he got it right except for the last line ... VMS doesn't have these
Lead Windows developer bugged by security
By Matt Berger
September 5, 2002 1:46 pm PT
SEATTLE -- Brian Valentine says he's not proud.
The senior vice president in charge of Microsoft's Windows development
team has reason not to be. One of his most notable works, the Windows
2000 operating system, has a security record that is nothing to boast
about. In fact, it's downright dismal, many experts say.
Security bulletins warning of holes and vulnerabilities in Microsoft
operating systems are a regular occurrence. Late Wednesday, the
company released a bulletin warning of a flaw in its digital
certificate technology that could allow attackers to steal a user's
credit card information. It is the second security bulletin to be
issued this month.
In August, Microsoft warned, in one of eight security bulletins issued
that month, that many of its customers have experienced "an increased
amount of hacking" in their various Windows systems. The Redmond,
Wash., company has yet to identify the root of the problem, only
saying that it has noticed some major similarities between the string
of hack attacks.
"As of August 2002, the PSS [Product Support Services] Security Team
has not been able to determine the technique that is being used to
gain access to the computer," the company wrote in its security
bulletin posted on August 30.
In short, Microsoft is stumped.
It is a case in point of the problems that the company is currently
facing as it struggles to release more secure code around its new
generation of .Net software and win redemption from customers who have
been burned by buggy products. Its latest attempt to fight the problem
is embodied in a company-wide effort called the Trustworthy Computing
Initiative. As that effort lumbers to show results, the company is
filling in the gaps with apologies.
"I'm not proud," Valentine said, as he spoke to a crowd of developers
here at the company's Windows .Net Server developer conference. "We
really haven't done everything we could to protect our customers ...
Our products just aren't engineered for security."
The Windows 2000 operating system has been pummeled by continual
security holes, some so widespread that they have resulted in major
damage to computer systems around the world. Most notable are the Code
Red and Nimda worms, which exploit a vulnerability in the operating
Customers seem to agree that Microsoft's spotty record with security
has been a detriment to their own development of computer systems. One
Windows systems consultant here, who wished to remain anonymous, said
that security issues with Microsoft's IIS (Internet Information
Server) Web server have left a bad taste in many customers' mouths.
"Some of the customers I've worked with simply won't use IIS," the
systems consultant said. "That's bad for us. We're losing business
because of it."
Microsoft's Trustworthy Computing Initiative, which was launched with
a memo from Bill Gates, Microsoft's chairman and chief software
architect, has become the blanket program that resulted from
Microsoft's revelations. With the launch of the initiative, Microsoft
halted production on new code in all of its products and charged
employees with scanning through every line of existing code in search
"We realized that we couldn't continue with the way we were building
software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that isn't going away
anytime soon. Valentine noted here that as the company works to shore
up its products, the security dilemma will evolve with more
"It's impossible to solve the problem completely," Valentine said. "As
we solve these problems there are hackers who are going to come up
with new ones.
"There's no end to this," he said.
During Microsoft's early years, security didn't drive the way the
company built its software, said Michael Cherry, lead systems analyst
at independent research company Directions on Microsoft.
"If you go back a few years, unless you were working on login at
Microsoft, you really didn't worry about security. The risk wasn't
worth the effort," Cherry said.
One reason is that many of the early hackers who drilled into
Windows didn't disrupt business with their hack attacks, Valentine
noted. Rather, they were just out for glory. But in the past year, many
of the hacks launched against Microsoft software, most notably the
Code Red and Nimda worms, have been malicious, going after business
processes, and in many cases shutting those processes down.
"They went from glory hackers to what I call digital terrorists,"
Microsoft has also been employing new tools developed by Microsoft
Research that are designed to detect errors in code during the
development process, Valentine said.
Adam Kolawa, CEO of ParaSoft, a company that makes error-prevention
tools used by IBM, said Microsoft has long ignored the problem of
fixing code when it is being produced. "Microsoft is paying a lip
service to this problem," Kolawa said.
It is not only Microsoft that is to blame for the creation of faulty
software, said Chandra Mugunda, a software consultant with Dell
Computer in Round Rock, Texas, who attended Valentine's presentation
"It's an industry-wide problem, it's not just a Microsoft problem," he
said. "But they're the leaders, and they should take the lead to solve
Valentine, too, took the opportunity to point out the widespread bugs
that have been discovered in competing operating products such as
Linux and Unix.
"Every operating system out there is about equal in the number of
vulnerabilities reported," he said. "We all suck."