CNET News Video
Internet both safer and more dangerous
In an interview, Microsoft security executive Scott Charney tells CNET News' Ina Fried about the latest threats as well as new ways that Microsoft is trying to thwart the hackers.
>> Ina Fried: I'm Ina Fried with CNET News. I'm here with Scott Charney, a Corporate Vice President in Microsoft's Trustworthy Computing Unit: its security group. Scott spoke earlier this week at the RSA Security Conference here in San Francisco. Scott, thanks for taking the time.

>> Scott Charney: Thanks for having me.

>> Ina Fried: I'm curious I guess, just to start it off -- I mean we hear a lot about security on the internet. We always hear about it. Is the internet getting fundamentally safer or a more dangerous place?

>> Scott Charney: Well actually a little of each. I mean as new security technologies have come to the fore, many people engage in millions of transactions every day without any problem at all. But there is still a sense that it is not safe enough. It was not built for the uses that we currently use it for: all these commercial transactions. As we move to cloud computing there will be more and more personal information online. I think most people want the internet to be safer. They want to worry less about things like phishing and identity theft. And there are a lot of companies and governments worried about losing proprietary information on the internet.

>> Ina Fried: For the last couple years we've been hearing about threats getting more targeted, less of these widespread, more targeted at money as well and less at notoriety. But we are again hearing about sort of these widespread attacks you know with Conficker and so forth. Why are we still dealing with these widespread type of exploits?

>> Scott Charney: Well some of those widespread exploits take advantage of older platforms. So for example when the industry got very serious about security in the post 9/11 world, we built a lot of technologies into the Windows platform for example to make it safer. We turned on the firewall by default and we did address space layout randomization which sounds very technical, but essentially it forces malware to misfire. And therefore people running Vista for example were not affected by Conficker in the same way. The challenge is that people run all the versions of the operating system that were built before we had this focus on security.

>> Ina Fried: One of the things which you've been talking about recently which is somewhat unusual to hear from a Microsoft executive is actually the importance of hardware in creating a more secure overall ecosystem. Why is it important to have security features built into the hardware?

>> Scott Charney: In a nutshell, software is malleable and hardware is harder to tamper with. And ultimately you want to know that everything that's running on your machine goes down to some fundamental root of trust and that needs to be in the hardware. So we're big fans of what's called the Trusted Platform Module or TPM. And we think putting more security in the hardware - not just in the TPM - but smart cards or dongles, other physical pieces of hardware that you have is a good thing to do.

>> Ina Fried: How has Microsoft's security strategy changed more in recent years? Obviously people remember you know the days of Bill's Trustworthy Computing Memo and you know when Microsoft stopped everything to work on security, but we haven't heard as much in recent years about really "What is the crux of where Microsoft's putting its energy in terms of security?"

>> Scott Charney: So in the early years we picked a lot of low-hanging fruit. We changed the way we developed products and we built tools to get rid of things that were commonly exploited such as buffer overruns. As we've done that though the criminal population has become more sophisticated and more targeted in their attacks. So a year ago I wrote a paper called "Establishing End to End Trust." And what we're really focused on is building a trusted stack [assumed spelling] - that is the hardware, operating systems, application, data and people - should all be verified in the right circumstances so that you know what's running on your machine and who you're dealing with. And we have to do that in a way that also preserves anonymity, free speech and other democratic values. So the real key is giving users control over their environment so they have the ability to share information about themselves or verify who they're dealing with when they want to, but be anonymous in other circumstances.

>> Ina Fried: On the consumer side, one of the changes that Microsoft's making is for a while now you guys had been in the consumer antivirus space with Windows Live OneCare: a paid product. You guys said we're going to discontinue that product. We're going to offer a more basic free product. What significance do you think that will have for the overall security landscape and where are things as far as that product which is code named Morrow [assumed spelling]?

>> Scott Charney: Yeah that product is still in development. I'm optimistic that it is the right thing to do for security because we've found that still a lot of consumers weren't running basic antivirus software. And for it to be really effective, the broadest possible distribution is necessary so I think that giving it away to your consumers so that they can run it for free is the right thing to do.

>> Ina Fried: And what about on the enterprise side? It seems like a lot of things are moving to the hosted realm. You guys recently offered a hosted security product. You know does cloud computing and the switch to more services, does that make things again more secure, less secure or a combination of the two?

>> Scott Charney: I think that this computing model's going to change somewhat dramatically. In Windows 7, we have something called DirectAccess which is really a peer to peer model for the enterprise. And it's good because it relies on IPv6 which is more robust than IPv4 and it also uses IPsec so you're encrypted end to end. And there are other things that we enforce when we use DirectAccess at Microsoft like two-factor log on to the desktop. So I think the network model is changing. It's becoming more information centric and overall it creates a better security model.

>> Ina Fried: For all the time and energy that you and other folks at Microsoft put into security you know still when people think about computer security attacks, oftentimes Microsoft is what comes to mind. Your rivals Apple and so forth get kind of a free pass when it comes to security. Is that something that's frustrating to you as someone who spends all their time working on security that Microsoft doesn't get more credit in this area?

>> Scott Charney: Well actually I think we're getting a lot of credit today but we are ubiquitous. We have a large amount of market share. People are very familiar with Microsoft products and therefore we've always been a target for the hacker community. In some odd way that causes us to be even better, but I think we are getting credit. When I joined Microsoft in 2002, Microsoft did not have any reputation for making secure products. And now you see many people including other large companies, saying that our security development life cycle is really a great model and they give us credit publicly. So I think we've made huge advances but because we have such large market share, we are going to be the target of attacks and we just need to be better.

>> Ina Fried: Thanks Scott. I've been speaking with Scott Charney, Microsoft's Corporate VP for the Trustworthy Computing Unit. He spoke earlier this week at RSA. For CNET News, I'm Ina Fried.