February 24, 2005

Microsoft's negative rep leads to startling new security strategy

Triage is one thing, security is another. Last week's ground-shifting news was widely ignored in the press. Scanning a bunch of links, the closest I found to any acknowledgement of what Microsoft announced is this:

In announcing the plan, Gates acknowledged something that many outside the company had been arguing for some time--that the browser itself has become a security risk. "Browsing is definitely a point of vulnerability," Gates said.

Yet no discussion on what that actually meant. Still, to his sole credit, author Steven Musil admitted he didn't follow what Microsoft were up to. The rest of the media speculated on compatibility, Firefox as a competitor and Microsoft's pay-me-don't-pay-me plans for anti-virus services, which I guess is easier to understand as there are competitors who can explain how they're not scared.

So what does this mean? Microsoft has zero, zip, nada credibility in security.

...earlier this week the chairman of the World's Most Important Software Company looked an auditorium full of IT security professionals in the eye and solemnly assured them that "security is the most important thing we're doing."

And this time he really means it.

That, of course, is the problem: IT pros have heard this from Bill Gates and Microsoft many times before ...

Whatever they say is not only discounted, it's even reversed in the minds of the press. Even when they get one right, it is assumed there must have been another reason! The above article goes on to say:

Indeed, it's no accident that Microsoft is mounting another security PR blitz now, for the company is trying to reverse the steady loss of IE's browser market share to Mozilla's Firefox 1.0.

Microsoft is now the proud owner of a negative reputation in security.

This leads to the following strategy: actions not words. Every word said from now until the problem is solved will just generate wheel spinning for no productivity, at a minimum (and notwithstanding Gartner's need to sell those same words on). The only way that Microsoft can change their reputation for insecurity is to actually change their product to be secure. And then be patient.

Microsoft should shut up and do some security. Which isn't entirely impossible. If it is a browser v. browser question, it is not as if the competition has an insurmountable lead in security. Yes, Firefox has a reputation for security, but showing that objectively is difficult: their brand is indistinguishable from "hasn't got a large enough market share to be worth attacking as yet."

Some agree:

"This is a work in progress," Wilcox says. "The best thing for Microsoft to do is simply not talk about what it's going to do with the browser."

Posted by iang at February 24, 2005 11:08 AM

"actions not words"? Do you mean Results Not Resolutions? http://www.securityfocus.com/news/315 :)

Posted by: Adam Shostack at February 24, 2005 11:38 AM

LOL... So the thing about this strategy is that we can proclaim it every 3 years as being "Startling, New" and nobody will notice :)

Seriously though, I hadn't realised that 3 years had passed since the Gates memo. That's enough time to measure progress. There's an article there for anyone interested to write one, comparing then with now.

Posted by: Iang at February 24, 2005 01:07 PM