Microsoft spells out .Net security strategy

Microsoft's chief technology officer, Craig Mundie, has acknowledged the company's software security problems.

Speaking at a Microsoft-hosted three-day Trusted Computing Forum in California, Mundie said: "Despite best efforts by smart people, it is unlikely that computing will ever be perfect."

As the recent security problem with Passport showed, Microsoft still has some way to go with the key authentication technology that will facilitate .Net.

Mundie compared the problems facing the technology to those faced by several innovations in history, from the telephone to the credit card.

"I don't think the people who designed these networks ever would have predicted the problems they would face," he said.

Programmers have found ways to exploit Microsoft's naivety, spreading worms such as Code Red and Nimda through the company's Internet Information Server software. This has raised serious questions over how the company and the industry can progress without falling victim to similar attacks.

Still, growing industry support was witnessed at the forum in the comments from delegates, many of whom are Microsoft's biggest critics and competitors.

"There is a lot to be said about Microsoft's progress in co-operating with the industry on privacy," said Tatiana Gua, senior vice-president of integrity assurance at America Online, the Internet service division of AOL Time Warner.

Citing the addition of new security technologies in Microsoft's products - such as P3P (Platform for Privacy Preferences), and the company's efforts to step up its co-operation with industry standards groups - Gua expressed support for Mundie's presentation. But she criticised some technical points in Microsoft's security strategy. "Unlike Microsoft, we don't believe that one size fits all," she said.

With government regulators and industry counterparts pressing down on several aspects of Microsoft's business - from US federal trustbusters to industry chief technology officers who have been burnt by the use of Microsoft's "bug-prone" software - the company that arguably has been at the centre of the industry's security and privacy battle has now found itself with a difficult choice.

If Microsoft gets too wrapped up in addressing privacy - appeasing critics such as those who recently filed a claim with the US Federal Trade Commission regarding its Passport service - the company would endanger its ability to create secure products, Mundie said.

But, he added, if it is too concerned with security, devising products impervious to malicious programmers, it could step on privacy. "Compromise will be required," he added.

He went on to compare hackers to terrorists. "The evolution of hacking is very, very akin to this network of terror cells," he said. "And there is the potential to treat them the way we treat terrorist cells."

On government regulation of Microsoft's business practices and those of other companies building similar Internet technology, Mundie compared the company to the goose that lays golden eggs. "Do we shoot the goose, or do we take more of a risk and let the goose keep running free for a while?" he asked.
