Completely off topic: FW: Trustworthy Computing

Brian Densmore DensmoreB at ctbsonline.com
Fri Jul 19 13:40:42 CDT 2002


> -----Original Message-----
> From: Becker, Rob 
> Sent: Friday, July 19, 2002 8:35 AM
> To: kclug at kclug.org
> Subject: Completely off topic: FW: Trustworthy Computing
> 
> 
> I thought some of you folks might like to read this.  Kinda 
> strange to get email from Bill Gates.
> 
> -----Original Message-----
> From: Bill Gates [mailto:BillGates at chairman.microsoft.com]
> Sent: Thursday, July 18, 2002 9:03 PM
> To: Becker, Rob
> Subject: Trustworthy Computing
> 
> 
> I'm writing to you, as a reader of one of Microsoft's 
> customer newsletters, about an issue of particular importance 
> to those of us who routinely use computers in our work and 
> personal lives - making computing more trustworthy. 
> Trustworthy Computing involves a lot of things - reliability, 
> security, privacy and business integrity. 
> 
> Before I share my thoughts about this in more detail, I want 
> to give you some context on why I am sending this email. This 
> is the first in an occasional series of mails that CEO Steve 
> Ballmer and I, and periodically other Microsoft executives, 
> will be sending to people who are interested in hearing from 
> us about technology and public-policy issues that we believe 
> are important to computer users, our industry and everyone 
> who cares about the future of high technology. This is part 
> of our commitment to ensuring that Microsoft is more open 
> about communicating who we are and what we are doing. 
translation: We are open source with our FUD

>...
> As I've talked with customers over the last year - from 
> individual consumers to big enterprise customers - it's clear 
> that everyone recognizes that computers play an increasingly 
> important and useful role in our lives. At the same time, 
> many of the people I talk to are concerned about the security 
> of the technologies they depend on. They are concerned about 
> whether their personal data is being protected. Although they 
> know that computers can do amazing things, they are 
> frustrated that their technology doesn't always work 
> consistently. And they want assurances that the high-tech 
> industry takes these concerns seriously and is working to 
> improve their computing experience.
Translation, customers are complaining about having their data wiped 
by Windows viruses.

> 
> Six months ago, I sent a call-to-action to Microsoft's 50,000 
> employees, outlining what I believe is the highest priority 
> for the company and for our industry over the next decade: 
> building a Trustworthy Computing environment for customers 
> that is as reliable as the electricity that powers our homes 
> and businesses today. 
translation: We made a public statement of our lip service.
We're Microsoft and we're going to force the chip makers to secure 
the hardware so we don't have to fix the bugs in our stinking, rotting,
flesh-eating code.

> 
> This is an important part of the evolution of the Internet, 
> because without a Trustworthy Computing ecosystem, the full 
> promise of technology to help people and businesses realize 
> their potential will not be fulfilled. Ironically, it is the 
> growth of the Internet and the advent of massive computing 
> systems built from loose affiliations of services, machines, 
> communications networks and application software that have 
> helped create the potential for increased vulnerabilities. 
translation: Resistance is futile, you will be assimilated!
We have already assimilated the feds now we are coming after you.

> 
> There are already solutions that eliminate weak links such as 
> passwords and fake email. At Microsoft we're combining 
> passwords with "smart cards" to authenticate users. We're 
> also working with others throughout the industry to improve 
> Internet protocols to stop email that could propagate 
> misleading information or malicious code that falsely appears 
> to be from trusted senders. And we are making fundamental 
> changes in the way we develop software, in our operational 
> and business practices, and in our customer support efforts 
> to make the computing experiences we provide more trustworthy. 
translation: Our assimilated politicians will make laws outlawing Linux.

> 
> For example, we've historically made our software and 
> services more compelling for users primarily by adding new 
> features and functionality. While we are continuing to invest 
> significantly in delivering new capabilities that customers 
> ask for, we are now making security improvements an even 
> higher priority than adding features. For example, we made 
> changes to Microsoft Outlook to block email attachments 
> associated with unsafe files, prevent access to a user's 
> address book, and give administrators the ability to manage 
> email security settings for their organization. As a result 
> of these changes, the number of email virus incidents has 
> dropped dramatically. In fact, email viruses like the recent 
> "Frethem" virus propagate only to systems that have not been 
> updated - underscoring the importance of updating them regularly.
translation: We are going to infect everyone's system with the Windows
virus.

