COMDEX : Microsoft execs speak on Trustworthy Computing

A panel of Microsoft executives touted the company’s achievements in the area of security, but said that consumers should expect a long wait and may need to change their own behavior before the goal of “trustworthy computing,” as laid out by Microsoft Chairman and Chief Software Architect Bill Gates, is realized.

The informal panel discussion was held at a hotel near the Las Vegas Convention Center where the Comdex industry trade show is under way and featured a number of senior Microsoft executives including Craig Mundie, senior vice president and chief technology officer of Microsoft’s advanced strategies and policy.

Speaking first, Mundie touted Microsoft’s about-face on the issue of security, saying that the company had switched in the past year from a customer-focused mind-set to one that put security on an equal footing with features, and that made security a core part of the development process.

Mundie cited Microsoft’s Security Response Center, the automatic update feature offered in Windows XP Service Pack 1, a vulnerability rating system, and the Palladium initiative as evidence of the company’s commitment to providing secure applications and operating systems.

Mundie and other speakers, however, expressed reservations that a comprehensive security fix was near at hand.

Speaking directly after Mundie, Microsoft Corporate Privacy Officer Richard Purcell noted that increased attention to user privacy and security usually goes hand in hand with a reduction in convenience, adding that individual users would need to be more attentive to the data they give to businesses and the security permissions they grant to view personal information and sensitive data.

Achieving trustworthy computing, Purcell said, would be a long and painstaking process that involved a change in how people and governments use technology as much as changes in the technology itself.

“Products can’t change until processes change,” Purcell said. “It takes time. You need a methodical process.”

Speaking about Microsoft’s ongoing “Palladium” effort to build hardware and software-based security features into the Windows operating system, Peter Biddie, Palladium product manager, said that the project represented an effort by Microsoft to redesign its operating system from the ground up, with security as an essential component.

By using an integrated hardware- and software-based security architecture to protect the entire chain of communication between users connecting across an insecure environment – what Biddie referred to as “fingertip to eyeball” security – Microsoft hopes to make packet-sniffing programs, worms, and viruses obsolete.

Still, Palladium will require Microsoft to reach outside its area of expertise in desktop software, partnering with hardware and chip makers to develop the new Palladium architecture.

Biddie said that Microsoft is speaking to Intel about developing a secure platform to support the Palladium technology.

In response to a question about when the Palladium technology might be ready to take to market, Biddie said only that it was a “set of features to be delivered in a future release of the Windows operating system.”

In response to concerns about how Palladium might be used to provide information from users’ desktops to vendors or other online entities, Biddie said that Microsoft is considering opening the Palladium code for inspection by the outside world.

“We’d like to take the Palladium code and make it widely available for review. To say ‘The code only does this thing. It doesn’t call Microsoft. It doesn’t do anything other than what it says it does, and it does it only for you,'” Biddie said.

On the controversial issue of how Palladium or similar technology might be used to enforce copyright protection, Mundie said Microsoft was in dialog with representatives of the entertainment industry about the role of technology in copyright enforcement.

While in agreement that technology must play a role in protecting copyrighted material, Mundie said the two sides disagreed about how that technology should be used.

In contrast to the entertainment industry, however, Microsoft favored using digital rights management technology to secure new content as opposed to using technology to retroactively enforce copyrights on insecure content that has already been released, Mundie said.

“The dialog is an interesting one on both sides. It’s a complicated issue,” Mundie said.