REDMOND, Wash., Feb. 6, 2006 — As Trustworthy Computing at Microsoft reaches the four-year mark, a look back at 2005 provides a solid picture of sure and steady progress toward long-term success.
Microsoft’s ongoing work to bring customers a safe, private and reliable computing experience produced results across the board in the past year. Among the more significant highlights: shipping the first Microsoft products to undergo the full Security Development Lifecycle (SDL) process at every phase of design and development; releasing source-code analysis tools designed to help third-party developers build greater security and reliability into their software; and publicly advocating federal privacy legislation in the U.S. to create uniform standards for the protection of customers’ data. Microsoft also made progress by further refining its business practices, cementing Trustworthy Computing as a philosophy and core tenet that permeates the company’s culture, its communications with customers and its software and service development strategy.
Noteworthy strides aside, Microsoft recognizes that a new year also presents an occasion for resolutions. In that spirit, the company continues to strengthen its commitment to Trustworthy Computing, not just for 2006 but as a permanent corporate tenet.
“Trustworthy Computing guides everything Microsoft does for our customers, from the technology we develop to the collaborative efforts we undertake with industry partners, to the prescriptive guidance we offer to users,” says Scott Charney, vice president of Trustworthy Computing at Microsoft. “As a fundamental corporate tenet, Trustworthy Computing informs the decisions we make and the actions we take across all facets of the company.”
Technology Investments Drive Progress
With Trustworthy Computing guiding Microsoft’s fundamental approach to how it does business, technology investments in 2005 reflected a broad commitment to building security, privacy and reliability into all its products and services. The depth of Microsoft’s investment is perhaps most apparent in the SDL process, an approach to software development that requires all new Microsoft enterprise-class and Internet-facing software to meet rigorous security standards and, more recently, privacy standards before it ships.
The most recent fruits of this effort came in November 2005 when Microsoft unveiled the first trio of products developed using the full SDL process. From start to finish, the development of Microsoft Visual Studio 2005, Microsoft SQL Server 2005 and Microsoft BizTalk Server 2006 integrated security and privacy at a foundational level.
Bob Muglia, senior vice president of the Server and Tools Business at Microsoft, explains how the SDL process consolidates the proven security techniques, best practices and lessons that Microsoft has accumulated since putting Trustworthy Computing on the map four years ago.
“These three products demonstrate our commitment to address customer security at a fundamental level by adhering to a security-focused discipline at every stage of software development,” Muglia says. “The SDL process helps provide customers with a more secure integrated infrastructure.”
Alongside the November product launches, Microsoft released automated code-analysis tools to the broader developer community, enabling independent software vendors to produce more secure and reliable code cost-effectively. PREfast (static analysis of C and C++ source), FxCop (static analysis of managed .NET assemblies against design and security rules) and AppVerifier (runtime checking of native applications for heap corruption, handle misuse and similar defects) were developed as part of the SDL process and are available to third-party developers with Microsoft Visual Studio 2005. Together with SQL Server 2005, Visual Studio 2005 gives developers a more secure platform on which to write code with fewer vulnerabilities and quality issues.
Microsoft invested in and delivered a number of other technology offerings during 2005 that focused on customer needs relating to privacy and security, including the following:
Windows Malicious Software Removal Tool (MSRT). The MSRT is designed to improve security and reliability by checking for and removing the most prevalent malicious software families. Since its introduction in January 2005, the tool has been executed more than 2 billion times.
Microsoft Windows OneCare Live. Currently in beta, this subscription service will provide a comprehensive and easy-to-use solution to help consumers maintain the overall health of their PCs. The Windows OneCare Live service helps protect and maintain PCs through automated functions, including anti-virus protection, firewall, PC maintenance, data backup and restore capability, and on-demand customer support.
Microsoft Windows Defender (formerly Windows AntiSpyware). Microsoft released a beta version of this software, which is designed to improve Internet browsing safety by protecting users against spyware and other forms of software that they might consider to be malicious or a nuisance. Microsoft is especially concerned about protecting users against spyware because this deceptive software has the potential to intrude on privacy and threaten security. The most popular Microsoft download to date, the Windows Defender beta software is helping to protect more than 25 million customers (as of December 2005). Since its release, it has removed tens of millions of spyware packages, reducing security and privacy risks for people who use their PCs to connect to the Internet.
Microsoft Client Protection. Announced in October, Microsoft Client Protection will combine strong anti-spyware tools, comprehensive virus protection and centralized management capabilities for laptops, desktops and servers in business systems.
Phishing Filter. This new Web browser technology is designed to detect and block phishing attacks, which aim to trick people into providing personal information by posing as legitimate (and often trusted) sites or organizations. The filter combines machine-learning heuristics, client-side scanning of the page and URL for suspicious characteristics, and an online URL reputation service built from phishing reports submitted by users and third parties. Available today as an add-in for the MSN Search toolbar, the Phishing Filter is included in the Internet Explorer 7 and Windows Vista betas.
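The layered approach the Phishing Filter description above sketches (cheap client-side heuristics on the URL, then a reputation lookup for URLs already reported) is shown below as an added example. It is not code from the original release and does not reproduce Microsoft’s filter logic; the reputation set, the brand table, the feature weights and the sample URLs are all constructed for illustration, and the reputation "service" is a local set standing in for the online lookup.

```python
"""Toy phishing-URL filter: lexical heuristics plus a reputation lookup.

Constructed example. REPORTED_PHISHING_HOSTS stands in for an online
URL-reputation feed; PROTECTED_BRANDS and WEIGHTS are illustrative.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the online reputation service (reported phishing hosts).
REPORTED_PHISHING_HOSTS = {
    "msn-billing-update.example.net",
    "secure-login.example.org",
}

# Brand keyword -> the registered domain that legitimately owns it (constructed table).
PROTECTED_BRANDS = {
    "msn": "msn.com",
    "hotmail": "hotmail.com",
    "microsoft": "microsoft.com",
}

# Per-feature weights; brand impersonation and IP/userinfo tricks weigh most.
WEIGHTS = {
    "ip_host": 3,
    "userinfo_trick": 3,
    "many_subdomains": 1,
    "brand_mismatch": 4,
    "credential_words": 1,
    "no_tls": 1,
}


def registered_domain(host):
    """Last two DNS labels; good enough for this example, not for ccTLDs like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def heuristic_features(url):
    """Client-side checks computed from the URL alone, without any network access."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname already drops user@ and port
    path = parts.path.lower()
    reg = registered_domain(host)
    # Brand names appearing anywhere in the host or path.
    brand_hits = [b for b in PROTECTED_BRANDS if b in host or b in path]
    return {
        "ip_host": is_ip_literal(host),
        # http://www.msn.com@evil.example/ shows a trusted name before the real host.
        "userinfo_trick": "@" in parts.netloc,
        "many_subdomains": host.count(".") >= 4,
        # A brand keyword whose owning domain is not the registered domain we landed on.
        "brand_mismatch": any(PROTECTED_BRANDS[b] != reg for b in brand_hits),
        "credential_words": any(w in path for w in ("login", "verify", "billing", "update")),
        "no_tls": parts.scheme == "http",
    }


def classify(url, threshold=4):
    """Return (verdict, heuristic_score).

    'blocked'    -> host is on the reputation list (authoritative, regardless of score)
    'suspicious' -> heuristics alone reach the threshold
    'ok'         -> neither
    """
    feats = heuristic_features(url)
    score = sum(WEIGHTS[name] for name, hit in feats.items() if hit)
    host = (urlsplit(url).hostname or "").lower()
    if host in REPORTED_PHISHING_HOSTS:
        return "blocked", score
    if score >= threshold:
        return "suspicious", score
    return "ok", score


if __name__ == "__main__":
    # Constructed sample URLs (RFC 2606/5737 names and addresses).
    for u in (
        "https://www.microsoft.com/security",
        "http://192.0.2.10/msn/billing/update.php",
        "http://www.msn.com@secure-login.example.org/verify",
        "https://microsoft.com.account-verify.example.net/login",
    ):
        print(classify(u), u)
```

The ordering matters: the reputation hit is checked after the score is computed but overrides it, so a reported host is blocked even when it looks lexically clean, while the heuristics still catch a fresh host that no one has reported yet. A real deployment would also need to treat the reputation lookup as privacy-sensitive (it reveals browsing) and to tune the weights against labelled data rather than hand-picking them as done here.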
The principles of Trustworthy Computing have also driven the development of Windows Vista, the next generation of the Windows operating system. Security, privacy and reliability are core design criteria for the new operating system, alongside ongoing work to improve its performance and capabilities.
“Windows Vista is a reflection of Trustworthy Computing’s broad impact on our most fundamental and critical engineering practices,” says Brian Valentine, senior vice president of the Windows Core Operating System Division at Microsoft. “As complex business challenges evolve and consumer technology becomes increasingly prevalent, we build customer trust through a more secure and reliable computing experience.”
Windows Vista will feature technology enhancements central to Microsoft’s security, privacy and reliability picture for 2006 and beyond. Customers on the Windows Vista platform can expect security improvements ranging from User Account Control, better support for smartcards and an enhanced firewall to improved security and privacy capabilities in Microsoft Internet Explorer 7.0. Customers also stand to benefit from new information-protection functionality such as BitLocker Drive Encryption, a full-volume encryption feature that can use Trusted Platform Module (TPM) hardware to protect its keys, addressing the growing concern over corporate and customer data on lost or stolen PCs. Microsoft is also striving to drastically reduce the number of hangs, crashes and reboots customers experience. The operating system will automatically diagnose and fix many common hardware, networking and performance issues, and work to protect the registry and user data when a problem occurs. Windows Vista will also track system resources dynamically to help avoid slowdowns and reliability issues when a large number of applications are running.
Making Headway through Collaboration
Microsoft recognizes that one company alone cannot address all the challenges of improving the trustworthiness of technology innovations, today or in the future. Rather, the technology industry, business, government, academia and individual users must work together to achieve the goal of a safer global computing environment. Putting this belief into practice, Microsoft in 2005 called for a federal-level response to data privacy in the U.S., viewing this approach as a necessary step to help protect consumers and businesses from the staggering growth in abuses of personal information, both online and offline.
“Online threats are eroding user confidence in the Internet,” notes Microsoft Chief Privacy Strategist Peter Cullen. “Technology plays a key role in helping to curb these threats, but if we’re to succeed in safeguarding data privacy on a global scale, technology needs to be bolstered with collaboration among industry partners and tough, prescriptive laws, standards and enforcement.”
In November, Cullen joined Brad Smith, Microsoft senior vice president and general counsel, in Washington, D.C. to announce public support for comprehensive U.S. federal privacy legislation. In a speech to the Congressional Internet Caucus, Smith cited three key factors that led Microsoft to assume this advocacy role: the increasingly complex patchwork of local, state, federal and international laws related to data privacy and security; growing concerns over online identity theft and other dangers; and the rising demands of consumers who want more control over how their personal information is collected and used, both online and offline.
Microsoft also cooperated with law enforcement throughout 2005, leading to the following Internet safety enforcement actions against several prevalent forms of privacy and security threats:
Anti-phishing action. Microsoft has filed 121 lawsuits against phishers around the world and secured takedowns of more than 2,000 phishing Web sites targeting Microsoft, MSN and Hotmail users since January 2004. Microsoft’s legal team helps establish connections between phishing scams worldwide to uncover the largest-volume operators. In August, as a follow-up to a civil case that Microsoft had filed, the FBI and the U.S. Attorney’s Office in Iowa announced the arrest of Jayson Harris, the “MSN Billing” phisher who was accused of orchestrating a phishing scheme using a fake Microsoft Web site. On Dec. 30, 2005, Harris pleaded guilty to wire fraud and to fraud and related activity in connection with access devices. Early this year, Microsoft commended Bulgaria’s National Services to Combat Organized Crime (NSCOC) law-enforcement agency for investigations leading to the prompt arrest of an organized ring of eight individuals who allegedly operated an international phishing operation. Microsoft supports the work of international law enforcement by providing investigative and technical support on these cases. Last year, the company also partnered with the U.S. Federal Trade Commission and the National Consumers League to promote awareness of phishing scams.
Anti-spam action. In January 2005, Microsoft joined Texas Attorney General Greg Abbott in taking legal action against spam through the CAN-SPAM law (officially known as the Controlling the Assault of Non-Solicited Pornography and Marketing Act). This suit, which culminated nearly a year of investigative cooperation, accused two defendants of setting up and operating shell companies that distributed tens of millions of illegal e-mail messages. In February 2005, Microsoft teamed with Pfizer Inc. to file 17 lawsuits against two international pharmacy spam rings operating Web sites that allegedly sold illegal “generic” versions of Pfizer’s Viagra drug. The February lawsuits followed a seven-month investigation during which Microsoft and Pfizer collaborated to track down the drug distributors operating the sites as well as the spammers advertising them. Also, in August 2005, Microsoft announced it had reached a US$7 million settlement with former self-proclaimed “Spam King” Scott Richter. Microsoft also contributed to the investigation leading to the filing of seven anti-spam enforcement lawsuits by the FTC against companies that hire others to send allegedly illegal pornographic spam. As of September 2005, Microsoft has filed 109 lawsuits against spammers in the U.S., resulting in over $869 million in judgments.
Anti-virus action. In July, Microsoft made the first payout under its Anti-Virus Reward program, awarding $250,000 to two informants who helped identify the creator of the 2004 Sasser worm, following the conviction of the worm’s author in a German court the same day. Also in 2005, Microsoft technical and investigative support helped the FBI and overseas law-enforcement authorities arrest the alleged authors of the Zotob and Mytob worms only 11 days after the worms were unleashed.
“Effective enforcement actions are critical to realizing Trustworthy Computing,” says Tim Cranton, senior attorney and director of Internet Safety Programs at Microsoft. “Microsoft supports governments and law enforcement by providing them with technical training, investigative and forensic assistance, and the development of new technology tools that make it easier for them to prosecute cyber crime. These public-private partnerships are essential to building a framework that can protect and preserve online safety and privacy.”
Increasing Trust in Technology Through Awareness
In addition to its technology investments, collaborations and partnerships, Microsoft is investing heavily in educational efforts, with the understanding that users of technology also play a vital role in securing the computing ecosystem.
Microsoft unveiled or strengthened a number of features, services and programs in 2005 that give customers the tools to make better decisions about the security and privacy of their computing experience. For example, Microsoft introduced a new short, layered privacy notice for many of its online services, which provides a clear, concise one-page summary (in layman’s terms) of the company’s essential online privacy practices, so that Internet users can make more informed choices about sharing their information online. The short notices conform to all regulatory requirements and link to the full legal statements and other relevant information, so customers who want more detail can easily click through to the longer version. With a single notice, customers get a more consistent experience across Microsoft’s properties, with the same privacy standards and expectations extended to many sites. The notice currently applies to Microsoft.com, MSN, Xbox, Windows Live, Microsoft Support Services and Windows Media Player.
One of Microsoft’s most recent customer resources is the Windows Live Safety Center (http://safety.live.com), released in beta form in November. The Web site provides a free security and maintenance service that lets users scan for and remove viruses from their PCs on demand; PC users can visit the site for a tune-up as often as they like at no charge. The Windows Live Safety Center toolset performs a full scan to help ensure that PCs are protected, healthy and running well. Throughout 2005, Microsoft also continued to add new information, advice, guidance, links, tips and other resources to its existing Web sites dedicated to protecting consumers. Sites routinely refreshed with new content included http://www.microsoft.com/athome/security, http://www.microsoft.com/safety and http://safety.msn.com.
Next Steps in 2006 and Beyond
As Charney maps out the near-term future of Trustworthy Computing, he notes that progress will continue across the areas of technology, collaboration and partnerships, and customer education. In the technology realm, Charney says Microsoft’s efforts will also focus largely on finalizing and delivering to customers a more robust, secure and reliable experience with Windows Vista, further advancing the state of the art in IT security. Security fundamentals added to the new operating system include anti-malware scanning tools, firewall protection and a better-protected Microsoft Internet Explorer browser. Before it is released to market, the new operating system will also clear a final privacy review.
Even as four years of investments in Trustworthy Computing continue to have a positive impact on customers and the industry at large, company leaders are quick to point out that the job is far from over.
“Our customers deserve secure, private and reliable computing experiences,” Charney says. “We know delivering on the vision of a trusted global computing environment is a complex goal. That’s why it’s incumbent upon us to continue developing innovative technology, collaborating with industry, government and academia, and sponsoring educational efforts that yield the kind of leadership and progress our customers expect.”