Fair article on the Truthworthy Computing Initiatve


Jun 27, 2000

I am just posting this article because I read it this morning and it seemed to explain a lot of why MS is doing the TCI. Of course, it doesn't say a lot about the issues that AT OTers have problems with, but still, it is a good article.

Microsoft regroups to build trust in its product and image

Company seeks to take the lead in making reliable software


By ALAN GOLDSTEIN / The Dallas Morning News

REDMOND, Wash. ? If Microsoft Corp. built automobiles, the joke goes, your car might stop in the middle of the highway for no apparent reason and you'd have to restart it.

Occasionally, when restarting didn't work, you'd have to reinstall the engine.

Now the company known for the infamous "blue screen of death," the maker of the ubiquitous and sometimes balky Windows operating system, seeks to take the lead in making software that is as secure and reliable as the networks that provide electricity, water and telephone service.

Microsoft calls its program Trustworthy Computing, and the initiative marks the most dramatic shift in how the company operates since the Internet explosion in the mid-1990s.

Microsoft officials tackled security first. Like other software makers, Microsoft has regularly added snazzy features ? from plug-and-play capabilities to network set-up utilities ? to entice customers to buy new versions of its products.

But across the industry, security hasn't been sexy enough to sell upgrades.

"There has always been an emphasis on getting the product out. 'We'll think about security later. Let's get the moneymaker out front,' " said Al Decker, executive director of security and privacy services at Electronic Data Systems Corp.

These days, Microsoft wants its developers to make fundamental changes in the balance they strike between adding capabilities to products and making the software secure. In interviews at the company's headquarters, officials said they recognize that hackers, virus writers, identity thieves and cyberterrorists all pose an increasing threat as societies grow ever more reliant on information technology to communicate and conduct business.

This spring, Microsoft released Windows Server 2003, its first major product developed under the initiative. In the past, the tendency was to ship a program with a feature turned on and let the customer turn it off, if necessary, to increase security. The new program is shipped "locked down," leaving the customer with the choice of whether to turn a feature on.

Among other changes, the company has overhauled its testing methods, relying on work from its Microsoft Research laboratories, searching regularly for potential vulnerabilities in each software module. Microsoft has also been pushing the concept of individual accountability within its software development teams.

And the company has been trying to learn more from outsiders. It solicits feedback from users and administrators on software problems and now knows that a high percentage of faults are related to relatively few specific problems. Microsoft has been scrutinizing the more than 100,000 attacks each month on its systems ? more than any network other than the federal government's ? and plans to spread the knowledge to its product developers and customers.

Software controls almost every aspect of modern life. But programs have grown unnecessarily bloated and complex, technology experts say. The kind of low quality that was acceptable for hobbyist projects can no longer cut it when software runs such critical infrastructure as the banking, transportation and utility networks.

Acknowledging the problem, businesses like Microsoft have focused their attention on security and reliability. Some have adopted new techniques, such as extreme programming, in which teams of developers work side by side at the same keyboard to minimize glitches.

Meanwhile, as more programming moves to India and elsewhere to take advantage of cheap labor, a whole new realm of software security and design issues has arisen.

A new world

Bill Gates, Microsoft's chairman and chief software architect, launched the Trustworthy Computing initiative in January 2002 with an e-mail to the company's 50,000 employees. In the offices and hallways of the company's sprawling campus in Redmond, the memo was considered Mr. Gates' most important strategy message since one he sent in December 1995, called Internet Tidal Wave.

"When he sends a strategic e-mail like that, it truly means we're supposed to think about our world differently," said Susan Koehler, chief strategist of the Trustworthy Computing program.

To show he was serious, Mr. Gates halted all work on Windows while his engineers took 10 weeks of special training. Each developer was instructed not to write a single line of code without thinking through how it could be subverted. That delay cost the company more than $100 million, and the price tag has grown since.

Microsoft officials say Trustworthy Computing tenets are now embedded in everything the company makes.

Industry experts say they like what they've seen in the past year and a half.

"They've made a lot of improvements in their processes," said Jim Hurley, an analyst who covers security and privacy issues at Aberdeen Group Inc. in Boston. Before the initiative began last year, he said, there was a broad perception that Microsoft wasn't as focused on software quality as some of its more established counterparts, such as International Business Machines Corp.

