Anti-Trustworthy computing

Microsoft's new security drive aims to appease Hollywood, comfort consumers and reinvigorate the PC. But will the price for such safety be too high?

Published April 10, 2002 2:30AM (EDT)

Would you trust your life to Microsoft?

That's the challenge the company's "Trustworthy Computing" initiative is throwing down. First hinted at publicly in one of Bill Gates' rare companywide e-mails earlier this year, the sweeping concept was explained in detail in a white paper written by CTO Craig Mundie for January's World Economic Forum summit in New York.

"Computers helped transport people to the moon and back, they control critical aircraft systems for millions of flights every year, and they move trillions of dollars around the globe daily, [but] they generally haven't reached the point where people are willing to entrust them with their lives, implicitly or explicitly," Mundie wrote. "We will have to make the computing ecosystem sufficiently trustworthy that people don't worry about its fallibility or unreliability the way they do today ... It may take us ten to 15 years to get there."

Microsoft is making a big play on its new push: In a wager detailed in the May issue of Wired magazine, Mundie has bet Google CEO Eric Schmidt that by 2030, passengers will routinely board commercial airline flights without a pilot. That is, United and American flights will be flown entirely by computers.

Six months after Sept. 11, you have to wonder: Is he nuts?

Those who've followed the company's escapades the past few years are asking a different question: What's the spin here? What does Microsoft stand to gain by planting in our minds the image of computer systems so reliable we'll leave more fallible human pilots on the ground?

Perhaps, if we'll trust computers with our lives, we'll also trust them with our credit cards. And maybe, even more important, Hollywood will trust them with its movies. The Trustworthy Computing initiative is as much about securing intellectual property control as it is about "safety."

Call it corporate arrogance, call it chutzpah, call it the American way: Microsoft is pushing Trustworthy Computing even as its antitrust settlement with the federal government is being fought by nine U.S. states. The company's announced goal is to make computing a utility as ubiquitous and unnoticed as electric power -- a development that would also just happen to preserve Microsoft's PC-powered monopoly in the process. But with that monopoly comes a software monoculture, one already prone to infections by Outlook mail viruses and Windows server worms. In Mundie's scenario, the threat could hardly be more lethal: Figure out how to hijack one remote-controlled plane, and you can hijack them all.

Still, the company's goal isn't really to fly planes. Onboard computer systems for airliners are a small, specialized market and will probably stay that way. Trustworthy Computing's real aim is to secure Redmond's hold on the desktop, by putting the PC back in the center of the action. Just as Gates' "Pearl Harbor Day" e-mail more than five years ago refocused everything his company did around the Internet, his Trustworthy Computing memo places the company at the forefront of today's driving interests. Bundling up consumers' fears of crackers and e-commerce fraud, IT staffers' worries about server break-ins and Hollywood's paranoia that its crown jewels are being Napstered into worthlessness, Gates hands back a secure solution for all of us that fits the existing space on our desks. Don't panic -- upgrade!

One of the reasons there's been little debate about Trustworthy Computing is that no one -- including most Microsoft employees -- seems to know what it is. Even the company's public relations experts have trouble conveying Mundie's vision. But for those willing to wade through it, his white paper details the big picture in depth: "Trustworthy Computing is a label for a whole range of advances that have to be made for people to be as comfortable using devices powered by computers and software as they are today using a device that is powered by electricity."

That's a tall order, and a mission statement that could be extended to almost anything vaguely related to computing -- Mundie's paper includes regulatory issues along with technical ones. But besides fixing the notorious security holes in its Web servers and virus-prone desktop clients, the company is also pushing hard on a front that goes beyond its traditional role: Digital rights management, or DRM. A trustworthy DRM system would extend Microsoft's role where pundits focused on Web services and wireless gadgets least expect -- right under their noses, on the PC.

DRM technologies aim to block unlicensed distribution or use of copyrighted material. Movies, music, books, software -- any intellectual property that can be put into 1's and 0's and passed around the Internet for free. On the consumer side, similar worries abound over credit card numbers, passwords, account information, even mail -- all of it easily pilferable from the wide-open architecture of today's PC. Not just by crackers, but by your kids.

