Microsoft says the Internet needs more trust to grow. It should start with its software.
In a video posted to Microsoft's Web site, Scott Charney, Microsoft's Corporate Vice President of Trustworthy Computing, described Microsoft’s new End-to-End Trust initiative, an endeavor to reduce the anonymity of cyber criminals on the Internet.
Microsoft: The Internet needs more trust to grow
To quote:
The Internet needs to be more trustworthy if it wants to grow, according to Microsoft's senior security executive, Scott Charney… "We need to push back on anonymity and lack of traceability," he said. "Because the Internet can be anonymous and untraceable, criminals flock to the Internet," Charney explained. "Today too many people do not know what software is running on their machine and often they have malware…”
Not only do people not know what software is running on their machines, but no one can say with any confidence how trustworthy that software might actually be…particularly the operating system, browser, and desktop applications. It is woefully ironic that only a few days after releasing what some called an "insane" number of security patches for the reporting period (23 fixes in all), Microsoft would confidently voice the need for trust on the Internet when its own software significantly retards the ability to attain it.
Simply put, the Internet is an expression of software. Without software the Internet is just a bunch of cables and devices much like a human cell, stripped of its DNA, is just a bunch of proteins and amino acids. For the internet to be trustworthy, software must be trustworthy. Acknowledging the fact that a majority of the software on the Internet happens to be Microsoft’s, it is more than reasonable to demand the company produce software worthy of trust.
Microsoft has indeed improved the security of its software through its Trustworthy Computing Initiative; an effort for which the company, and Mr. Charney, should rightly be commended. But users are still left with only a vague assertion by Microsoft that the company’s software is in fact trustworthy. To date, users have no objective measure by which to judge or compare the security of software; a disappointing shortfall given that a majority of worms and viruses regularly leverage design and implementation flaws in Microsoft software. Conficker is but one of many examples. Microsoft, and some within the cyber security community, insist that lack of user patching is to blame for worm outbreaks. This is true to a degree. The fact remains, however, that but for software vulnerabilities worm authors would not have nearly as much advantage or impact.
The holy grail of ubiquitous identity authentication, then, which Microsoft appears enamored with in its End-to-End Trust campaign, is a dangerous distraction for cyber security and is not likely to address the key issues Microsoft so confidently says it will. It also wrongly redirects the core notion of what trust ought to be for any type of infrastructure.
Imposing strong user authentication would entail enormous technology-switching costs on users, something Microsoft is more than happy to force, but users are less likely to welcome. To the extent that stronger authentication measures would be bolted onto legacy software as well as embedded in new software the company releases, the endeavor would tend to increase the complexity of information systems and likely introduce new and original defects, compounding the ones already uncomfortably prevalent. While anonymity certainly attracts criminals, it also attracts larger numbers of non-criminals, who, without anonymity, would not enjoy the vast benefits (some virtuous, some not) the Internet has to offer.
Most importantly, however, attackers are rarely traced to a particular point of origin, so one could argue that it matters little whether these origination points are firmly associated with an identity. Even when attackers are traced to a particular computer, there is no guarantee that the owner of the computer is responsible (or culpable), because the same types of flaws that enable attackers to hijack systems also enable attackers to exploit particular computers and impersonate others. In other words, if software manufacturers are under-motivated to produce software that is secure right now, it is unlikely that software manufacturers will choose in future to produce software for identity systems that is also secure.
The Internet indeed needs more trust - preferably the objective kind. The foundation and fabric of the Internet – software – is a perfect place to start.