Microsoft And Security For The Next Millennium - Company Business and Marketing

Computer Technology Review, Dec, 2000 by Joshua Piven

As this decade of destructive email viruses, email virus hoaxes, and major network security breaches winds down, it's perhaps fitting to consider the state of security in our industry as we begin the true new millennium in January.

This topic is especially timely because of the recent break-in at Microsoft where hackers may have--over a mind-boggling period of three months--stolen or altered the source code of key Microsoft applications, and perhaps even Windows itself. Don't believe the official denials from the company brass: even if nothing was stolen, this hack was the result of a serious, worrisome security lapse and should serve as a wake-up call for Microsoft, and any enterprise. What makes the Redmond robbery even more distressing is the fact that Microsoft's lax attitude about security was responsible for the decade's other super-destructive hack: 1999's Melissa virus, which caused what many experts estimate at billions of dollars in damage, both in terms of data loss and productivity.

Who was responsible for Melissa? I propose that it was not a misguided hacker obsessed with a stripper, but a company in Redmond that designs applications without the slightest regard for security and data integrity. Outlook is one of the worst-designed, most-needlessly complex, poorest-performing pieces of software I have ever used, and it opened the door for Melissa. But that virus--and the subsequent LoveLetter variant--was a low-level prank compared to the sophistication of the Microsoft hack which, while it probably began with the opening of an attachment, stole passwords and data over a long period, all the while avoiding detection.

Which brings us to possible solutions. Obviously, anti-virus tools are one way to protect against hackers trying to gain entrance via an attachment. Firewalls and port protectors like the popular ZoneAlarm also work well. But these defenses break down because of human error: someone forgets to update a DAT file, or scanning software is disabled and then not re-enabled. Or the virus arrives disguised as a "trusted" file. In any case, no anti-virus software is perfect, firewalls can be breached, and humans are not infallible.

But as the maker of the world's most widely used software, Microsoft, it seems to me, owes users a vastly more secure working environment, both in operating systems and in applications. Just as tire and car companies can be sued if their products cause injury, I say let software makers defend themselves, in court, if their poorly designed code causes financial harm. I am not a litigious person, but the fact is that very often class action lawsuits are the only way to get companies to alter their business practices: hit 'em where it hurts, in the pocketbook. The 21st century is already the connected century, where information can move around the world in an instant. Connection is valuable, but it can also be dangerous, and the Internet doesn't distinguish between innocuous and malevolent code. If we want to be connected as well as secure, the companies that build the underlying infrastructure are going to have to start accepting responsibility for their mistakes.

COPYRIGHT 2000 West World Productions, Inc.
COPYRIGHT 2001 Gale Group

 

Content provided in partnership with Thompson Gale