to people on technology and public policy issues, Gates
    "This is part of our commitment to ensuring that Microsoft is more
    open about communicating who we are and what we are doing," he said. 
    "Trustworthy Computing really is a journey rather than a
    Earlier in the day, Microsoft reported a 10 percent rise in
    fourth-quarter sales and higher earnings on strong corporate demand
    for its products.
    - -
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    Version: PGP 7.0.4
    -----END PGP SIGNATURE-----
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 03:41:04 PDT