
Gates dishes out security promises

The Internet could learn a lesson from mainframes, says Microsoft's chairman.

SYDNEY, Australia--Bill Gates' security message is taking a page from Robert Frost: Good firewalls make good neighbors.

At a news conference here Monday, Microsoft's chairman said computer systems must become more secure and must be at least as reliable as essential physical infrastructure like electricity and water systems. "That absolutely has to be done," he said.

The main solution to the problem, Gates said, is to isolate people who are trying to send out malicious code.

"The Internet in a way says: Hey, these systems are connected," Gates said. "It's not like the mainframe, (which) was kept secure not because the code was secure but rather because only the people there in that glasshouse were actually connecting software up to it. Here, we need to build the firewalls."

Gates said one-third of customers have never had problems with security attacks because they have firewalls in place. But for the other 70 percent of the customers, he said, the process of protecting themselves had been "clearly not automatic enough."

"There wasn't a tool you could go in and really check to make sure you were only open to the things that you needed to be open, and those tend to be actually quite few--the mail server for mail, the Web server for http--but most of the systems actually can be isolated," he said.
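Gates describes a tool that checks a machine is "only open to the things that you needed to be open." As an added example (not code from the article or from Microsoft), the following Python script audits the listening sockets of a Linux host against an allowlist of intended services, the mail server on port 25, the Web server on port 80, and nothing else reachable from the network. The `ss -ltnp` output it parses is constructed sample data, and the allowlist and process names are assumptions for illustration.

```python
"""Audit listening TCP sockets against an allowlist of intended services.

Added example, not from the article or from Microsoft.  The sample `ss -ltnp`
output below is constructed, and the allowlist is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*         users:(("postfix",pid=812,fd=13))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=955,fd=21))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=1201,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=600,fd=3))
"""

# Allowlist (assumed): port -> process names permitted to listen on a
# network-reachable address.  Anything else exposed is a finding.
ALLOWED = {25: {"postfix"}, 80: {"nginx"}, 22: {"sshd"}}

_PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name in users:((...))


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str   # "?" when ss could not resolve the owning process


def parse_listeners(text: str) -> list[Listener]:
    """Parse `ss -ltnp` output into Listener records; header lines are skipped."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)     # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        m = _PROC_RE.search(line)
        out.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return out


def is_loopback(addr: str) -> bool:
    """Sockets bound only to loopback are not reachable from the network."""
    return addr == "::1" or addr.startswith("127.")


def audit(listeners: list[Listener], allowed: dict) -> list[tuple]:
    """Return (port, process, reason) for every network-reachable listener
    that is not on the allowlist, or is served by an unexpected process."""
    findings = []
    for l in listeners:
        if is_loopback(l.addr):
            continue
        permitted = allowed.get(l.port)
        if permitted is None:
            findings.append((l.port, l.process, "port not in allowlist"))
        elif l.process not in permitted:
            findings.append((l.port, l.process,
                             f"unexpected process, expected {sorted(permitted)}"))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in with `ss -ltnp | python3 audit_listeners.py`;
    # without a pipe the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for port, proc, why in audit(parse_listeners(text), ALLOWED):
        print(f"port {port} ({proc}): {why}")
```

On the constructed sample the only finding is the VNC server on port 5900: the database on 3306 is bound to loopback and so is not counted as exposed, and mail, Web and SSH match the allowlist. A process-name mismatch on an allowed port is reported separately, since a listener that answers on port 80 but is not the Web server is exactly the kind of thing a port-only check would miss.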

Gates also said Microsoft wants to reduce the number of times security updates need to be made. "This involves very advanced tools, techniques that have been in academia for a long time but never used against large-scale software," he said.

Gates cited Windows 2000 Server as an example of a product that had 24 security bulletins within the first year of its launch. "With the most recent release, we've now had four of those and that's a pretty dramatic reduction," Gates said. "However, we should get that to be either one or zero during that time frame."

The average time to make a fix on an operating system other than Windows, Gates said, is "typically 90 to 100 days."

"You know, today we have it down to less than 48 hours," he said.

According to Gates, a key "weak link" to focus on is the way people are using passwords. "Those are often easy to guess with computer systems or you'll use the same password on a very insecure system that is used on a secure system. And so (we are) moving more and more into smart cards, biometrics, that'll be a necessary step."

As for spam, Gates said Microsoft has recently announced a technique where it can guarantee that e-mail really is from who it appears to come from.

"And (that) lets us say that if you're getting mail that's not from a stranger, we can always pass it through, and mail that appears to come from a stranger, we can be very stringent (with) and require more proof that that's a legitimate piece of e-mail," Gates said. "And there's some very clever ideas there about having the computer that does the sending do some extra work or bouncing back something where the human verifies that this really is a legitimate piece of e-mail."
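The "extra work" Gates alludes to is the idea behind a proof-of-work stamp such as Hashcash: the sender burns CPU time to find a token tied to the recipient and the date, the receiver verifies it in microseconds, and a bulk sender has to pay that cost once per recipient. The following Python is an added example of that idea (not Microsoft's scheme, which the article does not describe, and not code from the article); the stamp format, the 16-bit difficulty, the date string and the recipient addresses are assumptions for illustration.

```python
"""Hashcash-style proof-of-work stamp for e-mail: sender-side minting and
receiver-side verification.

Added example; the six-field stamp format and the difficulty are assumptions,
not the scheme Gates refers to.
"""
import hashlib
import os


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; this is the proof-of-work measure."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def mint_stamp(recipient: str, date: str, bits: int = 16) -> str:
    """Sender side: search for a counter such that SHA-256 of the stamp starts
    with `bits` zero bits.  Expected cost is about 2**bits hashes, paid per
    recipient; the receiver's check costs a single hash."""
    rand = os.urandom(8).hex()      # keeps two senders' stamps from colliding
    counter = 0
    while True:
        # Fields are ':'-separated, so the scheme assumes recipient has no ':'.
        stamp = f"1:{bits}:{date}:{recipient}:{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, min_bits: int,
                 today: str, seen: set) -> bool:
    """Receiver side: the stamp must be for us, for today, meet our minimum
    difficulty, actually hash to enough zero bits, and not have been seen
    before (a reused stamp is a replay, not new work)."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1":
        return False
    _, bits, date, rcpt, _rand, _counter = parts
    if not bits.isdigit() or int(bits) < min_bits:
        return False
    if date != today or rcpt != recipient:
        return False
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < int(bits):
        return False
    if stamp in seen:
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    import time
    t0 = time.time()
    s = mint_stamp("alice@example.com", "20040701")    # constructed values
    print(f"minted {s} in {time.time() - t0:.2f}s")
    print("accepted:", verify_stamp(s, "alice@example.com", 16, "20040701", set()))
```

The receiver keeps the `seen` set only for the current day, because the date field means yesterday's stamps are rejected anyway; that is what bounds the replay cache. Raising `min_bits` on the receiving side is how a server answers a spam wave, since every legitimate sender pays a little more while a bulk sender's cost multiplies by the same factor per message.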

When questioned about whether Microsoft could guarantee a certain turnaround time for security patches, Gates was a bit vague.

"We can't say that for everything that comes up in some big form that we'll understand what's vaguely being said and have it fixed in an exact period of time. We will guarantee that the average time to fix will continue to come down," he said. "We have several hundred people who are on 24-hour availability to do this work. It is a phenomenal thing. And if you track how we have improved over this last 24 months, you'll see that we are absolutely doing our best on this."

Asked to respond to a claim by a prominent researcher that the attack mounted last week by Russian criminal syndicates relied on a vulnerability reported to Microsoft in August 2003, Gates said he was confident the vulnerability was new.

"Honestly, otherwise somebody would have exploited (it) six months ago," he said. "The time to exploit about a year and a half ago was typically 60 to 90 days. Time to exploit now we've seen anywhere from three to 21 days. We haven't seen a single case where there has been a six-month time to exploit a known security vulnerability. I wish people were waiting six months to do the exploits."

Gates noted that a year ago the percentage of consumer Windows systems connected to auto-update was about 4 percent. "Recently there was (an) episode called Sasser, where within 24 hours, we updated 80 million systems that were on auto-update and 30 million additional systems that were not on auto-update," Gates said.

"And so, the thing we have to do is not only get these patches done very quickly, we also have to convince people to turn on auto-update. And the next version of update, which is an update of Windows, which is called SP2, defaults both auto-update and the firewall to be turned on, and so you actually have to go out of your way to turn auto-update off," Gates said. "And so, the issue is how quickly we get those things spread out there."

Lisa Simmons reports for ZDNet Australia.