Talking Internet security

Bob Muglia says information technology is not running out of patience with Microsoft after a string of hacks that exploited vulnerabilities in the company's Windows software.

He's not a household name, but Bob Muglia is part of a small constellation of executives Bill Gates and Steve Ballmer have repeatedly entrusted with important projects over the years.

During the course of his 15-year career with the company, Muglia has been given such responsibilities as managing the development of the MSN network, the Microsoft Office suite and Windows Server applications. These days, Muglia is running the storage business he started some 22 months ago while at the same time overseeing Microsoft's enterprise management division.

But outside events may have conspired to turn this into one of his toughest assignments.

Over the last couple of years, hackers have repeatedly compromised Microsoft software by exploiting Windows vulnerabilities. The company contends that its software security is improving but allows that it remains a target for the foreseeable future.

The $64,000 question is whether this studied ambiguity will hinder Microsoft's ambitions to sell more of its software to information technology directors with big corporate data centers. Muglia spoke with CNET about the steps Microsoft is taking to foster better enterprise management and how the security issue is affecting the company.

Q: Microsoft has been talking a lot about interim steps--such as getting users to turn on firewalls--before making broader changes in the software. Is that the extent of what you can do about security in the near term?
A: Many things go into securing systems. Clearly, we've been working on eliminating problems, and as we continue to find them, we'll make sure to get patches out there. But that's not the only thing we have to do.

For instance?
With Blaster (also known as MSBlast), customers who had the Internet firewall turned on didn't get hit. In general, the idea of having that kind of level of defense is very useful.

So we're looking at ways to get the (Internet Connection Firewall) turned on and finding ways to make it as effective as it can be--in addition to offering tools that prevent people from getting into the system. The way I like to think of it is that you need multiple levels of defense. Like with a house, you need a gate, which is one level of defense. Then you need your doors locked--and maybe an alarm turned on as well.

When Steve Ballmer gave his presentation at the Churchill Club a few weeks ago, he talked about "shield technology." What is that going to include?
It's what I'm talking about with fences. Fences and shields are not that different.

Well, what is a shield?
A firewall is a shield. I like to think of the broader term, "countermeasures," because this is an ongoing battle. That hackers are committing criminal acts--and they are--if they want to exploit things, they will adopt all sorts of measures to do so. The question becomes: How can we put countermeasures in place that make it as difficult as possible for them? You want them to go someplace else. You don't want them to go to your house.

Go to Linux?
Not Linux. Fundamentally, you want people to build their systems structure so that if a hacker tries to find machines to get into, they won't be able to get into yours. The idea of having countermeasures in place is focused on turning hackers away--just like a locked door is.

So, what's the real problem? Is it the fact that many people are still not turning on firewalls or is it the way Microsoft's software gets designed?
I think it's a combination. For sure, there are things people can do, and that's why we're working with our original equipment manufacturers and running an ad campaign to get those firewalls turned on. That will help. But clearly, there are places where we can change the structure of our software.

Such as?
We need to make sure that the opportunities hackers have found to get into areas--that we get rid of those. Those are essentially vulnerabilities we've had to close.

There's more and more interest in remote management. And now, you have blade servers and gigantic data centers. The specific job of remote management is to let someone on another side of the network take control of your computer. Does that fundamentally open security vulnerabilities--because you have to build in so many capabilities to allow for remote management?
Not really. If access is protected through a security mechanism--like a difficult-to-break password or a smart card--that's a very secure mechanism. There's just a search. There's a certificate I need to unlock with a personal identification number, and then there's a password. With that combination, nobody's going to guess that password. It's just impossible.

But what I'm getting at is that you have a lot of features built into the server to let somebody else get in from somewhere else. Granted, it's hard to break in, but once you have surmounted the fence or shield, isn't it true that someone can do a lot more damage?
If you are able to get into a system with a set of credentials, you can perform a set of actions based on those privileges. If you have administrative credentials, you have a very, very broad ability to do things. The focus, first of all, is making sure that there are valid pathways for people who are allowed to get on to do the things they need to do.

That's why it's a good idea to use either long passwords that are difficult to crack or combinations of certificates and passwords to only allow in the people who really have authorized access--and then to make sure that there are no inadvertent backdoor ways for people to get in. There are always issues with people who have insecure passwords. If you have a password taped to the terminal monitor, that's the best way in.

A recent report maintained that Microsoft's dominance is by itself causing more critical vulnerabilities because of the potential for creating a cascade failure.
You're always going to have a limited number of systems people are using within their computing environment, because it makes economic sense to do so. There's Linux, Windows, Apple and other variants of Unix out there. There's plenty of opportunity for people to do damage on any of those systems, so I'm not sure how much credence I put in that report.

