Security IS a Serious Concern for Microsoft

Disclaimer: For a number of years, I have been very critical of Microsoft’s relatively poor security posture. Nevertheless, I have applauded Microsoft when it took positive steps (like XP SP2). But since that time, I have joined Microsoft. That doesn’t mean that you should discount my commentary. Rather, you should accept it with a modicum of skepticism.
I have been with Microsoft for over two weeks. That’s insufficient time to render a judgement on the company’s actions. However, it is sufficient time to assess what I’ve seen.
1. Microsoft is taking code security very seriously. I spent almost ten hours in conference sessions devoted to the security aspects of our new product line. I have walked away with the knowledge that code will not be shipped if it does not meet minimum code standards.
2. Microsoft is engaging a much wider pre-availability audience. This includes public betas and wide technology previews. Some of this is to tantalize our customers with the new features of our products. But most of this effort is designed to leverage the “many eyes” concept to promote higher code quality.
3. Microsoft is dedicated to securing resources within the company. When I arrived on site, I was issued a smart card that is used to encrypt objects and data streams on my laptop. That doesn’t sound like much. But let me tell you that some corporations will not take these steps simply because they require an incremental investment. And Microsoft is willing to make that investment rather than risk corporate assets. BTW, I have used a number of VPN and encryption products in the past. But the Microsoft deployment is incredibly simple.
4. During the TechReady conference, I spoke with members of the Vista development team. They highlighted the importance of the Trusted Platform Module (TPM) infrastructure. And Vista will take full advantage of the TPM 1.2 infrastructure. In the meantime, I’ve determined that my new tablet supports TPM 1.1. So I’ve enabled the TPM infrastructure on my system. And I’ve set aside a USB thumb drive for the storage of my H/W certificate. At the same time, I’ve installed the Toshiba TPM software so I can test the current (Windows XP) support. So far, I’m impressed with what Microsoft and the hardware vendors have come up with. I can encrypt volumes and/or directories using hardware encryption. More importantly, the TPM subsystem keeps track of the H/W and S/W platform. And the system will not boot if any tampering is detected. In short, the anti-theft measures are impressive. I can’t wait to see how this is integrated into the core OS.
-CyclingRoo-

OMG: The Wave Is Huge

I’ve now completed my second week of employment at Microsoft – and I haven’t sprung any leaks yet. So what’s been happening?
– I spent my first couple of days in Minneapolis receiving district training. Kelly did a wonderful job making sure that the details of switching to a new company went smoothly. After a few minor bumps, I am in all the HR systems. I have enrolled in all the benefits programs. I have received my insurance cards. I’ve gotten the 401K enrollment taken care of. And I’ve gotten enrolled in the employee stock purchase program.
– I spent a day in the Kansas office getting security tokens and setting up my voicemail and PBX mailbox.
– On day four, I headed out to Seattle. I spent the first two days in Seattle receiving training as an Account Technology Specialist. The ATS Bootcamp was very good. I even got to go through a Myers-Briggs personality profile (under a different label).
– I then spent the last week at a Microsoft technology conference entitled TechReady2 (a readiness seminar on upcoming products). The content was wonderful. Unfortunately, much of the content is protected via non-disclosure agreements.
However, there are some things I can say… First, the wave of change is huge. Indeed, it was this wave of change that inspired me to join Microsoft. Here are some of the elements of that wave of change:
1. The launch of SQL Server 2005 went incredibly well. The new database engine is immensely more scalable and manageable than any previous version of the product. But beyond the blandishments, I can confidently state that MS SQL Server 2005 is a real enterprise competitor. Most corporations can easily consider SQL for the majority of their database needs. And this fact has Oracle scared. Indeed, I believe that one of the reasons for driving deeper into the enterprise application stack is that they recognize the threat that Intel/AMD, Microsoft and the open source databases represent. Well, it’s time to push these products into their rightful place in the enterprise. And the real winners will be our customers.
2. The launch of Visual Studio 2005 represents a huge milestone in the distributed computing environment. While many would argue that “.Net” may need some brand burnishing, few can argue that Microsoft’s original vision for script and DHTML is now overtaking the web. Today, the young programmers call it Web 2.0 and may tout AJAX. But this ignores the fact that this strategy was the heart of DHTML (and even “Hailstorm”). With the latest version of Visual Studio, Windows developers now have a complete platform for connected and disconnected applications.
3. Office 12 is phenomenal. First, the product has everything that has made this product the most successful office product of all times. It includes: Word, Excel, PowerPoint, Outlook, Access and OneNote. Second, the product team has improved on existing features. Pivot table usage is simple and more powerful. And every product has a new look and feel. The new “themes” have a 3-D look that is quite appealing. Third, there are new features that are quite compelling. I love the fact that all documents support user-defined classification. In the Internet era, this is called tagging. And tags are everywhere. Finally, each Office product plays a huge part in the enterprise collaboration framework. When combined with SharePoint, the entire office suite becomes part of a comprehensive organizational content platform. I will write about this in more detail as the products get closer to release. But until then, know that I am really excited about this product.
4. Vista is coming. The December CTP was a huge milestone in many ways. First, it is an excellent preview of what is coming later this year. Second, it is a huge milestone because it represents another step in our efforts to engage the user community in product development and product “fit and finish.”
5. Windows Mobile is starting to roll. Last quarter, Sprint rolled out the PPC 6700. I want this phone! This month, Verizon rolled out the Treo 700W. Both of these phones represent the fundamental truth that our day-to-day computing platform is starting to get smaller and more mobile. In fact, I am writing this entry on my Toshiba M4 tablet PC. This system is a wonderful platform that sits between the traditional laptop and the smaller form factor tablet devices. There are some things that I love about this system and some things that could be improved. But the reality is becoming crystal clear: computing is moving to a small and mobile form factor. This transformation is key to the evolution of the next wave of computing power. And Windows Mobile is starting to emerge as a pivotal player in these emerging platforms.
As I look up the face of this wave of change, my heart is skipping a beat (figuratively, not literally). The changes are awesome. The opportunity for our friends and customers is great. So let’s grab the rail and shoot the pipe!
-CyclingRoo-

