Ten Years After Gates’s Memo, Effects Still Being Felt

Ten years.

That’s a really long time. Think about what you were doing 10 years ago. Can you even remember? Maybe you were in college or high school, or cripes, even grade school. Or maybe you were working in security already, trying to figure out why your network kept getting overrun by viruses and attackers.

You know what Microsoft was doing 10 years ago?

Making really, really buggy software and watching its customers get owned left and right.

The early part of the 2000s was not a good time for the folks in Redmond. The company was taking a serious public beating for the instability and insecurity of its software, especially Internet Explorer, Outlook and Windows. VBScript viruses such as I Love You, Melissa and others were running wild, and large enterprise customers were screaming, pounding their shoes on the table and demanding answers from Microsoft.

And Microsoft didn’t have any.

The company had spent the last few years defending itself against the Department of Justice’s antitrust suit centered on its Windows-IE monopoly. Much of its energy and resources–not to mention money–were devoted to the case, which Microsoft ultimately lost. Then, when the dust settled and company officials began looking around to see what had been going on while they were buried in federal courtrooms for three years, what they found was something like the information age version of the angry mob of villagers with torches and pitchforks.

To say that customers were not happy would be like saying Bill Gates has some money tucked away.

As it turned out, it was Gates himself who would provide the spark that would ultimately light a fire under the thousands of developers, product managers and engineers in Redmond to make security not just a priority, but the priority.

The email that Gates sent on Jan. 15, 2002, has come to be known as the Trustworthy Computing memo and it is often pointed to as the origin of any sort of security awareness at Microsoft. But that’s not really the case. Gates’s email may have been the first real public expression of that sentiment, but some people inside the company had been thinking along those lines for some time.

The first step is admitting you have a problem, of course. But then you have to do something about it.

A few months before Gates sent his email, Microsoft held a small conference in Redmond on what it then called trusted computing, bringing in a series of software security experts to discuss the principles and concepts that are the foundation of building more secure software. There were a few reporters there and some security researchers and the fascinating thing about it was that it was not Microsoft officials preaching their ideas to the audience, but trying to learn from the assembled experts. Odd.

And well before Gates pushed the button on his email, there were people inside the company talking about the same concepts–reliability, robustness and resistance to attack–and advocating that developers build their applications around them.

In the months following the publication of Gates’s email, Microsoft began a number of painful internal changes designed to refocus its developers around the idea of building secure software. Until then, the ship-or-die mentality had reigned supreme inside the company, and features and functionality were the two-headed god that every developer worshipped. The chances of a team stopping shipment because of a security problem at that point were zero point zero zero.

But within a few months of Gates’s memo, that’s exactly what happened. The company stopped development on several major products in order to put their developers through security training. Since then, the company has developed and released a slew of software security tools and methodologies and somehow turned Microsoft from the butt of every joke in the industry into an organization that’s seen as doing it the right way.

But it wasn’t just Microsoft that began changing in those days. The turnaround initiated by the company and Gates also took hold in the wider software industry and other industries, albeit much more slowly and spottily. After Microsoft’s public declaration of the need for change, the sentiment began to spread to some of its larger customers. Then, more and more financial services firms, insurance companies, telecoms and other companies got on board, starting their own software security programs.

By the middle to latter part of the decade, Microsoft not only wasn’t the object of every joke in the security community, it was being used as an example of how to do things right, how to get your collective stuff together and fix what’s broken.

So, what Gates’s memo turned out to be was not just a directive for Microsoft developers, but a call to arms for the rest of the industry, as well. It was by no means the beginning of the software security movement. Not even close. But it was, in fact, the beginning of something different and perhaps more important: widespread acceptance that software security needed to be a top priority.

Even for Microsoft.

*Microsoft homepage image via SeattleClouds.com‘s Flickr photostream

Discussion

  • Mario Kukucov on

    This article doesn't pass the sniff test since Windows is "the low hanging fruit", and the easiest to exploit vector of attack. So wtf are you talking about?

  • Anonymous on

    @Mario

    Ugh? Wtf are you talking about? Macs have been easier to exploit (ask Charlie Miller) because they haven't used an SDL-like development process and Apple has lagged in implementing technologies like ASLR. It's just that no one much bothers attacking Macs at the moment. About time someone at Apple got round to writing a security memo, don't ya think?

  • Anonymous on

    10 years and nothing has changed with Windows. Every new security measure Microsoft adds to Windows (ASLR, DEP, UAC...) is hacked within days. Windows 7 is still full of security holes copy-and-pasted from Windows NT/2000 (some even from Windows 3.1).

    Data loss and other damages from hacking into Windows servers and desktops cost the users trillions of $$$ each year.

  • Jan van Niekerk on

    Wow! Do people still use Windows?

  • Jan van Niekerk on

    It's absolutely amazing. 10 years on, and people STILL use Windows. Amazing.

  • tm on

    Meanwhile, I just bought a brand new MacBook Pro last week, with Lion preinstalled, and guess what? They STILL don't come with the firewall turned on by default. Didn't with Snow Leopard, either.

    Macs have by far the worst security, if only because of that, which XP SP2 addressed *years* ago. Safari is the least secure browser, and Macs always fall the first day on the "PWN to Own" contests.

    OSX Lion only just NOW features some of the sandboxing elements MS has had in place since Vista / UAC.

    If you think the *nixes are invulnerable to attack because of the Root/User habit, you need to do some serious reading on just how much mischief can be done with only a compromised User account, too.

    If you build it, they will hack it. Learn good habits, and learn how to button down the OS of your choice. Using one OS or another is, in itself, absolutely no guarantee of security.

  • Anonymous on

    Hackers just need to grow up and do something positive with their lives and skillset. Fortunately, I've been able to stop them in their tracks with existing technologies. It's those that do not take precautions that become victims.

  • Vrihad on

    I have been in the IT industry for over 15 years. I couldn't notice anything secure coming out of Redmond so far. After reading this article, I think I was living in a cave all these years. BTW, I do agree that MS has improved a lot on the PR front. This article is an excellent example of it. Just count the number of software vulnerabilities reported in weekly security bulletins like US-CERT. And then segregate them on the basis of Windows, Linux, OSX etc. You don't need any other evidence to reach a conclusion.

  • Anonymous on

    One of (not the only one of course) the reasons hackers get noticed is that the greed of fat ugly Microsoft far outweighs their sense of responsibility to customers and that Windows is still not good value for money. Hence the resentment. Hacking to destroy another PC or person is absolutely wrong, and Microsoft are the ones who blatantly make it easy for hackers and provide the emotional angst for hacking to happen.

    As corrupt journalists say (and 99% of them are) never let truth, doing anything right or moral, get in the way of making money from lies, destroying another person, or exposing the pain of another's misery.

    Mr Microsoft I don't believe you.

  • Anonymous on

    Many of you people sound like morons to me. Okay, so if I take a copy of Win7 Pro out of the box and apply all the patches to it, you are still going to break in? Good luck to you. I highly doubt anyone posting on this forum is of that skill level. If you are, instead of being an idiot why don't you do the world a favor and report your secret day-0?

    As far as the other OSes being more secure, I'm really tired of hearing that broken record. I run Linux and Windows alike. They both get security patches. Windows gets more, but to me that just means more of the exploits are actually found and mitigated.
