Microsoft Takes New Approach to Security
It’s tough to plug holes in a ship’s hull once it’s at sea, or to reattach an airplane’s wing in flight. Yet that’s akin to what the computer industry has been trying to do with security: append layer after layer of protection onto the world’s increasingly connected computer networks, all as one big afterthought after another.
Afterthoughts on that scale rarely work, so we read daily about a fresh crop of electronic heists, filched identities, hacked Web sites and computer viruses.
Now Microsoft Corp. is saying, “Let’s start over.” The company whose software helped launch the personal computing revolution three decades ago announced last week that it wants to redesign the computer so it will have built-in security and privacy functions, including some etched onto special chips to be made by Intel Corp. and Advanced Micro Devices Inc.
The hyper-ambitious project, code-named Palladium, is supposed to create a platform on which Microsoft and other developers could write all sorts of new software applications for managing security, privacy, copyrights and even spam.
The idea, said project manager Mario Juarez, is to create a virtual vault inside the Windows operating system. In it, each user could create personal “safe-deposit boxes” for storing encrypted information. The information would be accessible only to those software programs, Web sites and people whom the computer recognized as being authorized to see it.
The notion of hard-wired authentication rings alarms for conspiracy theorists who sense a plot by which Microsoft might exert even more control over what kind of software could run on future computers. The Redmond, Wash., behemoth dismisses such talk as silly.
“No one will necessarily, by design, have to call up Microsoft or the government to get authorization,” Juarez said.
Some technologists are skeptical for other reasons, noting that Microsoft is infamous for releasing software riddled with huge, hacker-friendly holes.
“Why should we trust them that this will be any different?” said Bruce Schneier, a cryptography specialist who wrote the book “Secrets and Lies: Digital Security in a Networked World.”
Yet some consumer advocates and champions of personal privacy cautiously support Palladium. Nobody questions that more security is needed.
“It has the potential to put users in more control over their information if it’s done right,” said Ari Swartz, associate director of the Washington-based nonprofit Center for Democracy and Technology.
It could turn out that Microsoft’s initiative is little more than a public relations campaign to buff up a corporate image devastated by an antitrust case and hackers taking continual glee at exposing weaknesses in the company’s software.
But whatever the reason, Microsoft is on a tear about security. In January, founder Bill Gates sent a memo to the entire staff, saying the company’s “highest priority” would be making its products secure, rather than adding features.
That’s the backdrop for Palladium, which appears to be as much idea as project at this point. Juarez acknowledged last week that though code writing has begun, it will be several years before Palladium becomes a product, and even longer before software applications are written to take advantage of it. There are many hurdles to overcome, not the least of which involve getting computer makers to install the chip, helping users to understand the system and persuading developers to create products that run on it.
Skeptics question whether Microsoft is creating something to empower consumers or trying to engineer new ways to elbow out competitors.
But former National Security Agency officer Ira Winkler said the concept seems fundamentally sound because it would embed security directly into devices, potentially making it more prevalent and requiring less work from computer users.
“Security has to be a basic part of information technology,” Winkler said. “If you leave it to a user to secure themselves, they won’t do it.”
