PC security: We've come a long way, baby
Source: Robert X. Cringely

A notable anniversary in the annals of personal computing is arriving this Sunday. Ten years ago, on Jan. 15, 2002, Microsoft's then-chair Bill Gates penned the famous Trustworthy Computing Memo.

That was the day Microsoft finally woke up, smelled the hackers, and began getting serious about security. Gates wrote:
In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. ...If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.

[ Also on InfoWorld: Redmond may be drawing to the close of a different chapter in "Microsoft + CES: End of an era." | For a humorous take on the tech industry's shenanigans, subscribe to Robert X. Cringely's Notes from the Underground newsletter. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]

Of course it's one thing to write a memo, another thing to make it real. The notoriously insecure Internet Explorer didn't stop being a hacker's plaything until the release of IE8 in 2009. During that time frame, Microsoft went from owning 90-plus percent of the browser market to less than 50 percent today. A lot of that had to do with IE's notorious vulnerabilities and poor performance.

Vista's User Access Controls, an ill-conceived effort to keep users from harming themselves, made computing more annoying, not more trustworthy. (It was also brilliantly parodied by Apple in its "I'm a Mac" commercials.)

But by and large, Microsoft products have steadily grown more secure over the years. Christopher Budd, a crisis communications consultant who was working in Microsoft's Security Response Center at the time the memo was issued, says Gates's notice helped bring us all a little closer to the goal of secure computing:


        In a way that memo served a function similar to the US Constitution: it enshrined high, aspirational ideals at the center of things. Just like with the Constitution, the reality may fall short of the ideals, but because of how central they are for the organization, it's easier to fight for those ideals than it would be otherwise.

        Relative to others in the industry, I think Microsoft comes as close to that ideal Gates outlined around privacy as anyone does. No, they're not fully there yet, but they have been one of the progressive and innovative companies around privacy.

        I can say from my time there that, as someone focused on doing the right thing for customers around security and privacy, it was much easier to succeed at that after the memo than it was before.

Are computers more trustworthy than they were back when Gates wrote his memo? Without a doubt. Whether they are trustworthy enough is another question. Because even if computers are 10 times more secure than they were back then, the threats are now 100 times worse.

So I'm tossing this one back to the residents of Cringeville. What do you think? Are computers trustworthy enough, 10 years later? If not, do you think they ever will be?

Post your thoughts on Trustworthy Computing below or email me: cringe@infoworld.com. I'll collect the best responses and publish them in a future post.