By the third day, the trees bore fruit!

By the third day of God’s creation, the trees began bearing fruit. Well, by the evening of the third day at Microsoft, I began to see fruit from the bureaucratic trees. Here is the summary of the first three days:
Day One:
I got up at 3:30 today after only three hours of sleep. I generally don’t ever have trouble sleeping. But this is the first real job change I’ve experienced in over eighteen years. So getting to sleep was tough. Fortunately, waking up was easy. I got up and headed to the Kansas City International airport.
Yes, you read that right. Kansas City does have an international airport with flights to Arkansas and Oklahoma! OK, that’s an unfair, cheap shot. But the Kansas City airport is a severely under-utilized asset in our country. It is centrally located with good equipment support. But few airlines use it for any kind of regional hub. So it is a glorified endpoint.
When I arrived, I found out that my 6:00 AM flight to Minneapolis was cancelled. So I had to scramble to get on a different flight. Fortunately, I found a direct flight from KCI that got me into Minneapolis a full hour before my original schedule. So what looked like a disaster (i.e., a cancelled flight) became an early start to my first day. Boy, I love it when a challenge becomes a victory.
When I got to the Minneapolis office, I met the hardware tech who was provisioning my gear. Unfortunately, he ran into a curious challenge. When my equipment was provisioned, it was provisioned with a password that did not meet corporate standards. So I spent the first three hours working with an offshore help desk representative who could not “push the right buttons” and resolve the problem. Fortunately, the network administrators were engaged and the problem was resolved rather quickly – once the right resources got engaged.
So what is the “lesson learned” from this incident? What is the “least-common denominator” for all U.S. corporations? All companies have a finely-tuned bureaucracy that demands constant feeding and attention. I met that bureaucracy in the first few hours of my new career. But the more important lesson is that every bureaucracy works through people. And most people have an innate desire to help. Fortunately, I was able to “connect” with some great people who really helped me through the bureaucratic maze. Thanks to Kelly, David and the network administrators from Redmond!
I spent the balance of the day learning about the systems that were finally being alerted to my presence. Like most corporations, few things can be successfully pre-provisioned. So I had to wait for many downstream systems to receive confirmation of my employment before they could begin their processes. It took two days to be able to sign up for medical coverage. Now that the Microsoft systems have my elections, this information must now flow to the external coverage providers for their systems to get updated. When I started at Sprint, this process took weeks. In this case, it looks like it will take days. And given the number of process interconnects, I think that a few days is an amazing feat. In a few years, I am sure that this “delay” will soon be measured in hours, not days.
So here is the summation of my first day. I was reminded that all corporations operate on fixed processes and procedures that are always under revision. But despite these process “hiccups,” real success is always marked by the attitude of the people that use these systems. And after a few days, I am ultimately impressed by the attitude and competence of the many people that are working to make me the most productive employee that I can be. Thanks to the entire team. I am glad to become part of a group with such a “can do” attitude.
Day Two:
I am still waiting for many of the downstream systems to recognize my existence. I can get into many sites, but some of the pivotal sites are still not recognizing my credentials. Fortunately, I have been able to get my smart card activated. This will allow me to access the corporate network from my home (and while I travel). Unfortunately, while the card is “active” in some systems, it is not in my possession. The card has been sent to my Kansas office where I will pick it up tomorrow. At the same time, I have received confirmation that my travel and expense application has been accepted. With any luck, I’ll have a corporate travel card when I get home.
