Today I attended a Microsoft Presentation with Mike Nash, Corporate VP of Security Business and Technology. The infosession was hosted by the Society of Women Engineers at 155 Olin, and featured a long talk about Security and Trustworthy Computing, followed by Q&A and a raffle of Xbox, Ipaq, Office, and VS.NET prizes. I unfortunately did not win.

Mike Nash is a Cornell Alumni of 1985. He majored in computer science and got his MBA in 1991 from Wharton. His 13 year career at Microsoft started as an intern in relations and LAN. After that, he spent 5 years in NT, 3 in Server Infrastructure, 1 in Business Windows Product Management, 2 years of VP of Content Development and Delivery Group, and has currently been the VP of the Security Business & Technology Unit for 2 years. Microsoft’s vision is his vision: “To enable people and businesses throughout the world to realize their full potential.”

His talk emphasized trustworthy computing. “We have to deliver a level of trust in these systems,” he said. Now that computers have become pervasive in the world, users depend on them alone. Rather than buy a paper backup and go online to check movie times, in 2004 you just go online. You trust your computer to perform certain tasks flawlessly. Therefore, he says, Microsoft has a responsibility to its customers in four categories:

• Security
• Privacy
• Reliability
• Business Integrity

An amusing video of his grandmother Estelle emphasizes the need for secure, reliable, easy to use software. 91 years old, she takes online surveys to save money, and inadvertantly aquires various malware. Patches, she says, are “too … too involved. I’ve never made a patch.” With this kind of typical user experience, Microsoft realizes that it must protect its customers from attack transparently. Security updates should be rolled out automatically and painlessly.

Nash points at XP Service Pack 2 as a breakthrough in solving those problems. With over 100 million installations, SP2 features stronger security settings, increased control and managability, an improved end-user experience, and a centralized security center which highlights the three most important security features. And in the future, he hints at dynamic system protection, where your operating system identifies vulnerable system and user components and disables them until they’re patched, application aware firewalls, behavior blocking, and intrustion protection.

Most malware, Nash said, is discovered and reported by annoyed users who find additional toolbars and ads on their computers, decreased performance, or other anormalities. His comments on user security brings up the question, “Should spyware just provide a better user experience?” If spyware causes computers to misbehave, why not simply write better, less annoying spyware. This would increase the stick rate of spyware, and market saturation would increase. No more processor hogging, hard-disk churning, and countless popups means more happy infected consumers!

Internally, Microsoft has begun a number of intensive automated and manual code review processes, as well. The source trees for patches have been split into two trees–one for corporate QFA patches, the other for security flaws. Patches and code get more testing than before, and there is a new emphasis on quality. Nash referenced Bill Gates’ Memo on Trustworthy Computing frequently.

Mike’s prime example of the new Microsoft security iniative was a server vulnerability (MS03-007) reported in Windows 2000 just before Windows 2003 server was about to ship. The bug, in IIS 6’s WebDAV module ntdll.dll, had been fixed in secure code review in Windows 2003, but image it weren’t. Windows 2003 ships with IIS 6.0 turned off by default, so the bug would not apply to a default installation. But, even if IIS were on, WebDAV is not running by default. Supose, even, that WebDAV were running. The maximum URL length of WebDAV is shorter than the exploit’s needed length, by default. Suppose, as a final hypothetical, that the user changed the default URL length longer. The IIS thread is running in user mode and would not allow system compromise, just DOS at worst.

It was a good presentation, but I had some reservations. First, he cited the infamous “Is Linux more secure than Windows?” report, to which you can read the linux response. At best, it makes an unfair generalization of the nature of security flaws. Second, a number of the Microsoft policies he mentioned with regards to DRM and licensed users seem needlessly harsh. I think that Microsoft should support its products, legal or not. A worm in a pirate’s computer will negatively affect neighboring systems, and doesn’t cost more to support with patches that are publically released. Third, he said nothing about fighting Microsoft’s poor security reputation except an aside in an anecdote. This is a real problem for Microsft that won’t go away by ignoring it. Even if you highlight security improvements, you should beg forgiveness for past security flaws.

All in all, quite interesting, and Mike Nash is a nice guy. I had a chance to speak with him afterwards about Windows Starter Edition, piracy, and some other themes. Just wish I won that Ipaq.

blog comments powered by Disqus