It's no secret in a post-Napster world that nothing digital is safe from being copied once it's on a PC. While individual users worry about storing sensitive personal information or sending it across the Net, corporations fear their valuable intellectual property will become worthless once released into the digital wild. Enter Microsoft, offering to tame these Internet-spawned threats -- by pushing its Windows operating system back into the center of every digital transaction.

"They're trying to get the PC back into the stream of e-commerce," says Lark Allen, VP of business development for Wave Systems, a Massachusetts company that supplies software and hardware to hold data securely inside a PC. "Today it's just a browser. We've moved all the important applications back off the desktop and onto the server, which is the only thing that's trusted today." Adding secure systems onto the PC, he says, could be "like the original PC era, where you start moving things back onto people's desks."

But at the same time consumers are worrying about having their personal data stolen, Hollywood studios are worrying about consumers. Studios have balked at releasing movies and music online until they're sure the PC users who pay to download them won't be able to give out a million free copies. Why should Microsoft care? Because if a solution can be found, downloadable movies might be the biggest boon to PC sales since the Web caught on nearly a decade ago: To play them, you'll want a PC even more powerful than the new crop of 2.4GHz machines with their 80-gigabyte disks. "It's going to be the biggest, fattest client you've ever seen," says Allen. "You'll want terabytes of storage."

Engineers like to keep intellectual property locked up behind firewalls and server room doors. But it seems to be basic human psychology that consumers prefer to have their stuff right in front of them on their computer. That's why Microsoft filed for a patent on a "digital rights management operating system" in 1999. The patent was granted this past December -- #6,330,670. If the company builds it and ships it, there's no doubt what it will be called: Windows.

It's also no coincidence that the proposed antitrust settlement cooked up by Microsoft and the Department of Justice conveniently excuses Microsoft from having to share any information related to digital rights management and encryption technology with its competitors.

So what's wrong with all this? If the answer wasn't obvious before last September, it is now: A ubiquitous box that holds everyone's personal information is the world's most tempting target for thieves and terrorists alike. Computer scientists call it "the monoculture problem," drawing a parallel to the frailties of single-strain crops described in Paul Raeburn's 1995 book "The Last Harvest" and its precursor of a decade earlier, Jack Doyle's "Altered Harvest." As Doyle wrote, "What appears to be a genetic godsend and an economic bonanza for the company today could become an economic nightmare for them tomorrow ... should one tiny organism find a genetic window of virulence in the Russet Burbank potato ... If that happens McDonald's will have contributed mightily to the spread of a genetic epidemic." In the early '90s, as Raeburn documented, a single strain of blight knocked out crops from Maine to British Columbia.

Computing systems aren't nearly as complex as living organisms, but security experts say the monoculture problem has proven to be more than theory in the wake of e-mail viruses and hack attacks that took advantage of identically weak Windows code on millions of computers -- many in the hands of less tech-savvy consumers unable to recognize or remove a virus. Expand Windows' domain so it holds our credit card info for us and U2's entire catalog for them, and the much greater risk is obvious.

In the software world, "the existence or nonexistence of a monoculture in a particular environment is usually haphazard," says Greg Hoglund, CTO of Cenzic, a company that makes automated security testing software. "People will buy three different types of intrusion detection systems specifically because they want to be more resilient," he says, "but you can't afford to have three different kinds of Web server environments, with three different kinds of programmers maintaining them."

When it comes to consumer products, planning is even more shortsighted. "People want instant gratification," Hoglund says. "They want [a new feature] so bad that they're willing to buy it and use it without concern for the ramifications. If three years from now that opens me up to an attack, I'm not thinking about it."

Dr Robert Thibadeau, a Carnegie-Mellon professor who lectures on security and privacy, says the real danger is Windows may already be compromised. "Do you remember how we won the Second World War?" he asks. "We cracked their codes and we never let them know. My concern isn't about the stuff we hear about, it's the ones we don't. A really bad guy isn't stupid enough to tell you he's figured out how to get into your computer. You give them a monoculture and you open the door to them."

