Trustworthy Computing: It’s About Time

Microsoft finally gives security the attention it deserves

By now, you've probably heard about Microsoft's Trustworthy Computing initiative, a stunning bit of irony if you're well versed in the problems Microsoft has had with security. Earlier this year, Bill Gates (or a high-level Microsoft executive posing as him) sent a memo to all of Microsoft's 37,000 full-time employees, asking them once again to redirect their efforts to a long-term company goal. This time around, the goal was improved security and privacy—what Gates called Trustworthy Computing—and the memo hearkens back to earlier initiatives aimed at moving Microsoft toward the Internet and Web services.

Not Bad ...
The Gates memo addressed a problem that I've been harping on for some time: Microsoft's products don't adequately protect users' security and privacy, and that situation has to change. "Trustworthy Computing is computing that is as available, reliable, and secure as electricity, water services, and telephony," Gates wrote. "Microsoft and the computer industry will only succeed ... if CIOs, consumers, and everyone else sees that Microsoft has created a platform for Trustworthy Computing."

Just weeks after the memo was leaked to the press, SecurityFocus (a security-information provider) released some security numbers for Windows 2000 and Windows NT versus Red Hat Linux (the most popular Linux server distribution). In January through August 2001, Win2K/NT had 42 security vulnerabilities and Red Hat Linux had 54. In 2000, Win2K/NT had 97 and Red Hat Linux had 95. When you compare Win2K/NT with all Linux distributions combined, Windows has fewer vulnerabilities, year after year.

These findings are interesting because, despite a complete lack of evidence and despite the maturity of the Windows platform—and the relative youth of Linux—many people blindly assume that Linux is far more stable and secure than Windows. I wonder how Linux would have fared had it been under constant intruder assault over the past few years, as has Windows, which runs on far more machines than all Linux distributions combined and is thus a more popular intruder target.

... But Not Good Enough
But even Microsoft now admits that it has too often sacrificed security for ease of use, defending itself by stating that it has simply provided the features for which its customers have asked. And that, really, is the problem with Microsoft security: The company isn't saving us from ourselves. By making Windows servers as easy to use and administer as Windows desktops, Microsoft has lowered the bar to increase market share.

Traditionally, Microsoft has slowly reacted to a never-ending series of vulnerabilities and bad press by revising its processes and instituting half measures. Finally, the company is undergoing what appears to be a total reversal. In true Microsoft style, the company has taken a glaring problem and marketed it as a victory: The company even revealed that it had required its software engineers to halt new coding for the month of February 2002 so that it could train its developers in modern security techniques and overhaul its core products—Windows .NET Server (Win.NET Server), Windows XP, and Win2K—with these practices in mind. It's about time. Microsoft customers deserve to be able to assume that their computing is trustworthy.