>  
> We are also undertaking a rigorous and exhaustive review of 
> many Microsoft products to minimize other potential security 
> vulnerabilities. Earlier this year, the development work of 
> more than 8,500 Microsoft engineers was put on hold while we 
> conducted an intensive security analysis of millions of lines 
> of Windows source code. Every Windows engineer and several 
> thousand engineers in other parts of the company were also 
> given special training in writing secure software. We 
> estimated that the stand-down would take 30 days. It took 
> nearly twice that long, and cost Microsoft more than $100 
> million. We've undertaken similar code reviews and security 
> training for Microsoft Office and Visual Studio .NET, and 
> will be doing so for other products as well.
translation: We spent $100 million dollars in PR.

> 
> THE TRUSTWORTHY COMPUTING FRAMEWORK
> 
> Trustworthy Computing has four pillars: reliability, 
> security, privacy and business integrity. "Reliability" means 
> that a computer system is dependable, is available when 
> needed, and performs as expected and at appropriate levels. 
> "Security" means that a system is resilient to attack, and 
> that the confidentiality, integrity and availability of both 
> the system and its data are protected. "Privacy" means that 
> individuals have the ability to control data about themselves 
> and that those using such data faithfully adhere to fair 
> information principles. "Business Integrity" is about 
> companies in our industry being responsible to customers and 
> helping them find appropriate solutions for their business 
> issues, addressing problems with products or services, and 
> being open in interactions with customers.
translation: We're going to bury our code into your hardware,
so you can't run Linux on it.

> 
> Creating a Trustworthy Computing environment requires several steps:
> 
> - Making software code more secure and reliable. Our 
> developers have tools and methodologies that will make an 
> order-of-magnitude improvement in their work from the 
> standpoint of security and safety.
translation: our programmers are clueless.

> 
> - Keeping ahead of security exploits. Distributing updates 
> using the Internet so that all systems are up to date. 
> Windows Update and Software Update Services, discussed below, 
> provide the infrastructure for this.
> 
> - Early Recovery. In case of a problem, having the capability 
> to restore and get systems back up and running in exactly the 
> same state they were in before an incident, with minimal 
> intervention. 
translation: Who gives a rat's ???.
> 
> FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING
> 
> There is still much work that Microsoft and others in our 
> industry must do to make computing more trustworthy. Here is 
> a summary of some of the progress we've made, six months 
> after my email to Microsoft employees:
> 
> - We have changed the way we design and develop software at 
> all phases of the product development cycle. Our new 
> processes should greatly minimize errors in software, and 
> speed up the development process for new products and services.
> 
> - Software Update Services (SUS) is a security management 
> tool for business customers that enables IT administrators to 
> quickly and reliably deploy critical updates from inside 
> their corporate firewall to Windows 2000-based servers and 
> desktop computers running Windows 2000 Professional and 
> Windows XP Professional.
> 
> - Microsoft Baseline Security Analyzer is a new tool that 
> customers can use to analyze Windows 2000 and Windows XP 
> systems for common security misconfigurations, and to scan 
> for missing security hot fixes and vulnerabilities on a 
> variety of products, including newer versions of Internet 
> Information Server, SQL Server and Office.
> 
> - In addition to providing customers with tools and resources 
> to help them maximize the security of Windows 2000 Server 
> environments, we are committed to shipping Windows .NET 
> Server 2003 as "secure by default." We believe it's critical 
> to provide customers with a foundation that has been 
> configured to maximize security right out of the box, while 
> continuing to provide customers with a rich set of integrated 
> features and capabilities.
> 
> - The error-reporting features built into Office XP and 
> Windows XP are giving us an enormous amount of feedback and a 
> much clearer view of the kinds of problems customers have, 
> and how we can raise the level of reliability in those 
> products - and that of products made by other companies. As 
> part of this effort, we recently created a secure Web site 
> where software and hardware vendors can view error reports 
> related to their drivers, utilities and applications that are 
> reported through our system. This enables the vendors who 
> work with us to identify recurring problems and address them 
> far more quickly than in the past. All of our server software 
> products will incorporate these error-reporting features in 
> subsequent versions of the products.
> 
> - With Microsoft Windows Update, we are completing the 
> customer-feedback loop based on the error-reporting features 
> mentioned above. This globally available Web service delivers 
> more than 300 million downloads per month of the most current 
> versions of product fixes, updates and enhancements. When 
> customers connect to the site, they can choose to have their 
> computer automatically evaluated to check which updates need 
> to be applied in order to keep their system up-to-date, as 
> well as identify any critical updates to keep their system 
> safe and secure.
> 
> - We are working on a new hardware/software architecture for 
> the Windows PC platform, code-named "Palladium," which will 
> significantly enhance users' system integrity, privacy and 
> data security. This new technology, which will be included in 
> a future version of Windows, will enable applications and 
> application components to run in a protected memory space 
> that is highly resistant to tampering and interference. This 
> will greatly reduce the risk of viruses, other attacks, or 
> attempts to acquire personal information or digital property 
> with malicious or illegal intent. Our goal is for the 
> Palladium development process to be a collaborative industry 
> initiative. 
> 
> - We've incorporated what is known as P3P (Platform for 
> Privacy Preferences) technology in the Internet Explorer 
> browser technology in Windows XP, which enhances a user's 
> ability to set privacy levels to suit his or her needs. The 
> P3P standard enables a user's browser to compare any 
> P3P-compliant Web site's privacy practices to that user's 
> privacy settings, and to decide whether to accept cookies 
> from that site. 
> 
> Identifying and addressing critical Trustworthy Computing 
> issues will require significant collaboration across our 
> industry. One example of the kind of cross-industry effort we 
> need more of is the recent creation of the Web Services 
> Interoperability (WS-I) Organization (http://www.ws-i.org/). 
> Founded by IBM, Microsoft and other industry leaders 
> including Intel, Oracle, SAP, Hewlett-Packard, BEA Systems 
> and Accenture, WS-I's mission is to enable consistent and 
> reliable interoperability of XML-based Web services across a 
> variety of platforms, applications and programming languages. 
> Among other things, WS-I will create a suite of test tools 
> aimed at addressing errors and unconventional usage in Web 
> services specifications implementations, which in turn will 
> improve interoperability among applications and across platforms.
translation: We don't have a clue. So we're going to make you
pay out the nose. Outlaw Linux. Jail all dissidents for life.
We're watching you!

