
Thread: Bill Gates sent out 1 million e-mails...

  1. #1
    Senior Member
    Join Date
    Nov 2002

    Bill Gates sent out 1 million e-mails...


    Bill Gates sent out 1 million e-mails with a pledge for better software security. For those of you who want to read it, here's his complete e-mail, titled "Security in a Connected World".

    Source here


    From: Bill Gates BillGates@chairman.microsoft.com
    Sent: Thursday, January 23, 2003 10:22 PM
    To: Hamster, D Runken
    Subject: Security in a Connected World

    Jan. 23, 2003

    As we increasingly rely on the Internet to communicate and conduct
    business, a secure computing platform has never been more important. Along
    with the vast benefits of increased connectivity, new security risks
    have emerged on a scale that few in our industry fully anticipated.

    As everyone who uses a computer knows, the confidentiality, integrity
    and availability of data and systems can be compromised in many ways,
    from hacker attacks to Internet-based worms. These security breaches
    carry significant costs. Although many companies do not detect or report
    attacks, the most recent computer crime and security survey performed by
    the Computer Security Institute and the Federal Bureau of Investigation
    totaled more than $455 million in quantified financial losses in the
    United States alone in 2001. Of those surveyed, 74 percent cited their
    Internet connection as a key point of attack.

    As a leader in the computing industry, Microsoft has a responsibility
    to help its customers address these concerns, so they no longer have to
    choose between security and usability. This is a long-term effort. As
    attacks on computer networks become more sophisticated, we must innovate
    in many areas - such as digital rights management, public key
    cryptology, multi-site authentication, and enhanced network and PC protection -
    to enable people to manage their information securely.

    A year ago, I challenged Microsoft's 50,000 employees to build a
    Trustworthy Computing environment for customers so that computing is as
    reliable as the electricity that powers our homes and businesses today. To
    meet Microsoft's goal of creating products that combine the best of
    innovation and predictability, we are focusing on four specific areas:
    security, privacy, reliability and business integrity. Over the past year,
    we have made significant progress on all these fronts. In particular,
    I'd like to report on the advances we've made and the challenges we
    still face in the security area. As a subscriber to Executive Emails from
    Microsoft, I hope you will find this information helpful.

    In order to realize the full potential of computers to advance
    e-commerce, enable new kinds of communication and enhance productivity,
    security will need to improve dramatically. Based on discussions with
    customers and our own internal reviews, it was clear that we needed to create a
    framework that would support the kind of innovation, state-of-the-art
    processes and cultural shifts necessary to make a fundamental advance in
    the security of our software products. In the past year we have created
    new product-design methodologies, coding practices, test procedures,
    security-incident handling and product-support processes that meet the
    objectives of this security framework:

    SECURE BY DESIGN: In early 2002 we took the unprecedented step of
    stopping the development work of 8,500 Windows engineers while the company
    conducted 10 weeks of intensive security training and analyzed the
    Windows code base. Although engineers receive formal academic training on
    developing security features, there is very little training available on
    how to write secure code. Every Windows engineer, plus several thousand
    engineers in other parts of the company, was given special training
    covering secure programming, testing techniques and threat modeling. The
    threat modeling process, rare in the software world, taught program
    managers, architects and testers to think like attackers. And indeed, fully
    one-half of all bugs identified during the Windows security push were
    found during threat analysis.

    We have also made important breakthroughs in minimizing the amount of
    security-related code in products that is vulnerable to attack, and in
    our ability to test large pieces of code more efficiently. Because
    testing is both time-consuming and costly, it's important that defects are
    detected as early as possible in the development cycle. To optimize
    which tests are run at what points in the design cycle, Microsoft has
    developed a system that prioritizes the application's given set of tests,
    based on what changes have been made to the program. The system is able
    to operate on large programs built from millions of lines of source
    code, and produce results within a few minutes, when previously it took
    hours or days.

    The scope of our security reviews represents an unprecedented level of
    effort for software manufacturers, and it's begun to pay off as
    vulnerabilities are eliminated through offerings like Windows XP Service Pack
    1. We also put Visual Studio .NET through an incredibly vigorous design
    review, threat modeling and security push, and in the coming months we
    will be releasing other major products that have gone through our
    Trustworthy Computing security review cycle: Windows Server 2003, the next
    versions of SQL and Exchange Servers, and Office 11.

    Looking ahead, we are working on a new hardware/software architecture
    for the Windows PC platform (initially codenamed "Palladium"), which
    will significantly enhance the integrity, privacy and data security of
    computer systems by eliminating many "weak links." For example, today
    anyone can look into a graphics card's memory, which is obviously not good
    if the memory contains a user's banking transactions or other sensitive
    information. Part of the focus of this initiative is to provide
    "curtained" memory - pages of memory that are walled off from other
    applications and even the operating system to prevent surreptitious observation -
    as well as the ability to provide security along the path from keyboard
    to monitor. This technology will also attest to the reliability of
    data, and provide sealed storage, so valuable information can only be
    accessed by trusted software components.

    SECURE BY DEFAULT: In the past, a product feature was typically enabled
    by default if there was any possibility that a customer might want to
    use it. Today, we are closely examining when to pre-configure products
    as "locked down," meaning that the most secure options are the default
    settings. For example, in the forthcoming Windows Server 2003, services
    such as Content Indexing Service, Messenger and NetDDE will be turned
    off by default. In Office XP, macros are turned off by default. VBScript
    is turned off by default in Office XP SP1. And Internet Explorer frame
    display is disabled in the "restricted sites" zone, which reduces the
    opportunity for the frames mechanism in HTML email to be used as an
    attack vector.

    SECURE IN DEPLOYMENT: To help customers deploy and maintain our
    products securely, we have updated and significantly expanded our security
    tools in the past year. Consumers and small businesses can stay up to date
    on security patches by using the automatic update feature of Windows
    Update. Last year, we introduced Software Update Services (SUS) and the
    Systems Management Server 2.0 SUS Feature Pack to improve patch
    management for larger enterprises. We released Microsoft Baseline Security
    Analyzer, which scans for missing security updates, analyzes configurations
    for poor or weak security settings, and advises users how to fix the
    issues found. We have also introduced prescriptive documents for Windows
    2000 and Exchange to help ensure that customers can configure and
    deploy these products more securely. In addition, we are working with a
    number of major customers to implement smart cards as a way of minimizing
    the weak link associated with passwords. Microsoft itself now requires
    smart cards for remote access by employees, and over time we expect that
    most businesses will go to smart card ID systems.

    COMMUNICATIONS: To keep customers better informed about security
    issues, we made several important changes over the past year. Feedback from
    customers indicated that our security bulletins, though useful to IT
    professionals, were too detailed for the typical consumer. Customers also
    told us they wanted more differentiation on security fixes, so they
    could quickly decide which ones to prioritize. In response, Microsoft
    worked with industry professionals to develop a new security bulletin
    severity rating system, and introduced consumer bulletins. We are also
    developing an email notification system that will enable customers to
    subscribe to the particular security bulletins they want.


    In the past decade, computers and networks have become an integral part
    of business processes and everyday life. In the Digital Decade we're
    now embarking on, billions of intelligent devices will be connected to
    the Internet. This fundamental change will bring great opportunities as
    well as new, constantly evolving security challenges.

    While we've accomplished a lot in the past year, there is still more to
    do - at Microsoft and across our industry. We invested more than $200
    million in 2002 improving Windows security, and significantly more on
    our security work with other products. In the coming year, we will
    continue to work with customers, government officials and industry partners
    to deliver more secure products, and to share our findings and knowledge
    about security. In the meantime, there are three things customers can
    do to help: 1) stay up to date on patches, 2) use anti-virus software
    and keep it up to date with the latest signatures, and 3) use firewalls.

    There's much more I'd like to share with you about our security
    initiatives. If you would like to dig deeper, information and links are
    available at http://www.microsoft.com/mscorp/exec...3security2.asp
    to help you make your computer systems more secure.

    Bill Gates

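    The e-mail above describes a change-driven test prioritization system only in outline (rank an application's tests by the program changes they exercise so the relevant ones run in minutes instead of hours). The following is an added example, not Microsoft's system or any code from the original post: a toy implementation over a constructed call graph, function-to-file map and test coverage map, with a reachability walk so that tests hitting changed code indirectly are also selected. All file, function and test names are made up for illustration. It also reports changed files that no test reaches, which is the caveat a reviewer would want: coverage-based selection can only pick tests that already exist.

```python
"""Change-based test prioritization (added example; constructed data).

Idea from the e-mail: given the set of source files changed in a commit,
rank the test suite so tests that exercise changed code run first and
tests that cannot be affected are skipped. Also report changed files that
no test reaches, because selection cannot find coverage that was never
written.
"""
from collections import deque

# Constructed sample data: function -> functions it calls.
CALL_GRAPH = {
    "parse_header": ["validate_length"],
    "validate_length": [],
    "render_page": ["parse_header", "draw"],
    "draw": [],
    "login": ["check_password"],
    "check_password": [],
}

# Constructed sample data: function -> source file that defines it.
FILE_OF = {
    "parse_header": "net/parse.c",
    "validate_length": "net/parse.c",
    "render_page": "ui/render.c",
    "draw": "gfx/draw.c",
    "login": "auth/login.c",
    "check_password": "auth/passwd.c",
}

# Constructed sample data: test -> entry functions it calls directly.
TEST_COVERAGE = {
    "test_parse_short_header": ["parse_header"],
    "test_render_basic": ["render_page"],
    "test_login_ok": ["login"],
    "test_draw_only": ["draw"],
}


def reachable_files(entry, call_graph=CALL_GRAPH, file_of=FILE_OF):
    """Source files transitively reachable from `entry` via the call graph."""
    seen, queue, files = set(), deque([entry]), set()
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        files.add(file_of[fn])
        queue.extend(call_graph.get(fn, []))
    return files


def prioritize_tests(changed_files, test_coverage=TEST_COVERAGE,
                     call_graph=CALL_GRAPH, file_of=FILE_OF):
    """Return [(test, [changed files it reaches])], most-affected first.

    Tests that reach none of the changed files are dropped entirely;
    ties are broken by test name so the order is deterministic.
    """
    changed = set(changed_files)
    scored = []
    for test, entries in test_coverage.items():
        touched = set()
        for entry in entries:
            touched |= reachable_files(entry, call_graph, file_of)
        hits = touched & changed
        if hits:
            scored.append((len(hits), test, sorted(hits)))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(test, hits) for _, test, hits in scored]


def uncovered_changes(changed_files, test_coverage=TEST_COVERAGE,
                      call_graph=CALL_GRAPH, file_of=FILE_OF):
    """Changed files that no test in the suite reaches, sorted.

    A change here gets zero tests from prioritization; it needs a new test
    or a manual review rather than a faster run of the existing suite.
    """
    covered = set()
    for entries in test_coverage.values():
        for entry in entries:
            covered |= reachable_files(entry, call_graph, file_of)
    return sorted(set(changed_files) - covered)


if __name__ == "__main__":
    commit = ["net/parse.c", "gfx/draw.c", "crypto/rng.c"]  # constructed change set
    for test, hits in prioritize_tests(commit):
        print(f"run {test}  (touches {', '.join(hits)})")
    for path in uncovered_changes(commit):
        print(f"WARNING: no test reaches changed file {path}")
```

The ordering rule is deliberately simple (count of changed files reached); a production system would weight by historical failure rate or test runtime, but the reachability step is what makes the selection safe: test_render_basic is pulled in for a change to net/parse.c even though it never calls parse_header directly.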



  2. #2
    The Old Man, Senior Member
    Join Date
    Aug 2001
    Good info, D_R_
    A very reasonable info-mail, obviously to existing customers and in-house contact lists; more companies might profitably make use of the tactic. A word from the CEO about company views and plans is always of interest to the clients of that product. Like, when Adobe PDF files got hacked (the Russian thing) a lot of people wrote to Adobe asking if there was going to be a fix. After all, authors and other people who produce technical papers that should not be changed need to know. As far as I can tell, nobody got an answer from Adobe. At least, this cat didn't, and neither did a dozen others I've talked with.
    Good to know MS is making a concerted effort to tighten up the products. The bad news is, it looks like they are going on to another level of OS rather than reinvent the present ones. Just when we've changed everything to W2000Pro and server, except for one RH server... Oh well, you give the customer what they want.
