SAN JOSE, Calif. -- The kickoff keynote address from Microsoft Chairman and Chief Software Architect Bill Gates has become a tradition at the RSA 2006 Conference. This year he'll make his third consecutive appearance and will likely do what he did at the last two--unveil a major security initiative and/or product for the coming year.
In 2004, Gates offered a sneak peek at Windows XP Service Pack 2 with significant security improvements. Last year he announced Internet Explorer 7, chock full of security enhancements. This year industry watchers expect Gates to preview the security features in forthcoming products, such as Microsoft Vista. A Microsoft spokesman wouldn't divulge the details of Gates' address, scheduled for today, Feb. 14, at 8:10 a.m.
The software giant has made major strides, said Matthew Murphy, an independent security researcher based in Springfield, Mo. Microsoft has committed an increasing amount of resources to defense in depth, and its latest patches often feature changes that go far beyond fixing the original issue, he said, adding that several of these patches have also made fundamental changes to vulnerable code that reduce or eliminate the likelihood that another flaw in the same area of the system will be able to cause damage.
"This is a huge improvement," Murphy said. "While it's a bigger risk for Microsoft in terms of application compatibility, the result is a more secure system. Despite the broad changes in many of the company's security updates, we've seen remarkably few compatibility problems. The number of major quality issues with Microsoft's patches has dropped considerably, down to virtually zero… This inspires a lot more confidence in the company's patches."
John Hornbuckle, an IT administrator for the Taylor County School District in Perry, Fla., said he's pleased. "The biggest improvement I've seen with Microsoft over the past year has been increased communication with the outside world," he said. "I've seen active (and sanctioned) participation from Microsoft employees on mailing lists, newsgroups and blogs; and it helped my implementation and support of Microsoft products in my enterprise."
He said these efforts give a human face to the company and provide insight into Microsoft's design process, decisions and plans for the future--"not to mention facilitating direct communication with the programmers who are responsible for Microsoft's software."
For example, he said, "I was experiencing a problem with [Windows Server Update Services] and posted a message about it to a mailing list. A member of Microsoft's WSUS team was on that same list and saw my message, and the two of us were able to work together directly on the issue. That's something that just couldn't have happened in the past." But there are still skeptics.
Two years ago Brad Melrose, security administrator for the city of Edmonton, Alberta, said that he had a beta of Microsoft's XP Service Pack 2 sitting on his desk but was afraid to try it for fear it would "blow my machine up." After all, he said, "Microsoft has ... released code that doesn't work." However, XP SP2 is 15 times less likely to be attacked than older versions of the operating system, according to Debby Fry Wilson, director of communications for Microsoft's Security Technology Unit.
After Gates unveiled the security improvements of IE 7 last year, Fred Rickabaugh, CISO for Charlotte, N.C.-based Premier, said that "we'll have to wait and see." Microsoft must change its approach to software development, he said, adding that until it does, every new security product is nothing more than window dressing.
The biggest problem affecting Microsoft these days is efficiency, according to Murphy. "Its patch processes are simply dead-dog slow," he said. "Microsoft routinely uses maintenance releases like service packs to deliver complicated or low-priority security fixes, even though service packs typically fall years apart. Microsoft's continued reliance on service-pack fixes has meant that users aren't getting in-depth defensive measures, in some cases, for years after attacks are discovered."
Two hundred million customers are now getting security updates automatically, said Microsoft's Fry Wilson.
"If you look at Blaster in August 2003 versus Zotob last August, they are almost identical attacks but the impact of the two was so dramatically different," Fry Wilson said. "This is partly because of the default firewall and because people have gotten automatic updates."
Though Gates is one of the main attractions, the 15th annual RSA Conference will feature a host of other speakers and sessions on Tuesday. In addition to the Gates appearance, there will be keynotes from RSA Security CEO Art Coviello and Sun Microsystems Chairman and CEO Scott McNealy. Coviello said he will talk about identity protection and the need for more authentication solutions.
Meanwhile, McNealy will discuss the need for enterprises to build security into each step of the infrastructure. "He'll talk about building security from the bottom up and trying to make it transparent to the user," said a Sun spokesperson. McNealy will also talk about what he calls the participation age--where people are exchanging information and participating via online communities--and the resulting need for enhanced security.
Also on tap is the popular Cryptographer's Panel; this year's lineup is Burt Kaliski, VP of research and chief scientist of RSA Laboratories; Whitfield Diffie, CSO, VP and fellow at Sun Microsystems; Ronald Rivest, Viterbi professor of computer science at MIT; Adi Shamir, professor at the Weizmann Institute of Science in Israel; and Martin Hellman, professor emeritus of electrical engineering at Stanford University.
The conference will also include more than 200 classes in 17 different tracks and an Expo hall featuring exhibits from more than 275 large corporations, small start-ups, professional organizations and government agencies.