Microsoft has briefed 7-Eleven Inc., a large customer, at least four times since early last year on its quality efforts, said Keith Morrow, chief information officer for the Dallas-based chain of convenience stores.

"I see a real conscious effort to change their behavior and quality controls around new releases," Mr. Morrow said. "They will sacrifice that all-important delivery date to make sure a product is less vulnerable in a customer's hands."

Dan Meacham, security information officer for Baylor Health Care System in Dallas, another customer, said he much prefers that features be locked down.

"You don't want to spend time researching the product, then installing it, only to find out what you have to turn off, investing more time to configure the system properly from a security standpoint," he said.

Most security breaches, in fact, occur because of improper configurations of software ? a point that hit home for Microsoft as the company marked the first anniversary of its trustworthy campaign. Microsoft's servers were hit by the Slammer worm because administrators had failed to install the company's own software patch for the glitch.

"The patch was ready, and we thought the work was done," said Craig Fiebig, general manager of product management in Microsoft's security business unit. "Now we know the way to measure success is not the publication of a patch but its application."

Microsoft officials in Redmond stressed in interviews that the strategy reflects a long-term cultural shift with an objective so ambitious that it's virtually impossible to declare victory and end the program.

"Zero vulnerabilities is the goal, and it's the right goal," Mr. Fiebig said. "The environment we're in has all the elements of an arms race, with very smart people on both sides."

In Dallas recently for a Microsoft conference, a senior executive issued a call to action for technology professionals.

"Microsoft has a huge responsibility here because of our market share, but we are by no means the only major IT company," said Scott Charney, Microsoft's chief security strategist. "Everyone has a responsibility, everyone from a large company to an independent developer."

Mr. Charney also said Microsoft is improving its system for sending out security fixes, or patches, for its software. Eventually, the company will consolidate its patch management into a single tool that can work across all its products, he said.

'Tidal Wave'

Microsoft's power in the marketplace left the company with little choice but to get serious about software quality, analysts said.

"They'd been taking a lot of heat on how untrustworthy their products were. And what hurts Microsoft in that regard is their monopolistic position on the desktop. When 90 percent of people boot up their PCs, they salute the Windows flag," said Gary Beach, group publisher of CIO magazine, which serves corporate technology managers.

"When Bill issues an edict like this, generally [Microsoft is] already behind," he said.

But the company also has a history of focusing intensely on whatever objective Mr. Gates sets with considerable vigor.

Mr. Gates wrote the Tidal Wave memo, for example, in direct response to the dominance that Netscape Communications Corp. held at the time in Internet browsers.

Microsoft's Internet Explorer eventually won the browser war, although the company paid a price for its tough tactics.

An antitrust battle with the U.S. Department of Justice grew so acrimonious that Microsoft was nearly split up. The company also became saddled with a perception that it's an "evil empire" that doesn't play fair with its competitors.

Indeed, the Trustworthy Computing initiative seeks to repair Microsoft's image in a number of ways because if people don't trust Microsoft, they won't trust computers that run its products.

Company officials, talking about the strategy, emphasize the company's role in computing as a whole.

"It's more than software," Ms. Koehler said. "It's our relationship to hardware partners, to chip manufacturers. It's not just Microsoft. We're connected to an ecosystem. The question is how you design and develop a chain of trust."

Other software makers welcome the effort.

"I think it's of the utmost importance that Microsoft take a leading position because it's such a large and dominant player in software," said Bill Conner, chairman, president and chief executive of Entrust Inc., an Addison-based Internet security company.

"The strategy sends a message for everyone to get their houses in order."

E-mail agoldstein@dallasnews.com
Direct link: http://www.dallasnews.com/sharedcontent/dallas/business/stories/062203dnbustrustworthy.6b60c.html (Free reg required)


Jun 30, 2001
I'm curious, what are the problems ATOTers have with it? It seems to be a good thing to me.

Also, where is this thread in the software forum? I tried posting there, but didn't see any thread.


Jun 27, 2000
Oops, I forgot to create the thread. I just started it :)

I'll quote your response over there.