Old timers might liken the encounter to Janet Jackson featuring the Mormon Tabernacle Choir in her next music video. The more strident "Friends of Linus" crowd might draw parallels to Lucifer gaining entry into the gates of Heaven. The event was the 2004 RSA Conference in San Francisco, the largest information security event in the world. The occasion was the opening day. The keynote speaker, none other than the venerable William H. Gates Jr., chairman of the board for Microsoft and possibly the most polarizing figure in the world outside of politics (some might say I don't need that disclaimer).
However, we do need Bill Gates to be at RSA. For even though Microsoft has been part of the problem, they also need to be part of the solution. How did we arrive at this crossroad? A crossroad is an intersection of multiple paths, so your perspective is bound by the path you took to get here. It is a fact that we cannot lay the problems of desktop insecurity at the doorstep of Microsoft alone, the consumers and IT professionals have made conflicting demands for never ending technology features without wanting any economic consequences, which has created an insecure house of cards. I would like to digress for a bit though, and focus on another key reason for why we are here - Microsoft's internal Battle of the Operating Systems.
The biggest and most fateful operating system battle that has shaped the state of insecurity has not been between Microsoft vs Linux, Microsoft vs Unix or even Microsoft vs Apple. It was the brief battle between Microsoft and IBM, which evolved into Microsoft vs Microsoft.
Once upon a time, Microsoft and IBM collaborated on operating systems. MS-DOS had a near identical twin called PC-DOS, which ran on IBM PCs specifically. IBM and Microsoft had a shared vision, that as PCs evolved from the single tasking toys of the mid 80s to more powerful machines of the future, that a new operating system would need to run on these systems to manage these "mainframes on a desktop". It was Bill Gates himself who said that OS/2 was the operating system of the future (whether he believed that or not, probably only Steve Ballmer knows). Going from the world of DOS to the world of OS/2 was not going to be an easy task: these operating systems were incompatible and it was a huge task to get the incumbent applications and installed base of DOS users migrated to the new operating system. Thus, the genius (?) of Windows was born. Not an operating system, but a graphical user interface for DOS, this transitional shell was born to make DOS more user friendly and to extend its life as well as the life of the puny hardware it ran on. As a young MIS Manager fresh out of college during those days, Windows was positioned by the experts (including those at Microsoft) as more or less a temporary solution to bridge the gap between the DOS of today to the robust, graphical OS/2, which was built to reside on the manly 4MB machines of the future. Sometimes the temporary things in life are more permanent than we think, I still have some ties from the same era.
Whether you believe there was a conspiracy within Microsoft, or Bill just succumbed to the incremental short term thinking of the consumers, that transition to OS/2 never occurred, and a permanent schism between IBM and Microsoft opened up over desktop operating systems. Windows continued to grow, eventually becoming an operating system itself. To me, this is where the battle of the operating systems became interesting, and where our collective security fates were sealed. Within Microsoft arose an even greater schism that has created many lasting security problems. The developers of Windows NT, which essentially was a "forked" version of OS/2, were creating an operating system that was incompatible with the much better selling DOS/Windows 3.X combination. One company making two incompatible operating systems that run on the same hardware platform is a recipe for trouble. The NT and 9X groups never got along, they fought about everything. Many people within the NT group knew that in order to provide a more robust operating system that provided greater data security and integrity, a decisive break with the past must occur. A break with the past meant a lot of incompatibilities, but the thinking was that you cannot have your cake and eat it too. This group within Microsoft lost, Windows 3.X and then 9X were much bigger sellers, and the market clout of the 9X group was far superior, forcing the NT group to follow the 9X group's lead when it came to building in compatibility to NT. These compromises to compatibility - making Windows compatible with DOS and NT compatible with Windows - created weak security baselines, which were very difficult and sometimes impossible to harden. Perhaps no company would have been able to react differently in the same situation, we will never know. The irony is that there were many people within Microsoft who understood the problem and felt they could make a break with the past without suffering a backlash from the market. Finally with Windows XP we have converged these operating systems into a consistent underlying kernel, but the extra ten years it took to get here has saddled the operating system with a lot of components that still need to be hardened.
Microsoft's fateful decisions in the 80's and 90's greatly contributed to the insecurity of today. Fast forward to now and security is on Microsoft's radar. How was Bill's presentation? In my opinion, the very positive aspect of the presentation was the fact that it was inwardly focused. Security is Microsoft's problem, and Microsoft must provide the solution. Many of the concepts for future products were also very sound, if fuzzy in terms of timeframes. The less impressive parts of the presentation were when Bill sounded more like a Windows product manager and less like a visionary CEO. The substance of the 2004 security deliverables were Service Packs for XP and Windows 2003, as well Systems Update Service (SUS) 2.0. The service packs add something new called the Security Center: a firewall is enabled by default, the presence of a virus scanner is monitored and system updates are managed. Nice stuff, although the firewall is not best of breed, but not earth shattering developments.
Some of the topics Mr Gates presented on were more interesting than this (see Trends to Ponder for my thoughts on virtual email postage). I particularly enjoyed listening to the active host protection concept. Active host protection is a behavioral blocking layer for the operating system, essentially a host-based intrusion prevention system much like the Cisco Security Agent. When a program is encountered that wants to modify system files, send messages to entire address books or otherwise cause trouble, active host protection recognizes this bad behavior and blocks it proactively. Where it goes further is in the integration with other key operating system components. For example, when it detects a missing patch that is required for a serious vulnerability (e.g. an ActiveX vulnerability), it dynamically adjusts the desktop firewall to compensate (e.g. ActiveX scripts are disabled), until the patch can be tested and deployed. I want this feature now! Unfortunately, no timetable was given for active host protection, 2006 is my guess.
Another positive well worth citing is the effort to improve the quality of software engineering. Improving Microsoft's own development was a key part of Trustworthy Computing, and Microsoft is making efforts to release the tools they use internally in the next version of Microsoft Visual Studio, code named Whidbey. The development environment includes tools for source code analysis and scanning for likely defects such as buffer overflows and memory leaks (PREfix and PREfast). It also includes a tool for .NET auditing (FxCop), capabilities to run the code as a normal user, a secure C library and several other features. While there are likely better 3rd party tools for secure development, Microsoft has the opportunity to make secure development tools a standard and legitimize this market. Bill did try to pat himself on the back with a metric for progress in secure software development: The Critical Bulletin Index. Windows 2000 Server had 38 critical bulletins in the first 300 days, while Windows 2003 Server had only 9. This may be a dubious metric (did they each have the same level of adoption in the first 300 days?), but clearly Microsoft is catching more of the obvious programming problems and is turning off more insecure default settings.
Bill said plainly that security is the biggest topic within their $6B annual research and development budget, and I believe him. Security is a matter of focus, and Microsoft clearly has that now. As I have said many times, growing information security products is not the end game for Bill, it is preserving the dominance of Microsoft operating systems, and extending control into the future growth areas of computing. Controlling web services, Internet transactions, digital rights management and other forms of content delivery are what drives Bill, and gaining your trust is the means to that end.
It was a fine product manager-type presentation from Bill, but what we needed more of was concrete answers on when we get the really interesting security solutions.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.