> 
> WHAT YOU CAN DO
> 
> Given the complexity of the computing ecosystem, and the 
> dynamic nature of the technology industry, Trustworthy 
> Computing really is a journey rather than a destination. 
> Microsoft is fully committed to this path, but it is not 
> something we can do alone. It requires the leadership of many 
> others in our industry and a commitment by customers to 
> establish and maintain a secure and reliable computing 
> environment. For customers, the most important first step is 
> understanding what it will take to make their computers and 
> networks more reliable and safe. Below are some suggestions 
> on what individuals and businesses can do to create a more 
> Trustworthy Computing environment for themselves and others.
> 
> - Give us feedback by using the error-reporting features 
> built into Office XP and Windows XP.
> 
> - Use Microsoft Windows Update (http://windowsupdate.com/) to 
> ensure that you have the most up-to-date and accurate 
> versions of product updates, enhancements and fixes.
> 
> - Business customers can take advantage of Software Update 
> Services to download critical updates from Windows Update. 
> (http://www.microsoft.com/windows2000/windowsupdate/sus/)
> 
> - Use Microsoft Baseline Security Analyzer to analyze Windows 
> XP and Windows 2000 for common security misconfigurations. 
> (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp)

> - Enterprise Systems Integrators can take advantage of the Systems
> Integrator Source Licensing Program
> (http://www.microsoft.com/licensing/sharedsource/).
> 
> - Hardware, software or systems vendors can sign up for Microsoft's
> Windows Logo Program at http://www.microsoft.com/winlogo/ to ensure a
> high-quality user experience.
> 
> - Find more information about computing security at
> http://www.microsoft.com/security/.
> 
> - Our White Paper on Trustworthy Computing is at
> http://www.microsoft.com/PressPass/exec/craig/05-01trustworthywp.asp.
> 
> - If you don't already have Internet Explorer 6.0, download it for free
> at http://www.microsoft.com/windows/ie/evaluation/overview/ to take
> advantage of its increased reliability and security and privacy
> features. 
> 
> We are doing everything we can at Microsoft to make software as
> trustworthy as possible. By building awareness, through collaborative
> work and with a long-term commitment, I am confident we can and will
> create a truly Trustworthy Computing environment. 

translation: Resistance is futile. YOU WILL BE ASSIMILATED!

IMHO,
Brian



