-
January 25th, 2003, 04:04 AM
#1
Bill Gates sent out 1 million e-mails...
Guys,
Bill Gates sent out 1 million e-mails with pledge for better software security. For the ones of you that want to read it, here's his complete e-mail, titled "Security in a Connected World".
Source here
----------
From: Bill Gates BillGates@chairman.microsoft.com
Sent: Thursday, January 23, 2003 10:22 PM
To: Hamster, D Runken
Subject: Security in a Connected World
Jan. 23, 2003
As we increasingly rely on the Internet to communicate and conduct
business, a secure computing platform has never been more important. Along
with the vast benefits of increased connectivity, new security risks
have emerged on a scale that few in our industry fully anticipated.
As everyone who uses a computer knows, the confidentiality, integrity
and availability of data and systems can be compromised in many ways,
from hacker attacks to Internet-based worms. These security breaches
carry significant costs. Although many companies do not detect or report
attacks, the most recent computer crime and security survey performed by
the Computer Security Institute and the Federal Bureau of Investigation
totaled more than $455 million in quantified financial losses in the
United States alone in 2001. Of those surveyed, 74 percent cited their
Internet connection as a key point of attack.
As a leader in the computing industry, Microsoft has a responsibility
to help its customers address these concerns, so they no longer have to
choose between security and usability. This is a long-term effort. As
attacks on computer networks become more sophisticated, we must innovate
in many areas - such as digital rights management, public key
cryptology, multi-site authentication, and enhanced network and PC protection -
to enable people to manage their information securely.
A year ago, I challenged Microsoft's 50,000 employees to build a
Trustworthy Computing environment for customers so that computing is as
reliable as the electricity that powers our homes and businesses today. To
meet Microsoft's goal of creating products that combine the best of
innovation and predictability, we are focusing on four specific areas:
security, privacy, reliability and business integrity. Over the past year,
we have made significant progress on all these fronts. In particular,
I'd like to report on the advances we've made and the challenges we
still face in the security area. As a subscriber to Executive Emails from
Microsoft, I hope you will find this information helpful.
In order to realize the full potential of computers to advance
e-commerce, enable new kinds of communication and enhance productivity,
security will need to improve dramatically. Based on discussions with
customers and our own internal reviews, it was clear that we needed to create a
framework that would support the kind of innovation, state-of-the-art
processes and cultural shifts necessary to make a fundamental advance in
the security of our software products. In the past year we have created
new product-design methodologies, coding practices, test procedures,
security-incident handling and product-support processes that meet the
objectives of this security framework:
SECURE BY DESIGN: In early 2002 we took the unprecedented step of
stopping the development work of 8,500 Windows engineers while the company
conducted 10 weeks of intensive security training and analyzed the
Windows code base. Although engineers receive formal academic training on
developing security features, there is very little training available on
how to write secure code. Every Windows engineer, plus several thousand
engineers in other parts of the company, was given special training
covering secure programming, testing techniques and threat modeling. The
threat modeling process, rare in the software world, taught program
managers, architects and testers to think like attackers. And indeed, fully
one-half of all bugs identified during the Windows security push were
found during threat analysis.
We have also made important breakthroughs in minimizing the amount of
security-related code in products that is vulnerable to attack, and in
our ability to test large pieces of code more efficiently. Because
testing is both time-consuming and costly, it's important that defects are
detected as early as possible in the development cycle. To optimize
which tests are run at what points in the design cycle, Microsoft has
developed a system that prioritizes the application's given set of tests,
based on what changes have been made to the program. The system is able
to operate on large programs built from millions of lines of source
code, and produce results within a few minutes, when previously it took
hours or days.
The scope of our security reviews represents an unprecedented level of
effort for software manufacturers, and it's begun to pay off as
vulnerabilities are eliminated through offerings like Windows XP Service Pack
1. We also put Visual Studio .NET through an incredibly vigorous design
review, threat modeling and security push, and in the coming months we
will be releasing other major products that have gone through our
Trustworthy Computing security review cycle: Windows Server 2003, the next
versions of SQL and Exchange Servers, and Office 11.
