[CT] Fwd: Trustworthy Computing
Daniel Moran
continuing-time@ralf.org
Thu, 18 Jul 2002 19:40:26 -0700
Some of you probably got this already, but it seems relevant at the moment.
(It says it's the first in an "occasional series" -- any of you really
interested in this subject can subscribe; I won't post the later letters.)
Here you go:
>Reply-To: "Bill Gates"
><3_34049_159EC1AD-51C7-D011-8B1A-08002BB74F3F_US@chairman.microsoft.com>
>From: "Bill Gates" <BillGates@chairman.microsoft.com>
>To: <dkm@QueenOfAngels.com>
>Subject: Trustworthy Computing
>Date: Thu, 18 Jul 2002 18:47:51 -0700
>X-Mailer: Microsoft CDO for Windows 2000
>Thread-Index: AcIuxkf/OJnH/CCCTCScEEEahfGbsw==
>X-OriginalArrivalTime: 19 Jul 2002 01:48:43.0538 (UTC)
>FILETIME=[69EDA720:01C22EC6]
>X-RCPT-TO: <dkm@QueenOfAngels.com>
>
>I'm writing to you, as a reader of one of Microsoft's customer
>newsletters, about an issue of particular importance to those of us who
>routinely use computers in our work and personal lives - making computing
>more trustworthy. Trustworthy Computing involves a lot of things -
>reliability, security, privacy and business integrity.
>
>Before I share my thoughts about this in more detail, I want to give you
>some context on why I am sending this email. This is the first in an
>occasional series of mails that CEO Steve Ballmer and I, and periodically
>other Microsoft executives, will be sending to people who are interested
>in hearing from us about technology and public-policy issues that we
>believe are important to computer users, our industry and everyone who
>cares about the future of high technology. This is part of our commitment
>to ensuring that Microsoft is more open about communicating who we are and
>what we are doing.
>
>As I mentioned at the outset, you are receiving this email as a recipient
>of a Microsoft newsletter. If you would like to hear from me, Steve and
>periodically from other Microsoft executives in the future, please go to
>http://register.microsoft.com/subscription/subscribeMe.asp?lcid=1033&id=155.
>If you don't wish to hear from us again, you do not need to do anything.
>We will not send you another executive email unless you choose to
>subscribe at the link above.
>
>************************************************************************************************
>
>As I've talked with customers over the last year - from individual
>consumers to big enterprise customers - it's clear that everyone
>recognizes that computers play an increasingly important and useful role
>in our lives. At the same time, many of the people I talk to are concerned
>about the security of the technologies they depend on. They are concerned
>about whether their personal data is being protected. Although they know
>that computers can do amazing things, they are frustrated that their
>technology doesn't always work consistently. And they want assurances that
>the high-tech industry takes these concerns seriously and is working to
>improve their computing experience.
>
>Six months ago, I sent a call-to-action to Microsoft's 50,000 employees,
>outlining what I believe is the highest priority for the company and for
>our industry over the next decade: building a Trustworthy Computing
>environment for customers that is as reliable as the electricity that
>powers our homes and businesses today.
>
>This is an important part of the evolution of the Internet, because
>without a Trustworthy Computing ecosystem, the full promise of technology
>to help people and businesses realize their potential will not be
>fulfilled. Ironically, it is the growth of the Internet and the advent of
>massive computing systems built from loose affiliations of services,
>machines, communications networks and application software that have
>helped create the potential for increased vulnerabilities.
>
>There are already solutions that eliminate weak links such as passwords
>and fake email. At Microsoft we're combining passwords with "smart cards"
>to authenticate users. We're also working with others throughout the
>industry to improve Internet protocols to stop email that could propagate
>misleading information or malicious code that falsely appears to be from
>trusted senders. And we are making fundamental changes in the way we
>develop software, in our operational and business practices, and in our
>customer support efforts to make the computing experiences we provide more
>trustworthy.
>
>For example, we've historically made our software and services more
>compelling for users primarily by adding new features and functionality.