But Thibadeau says it's important not to confuse a business monopoly with a software monoculture. "It's not bad because there's one big ugly company doing it," he says, pointing out that Unix code shared among vendors has similarly been exploited. The threat is created when a common code base -- in this case, the Windows "kernel," the heart of the operating system -- is shared across a wide range of computers. Even if one is a PDA and one is, say, an airliner. "I can run a completely different interface for everyone," he theorizes, "but if someone gets into the kernel ... "

And the upside? "I can't imagine there's anything good out of one kernel out there," he says, echoing what seems to be the ubiquitous sentiment in his field. Instead, he suggests Microsoft take a lesson from the early days of mainframe operating systems: "There should be five giant strong architectures out there that can emulate each other," he says. "The classic way you do risk management is you limit the amount of damage one person can do because he can't cross boundaries."

It's possible to do that, even within the Windows realm: The free Outlook Express e-mail client, built from an entirely different code base than its pricey big brother Outlook, has proven to be immune to many of the e-mail viruses Outlook users have suffered from for years. But that's the exception; the company's usual means of gaining synergy among its software products is to give them access to one other's data and functions using code hooks only Microsoft can build in. These tie-ins not only lock out other companies forced to use higher-level protocol standards to get, say, your e-mail to talk to your calendar, they've also provided many of the biggest holes exploited by virus and worm programmers. And for what? So your e-mail can show you pretty HTML designs.

Will Microsoft break up its code monoculture in order to make Trustworthy Computing more resilient, providing more separate code bases instead of fewer in order to prevent global hack attacks? Probably not. But there are some things it can do that take advantage of the company's "Windows everywhere" goal to lessen the risks from single-strain software.

First, Microsoft can improve its hugely popular development tools for programmers to prevent them from writing vulnerable code. "Software engineers are not traditional engineers. They're rock stars," Hoglund says, meaning they're less interested in meticulously removing all flaws from a design the way a skycraper architect would feel compelled to do. "But a smart development environment has the capability of being the cleanup crew that picks up the mess behind them," says Hoglund. Right now, Microsoft's development tools for C and Visual Basic are the most-used on the planet, and the company's Java tools are a top contender, despite the ongoing feud over that language between Microsoft and Sun Microsystems. Building into these tools more automated checks for known security holes would help keep programmers at other companies from unwittingly creating unsafe software.

Second, Microsoft can refuse to honor software systems known to be insecure or unreliable -- starting with its own. First on the hit list is Passport, the ubiquitous customer identification system known to Hotmail and MSN Messenger users. In attempting to keep sensitive customer data away from millions of individual companies' Web sites by using a central repository at Microsoft, the company is setting up a single, giant point of failure that makes security experts nervous. One who meets regularly with the company confided that "Passport is a great example of privacy protection by half measure."

Dave Taylor, a coauthor of the game Quake, told me last year that getting certain third-party software programs certified for Windows was a brutal, expensive process. "You wouldn't believe the hoops they make you jump through" to get that logo, he said. Yet not too long ago, a consolidation of Passport domain name servers onto one operational team's network in Redmond -- a classic screwup motivated by internal politics rather than engineering -- resulted in a day-long outage for all Passport users.

By emphasizing Trustworthy Computing, Microsoft hopes to ride the drive for greater security, privacy, and protection of intellectual property as profitably as it rode the initial Internet boom half a decade ago. The company has called the Consumer Broadband and Digital Television Promotion Act currently before Congress "simply wrongheaded," yet people who've read both the bill and Microsoft's DRM patent joke about the similarities between the two documents. As usual, Microsoft and Washington have each seen the future and are wrestling over which of them gets to dictate its terms.

Not that any other red-blooded technology firm wouldn't do the same thing. Apple has long been pushing its Macs as "the hub of your digital lifestyle." But the name of the new initiative points out that Mundie and Microsoft, far more than their competitors, know they've got a tough question to answer before we'll let them fly that plane 10, 30 or 100 years from now:

Can we trust them?


By Paul Boutin

Paul Boutin is a technologist and writer in San Francisco.

MORE FROM Paul Boutin


Related Topics ------------------------------------------

Microsoft