Looking ahead, we are working on a new hardware/software architecture
for the Windows PC platform (initially codenamed "Palladium"), which
will significantly enhance the integrity, privacy and data security of
computer systems by eliminating many "weak links." For example, today
anyone can look into a graphics card's memory, which is obviously not good
if the memory contains a user's banking transactions or other sensitive
information. Part of the focus of this initiative is to provide
"curtained" memory - pages of memory that are walled off from other
applications and even the operating system to prevent surreptitious observation -
as well as the ability to provide security along the path from keyboard
to monitor. This technology will also attest to the reliability of
data, and provide sealed storage, so valuable information can only be
accessed by trusted software components.
SECURE BY DEFAULT: In the past, a product feature was typically enabled
by default if there was any possibility that a customer might want to
use it. Today, we are closely examining when to pre-configure products
as "locked down," meaning that the most secure options are the default
settings. For example, in the forthcoming Windows Server 2003, services
such as Content Indexing Service, Messenger and NetDDE will be turned
off by default. In Office XP, macros are turned off by default. VBScript
is turned off by default in Office XP SP1. And Internet Explorer frame
display is disabled in the "restricted sites" zone, which reduces the
opportunity for the frames mechanism in HTML email to be used as an
attack vector.
SECURE IN DEPLOYMENT: To help customers deploy and maintain our
products securely, we have updated and significantly expanded our security
tools in the past year. Consumers and small businesses can stay up to date
on security patches by using the automatic update feature of Windows
Update. Last year, we introduced Software Update Services (SUS) and the
Systems Management Server 2.0 SUS Feature Pack to improve patch
management for larger enterprises. We released Microsoft Baseline Security
Analyzer, which scans for missing security updates, analyzes configurations
for poor or weak security settings, and advises users how to fix the
issues found. We have also introduced prescriptive documents for Windows
2000 and Exchange to help ensure that customers can configure and
deploy these products more securely. In addition, we are working with a
number of major customers to implement smart cards as a way of minimizing
the weak link associated with passwords. Microsoft itself now requires
smart cards for remote access by employees, and over time we expect that
most businesses will go to smart card ID systems.
COMMUNICATIONS: To keep customers better informed about security
issues, we made several important changes over the past year. Feedback from
customers indicated that our security bulletins, though useful to IT
professionals, were too detailed for the typical consumer. Customers also
told us they wanted more differentiation on security fixes, so they
could quickly decide which ones to prioritize. In response, Microsoft
worked with industry professionals to develop a new security bulletin
severity rating system, and introduced consumer bulletins. We are also
developing an email notification system that will enable customers to
subscribe to the particular security bulletins they want.
WHAT'S NEXT
In the past decade, computers and networks have become an integral part
of business processes and everyday life. In the Digital Decade we're
now embarking on, billions of intelligent devices will be connected to
the Internet. This fundamental change will bring great opportunities as
well as new, constantly evolving security challenges.
While we've accomplished a lot in the past year, there is still more to
do - at Microsoft and across our industry. We invested more than $200
million in 2002 improving Windows security, and significantly more on
our security work with other products. In the coming year, we will
continue to work with customers, government officials and industry partners
to deliver more secure products, and to share our findings and knowledge
about security. In the meantime, there are three things customers can
do to help: 1) stay up to date on patches, 2) use anti-virus software
and keep it up to date with the latest signatures, and 3) use firewalls.
There's much more I'd like to share with you about our security
initiatives. If you would like to dig deeper, information and links are
available at http://www.microsoft.com/mscorp/exec...3security2.asp
to help you make your computer systems more secure.
Bill Gates
----------
Bye.
DKRR
-
January 25th, 2003, 05:28 AM
#2
Good info, D_R_
A very reasonable info-mail, obviously to existing customers and in-house contact lists, more companies might profitably make use of the tactic. A word from the CEO about company views and plans is always of interest to the clients of that product. Like, when Adobe PDF files got hacked (the Russian thing) a lot of people wrote to Adobe asking if there was going to be a fix. After all, authors and other people who produce technical papers that should not be changed need to know. As far as i can tell, nobody got an answer from Adobe. At least, this cat didn't, and neither did a dozen others i've talked with.
Good to know MS is making a concerted effort to tighten up the products. The bad news is, it looks like they are going on to another level of OS rather than reinvent the present ones. Just when we've changed everything to W2000Pro and server, except for one RH server...... OhWell, you give the customer what they want.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|