Forwarded from: Joe Klein <jskleinat_private>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think it would have saved Microsoft Stock Holders and the company a lot of money if they would have designed security into the operating system from the beginning. I remember a quote from my college professor that 'for every $1 spent on planning, it will take $10 to 'fix' in the development phase and $100 to fix if it goes into production'.

So I guess someone at Microsoft needs to answer up to why the 1 million dollars was not spent on the beginning of their software development process, instead of costing the Stock Holder $99 Million at this juncture.

Joe Klein

- -----Original Message-----
From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
Sent: Friday, July 19, 2002 12:03 PM
To: isnat_private
Subject: [ISN] Gates says Microsoft security push cost $100 mln

http://www.forbes.com/technology/newswire/2002/07/18/rtr667718.html

By Elinor Mills Abreu
Reuters
07.18.02

SAN FRANCISCO (Reuters) - Microsoft Corp. Chairman Bill Gates Thursday said the company's high-profile campaign to improve the security of its software had cost at least $100 million this year, but said the expense was paying off in better products.

In the early months of this year, Microsoft interrupted the development work of more than 8,500 engineers and sent many on special training to improve the security of its Windows operating system.

That "stand-down" took nearly two months and cost at least $100 million, Gates said Thursday.

"We estimated that the stand-down would take 30 days," Gates wrote in an e-mail sent to more than a million customers who subscribe to Microsoft newsletters and provided to Reuters. "It took nearly twice that long, and cost Microsoft more than $100 million.
"We've undertaken similar code reviews and security training for Microsoft Office and Visual Studio .NET, and will be doing so for other products as well," he said in the e-mail, in which he touted the progress that has been made since January when he proclaimed security as Microsoft's top priority.

At the time, Gates sent a rare e-mail to Microsoft's 50,000 employees that said the future of the company depended on ensuring that its products were secure from hackers and viruses.

Over the past six months, the Redmond, Washington-based software giant has changed the way it designs and develops software, and has committed to shipping Windows .NET Server 2003 as "secure by default," with settings in the position of the highest level of safety, the e-mail said.

Microsoft also now offers tools which allow users to quickly install updates and patches and analyze systems for incorrectly configured software and missing fixes, he said.

The company has incorporated technology into its Internet Explorer browser software in Windows XP that allows people to set privacy preferences and easily review Web site privacy policies.

And most recently, the company released information about a new project dubbed "Palladium" in which it will work with microprocessor and PC manufacturers to embed security features into the hardware, among other actions.

STILL COMPLAINTS

Despite the efforts, the company still ends up releasing security fixes on a weekly, sometimes daily, basis. Just this week the company announced a vulnerability in its SQL Server 2000 software that could allow an attacker to run malicious code on the computer.

In mid-June, a security program manager for the company's Security Response Center said officials had released 30 security bulletins since the beginning of the year, equal to about half the total sent out last year.

Some of Microsoft's moves to improve the security of its products have actually been criticized as being too intrusive.
For instance, certain automatic update features can pass data from the computer back to the company, but Microsoft executives insist they aren't collecting information about individual users.

In addition, Microsoft's new Palladium plan has been criticized by privacy advocates who say it poses potential for abuse and by cyber-libertarians who say it is designed to allow copyright holders more effective ways to prevent piracy through digital copyright management.

However, Microsoft executives have insisted that their aim with Palladium is to offer customers better security and privacy.

The e-mail is the first in an "occasional series of mails" that Gates, Chief Executive Steve Ballmer and other Microsoft executives will be sending to people on technology and public policy issues, Gates wrote.

"This is part of our commitment to ensuring that Microsoft is more open about communicating who we are and what we are doing," he said. "Trustworthy Computing really is a journey rather than a destination."

Earlier in the day, Microsoft reported a 10 percent rise in fourth-quarter sales and higher earnings on strong corporate demand for its products.

- -
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPThT879qq+fXvpkLEQLSSQCg00vVeZ8uJgXT1GcMzrMFixIJGOEAn3LL
a/0ONQbixHigEq07dgCRtzYl
=6iyM
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Jul 22 2002 - 03:41:04 PDT