[Am-info] You'll wanna barf after you read this.....

[Fred A. Miller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Date: Fri, 19 Jul 2002 00:42:30 -0700
From: Bill Gates <BillGates@chairman.microsoft.com>
Reply-To: Bill Gates
    <3_34049_C1B88BB1-4211-D211-88B9-08002BB74F65_US@chairman.microsoft.c=
om>
To: *******************
Subject: Trustworthy Computing

I'm writing to you, as a reader of one of Microsoft's customer newsletter=
s,=20
about an issue of particular importance to those of us who routinely use=20
computers in our work and personal lives - making computing more trustwor=
thy.=20
Trustworthy Computing involves a lot of things - reliability, security,=20
privacy and business integrity.

Before I share my thoughts about this in more detail, I want to give you =
some=20
context on why I am sending this email. This is the first in an occasiona=
l=20
series of mails that CEO Steve Ballmer and I, and periodically other=20
Microsoft executives, will be sending to people who are interested in hea=
ring=20
from us about technology and public-policy issues that we believe are=20
important to computer users, our industry and everyone who cares about th=
e=20
future of high technology. This is part of our commitment to ensuring tha=
t=20
Microsoft is more open about communicating who we are and what we are doi=
ng.

As I mentioned at the outset, you are receiving this email as a recipient=
 of a=20
Microsoft newsletter. If you would like to hear from me, Steve and=20
periodically from other Microsoft executives in the future, please go to=20
http://register.microsoft.com/subscription/subscribeMe.asp?lcid=3D1033&id=
=3D155.=20
If you don't wish to hear from us again, you do not need to do anything. =
We=20
will not send you another executive email unless you choose to subscribe =
at=20
the link above.

*************************************************************************=
***********************

As I've talked with customers over the last year - from individual consum=
ers=20
to big enterprise customers - it's clear that everyone recognizes that=20
computers play an increasingly important and useful role in our lives. At=
 the=20
same time, many of the people I talk to are concerned about the security =
of=20
the technologies they depend on. They are concerned about whether their=20
personal data is being protected. Although they know that computers can d=
o=20
amazing things, they are frustrated that their technology doesn't always =
work=20
consistently. And they want assurances that the high-tech industry takes=20
these concerns seriously and is working to improve their computing=20
experience.

Six months ago, I sent a call-to-action to Microsoft's 50,000 employees,=20
outlining what I believe is the highest priority for the company and for =
our=20
industry over the next decade: building a Trustworthy Computing environme=
nt=20
for customers that is as reliable as the electricity that powers our home=
s=20
and businesses today.

This is an important part of the evolution of the Internet, because witho=
ut a=20
Trustworthy Computing ecosystem, the full promise of technology to help=20
people and businesses realize their potential will not be fulfilled.=20
Ironically, it is the growth of the Internet and the advent of massive=20
computing systems built from loose affiliations of services, machines,=20
communications networks and application software that have helped create =
the=20
potential for increased vulnerabilities.

There are already solutions that eliminate weak links such as passwords a=
nd=20
fake email. At Microsoft we're combining passwords with "smart cards" to=20
authenticate users. We're also working with others throughout the industr=
y to=20
improve Internet protocols to stop email that could propagate misleading=20
information or malicious code that falsely appears to be from trusted=20
senders. And we are making fundamental changes in the way we develop=20
software, in our operational and business practices, and in our customer=20
support efforts to make the computing experiences we provide more=20
trustworthy.

For example, we've historically made our software and services more compe=
lling=20
for users primarily by adding new features and functionality. While we ar=
e=20
continuing to invest significantly in delivering new capabilities that=20
customers ask for, we are now making security improvements an even higher=
=20
priority than adding features. For example, we made changes to Microsoft=20
Outlook to block email attachments associated with unsafe files, prevent=20
access to a user's address book, and give administrators the ability to=20
manage email security settings for their organization. As a result of the=
se=20
changes, the number of email virus incidents has dropped dramatically. In=
=20
fact, email viruses like the recent "Frethem" virus propagate only to sys=
tems=20
that have not been updated - underscoring the importance of updating them=
=20
regularly.