I guess their point is that companies that are standardized around Windows set up the potential for trouble down the road, because if there is an attack on one system, it's likely going to affect all systems on the network.
Again, I don't know that that's valid, because more and more of these systems are interrelated. If you look at the way applications are being built, there's a strong relationship between them. So if any system is down for any reason, that has the potential of impacting large parts of a company's business.

But then comes along a report that argues that customers should diversify. What do you think about that?
I'm not sure I buy that. When you do that, you introduce a great deal of complexity and a great impediment--potentially--that prevents people from doing their job on a day-to-day basis.

Listening to you talk about the scope of the security challenges, it sounds as if Microsoft remains a moving target. In other words, that there's no way you're going to be ready to declare final victory on such and such a date, and that's that.
I think that it's a process. Absolutely.

But what's the overall strategy, as opposed to, "We're going to a perimeter initiative?" I hear "initiative, initiative, initiative," and then I hear "patch, patch, patch, patch, patch." There must be something grander.
At a higher level, we talk about trustworthy computing and DSI. (Dynamic Systems Initiative, a Microsoft strategy to make corporate data center equipment better able to self-manage.) Both are umbrella programs in which we're putting many efforts together.

Do they map into each other?
Sure they do. DSI is partly aimed at tracking all sorts of issues that are associated with managing systems--including security vulnerabilities. DSI's core is to start with the development process, to look at the entire life cycle of an application, and to look at how to improve the communications of information and knowledge of each participant in the creation of that application. That does not exist today.

Can you give a practical example how this is going to play out?
Today's applications are multifaceted in the sense that they run on multiple computers and have very complex interactions. There's nothing that captures that in a standardized way that can be tacked on as knowledge.

People have it in their heads. They may write it on a napkin or print something out, but they don't systematically capture that and pass it on. Well, that's a critical thing to make those operators more effective--and that's part of what we're doing with DSI.

And here's the security component. The understanding of all the components and all the interactions between components is key to understanding the potential vulnerabilities that could exist within a secure system. If something happens to one component, you can replace it or perhaps create a wall between that component and keep the system operating.

Someone might say what Microsoft's doing is intuitive and that it should have already solved the problem. How is what you're doing more complicated than that?
This is our top priority for everything we're doing.

But you're still saying that you're not going to be able to fix it once and for all. How much time do you think IT is willing to give Microsoft to put this issue behind you?
I think that IT understands that it's not just Microsoft that has these issues. They understand that they have this issue across all their systems. Customers generally feel pretty good about the fact that we're focusing on and taking this very seriously. For most of these customers, there are a lot of steps they can take right now to make themselves less vulnerable.

I'm sure there are, but you're still putting the onus on the customer. We receive a ton of feedback from readers whenever one of these attacks takes place, and each time, there's major blowback against Microsoft.
We talk to those same customers and have heard their concerns in every one of those cases. You have to see what happened and replay it. It's usually a combination of some operational issues and some software problems on our part. They're very happy to hear from us about the things we're doing to address the problems that are our own and the ways we can work to improve their operational situation.

Have these security-related problems slowed Microsoft's ability to get its products into more corporate data centers?
It certainly has had some impact. Some customers have said they need to make sure that we fix these problems before they feel comfortable about moving forward (on a sale). But we also meet with other customers who have never used our software for certain data center systems and are strongly considering doing that or are in the process of installing.

Nonetheless, has it been an issue?
It's like anything else. On any given day, there are issues customers have with any company. Security is very public and visible for us right now, so it's a concern for some folks. As we work through the issues, we'll be able to get through that.

Do you see a point in time when you have a better code base?
It's certainly true that a lot of the problems exist with the older systems, so as the newer things come in, it will get better. We think that the fixes and the countermeasures are going to improve this. But to be perfectly honest, it's only been in the last couple of months that it's become clear to people that these are criminal acts.

What does that have to do with anything?
If you talk to the young man who did the variant of Blaster and whom the FBI arrested, he claimed not to have been aware that he was doing something illegal. This is not unlike robbing a bank.

But most hacks or intrusions are internal or corporate espionage.
That's a different issue.

Aren't they also taking advantage of the same vulnerabilities?
No, they really aren't. An internal act is performed by an employee who has some level of credentials on the system. That's something we don't know how to fix. We have systems that allow people to be very granular in the rights they give to people to limit exposure. But if I have the keys to the data center, I can inflict significant damage. That's very different than writing a virus that's meant to exploit and traverse around the Internet--which is a criminal act in this country and much of the world.

Your terminology's interesting. I'm hearing this "criminal act" refrain popping up whenever Microsoft talks about this issue. Are you doing that on purpose to project a concerted message?
Yes. These are criminal acts.