November 15, 2002
Earlier this week, Microsoft's Craig Mundie, Senior Vice President and chief technology officer, spoke on Microsoft's monthly "Speaker Series" about Microsoft's Advanced Strategies and Policy.
You can read the whole speech on the Microsoft Web site. It's mainly about Microsoft's "Trustworthy Computing" initiative.
The interesting part I wanted to share with you is near the bottom of this article. I'll just quote some passages:
(At this point, Mundie apparently showed his audience a graph, which isn't available in the on-line article).
"One of the biggest challenges we face as a company and to some extent as an industry is depicted by this graph. The various humps and bumps on this graph are the current estimated deployments of the different generation of Windows. And they total something about 400 million active users."
"And to put this in perspective, about what the challenge is: the little black line growing slowly, that's the population of New York City. The big dotted line going up very quickly is the rate of growth of the number of people connected to and using the Internet."
"And so what you realize is that the newest systems, the ones that have had all this work done to them are down here in these little slices. They're the ones that are in the earliest stages of deployment."
By "the ones that have had all this work done to them" Mundie seems to imply that Microsoft's more recent operating systems have had more security work "done to them", which to some extent is true.
Mundie continues:
"And what society is doing and we're doing as a business is dragging around behind us a giant tail of systems that, of course, were built and deployed quite a long time ago. And this is infrastructure for our society today. And any time you decide to change infrastructure it costs money and takes time. And so it doesn't matter how fast you push this stuff out."
"If we wanted to go out, and some days I think about the challenge that we face and we say, oh, if you have to do this with the conscious effort of real people it would be roughly many times worse than just saying, okay, we just want to get every single person in New York City to do the same thing today to their computer system, please to fix it today. And even if it was just New York City you'd have a tough time. The reality is we have the equivalent of about 30 or 40 New York Cities that all want to in some sense move together or get repaired in one fell swoop."
"So we know that in practice it's impossible for us to remediate the threats that we know exist in the world today in systems that were designed in 1991, '2 and '3 and deployed in '95 and which are actively still in use today. It's interesting the single largest bump on this graph is Windows 95. And while it's actually shrinking now, Windows 98 has kind of surpassed it, but the newest stuff is still considerably less deployed."
"Now, we know that these waves just keep rolling through and they will ultimately change, but it shows how long the threat exists of bad things happening and why it's not completely possible to fix every old system."
"The message here is that there will have to be two tradeoffs that have to be made, and to some extent the events of last September have facilitated us in making one of those tradeoffs or changes."
"We have decided that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security. In the past, the biggest thing that happened to us was IT managers would come to the company and say, hey, all those new features, they're great, all that new security stuff, that's great, but whatever you do don't break my app. So just turn it all off and trust me, we'll fix the apps and then we'll turn it all on. And the reality is that never happened."
"And so we're going to tell people that even if it means we're going to break some of your apps we're going to make these things more secure and you're just going to have to go back and pay the price."
"And the other thing is that the customers, whether they're individuals or corporations, are going to have to make a decision about when and how much they spend to get these machines to be more secure. And to some extent you can do it by insulating them, to some extent you can do it by putting things around them or in front of them that protect them, you know, firewalls in some sense. And then in some cases, you can just replace them when you get new machines or new software or both that have intrinsically better capabilities."
"But I think one of the things that we say, and even if you look at the national cyber security plan that was put forth, Dick Clark and the people at the White House have realized that security is going to cost some money, whether it's having a new transportation safety authority to make people feel like they have more security in the airport or spending other things on homeland defense. It isn't free, and to some extent as the threat models continue to emerge in new ways, then we are all going to collectively have to spend more, both in the development and maintenance of these machines if we're going to be secure."
"This cycle has no end. Just like in the physical world crime hasn't been eliminated, despite lots of efforts, crime won't be eliminated here. There's a lot of focus on whether these are flaws in systems but to some extent we also have to realize that we are not in a state of equilibrium relative to the normal functioning of a stable society relative to cyberspace."
OK, so what's he saying here? One key phrase is: "We have decided that we will begrudgingly forsake certain app compatibility things when, in fact, they don't allow us to have a default configuration that opts for more security."
Microsoft is making the first move: it was recently reported that Microsoft Office 11 would not be made available on the Windows 9x, Me and NT 4.0 platforms, citing their lack of security.
The UK-based The Register, known for its unbiased (sic!) reporting on Microsoft, alleges that Mundie's speech suggests we should all start buying Windows XP.
I'm not reading the article that way, but what I am reading is just the simple fact that Windows 9x (I mean Windows 95/98/Me) will never be as secure as Windows 2000 / XP are today.
The largest security problem facing us today is with systems connected to the Internet. We have seen a number of viruses and worms inflict massive damage on systems and networks in the past. I'm sure you all remember the Melissa, Badtrans or the more recent Klez.H worms/viruses. These were able to spread so rapidly, for the most part, because of unprotected systems accessing the Internet (yes, uneducated users also played a part, as did several other factors).
There is a lot that Windows 9x users can do today to protect themselves, but the problem is that the user has to do it, and like it or not, the majority of users accessing the Internet today don't even have a clue about the need to install the latest updates for their OS. So we can forget about getting them to install a firewall or anti-virus software.
For the home user, all the security needed has to be built in and enabled by default, something that's just going to require the latest OS. Just a few years ago, hardly anybody gave any thought to putting a firewall on a home PC, let alone building one into the OS. Any new version of anything had to have the latest and greatest features, which led to the sad and insecure software we've seen come out (Outlook, Outlook Express and Office all have/had their share of security flaws).
Do I think Microsoft needs to do a better job? Yes I do! But I'm willing to cut them some slack, and I will not complain when they "declare" Windows 9x "not fit". There's only so much you can do with patches & upgrades... it's time to move forward on new technology. The old systems will continue to work, but some things will just no longer be available for them.