Microsoft wants Internet safe for .Net

That's the major theme here at the software giant's Trusted Computing conference, where the company has brought together almost 200 security experts, privacy advocates and policy-makers in hopes of developing a firm strategy to better secure the Internet.

"The Internet is clearly at the stage where the telephone was when we had just switched from rotary dialing," Craig Mundie, Microsoft's chief technical officer for advanced strategies, said during a Tuesday keynote address.

Like the poor security that originally surrounded tone dialing and let hackers misuse the phone network, poor security on the Internet today allows online vandals, hackers and others free reign, Mundie said. "We have been a bit naive about the threats that are out there."

As Microsoft readies its multibillion-dollar bet on its .Net strategy to turn software into a Web-delivered service, security on the Internet and in Microsoft products is a serious issue. The .Net initiative focuses on connecting customers with businesses over the Internet using a new, more secure framework. The initiative could be Microsoft's best chance to maintain its business growth.

This past summer, a myriad of incidents plagued the company's products. Two Internet worms, Code Red and Nimda, hit Web servers running Microsoft's Internet Information Server software. Last week, a set of flaws in Microsoft's Passport authentication protocol left consumers' financial data accessible to potential attackers.

The company has launched an internal project to tighten its own coding standards and in October introduced another project to heighten security awareness among its customers.

The problems go beyond Microsoft, Mundie said. He stressed that all companies on the Internet need to work to become more secure.

"Many of the problems that we have today are human problems," he said. "It doesn't matter if you buy a perfect firewall or a computer system if the humans don't configure them right."

In the long term, better research into security is also necessary, he said.

Pressing for more security is necessary if the company is to convince others to join the .Net effort, said George Kurtz, CEO of security service provider Foundstone and an attendee at the conference.

"This is definitely laying the groundwork for .Net," he said. "If you can't show that you have your house in order and that you care about security, then .Net is a tough sell."

While the conference will benefit Microsoft most of all, having the software titan behind a push for more security helps a lot, Kurtz said.

"This is a good thing for the world--anytime you have someone like Microsoft get behind security initiatives," he said.

Yet, in the push to make the Internet safe for commerce, open-source programmers and hackers may fall afoul of the company's attempt to crack down on those who poke holes in security.

Mundie holds little love for hackers and online vandals, likening them to the terrorists that the U.S. declared war on after the Sept. 11 attacks. While he fired a warning shot against virus writers and network attackers, Mundie didn't seem to distinguish them from those who find software flaws.

"The people that are sitting around and developing these exploits against networks and network based services...I think we are going have to be more pro-active in dealing with them," he said.

Many security experts expect that a major initiative to come out of the conference will be new rules for disclosing vulnerabilities in software.

However, closed-door discussions on Tuesday only worked to hash out the security problem, participants said.