A random collection of stuff mostly about operating systems, software licensing, technology, and privacy


MikeCh’s stuff…

MSFT’s Trustworthy Computing’s 10th Anniversary

Jan. 12, 2012

Sometimes I’m totally stunned at how fast time passes, and this week was no exception when I saw an article at MSFT PressPass that it was ten years since Bill Gates had written his ‘Trustworthy Computing’ (TWC) initiative e-mail.

I wrote a series of articles about Trustworthy Computing for Directions on Microsoft’s Update that were subsequently combined into two Research Reports, one in 2002 and the second in 2004.

In case you too have forgotten what was happening when the TWC initiative began, the Introduction from the first TWC Research Report provides some background:

“Code Red and the rash of other security vulnerabilities during the summer and fall of 2001 had prompted some industry analysts to recommend against using certain Microsoft products, which in turn helped impress upon Microsoft executives the importance of making security a top priority. They quickly realized the company would have to drastically reduce the likelihood that vulnerabilities in its products could expose customers’ systems to threats such as viruses, worms, and malevolent attacks.”

“Otherwise, the risk was not so much that customers would flee en masse to competing products but that customers would delay consideration of a new product upgrade for a year or more until one or two subsequent service packs had plugged most security vulnerabilities. Or, even worse, that customers would skip a new product upgrade on the assumption that the version they were currently using was better understood, more mature, and inherently safer than a newer technology. When viewed in the context of other public relations setbacks during the second half of 2001, Microsoft’s security lapses also helped crystallize the view within the company that it was facing an even wider threat—the issue of ‘trustworthiness.’”

“Customers, partners, and consumers were concerned not only about security but also whether or not Microsoft products could be trusted to be available whenever users needed them (‘reliable’), and whether or not the products and company in general could be trusted to respect individual users’ privacy. These trust-related issues threatened to damage Microsoft’s existing OS and Office businesses, hamper the company’s drive to increase server product sales, and impede Microsoft’s expansion into consumer services. For example, fears about computer security, reliability, and privacy helped scuttle Microsoft’s plans to expand in the consumer market with Web services such as Passport and .NET My Services (code-named HailStorm).”

“As an initial step in addressing these growing fears, Microsoft executives began to publicly articulate a broad concept called ‘Trustworthy Computing’ at the beginning of 2002. The goal of this initiative—which will unfold in stages over the next decade—is both to try to convince customers that Microsoft is passionate about making computer systems as reliable, secure, private, available, and easy-to-use as the telephone as well as to focus the product groups throughout the company around the steps necessary to deliver on these promises.”

This time-line from MSFT fills in the rest of the story, and shows the progress that has been made.

TWC Time-line

Although he would likely say that MSFT’s success in this area is due to the hard work of all the program managers, software development engineers, and testers, I think the key factor was Scott Charney, MSFT’s Corporate Vice President, Trustworthy Computing.

When I first met Scott, I was impressed by his knowledge and background, but my initial thought was that this soft-spoken lawyer was not going to be able to change the culture of MSFT and get people to focus on security. But boy, was I wrong.

Congratulations, Scott. I know you will say that continued effort and vigilance are still required, but in my mind, you have set the foundation for continued improvements.

Thanks for proving me wrong.