November 13, 2002

Long Road Ahead

Microsoft VP Jim Allchin talks security during Chat

If anyone:

1. Has invested heavily in touting the product security.
2. Still needs to make massive investments to convince the marketplace

- It's Microsoft.

Convincing the Issue Elites*, that your products are secure takes far more than a couple of well placed marketing campaigns. Microsoft not only needs to examine 80 million+ lines of code, but also needs to revise training programs for internal and external developers, examine the core architecture of how the OS interacts with applications, and then connvince a group of professionally paranoid engineers that progress has been made.

Selected Allchin/Forbes security bits and more in the full entry. Thanks to Scott Loftesness for bringing this chat session to my attention.

* Market research parlance for the people who are the trusted sources of information on particular issues - in this case security professionals.

EndoLast: What effect on business do you see from the drive to create uniform security standards for government IT systems?

JALLCHIN: Governments have some specific needs that businesses might not, but that depends on the government agency. The whole industry needs to improve related to security. We are committed to be a leader in this space. There is still a lot for everyone to learn in the security space. CC win for W2K is a step. CC will happen for XP shortly. Both are good steps, but much more is needed. I believe investments we are doing in things like Pallidium will give businesses a lot of control and a NEW level of security not achieved before.

Interesting - "a new level of security" Pallidium is a mechanism for content owners to CONTROL content. It does nothing to improve reliability. However, it could potentially help with larger authenication and authorization issues.

EndoLast: Could you elaborate on what you mean by a lot to learn in the security space?

JALLCHIN: Long answer... here it comes...

1. Can't the OS be made more security from viruses? Technically, it would seem to me that behavior blocking is a much better technique that Anti-virus approaches today. AV is after the fact. I want to find a way to stop it without loading a signature (which has to be created AFTER the outbreak).

Try separating the OS from applications that communicate with other computers - email and brower apps would be a great place to start.

2. PKI vs. private key.
3. Federation between companies with different models

Clearly one of the harder questions of the day. This forces security to be addressed in the application architecture and major standards like SOAP and XML.

4. role of biometrics, and on and on....

The roll of biometrics?? Biometrics have error rates. My money says no biometric company breaks the $150 million mark in the next 5 years. (Revenues from physical access control systems don't count)

Italics exerpted from Microsoft VP Jim Allchin Chat

Posted by Abner on November 13, 2002 03:38 PM | TrackBack
Comments ARE BROKEN Send email instead - Thanks!

Recent Entries
iPhone's SIM Locks: Hardware vs. Software vs. Lawyers
Even (or especially) contests could use a security review
Vendors Responses: Voting Machines and the Pwnie Awards
Dude "Security Rocks"
iPhone Wi-Fi Vulnerability
Harry Potter Security
iPhone Hacking & Fustrations
Let the iPhone Hacking Begin
Geer heads to Washington, Again
This Just In: DRM still doesn't work
Phishing meets Internet Advertising
How long to unlock the iPhone Operating System?
Predictive Markets For Politics
The Irony of Phone Security Google Ads
Why Biometric Fingerprint Readers Are A Waste
How to Blag an Interview
Yet another Boston marketing flub
MAC vs. Vista Security
The latest in physical security
Data Loss Archive
Guerrilla Marketing Backfires in Boston
NY Times on the "Market" For Software Vulnerabilities
Not marketing security, marketing *during* security