Q&A: Microsoft’s Allchin on Blaster, security

The aftereffects of the W32.Blaster worm that have beset  Microsoft during the past two weeks have been particularly painful for Jim Allchin, a self-described perfectionist. The vice president of Microsoft’s platforms group spoke last week with Computerworld about security matters and his belief that the company has to come up with a “new approach.”

What sorts of plans are you formulating to deal with the effects of the Blaster worm?

I personally have spent a lot of time on this, because I think I’ve concluded that we have to take a different tack than what we’ve been taking. I have nothing to report now, but you can stay tuned because. … I’ve had enough, and I’m going to do something about it. We have a team trying to propose some new approaches on this.

Are you talking about internally holding individuals or groups of engineers accountable for specific code vulnerabilities?

No. All software has problems. We have to come at it with a different approach, and just stay tuned.

When analyzing the Blaster case, what did you find when you did your analysis, beyond the fact that some people didn’t install a patch a month ago?

If everybody had the patch on in the entire universe, fine. But the question is: Can you really expect anybody to do that? I think that it’s a very difficult proposition to expect people to do that perfectly. If it’s done perfectly, you’re home free, and frankly I’ve talked to companies that did it perfectly.

But let’s suppose you didn’t. What are the downsides of having one hole?

One machine gets into your environment, and you’ve got a problem. If your perimeter protection doesn’t save you, then it’s inside, and let’s suppose there are just a few machines that haven’t been patched for whatever reason. They were laptops. They never connected up to get the antivirus signatures, or whatever. I think we’re going to have to come at it from a different approach (than) expecting perfection by the distribution, even though we’re going to give great distribution technology.

Is it something that we can expect to see this year, or next year?

I don’t know.

But there will be some form of technology that you will offer to IT professionals?

That’s right.

And whether that’s going to be a separate product?

I don’t think (it will be) a separate product.

It will be some sort of technology that helps them to protect systems by default.

Yeah.

Is this a recognition that Microsoft’s  Trustworthy Computing initiative took you only so far and really didn’t effectively enough deal with issues such as this, and now you’re going to step up the effort?

Just think about it as Phase 2. … We said we had security by default. Now think about it as moving to protection by default. It’s occupied a lot of time, and we take it very, very seriously.

Do you have that technology now and just need to implement it, or do you need to develop that technology?

A combination. I think we can swing around to this pretty quickly.

Historically, Microsoft has shipped systems that weren’t secure by default. How far are you willing to go? Is the company willing to lock the system down completely?

There’s lots of different answers to that. … The Internet Connection Firewall is in Windows XP. It’s been in there all along. … Why is it that people haven’t turned it on? Well, we didn’t communicate it well enough, I guess, because it does protect. Honestly, I’ve never had a virus hit my machine. And the reason why is I do a few basic things that we haven’t communicated, and there are some other things that you should do behind that. I happen to have scheduled automatic update. My mom’s got no problem either. She’s got ICF on, she’s got scheduled updates, and I don’t talk to her about it. My mother-in-law, same situation. Whenever I set up machines, I always turn this stuff on.

We spent a lot of time on improving the code and the like, and now I think, at least my eyes have been opened that we need to take a different level.

You’ve acquired various security technologies. Is that a market Microsoft is going to pursue further?

We’re acquiring technology because we believe in security, and how it gets moved into the market, I don’t know.

Is there a feeling that you need to address the more imminent problems with existing systems before you offer separate security products?

All my IQ is on current customers and how to help them. Do I believe that there are opportunities, if Microsoft chose to do that? Yes. But they’re not in what I would consider any of the basics.

Some corporate users think security should be built into systems and they shouldn’t have to buy extra products. Microsoft also faces the issue of whether it can credibly sell security products when it has such a perception problem in that area. What’s your feeling?

I understand why they’re saying what they’re saying, why they would be confused about it, or take either side. There are a host of issues to think about, including legal concerns that have to be thought about. So it’s not an easy question.

Some people might say, “Antivirus, it’s obvious you should include it.” Others would say, “No, that’s a business.” Others would say, “Antivirus is the wrong solution, period. You’ve got to do an intrusion-detection/prevention system. That’s really the answer.” Oh, “Should that be built in?” “Oh, no.” Well, maybe you could charge extra for the enterprise version. So, different people could have different views.

Do you feel the security perceptions and realities that Microsoft faces threaten the business?

Yes … I think it threatens business for everyone. It’s not a Microsoft statement. I think that customers are afraid that their business is going to be jeopardized by the IT infrastructure, because they’re so dependent on computers. That’s a huge problem for the entire industry, and it’s a huge problem for us.

The industry is at risk here.

Well, I think it’s more the opportunity is being limited, compared to all the Web services, for example, that might exist if people felt a little bit more comfortable. There’s just a lot of opportunity if we can get this nailed.

When Microsoft signed the $30 million contract with the U.S. Department of Homeland Security, in a lot of people’s minds, that took it up a notch beyond “the security of my company” to “the security of my country.” Did that contract change Microsoft’s philosophy or thinking or approach in any way?

For me personally, no. It might have for others here in the company. … I think my personal sensitivity to this has been high for some time now. And I think it’s true through the whole company that trustworthiness is something (where) you don’t get to play without that, so you’ve got to go do that really, really well.

What do you see as the accomplishments vs. the disappointments with regard to Microsoft’s Trustworthy Computing initiative in the past year and a half?

It’s sort of funny to say this, because it’s sort of asymptotic to perfection, but the first part of the curve is a huge jump, so I feel incredible progress. We trained everyone. We have people who have written textbooks. We have threat models that happened. We have all the work that we did in terms of the analysis tools, which are really phenomenal. We have some of the best people in the research team that are doing tools that analyze the code looking for issues. If there’s an exploit … the answer is, you don’t ship — and have that permeate the company so deeply, it’s great.

Are we perfect? No. But if you look at the slope of what we’ve accomplished, it’s pretty phenomenal. It may not be visible to everybody because oftentimes, once we turn the ship around, it may not be visible, but we have turned the ship.

(Windows Server) 2003 is a big step up. It’s not enough, but it’s a big, big step up. It’s dramatically different than looking back just a few years. I mean, look at NT 4, look at Windows ME — I mean, come on. It’s quite a different world today. The ship has been turned, and I see all the progress inside.

You asked about disappointments. Well, I am sort of a perfectionist, and we still have work to do. We know that. I just feel really bad personally about this worm. I wasn’t impacted. I know how people could have avoided it, but they didn’t. So, I take — the company takes — responsibility. We’ve got to do better.