Will Trustworthy Computing Last?
- By Scott Bekker
Microsoft's Trustworthy Computing initiative is now two years old. I'm not going to give it a grade, instead I'm going to look back at what Microsoft's been doing about security for the last year and try to anticipate what they'll do next.
When Bill Gates wrote his Trustworthy Computing memo in January 2002, the impulse was a pair of nasty viruses -- Code Red and Nimda -- that hit over the summer of 2001. The Sept. 11 terrorist attacks in 2001 surely contributed as well to the general attitude that security was more important than we all originally thought. But basically, it was a computer security sideswipe that prompted Trustworthy Computing. Code Red and Nimda attacked through normal vectors but spread quicker and caused more damage than previous attacks had. They also marked a tipping point. Suddenly there was an awareness that current approaches weren't working. A general sense of unease over the frequency and complexity of patching crystallized into anger at Microsoft over a process that was too difficult.
In response, Microsoft rolled up its sleeves and undertook the Trustworthy Computing initiative, a $200-million attempt to make its products secure by design, by default and in deployment. That involved retraining developers, throwing away product release timetables, re-examining the code base of Windows Server 2003 and other products in development, putting out security guides instructing users on best practices for deploying Microsoft infrastructures and changing default settings to emphasize security rather than whiz-bang features.
The attitude was basically that future products would be made secure and users would get tools to lock down existing products as much as possible without code changes. Meanwhile, a parallel effort went into effect to fix the patch process.
Trustworthy Computing -- Chugging Along
The defining event of Trustworthy Computing initiative occurred this year with the release of Windows Server 2003. The operating system benefited from the code review, the secure default settings and the developer training. Delaying the release by a year was concrete evidence of Microsoft's commitment to its new security focus. But now that the operating system is out and installed, we don't have to rely on symbols of Microsoft's intentions anymore. We have a real-world case to evaluate.
Certain vulnerabilities are reduced out of the box, most notably the new locked down form of Internet Explorer that has meant that several vulnerabilities listed as "critical" for other versions of Windows are only "moderate" problems for Windows Server 2003. In other cases it hasn't made much difference with Windows Server 2003 proving vulnerable to some of the same newly discovered holes as other versions of the operating system. At its heart, however, Windows Server 2003 does seem to be evidence of an area where the original concept behind Trustworthy Computing works.
Another area where the Trustworthy Computing initiative is chugging along as it was originally intended is with the work on the "Longhorn" version of Windows. This will be the first version of Windows that will see all its development performed during the Trustworthy Computing era. Presumably all the code is being written with security in mind, and Microsoft has made public significant new security technology coming in the form of the controversial "Palladium" components of Longhorn.
Trustworthy Computing Gets Tweaked
But Trustworthy Computing is a different initiative at its second anniversary than it was a year ago. Microsoft has responded to a number of issues in ways that the initiative did not originally call for.
The biggest example is the "Springboard" project that started with the complete overhaul of Windows XP in Service Pack 2. For some time, Microsoft's philosophy for service packs was that they include no new features, only bug fixes. While Jim Allchin won't concede the point, Microsoft is throwing that philosophy out the window with Windows XP SP2. The company is overhauling the operating system to add security features. The most obvious example is the Internet Connection Firewall, which will now be on by default and is being renamed the Windows Firewall. All sorts of functionality is being added to make the firewall more usable and effective.
It's not only a departure from Microsoft's past practice on service packs, it's a major change in Trustworthy Computing. Originally, the plan was to concentrate development work on future releases of Microsoft software. This drew valid criticism that Microsoft was turning security into a feature -- something that customers must upgrade to get.
On the other hand, ongoing virus threats demonstrated that with Microsoft's huge installed base of pre-Trustworthy Computing software, which includes Windows XP, best practices guides and baseline analyzer tools weren't going to be enough.
Microsoft's decision to put top developer talent and development time into a major service pack is a show of commitment to a slightly different view of Trustworthy Computing.
Interestingly, the Springboard effort also extends to Windows Server 2003 in Service Pack 1, indicating that Microsoft may recognize that the code-review and off-by-default settings approach isn't enough.
Another big tweak to Microsoft's security posture in the last year comes in its patch-release cycle. In the first year after Trustworthy Computing, Microsoft began shipping out patches on a weekly schedule. Now it's doing it even less frequently, on a monthly schedule. The thinking behind the step is that attackers often take their cue about vulnerabilities from the Microsoft patch reports. Many attackers only begin trying to exploit the holes when Microsoft has released a patch for them -- thus alerting the attackers that the security flaw exists. Microsoft's reasoning is that by releasing patches on a monthly cycle, IT has more time to prepare for, test and deploy new patches.
A related change is that Microsoft officials say they are hard at work rethinking and re-engineering their patching technologies. Microsoft currently employs seven different technologies for patching its products. That is supposed to be reduced to two in the near future.
But as much as Microsoft has massaged its Trustworthy Computing initiative, customers have been buffeted by several massive sideswipes this year that Microsoft's Trustworthy Computing initiative has been unable to counteract effectively. Anti-virus software is everywhere and anti-spam software is gaining traction in the market. But those technologies have proven insufficient in the last few months at counteracting the bandwidth- and Inbox-clogging traffic generated by broadband-connected home users infected by mass-mailing worms and viruses. The problem has emerged in three massive waves -- the Blaster worm, the Sobig virus and most recently with MyDoom.
With Sobig and MyDoom, this cross-over of malware and spam has proven an overwhelming combination for even customers who are diligent in keeping anti-virus software up to date and are running anti-spam solutions.
The breadth of the outbreaks highlights a publicity sideswipe affecting Microsoft -- the report last year by security researchers who warned of the threat that a computing monoculture represents for security.
What Will Year 3 of Trustworthy Computing Bring?
All this raises the question -- what will the third year of Trustworthy Computing bring? There is a real possibility that Microsoft will soldier on, continuing to bend its initiative to try to adapt to changing market forces. Many incremental responses will undoubtedly roll out no matter what Microsoft decides: Windows XP Service Pack 2, Windows Server 2003 and the new patching technology. There will probably be further refining and tuning of the monthly patching cycle, as well.
But there is a very real possibility that Microsoft will throw itself into some radical new security effort. The company bought an anti-virus company last year and remains quiet on its plans for that technology and talent. Gates, meanwhile, talked vaguely at the executive summit at Davos about big doings on the horizon with spam and about channeling a greater percentage of Microsoft's $6.8 billion research budget into security.
Put it this way. MyDoom, Blaster and Sobig are every bit as landscape-changing as Code Red and Nimda. Those prompted massive internal churn in Redmond. Is it realistic to expect anything less this time around?