The rest of the day was consumed with a process orientation for the North Central District. Kelly was immensely helpful. Hopefully, my aging brain will be able to retain most of the data that I am receiving. I’ll try and provide metrics on “content retention” in a few weeks. I’ve been told that the fire hose effect will continue for several weeks. OK. Let’s hope that this sponge can absorb all of the water that is being thrown at it.
Day Three:
I am finally in my local office. I have a “semi-permanent” place to locate my miscellaneous gear. Since this is a “progressive office,” there are no official cubicle assignments. But since most employees work from home, I think I’ll be able to take advantage of “squatter’s rights” on an office cubicle.
I now have my access card and I have self-provisioned its use. This is a really cool system. When I got my PC, I got a PCMCIA smart card reader. I installed the card and loaded the drivers. Then I stumbled through the activation process. Like most written processes, some important pieces of information were omitted (or not clearly articulated). So it took an hour to get it right because I was creating a PIN with embedded spaces. Apparently, that doesn’t work. But once I got rid of the spaces, everything else worked amazingly well. Total time to provision/activate the card for remote access: thirty-five minutes.
And I am finally percolating through the various HR systems. I’ve finally got benefit elections complete. I’m now waiting for the outbound updates to Fidelity so that I can complete my 401K tasks. I expect that everything will be humming along within the next few days.
Summary:
After eighteen years with one employer, I didn’t know what to expect when joining a new company. I can certainly say that this beat my previous experiences. But the process wasn’t without its flaws. And I couldn’t say that the process was a “best-of-breed” process as I have no salient point-of-reference. But I can say that when there were problems, there were people available to help solve the challenges. And the people were attentive and courteous. So I am thrilled with my first excursions into the Microsoft bureaucratic jungle.
-CyclingRoo-

Fripp Is “In the Court of the Cobalt King”

The Microsoft Vista team has been toiling to make Vista a technically fabulous piece of work. You can find examples of this throughout the December CTP. This system looks and operates with excellence as its chief design objective.

And now, that excellence is being extended to the human interface realm. Everyone has heard of the great visual touches in Vista. And I certainly welcome these. But as a legally blind user, I rely upon other senses in order to get a complete “picture” of something.

To that end, I was thrilled when I learned (from Channel 9) that a programmed soundscape was going to be part of the user experience. More simply stated, the Vista “soundtrack” will include composition by Robert Fripp (of Crimson King fame). If you care to hear pieces of the soundscape, head on over to the Channel 9 video of the studio session with Robert Fripp. BTW, I think this is frippin’ fantastic!

-CyclingRoo-

Microsoft Opens New Doors

Boy, I’m grinning like a Cheshire cat. Everyone likes to hammer MSFT for a history of fierce (and often exclusionary) competition. I won’t comment on that history because the past is the past. But I can say that Microsoft is competing to open up new markets these days. Here are two great examples:
1. Tomorrow, Verizon will start selling the Treo 700w (formerly known as the Treo 670). This new device will be based upon Windows Mobile 5. It will be fun to see whether or not Windows Mobile 5 will look as good on the small screen of the Treo. Currently, I like the HTC 6700 (Apache) sold through Sprint. But either way, I love the fact that two of the hottest smart phones now boast Windows Mobile 5. In this case, Microsoft is opening up the smart phone market.
2. Microsoft has released a beta version of Iron Python. Since ActiveState dropped their Visual Python tool, the new Iron Python will be the only real way of incorporating Python into the .Net framework. In short, Python developers can use one of the foremost scripting environments available today. Maybe a Visual Studio plugin for Javascript will come next!
-CyclingRoo-

Dial-A-Song Reborn Anew!