We are also undertaking a rigorous and exhaustive review of many Microsof=
t=20
products to minimize other potential security vulnerabilities. Earlier th=
is=20
year, the development work of more than 8,500 Microsoft engineers was put=
 on=20
hold while we conducted an intensive security analysis of millions of lin=
es=20
of Windows source code. Every Windows engineer and several thousand engin=
eers=20
in other parts of the company were also given special training in writing=
=20
secure software. We estimated that the stand-down would take 30 days. It =
took=20
nearly twice that long, and cost Microsoft more than $100 million. We've=20
undertaken similar code reviews and security training for Microsoft Offic=
e=20
and Visual Studio .NET, and will be doing so for other products as well.

THE TRUSTWORTHY COMPUTING FRAMEWORK

Trustworthy Computing has four pillars: reliability, security, privacy an=
d=20
business integrity. "Reliability" means that a computer system is dependa=
ble,=20
is available when needed, and performs as expected and at appropriate lev=
els.=20
"Security" means that a system is resilient to attack, and that the=20
confidentiality, integrity and availability of both the system and its da=
ta=20
are protected. "Privacy" means that individuals have the ability to contr=
ol=20
data about themselves and that those using such data faithfully adhere to=
=20
fair information principles. "Business Integrity" is about companies in o=
ur=20
industry being responsible to customers and helping them find appropriate=
=20
solutions for their business issues, addressing problems with products or=
=20
services, and being open in interactions with customers.

Creating a Trustworthy Computing environment requires several steps:

- - Making software code more secure and reliable. Our developers have to=
ols and=20
methodologies that will make an order-of-magnitude improvement in their w=
ork=20
from the standpoint of security and safety.

- - Keeping ahead of security exploits. Distributing updates using the In=
ternet=20
so that all systems are up to date. Windows Update and Software Update=20
Services, discussed below, provide the infrastructure for this.

- - Early Recovery. In case of a problem, having the capability to restor=
e and=20
get systems back up and running in exactly the same state they were in be=
fore=20
an incident, with minimal intervention.

FIRST STEPS TOWARD MORE TRUSTWORTHY COMPUTING

There is still much work that Microsoft and others in our industry must d=
o to=20
make computing more trustworthy. Here is a summary of some of the progres=
s=20
we've made, six months after my email to Microsoft employees:

- - We have changed the way we design and develop software at all phases =
of the=20
product development cycle. Our new processes should greatly minimize erro=
rs=20
in software, and speed up the development process for new products and=20
services.

- - Software Update Services (SUS) is a security management tool for busi=
ness=20
customers that enables IT administrators to quickly and reliably deploy=20
critical updates from inside their corporate firewall to Windows 2000-bas=
ed=20
servers and desktop computers running Windows 2000 Professional and Windo=
ws=20
XP Professional.

- - Microsoft Baseline Security Analyzer is a new tool that customers can=
 use to=20
analyze Windows 2000 and Windows XP systems for common security=20
misconfigurations, and to scan for missing security hot fixes and=20
vulnerabilities on a variety of products, including newer versions of=20
Internet Information Server, SQL Server and Office.

- - In addition to providing customers with tools and resources to help t=
hem=20
maximize the security of Windows 2000 Server environments, we are committ=
ed=20
to shipping Windows .NET Server 2003 as "secure by default." We believe i=
t's=20
critical to provide customers with a foundation that has been configured =
to=20
maximize security right out of the box, while continuing to provide custo=
mers=20
with a rich set of integrated features and capabilities.

- - The error-reporting features built into Office XP and Windows XP are =
giving=20
us an enormous amount of feedback and a much clearer view of the kinds of=
=20
problems customers have, and how we can raise the level of reliability in=
=20
those products - and that of products made by other companies. As part of=
=20
this effort, we recently created a secure Web site where software and=20
hardware vendors can view error reports related to their drivers, utiliti=
es=20
and applications that are reported through our system. This enables the=20
vendors who work with us to identify recurring problems and address them =
far=20
more quickly than in the past. All of our server software products will=20
incorporate these error-reporting features in subsequent versions of the=20
products.

- - With Microsoft Windows Update, we are completing the customer-feedbac=
k loop=20
based on the error-reporting features mentioned above. This globally=20
available Web service delivers more than 300 million downloads per month =
of=20
the most current versions of product fixes, updates and enhancements. Whe=
n=20
customers connect to the site, they can choose to have their computer=20
automatically evaluated to check which updates need to be applied in orde=
r to=20
keep their system up-to-date, as well as identify any critical updates to=
=20
keep their system safe and secure.

