4/7/2008 05:25 PM

RSA: Microsoft Calls For Broad Dialogue On Internet Trust

Chief research and strategy officer Craig Mundie's proposal includes the creation of a trusted computing stack in which software, hardware, people, and data can be authenticated.

At the 2008 RSA Conference in San Francisco on Tuesday, Microsoft chief research and strategy officer Craig Mundie called for a wide-ranging discussion about creating a more trustworthy Internet.

As a first step, Microsoft published a call-to-action for the technology industry that proposes the necessary elements for establishing a more secure and trustworthy environment online. The white paper detailing Microsoft's plan, "Establishing End to End Trust," was written by Scott Charney, the company's corporate VP of trustworthy computing.

Microsoft has also established an online forum where those concerned about security and privacy on the Internet can participate in the discussion.

The vision articulated by Microsoft encompasses the creation of a trusted computing stack in which software, hardware, people, and data can be authenticated. It imagines "a system that enables people to preserve their identity claims while addressing issues of authentication, authorization, access, and audit." And it seeks closer alignment of Internet stakeholders as a means to make progress, an aspiration that implicitly acknowledges the daunting task of rebuilding trust online.

Microsoft is aware of the difficulties of rewriting the rules of the Internet, but it contends something has to be done. "[S]taying the current course will not be sufficient; the real issue is that the current strategy does not address effectively the most important issue: a globally connected, anonymous, untraceable Internet with rich targets is a magnet for criminal activity -- criminal activity that is undeterred due to a lack of accountability," Charney explains in his white paper. "Moreover, the Internet also fails to provide the information necessary to permit lawful computer users to know whether the people they are dealing with, the programs they are running, the devices they are connecting to, or the packets they are accepting are to be trusted."

"We believe that End to End Trust will transform how the industry thinks about and approaches online trust and security," said Mundie in prepared remarks. "Our end goal is a more secure and trustworthy Internet, but it's also important that we give people the tools to empower them to make good trust choices. End to End Trust will enable new opportunities for collaboration on solutions to social, political, economic, and technical issues that will have a long-term impact on Internet security and privacy."

Perhaps wary of the blowback that followed the 2001 introduction of its "Hailstorm" identity database service (which withered a year later because other companies didn't want Microsoft authenticating their customers), Microsoft is providing more detail about what its proposal is not than about what it is.

Charney makes it clear that Microsoft is not calling for an end to anonymity, a new national identification scheme, or a mega-database of personal information.

At the same time, Charney acknowledges that Microsoft's vision will have some impact on privacy, that abuse of a more authenticated environment may still happen, and that universal buy-in isn't necessary to make the Internet more trustworthy.

Kurt Roemer, chief security strategist for Citrix Systems, in a statement acknowledged that being able to assess trustworthiness online remains a key concern for organizations and consumers. "It's time for a global collaborative effort to define and support an actionable end-to-end trust model that can help balance the often competing interests of privacy and security," he said.

The question is whether a Microsoft-driven initiative can thrive despite the competing interests of rival vendors, or whether any such effort, however well-intentioned it seems, is doomed by technological partisanship and conflicting agendas.

But in taking such a hat-in-hand approach, in asking for consensus-building rather than trying to impose a branded technical solution, Microsoft manages to make such a question seem petty, like arguing over whether red or blue buckets should be used to bail water out of the sinking ship that is the Internet.

Charney doesn't quite put it that way. He asks, "As we become increasingly dependent on the Internet for all our daily activities, can we maintain a globally connected, anonymous, untraceable Internet and be dependent on devices that run arbitrary code of unknown provenance?"

Answering his own question as if there were still some question about the answer, Charney continues, "If the answer to that is 'no,' then we need to create a more authenticated and audited Internet environment, one in which people have the information they need to make good trust choices."

In other words, we need to create a more authenticated and audited Internet environment.

In a phone interview prior to Mundie's address, Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing group, discussed Mundie's planned remarks and how much the security of Microsoft's products had improved in the six years since the Trustworthy Computing initiative began. The security of Microsoft's products isn't perfect, he said, because perfect security isn't possible. But the products are now on a path of continuous improvement.

Although Microsoft's software has become less vulnerable, Lipner said, the shift toward sophisticated targeted attacks and social engineering shows that there's more to be done. "While there's some comfort the products are getting secure, there's still concern that customers aren't safe on the Net," he said.

As an example of how the Internet might work if other major stakeholders buy into Microsoft's vision, Lipner pointed to Web sites for children. "If you have children-only Web sites, how do you know that the children-only Web site is in fact for children only?" he said. "With stronger authentication and a trusted stack, we get to the idea of in-person proofing."

The idea, a safer Internet, certainly sounds appealing. But the devil is in the details. In all likelihood, Microsoft will be providing updates on its End to End Trust proposal at the 2009 RSA Conference, and at the conferences that follow, for quite some time. "This is a launch of a long term initiative that we think will bear fruit over time, but is very important in improving people's trust in the Internet," said Lipner.