John Flansburgh and John Linnell started their careers by singing music into their answering machine. People in Brooklyn would call their number and hear the latest songs/comments from these guys. Thus was born They Might Be Giants. From this humble start, they have recorded albums, CD’s, DVD’s and just about every other digital (and non-digital) form imaginable. And starting last month, they joined the podcast revolution.
The first TMBG podcast contains songs (like “Particle Man” and “Bloodmobile”) as well as typical TMBG wit and sarcasm. These guys are great in every medium they try. I just wish that they would be more frequent in their podcasting. Hey guys, keep it coming!
-CyclingRoo-

Sony Settles

After nearly three months, Sony is now settling the class-action lawsuits filed in a number of U.S. courts. The settlement includes a complete recall of CD’s containing the XCP software. The settlement also provides some measure of compensation for those who purchased XCP-laden disks and who were damaged by such installation.
Well, it’s about time that this happened. Three months ago, I bought a CD from one of my favorite bands (Switchfoot). But as soon as I placed the CD into my computer’s CD drive, I knew I had a problem. In an attempt to manage and control rampant digital piracy, Sony had installed DRM enforcement software onto my computer.
Since then, Sony and I have been working to resolve my problem. I’ve posted several times on the ongoing saga. The first things I did were remedial for my computer. I utilized third-party tools to remove the XCP rootkit from my system. Then I wrote to Sony BMG about my problems. A few weeks later, I was informed of the CD recall – so I took advantage of the recall/replacement offer. Then I waited.
But I can now report that my part of this saga is now closed. I have finally received my replacement CD. And this CD appears to be free of any and all malware. I hope that this is the end of the saga.
But now that it is over, I want to say a few things about the whole situation:
1. Sony acted poorly when they decided to put hidden detection and reporting software onto the systems of their purchasing customers.
2. Sony acted negligently when they first dealt with the problem. Some executives even fabricated stories – or were totally ignorant – of the real situation. And the first response was to “fix” the DRM software, not resolve the problem.
3. The computing and file sharing community acted swiftly to inform folks of the magnitude of the problem. Comprehensive removal tools and techniques were available from the computer security community long before Sony made them available.
4. When confronted with the real magnitude of the challenge, Sony BMG did address the problem. They finally provided real removal software. They recommended third-party techniques and tools to ensure customer satisfaction. They provided a postage-free means of sending in the defective disks in exchange for good disks. Yes, it was hard to find the recall program on the Sony website. But it was there. And word of the program spread. It will be interesting to find out just how many people took advantage of the program before the settlement was announced.
While it would be easy to rant (as many have already), I think it is equally important to commend Sony for what they did correctly. They finally admitted the problem. They finally provided adequate removal processes. They finally provided a real exchange program. So while I could be angry about the inconvenience, I am happier that Sony has really tried to address the problem and not just hide it.
Was Sony acting from noble motives? Who knows? They may have just addressed the PR problem. But the end result is the same: they fixed their product problem. Now we have to watch and see if they have fixed the underlying problem that prompted them to act in this way.
But before I close this commentary, I have to admit that Sony is not the only guilty party in this escapade. Sony was acting (however improperly) to protect the intellectual property rights of their artists. Digital piracy does exist. Some folks truly abuse the medium.
Other people walk precariously close to the line between fair use and abuse – myself included. I have downloaded some digital material w/o first determining whether I could or should. My most recent example was the downloading and viewing of the BBC Doctor Who 2005 TCI episode (which was phenomenal). Well, I watched the show as if I was able to see it on the public airwaves. And I deleted the content after watching it. And I will buy a Region 1 DVD whenever it becomes available.
But did I have the right to see it at all? And what about “back catalog” content? When is it appropriate to download or watch older content? And why can’t we have a public library for digital content? These are important questions. I hope that this episode may actually elicit a good dialog between content producers, content distributors, and content consumers.
-CyclingRoo-