MOUNTAIN VIEW, Calif.--Microsoft wants to make the world safe for .Net.
That's the major theme here at the software giant's Trusted Computing
conference, where the company has brought together almost 200 security
experts, privacy advocates and policy-makers in hopes of developing a firm
strategy to better secure the Internet.
"The Internet is clearly at the stage where the telephone was when
we had just switched from rotary dialing," Craig Mundie, Microsoft's
chief technical officer for advanced strategies, said during a Tuesday
keynote address.
Like the poor security that originally surrounded tone dialing and let
hackers misuse the phone network, poor security on the Internet today
allows online vandals, hackers and others free reign, Mundie said.
"We have been a bit naive about the threats that are out there."
As Microsoft readies its multibillion-dollar bet on its .Net strategy
to turn software into a Web-delivered service, security on the Internet
and in Microsoft products is a serious issue. The .Net initiative focuses
on connecting customers with businesses over the Internet using a new,
more secure framework. The initiative could be Microsoft's best chance to
maintain its business growth.
This past summer, a myriad of incidents plagued the company's products.
Two Internet worms, Code Red and
,
hit Web servers running Microsoft's Internet Information Server software.
Last week, a set of flaws in Microsoft's Passport authentication protocol
left consumers' financial data accessible to potential attackers.
The company has launched an internal project to tighten its own coding
standards and in October introduced another project to heighten security
awareness among its customers.
The problems go beyond Microsoft, Mundie said. He stressed that all
companies on the Internet need to work to become more secure.
"Many of the problems that we have today are human problems,"
he said. "It doesn't matter if you buy a perfect firewall or a
computer system if the humans don't configure them right."
In the long term, better research into security is also necessary, he
said.
Pressing for more security is necessary if the company is to convince
others to join the .Net effort, said George Kurtz, CEO of security service
provider Foundstone and an attendee at the conference.
"This is definitely laying the groundwork for .Net," he said.
"If you can't show that you have your house in order and that you
care about security, then .Net is a tough sell."
While the conference will benefit Microsoft most of all, having the
software titan behind a push for more security helps a lot, Kurtz said.
"This is a good thing for the world--anytime you have someone like
Microsoft get behind security initiatives," he said.
Yet, in the push to make the Internet safe for commerce, open-source
programmers and hackers may fall afoul of the company's attempt to crack
down on those who poke holes in security.
Mundie holds little love for hackers and online vandals, likening them
to the terrorists that the U.S. declared war on after the Sept. 11
attacks. While he fired a warning shot against virus writers and network
attackers, Mundie didn't seem to distinguish them from those who find
software flaws.
"The people that are sitting around and developing these exploits
against networks and network based services...I think we are going have to
be more pro-active in dealing with them," he said.
Many security experts expect that a major initiative to come out of the
conference will be new rules for disclosing vulnerabilities in software.
However, closed-door discussions on Tuesday only worked to hash out the
security problem, participants said