>While we are continuing to invest significantly in delivering new
>capabilities that customers ask for, we are now making security
>improvements an even higher priority than adding features. For example, we
>made changes to Microsoft Outlook to block email attachments associated
>with unsafe files, prevent access to a user's address book, and give
>administrators the ability to manage email security settings for their
>organization. As a result of these changes, the number of email virus
>incidents has dropped dramatically. In fact, email viruses like the recent
>"Frethem" virus propagate only to systems that have not been updated -
>underscoring the importance of updating them regularly.
>
>We are also undertaking a rigorous and exhaustive review of many Microsoft
>products to minimize other potential security vulnerabilities. Earlier
>this year, the development work of more than 8,500 Microsoft engineers was
>put on hold while we conducted an intensive security analysis of millions
>of lines of Windows source code. Every Windows engineer and several
>thousand engineers in other parts of the company were also given special
>training in writing secure software. We estimated that the stand-down
>would take 30 days. It took nearly twice that long, and cost Microsoft
>more than $100 million. We've undertaken similar code reviews and security
>training for Microsoft Office and Visual Studio .NET, and will be doing so
>for other products as well.
>
>THE TRUSTWORTHY COMPUTING FRAMEWORK
>
>Trustworthy Computing has four pillars: reliability, security, privacy and
>business integrity. "Reliability" means that a computer system is
>dependable, is available when needed, and performs as expected and at
>appropriate levels. "Security" means that a system is resilient to attack,
>and that the confidentiality, integrity and availability of both the
>system and its data are protected. "Privacy" means that individuals have
>the ability to control data about themselves and that those using such
>data faithfully adhere to fair information principles. "Business
>Integrity" is about companies in our industry being responsible to
>customers and helping them find appropriate solutions for their business
>issues, addressing problems with products or services, and being open in
>interactions with customers.
>
>Creating a Trustworthy Computing environment requires several steps:
>
>- Making software code more secure and reliable. Our developers have tools
>and methodologies that will make an order-of-magnitude improvement in
>their work from the standpoint of security and safety.
>
>- Keeping ahead of security exploits. Distributing updates using the
>Internet so that all systems are up to date. Windows Update and Software
>Update Services, discussed below, provide the infrastructure for this.
>
>- Early Recovery. In case of a problem, having the capability to restore
>and get systems back up and running in exactly the same state they were in
>before an incident, with minimal intervention.
>
>FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING
>
>There is still much work that Microsoft and others in our industry must do
>to make computing more trustworthy. Here is a summary of some of the
>progress we've made, six months after my email to Microsoft employees:
>
>- We have changed the way we design and develop software at all phases of
>the product development cycle. Our new processes should greatly minimize
>errors in software, and speed up the development process for new products
>and services.
>
>- Software Update Services (SUS) is a security management tool for
>business customers that enables IT administrators to quickly and reliably
>deploy critical updates from inside their corporate firewall to Windows
>2000-based servers and desktop computers running Windows 2000 Professional
>and Windows XP Professional.
>
>- Microsoft Baseline Security Analyzer is a new tool that customers can
>use to analyze Windows 2000 and Windows XP systems for common security
>misconfigurations, and to scan for missing security hot fixes and
>vulnerabilities on a variety of products, including newer versions of
>Internet Information Server, SQL Server and Office.
>
>- In addition to providing customers with tools and resources to help them
>maximize the security of Windows 2000 Server environments, we are
>committed to shipping Windows .NET Server 2003 as "secure by default." We
>believe it's critical to provide customers with a foundation that has been
>configured to maximize security right out of the box, while continuing to
>provide customers with a rich set of integrated features and capabilities.
>
>- The error-reporting features built into Office XP and Windows XP are
>giving us an enormous amount of feedback and a much clearer view of the
>kinds of problems customers have, and how we can raise the level of
>reliability in those products - and that of products made by other
>companies. As part of this effort, we recently created a secure Web site
>where software and hardware vendors can view error reports related to
>their drivers, utilities and applications that are reported through our
>system. This enables the vendors who work with us to identify recurring
>problems and address them far more quickly than in the past. All of our
>server software products will incorporate these error-reporting features
>in subsequent versions of the products.
>
>- With Microsoft Windows Update, we are completing the customer-feedback
>loop based on the error-reporting features mentioned above. This globally
>available Web service delivers more than 300 million downloads per month
>of the most current versions of product fixes, updates and enhancements.
