How Microsoft missed the boat on zero-day threats

Computerworld - On Jan. 15, 2002, Microsoft Corp. Chairman Bill Gates issued a jaw-dropping memo with the subject line "Trustworthy Computing." To stem rising hacker attacks, Gates ordered all Windows development halted and directed his company's full attention to shoring up security.

Microsoft has since poured vast resources into making Windows PCs more secure. And yet the risk of having your PC compromised and your sensitive data used in scams has never been greater, according to a new book, Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity (Sterling Publishing, 2008), by USA Today technology reporters Byron Acohido and Jon Swartz. The authors point to a confluence of factors increasing the danger: a banking system built for speed; a tech industry enamored with commercializing the Internet; consumers hooked on convenience. In these edited excerpts, Acohido and Swartz convey Gates' acknowledgment of the problem.

Command Performance

Bill Gates seemed weary and disengaged. He had just co-delivered a keynote address to about 3,000 tech-security executives, analysts and researchers at San Francisco's Moscone Center and was sitting in a vast room behind the stage waiting to do a requisite one-on-one interview with one of the authors.

The Feb. 6, 2007, speech was billed as Gates's final command performance at the giant RSA Conference, the tech-security industry's premier convention, held early each year. At his first RSA keynote, delivered in 2004, Gates had a good story to tell. It had been two years since he had issued his Trustworthy Computing edict, ordering his troops to alter their features-first worldview and make security their new religion. Microsoft developers at the time were in the home stretch of hammering together Windows XP Service Pack 2, which would make the use of personal firewalls and automatic patching standard practice for most home computer users.

Now here he was, five years into Trustworthy Computing, with Windows Vista, the first Microsoft desktop operating system with security accounted for in every major component, freshly delivered to store shelves. Evangelizing Security

How Microsoft missed the boat on zero-day threats

Microsoft now had a more well-rounded security story to tell. And tell the story it did. Beginning in the summer of 2006, a crack team of Vista "evangelists" -- the product managers and marketing specialists assigned to wine and dine researchers, analysts and reporters at conferences and other events -- began spreading the SDL gospel. SDL stood for Security Development Lifecycle, a process for meticulously rooting out coding errors and security holes throughout the development of a new software product.

Given the timing of his swan-song appearance at RSA, Gates had the perfect pulpit to drive home the message his SDL disciples had delivered to many of the people seated in Moscone Center's main hall. But Gates' focus appeared to be elsewhere. Several months earlier, he had announced his intent to retire in mid-2008 to turn his attention to eradicating disease in Third World nations.