Lead Windows developer bugged by security

Brian Valentine says he's not proud.

The senior vice president in charge of Microsoft's Windows development team has reason not to be. One of his most notable works, the Windows 2000 operating system, has a security record that is nothing to boast about. In fact, it's downright dismal, many experts say.

Security bulletins warning of holes and vulnerabilities in Microsoft operating systems are a regular occurrence. Late Wednesday, the company released a bulletin warning of a flaw in its digital certificate technology that could allow attackers to steal a user's credit card information. It is the second security bulletin to be issued this month.

In August, Microsoft warned in one of eight security bulletins issued that month, that many of its customers have experienced "an increased amount of hacking," in their various Windows systems. The Redmond, Washington, company has yet to identify the root of the problem, only saying that it has noticed some major similarities between the string of hack attacks.

"As of August 2002, the PSS (Product Support Services) Security Team has not been able to determine the technique that is being used to gain access to the computer," the company wrote in its security bulletin posted on August 30.

In short, Microsoft is stumped.

It is a case in point of the problems that the company is currently facing as it struggles to release more secure code around its new generation of .Net software and win redemption from customers who have been burned by buggy products. Its latest attempt to fight the problem is embodied in a company-wide effort called the Trustworthy Computing Initiative. As that effort lumbers to show results, the company is filling in the gaps with apologies.

"I'm not proud," Valentine said, as he spoke to a crowd of developers here at the company's Windows .Net Server developer conference. "We really haven't done everything we could to protect our customers ... Our products just aren't engineered for security."

The Windows 2000 operating system has been pummeled by continual security holes, some so widespread that they have resulted in major damage to computer systems around the world. Most notable are the Code Red and Nimda worms, which exploit a vulnerability in the operating system.

Customers seem to agree that Microsoft's spotty record with security has been a detriment to their own development of computer systems. One Windows systems consultant here, who wished to remain anonymous, said that security issues with Microsoft's IIS (Internet information Server) Web server have left a bad taste in many customers' mouths.

"Some of the customers I've worked with simply won't use IIS," the systems consultant said. "That's bad for us. We're losing business because of it."

Microsoft's Trustworthy Computing Initiative, which was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, has become the blanket program that resulted from Microsoft's revelations. With the launch of the initiative, Microsoft halted production on new code in all of its products and charged employees with scanning through every line of existing code in search of vulnerabilities.

"We realized that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.

But the company is dealing with a problem that isn't going away anytime soon. Valentine noted here that as the company works to shore up its products, the security dilemma will evolve with more sophisticated hackers.

"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones.

"There's no end to this," he said.

During Microsoft's early years, security didn't drive the way the company built its software, said Michael Cherry, lead systems analyst with independent research company Directions on Microsoft Inc.

"If you go back a few years, unless you were working on login at Microsoft, you really didn't worry about security. The risk wasn't worth the effort," Cherry said.

One reason is because many of the early hackers who drilled into Windows didn't disrupt business with their hack attacks, Valentine noted. Rather they were just out for glory. But in the past year, many of the hacks launched against Microsoft software, most notably the Code Red and Nimda worms, have been malicious, going after business processes, and in many cases shutting those processes down.

"They went from glory hackers to what I call digital terrorists," Valentine said.

Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.

Adam Kolawa, chief executive officer of ParaSoft Corp., a company that makes error-prevention tools used by IBM Corp., said Microsoft has long ignored the problem of fixing code when it is being produced. "Microsoft is paying a lip service to this problem," Kolawa said.

It is not only Microsoft that is to blame for the creation of faulty software, said Chandra Mugunda, a software consultant with Dell Computer Corp. in Round Rock, Texas, who attended Valentine's presentation here.

"It's an industry-wide problem, it's not just a Microsoft problem," he said. "But they're the leaders, and they should take the lead to solve these problems"Valentine, too, took the opportunity to point out the widespread bugs that have been discovered in competing operating products such as Linux and Unix.

"Every operating system out there is about equal in the number of vulnerabilities reported," he said. "We all suck."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matt Berger

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?