>When customers connect to the site, they can choose to have their computer
>automatically evaluated to check which updates need to be applied in order
>to keep their system up-to-date, as well as identify any critical updates
>to keep their system safe and secure.
>
>- We are working on a new hardware/software architecture for the Windows
>PC platform, code-named "Palladium," which will significantly enhance
>users' system integrity, privacy and data security. This new technology,
>which will be included in a future version of Windows, will enable
>applications and application components to run in a protected memory space
>that is highly resistant to tampering and interference. This will greatly
>reduce the risk of viruses, other attacks, or attempts to acquire personal
>information or digital property with malicious or illegal intent. Our goal
>is for the Palladium development process to be a collaborative industry
>initiative.
>
>- We've incorporated what is known as P3P (Platform for Privacy
>Preferences) technology in the Internet Explorer browser technology in
>Windows XP, which enhances a user's ability to set privacy levels to suit
>his or her needs. The P3P standard enables a user's browser to compare any
>P3P-compliant Web site's privacy practices to that user's privacy
>settings, and to decide whether to accept cookies from that site.
>
>Identifying and addressing critical Trustworthy Computing issues will
>require significant collaboration across our industry. One example of the
>kind of cross-industry effort we need more of is the recent creation of
>the Web Services Interoperability (WS-I) Organization
>(http://www.ws-i.org/). Founded by IBM, Microsoft and other industry
>leaders including Intel, Oracle, SAP, Hewlett-Packard, BEA Systems and
>Accenture, WS-I's mission is to enable consistent and reliable
>interoperability of XML-based Web services across a variety of platforms,
>applications and programming languages. Among other things, WS-I will
>create a suite of test tools aimed at addressing errors and unconventional
>usage in Web services specifications implementations, which in turn will
>improve interoperability among applications and across platforms.
>
>WHAT YOU CAN DO
>
>Given the complexity of the computing ecosystem, and the dynamic nature of
>the technology industry, Trustworthy Computing really is a journey rather
>than a destination. Microsoft is fully committed to this path, but it is
>not something we can do alone. It requires the leadership of many others
>in our industry and a commitment by customers to establish and maintain a
>secure and reliable computing environment. For customers, the most
>important first step is understanding what it will take to make their
>computers and networks more reliable and safe. Below are some suggestions
>on what individuals and businesses can do to create a more Trustworthy
>Computing environment for themselves and others.
>
>- Give us feedback by using the error-reporting features built into Office
>XP and Windows XP.
>
>- Use Microsoft Windows Update (http://windowsupdate.com/) to ensure that
>you have the most up-to-date and accurate versions of product updates,
>enhancements and fixes.
>
>- Businesses customers can take advantage of Software Update Services to
>download critical updates from Windows Update.
>(http://www.microsoft.com/windows2000/windowsupdate/sus/)
>
>- Use Microsoft Baseline Security Analyzer to analyze Windows XP and
>Windows 2000 for common security misconfigurations.
>(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp)
>
>- Enterprise Systems Integrators can take advantage of the Systems
>Integrator Source Licensing Program
>(http://www.microsoft.com/licensing/sharedsource/).
>
>- Hardware, software or systems vendors can sign up for Microsoft's
>Windows Logo Program at http://www.microsoft.com/winlogo/ to ensure a
>high-quality user experience.
>
>- Find more information about computing security at
>http://www.microsoft.com/security/.
>
>- Our White Paper on Trustworthy Computing is at
>http://www.microsoft.com/PressPass/exec/craig/05-01trustworthywp.asp.
>
>- If you don't already have Internet Explorer 6.0, download it for free at
>http://www.microsoft.com/windows/ie/evaluation/overview/ to take advantage
>of its increased reliability and security and privacy features.
>
>We are doing everything we can at Microsoft to make software as
>trustworthy as possible. By building awareness, through collaborative work
>and with a long-term commitment, I am confident we can and will create a
>truly Trustworthy Computing environment.
>
>Bill Gates
>
>
>For information about Microsoft's privacy policies, please go to:
>http://www.microsoft.com/info/privacy.htm.
____________________________
continuing-time mailing list
continuing-time@ralf.org
http://www.ralf.org/mailman/listinfo/continuing-time