[ISN] Microsoft: Users may have to pay for security

From: InfoSec News (isnat_private)
Date: Wed Oct 09 2002 - 00:23:09 PDT

    Forwarded from: William Knowles <wkat_private>

    Tuesday 8th October 2002
    Peter Judge, Tech Update UK

    RSA 2002: Microsoft is considering charging for additional security
    options, and admits it didn't move on security until customers were
    ready to pay for it

    Microsoft "may offer new security abilities on a paid basis,"
    according to the company's chief technical officer Craig Mundie. The
    possibility is under consideration within Microsoft's security
    business unit, recently set up under its own vice president, Mike

    The idea is still only hypothetical, but represents an acknowledgement
    that Microsoft sees security not just as a necessary condition to
    reassure existing and future customers, but also as a potential source
    of revenue.

    "Our work was diffuse, but we have quite a few security initiatives,"
    said Mundie, speaking on Tuesday at the RSA Conference on IT security
    in Paris. "Mike is assessing that. The unit will have inputs into
    products, marketing, training and other areas."

    In presenting Microsoft's trustworthy computing initiative, Mundie
    defended the company's reluctance to follow through and accept legal
    responsibility for the security of its products. "If we took that
    responsibility, say for a big contract at Airbus, I would have to take
    out a giant insurance policy from Lloyds or another insurance broker,
    and pay a giant invoice," said Mundie. "The product would then cost
    not 50 euros, but 50 million."

    Legal liability would cost the user greatly, he said, and contracts
    like the one he described were the exact opposite of the normal
    situation. "In such a situation, the computer must not change, and
    only technicians could touch it. This is the antithesis of the general
    purpose mass market business."

    Windows runs an arbitrary set of applications, in an arbitrary
    configuration, with arbitrary devices, said Mundie. "The operating
    system is designed to run on machines that are not designed yet."
    While Microsoft could demand that it creates the drivers for all
    hardware, the industry would not accept that. "Each time we accede to
    the reality of the industry, we accede to the problem," he said.

    Asked why it has taken Microsoft 25 years to get trustworthy computing
    into the forefront of its efforts, he said: "Because customers
    wouldn't pay for it until recently." Admitting this was a flippant
    answer to a flippant question, Mundie said that chief information
    officers had only recently begun to demand security, and it is only in
    the last ten years that Microsoft has attempted to play in the
    security-requiring worlds of banking, payroll and networked systems.