Trust not automatic: it has to be earned

Well, it’s about time. I am referring, you may have already guessed, to Microsoft’s renewed focus on security, our main cover story in this issue.

The cynical among us may be tempted to think this is simply another marketing scheme for the mammoth company to sell more products. However, I tend to believe the company may actually be more serious this time. For one thing, the extent of the new commitment to greater security was apparently not supposed to be public knowledge, but was gleaned from an internal memo from Bill Gates himself, then obtained and made public by the Associated Press. (Though many suspect the memo was deliberately leaked.)

Gates dubbed the new philosophy “trustworthy computing” in the memo, which raises the question: just what did he think his company was doing before now?

“If we don’t do this, people won’t be willing – or able – to take advantage [of Microsoft products],” Gates reportedly wrote. Well, it seems he’s finally getting the message. But this epiphany of his may have come too late. For instance, how many of us have already switched from using Outlook to another vendor’s e-mail package after being hit with viruses and worms which specifically target holes in that product?

In April of 1999, there was the Melissa macro virus, which, granted, was a new twist on an old kind of threat that not many of us were expecting (unless we happen to follow malicious code writing as a pastime). So, although it targeted Microsoft’s Outlook and Word, and wreaked havoc with many a user, being caught by surprise was somewhat forgivable.

Fresh on the heels of Melissa came the W32/ExploreZip.worm, a fast-spreading Internet worm, which propagated via e-mail and destroyed files on the hard drives of tens of thousands of Outlook and Exchange users. But this, again, we were fairly quick to forgive, as it hit only a couple of months after Melissa’s carnage, not really enough time for Microsoft to significantly alter inherent product vulnerabilities.

By May of 2000, however, there was no love lost when the ILOVEYOU worm hit – again, like a broken record, exploiting holes found in Microsoft’s Outlook e-mail package.

And who could forget the Code Red worm? Though the actual software vulnerability that Code Red would exploit was announced by Microsoft in June 2001, more than a month before the worm actually propagated, thousands of users were still affected by it. One could argue that it was the responsibility of the companies and individuals to be proactive in applying patches and fixes more diligently, since there was actual warning that something bad was likely to occur. And this is partly true.

But the reality was that with so many security bulletins and patches being issued, systems administrators were overwhelmed by the task of constantly needing to apply those fixes. And, ironically, we also learned from that experience that Microsoft could not even be trusted to patch its own software properly. A mixed message if there ever was one.

I believe a company, especially one with an install base as large as Microsoft’s, has a responsibility to its users to make sure every conceivable vulnerability is weeded out before a product is released. But the responsibility doesn’t end with the vendors. We, as users, have a responsibility as well to take security bulletins more seriously and to choose the products we feel the most comfortable and confident using, not just the ones which are the most readily available to us.

I am truly glad to see Microsoft’s increased focus on something so important and so obviously needed as security. But, for the cynical among us (and there are a few, I suspect), wholeheartedly believing in the notion of “trustworthy computing” may still be a long time coming.