Archive for the ‘Security’ Category

Microsoft Security - Six Years Later

Monday, June 30th, 2008

On January 15, 2002, Bill Gates sent an email to every full-time employee at Microsoft in which he described the company’s new strategy emphasizing security in its products. In the email Gates referred to the new philosophy as “Trustworthy Computing” and called it the “highest priority”.

The Computerworld posting Microsoft Can’t Claim Victory in Security Battle picks up the story.

As Gates officially retires from his job at Microsoft, he leaves behind a company that by most accounts is doing better on security. But fully convincing users of that is an elusive goal. And increasing competition from Web 2.0 and software-as-a-service (SaaS) vendors is posing new challenges for the security development model implemented after Gates wrote his memo.

There is general agreement that bugs are inevitable and that Microsoft’s massive user base makes it a big target for attackers. But the steady drumbeat of patch releases has tarnished the company’s efforts to improve its security standing, …

The original blog posting “Trustworthy Computing” - Yea, Right, Sure was posted soon after the “Trustworthy Computing” memo hit the Web. It has been updated since.

Yea, right, sure, Bill. Sending Microsoft coders off to security and reliability coding school is going to make things all better real soon. If you believe that, I have a bridge to sell you. Anyone sent off to training comes back knowing some new buzzwords and maybe even understanding a couple of new concepts.

I applaud the effort, but it takes a very long time to break old coding habits and internalize new ones, no matter what the punishments and rewards are. No one comes back cleansed of old habits. I’m reminded of the limerick that you can train a dog but you can’t make it think.

I think the problem facing Microsoft is systemic. In my opinion, poorly designed code and poor coding practices may be at the heart of the Microsoft security and stability epidemic. Detecting and eradicating them may be impossible.

If it could be done, the effort may cost many times that of developing and testing the product line in the first place. Automated tools will help pick off the very low hanging fruit, but won’t get anywhere near the really nasty problems that seem to exist throughout Microsoft’s product line.

Bill Gates seems to have made choices about security and reliability early on. There’s no practical way to rectify them now, except maybe by starting from scratch.

Even starting over with Vista won’t fix the problem. The real culprit may be Microsoft’s corporate culture created by Bill Gates. Getting a culture’s head straight is a very difficult, if not an impossible task.

In my opinion, the fundamental problem facing Microsoft isn’t a technology one but a human one. I don’t think any amount of training or engineering will fix it.

Besides corporate culture, I don’t think starting over is a likely option for Microsoft, as I discussed in the Obese Windows blog posting.

Microsoft security issues are getting better. I don’t foresee them improving to the state of common contemporary operating systems such as Mac OS X, Linux, Solaris, HP-UX, AIX, FreeBSD, OpenBSD, etc…

I also don’t expect to see the company culture change radically. Bill Gates may have left the building, but he is still Chairman of the Board and the company’s largest shareholder.

…John

US Malware Infections

Monday, June 2nd, 2008

The Organisation for Economic Co-operation and Development (OECD) report Malicious Software (malware): a Security Threat to the Internet Economy (PDF file) says malware infects more than 25 per cent of US computers.

Malware is a general term for a piece of software inserted into an information system to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners.

Malware can gain remote access to an information system, record and send data from that system to a third party without the user’s permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect the data and system integrity.

Different types of malware are commonly described as viruses, worms, trojan horses, backdoors, keystroke loggers, rootkits or spyware. These terms correspond to the functionality and behaviour of the malware (e.g. a virus is self propagating, a worm is self replicating).

Experts usually group malware into two categories: family and variant. “Family” refers to the distinct or original piece of malware; “variant” refers to a different version of the original malicious code, or family, with minor changes.

Reading the report is a relatively quick way to get up to speed on the realities of malware and botnets.

[Three graphics from the OECD report]

(Credit for Graphics: Organisation for Economic Co-operation and Development)

Read the report for all the details.

…John

Big Boss is Watching

Thursday, May 22nd, 2008

Proofpoint’s 2008 report on its outbound e-mail survey is summed up in the Help Net Security posting U.S. corporations massively read employee e-mail.

Some of the findings are:

40% of companies surveyed investigated an e-mail-based violation of privacy or data protection regulations in the past 12 months.

26% of companies surveyed terminated an employee for violating e-mail policies in the last 12 months.

23% of U.S. companies surveyed said their business was impacted by the exposure of sensitive or embarrassing information in the last 12 months.

34% of the largest companies (20,000 employees or more) reported that employee e-mail was subpoenaed in the last 12 months.

Some of the other risks are:

27% of companies surveyed had investigated the exposure of confidential, sensitive or private information from lost or stolen mobile devices in the past 12 months.

11% of U.S. companies surveyed disciplined employees for improper use of blogs/message boards in the past 12 months.

13% of surveyed companies disciplined employees for social network violations and 14% for improper use of media sharing sites in the past 12 months.

14% of publicly traded companies surveyed had investigated the exposure of material financial information (such as unannounced financial results) on blogs or message board postings in the last 12 months.

So, be aware the Big Boss is watching.

…John

Antivirus is a Waste

Thursday, May 22nd, 2008

The ZDNet Australia posting Antivirus is ‘completely wasted money’: Cisco CSO says:

Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don’t work, according to Cisco’s chief security officer John Stewart.

“If patching and antivirus is where I spend my money, and I’m still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user’s data and I still have to reinstall it, the entire cost equation of that is a waste.

“It’s completely wasted money,” Stewart told delegates.

He said infections have become so common that most companies have learned to live with them.

“There are too many companies in the world that actually believe infection is just a cost of doing business and are getting used to doing it — as opposed to stopping it completely. That’s dangerous,” he said.

I have worked with companies that also believe infection is just a cost of doing business. My experience is that it takes some pain, like a security breach, to get their attention.

Mr. Stewart thinks a better way of dealing with the unknown is using whitelists.

Of course, some antivirus vendors such as McAfee and CA don’t agree with Mr. Stewart’s views. After all, he is questioning their business models.

…John

Gartner de-dis iPhone

Thursday, March 20th, 2008

The Gartner, Inc. posting Gartner Changes Its Enterprise iPhone Recommendation; It’s Ready for Business reverses its initial dis of the iPhone over security issues.

[iPhone image]

(Credit: Apple)

“In its initial release, the iPhone was, with few exceptions, an Internet tablet with browser-based applications as its main offering, however, the release of firmware 2.0 changes that, enabling enterprises to develop local code and create applications that do not depend on network capabilities,” Gartner analyst Ken Dulaney said in a statement. “The iPhone will thus match up initially in several segments against its main smartphone competitors — BlackBerry, Windows Mobile, and Symbian Series 60.”

“By licensing Exchange ActiveSync and exposing its basic security policies, enterprises can provide sufficient security for iPhone during Exchange personal information manager (PIM) and e-mail use,” Mr. Dulaney said. “This will open up a huge market for the iPhone, which previously had been stymied by a lack of basic business security and application functionality. However, Apple must widen distribution and of course deliver what they have promised.”

Managing such a disruptive technology as the iPhone will be challenging for IT.

…John