- - We are working on a new hardware/software architecture for the Window=
s PC=20
platform, code-named "Palladium," which will significantly enhance users'=
=20
system integrity, privacy and data security. This new technology, which w=
ill=20
be included in a future version of Windows, will enable applications and=20
application components to run in a protected memory space that is highly=20
resistant to tampering and interference. This will greatly reduce the ris=
k of=20
viruses, other attacks, or attempts to acquire personal information or=20
digital property with malicious or illegal intent. Our goal is for the=20
Palladium development process to be a collaborative industry initiative.

- - We've incorporated what is known as P3P (Platform for Privacy Prefere=
nces)=20
technology in the Internet Explorer browser technology in Windows XP, whi=
ch=20
enhances a user's ability to set privacy levels to suit his or her needs.=
 The=20
P3P standard enables a user's browser to compare any P3P-compliant Web si=
te's=20
privacy practices to that user's privacy settings, and to decide whether =
to=20
accept cookies from that site.

Identifying and addressing critical Trustworthy Computing issues will req=
uire=20
significant collaboration across our industry. One example of the kind of=
=20
cross-industry effort we need more of is the recent creation of the Web=20
Services Interoperability (WS-I) Organization (http://www.ws-i.org/). Fou=
nded=20
by IBM, Microsoft and other industry leaders including Intel, Oracle, SAP=
,=20
Hewlett-Packard, BEA Systems and Accenture, WS-I's mission is to enable=20
consistent and reliable interoperability of XML-based Web services across=
 a=20
variety of platforms, applications and programming languages. Among other=
=20
things, WS-I will create a suite of test tools aimed at addressing errors=
 and=20
unconventional usage in Web services specifications implementations, whic=
h in=20
turn will improve interoperability among applications and across platform=
s.

WHAT YOU CAN DO

Given the complexity of the computing ecosystem, and the dynamic nature o=
f the=20
technology industry, Trustworthy Computing really is a journey rather tha=
n a=20
destination. Microsoft is fully committed to this path, but it is not=20
something we can do alone. It requires the leadership of many others in o=
ur=20
industry and a commitment by customers to establish and maintain a secure=
 and=20
reliable computing environment. For customers, the most important first s=
tep=20
is understanding what it will take to make their computers and networks m=
ore=20
reliable and safe. Below are some suggestions on what individuals and=20
businesses can do to create a more Trustworthy Computing environment for=20
themselves and others.

- - Give us feedback by using the error-reporting features built into Off=
ice XP=20
and Windows XP.

- - Use Microsoft Windows Update (http://windowsupdate.com/) to ensure th=
at you=20
have the most up-to-date and accurate versions of product updates,=20
enhancements and fixes.

- - Businesses customers can take advantage of Software Update Services t=
o=20
download critical updates from Windows Update.=20
(http://www.microsoft.com/windows2000/windowsupdate/sus/)

- - Use Microsoft Baseline Security Analyzer to analyze Windows XP and Wi=
ndows=20
2000 for common security misconfigurations.=20
(http://www.microsoft.com/technet/treeview/default.asp?url=3D/technet/sec=
urity/tools/Tools/MBSAhome.asp)

- - Enterprise Systems Integrators can take advantage of the Systems Inte=
grator=20
Source Licensing Program (http://www.microsoft.com/licensing/sharedsource=
/).

- - Hardware, software or systems vendors can sign up for Microsoft's Win=
dows=20
Logo Program at http://www.microsoft.com/winlogo/ to ensure a high-qualit=
y=20
user experience.

- - Find more information about computing security at=20
http://www.microsoft.com/security/.

- - Our White Paper on Trustworthy Computing is at=20
http://www.microsoft.com/PressPass/exec/craig/05-01trustworthywp.asp.

- - If you don't already have Internet Explorer 6.0, download it for free=
 at=20
http://www.microsoft.com/windows/ie/evaluation/overview/ to take advantag=
e of=20
its increased reliability and security and privacy features.

We are doing everything we can at Microsoft to make software as trustwort=
hy as=20
possible. By building awareness, through collaborative work and with a=20
long-term commitment, I am confident we can and will create a truly=20
Trustworthy Computing environment.

Bill Gates

For information about Microsoft's privacy policies, please go to:=20
http://www.microsoft.com/info/privacy.htm.

- --=20
Never forget: At Microsoft, the engineering department are the=20
Ferengi... The marketing and legal departments are the Borg!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj046KwACgkQeNJ3p8sZ/utK5gCfTko139fYK2U29hICpNmOTqqs
uZAAnRxrlIigSXLeyhL2wjaNzWFS4Jz9
=3Dd18T
-----END PGP SIGNATURE-----