Netted

“It is entirely possible to be insecure with a Microsoft, Linux or an IBM system. It is, however, also possible to be very secure with all of these.” – Rafal Lukawiecki
By: Ali Ahsan Halai

The Microsoft-sponsored Pakistan Developer Conference (PDC) 2005 is touted as “the must-attend event for enterprise developers, software architects, software engineers, Web developers, and Web development managers wanting to stay in sync with Microsoft’s platform roadmap.” An annual event since 2003, the PDC was set up by Microsoft Pakistan as an initiative to encourage the new breed of Pakistani IT professionals to gather under a single roof to learn and discuss new Microsoft technologies. Experts from all over the world are invited to speak at the three-day event, which this year is being held in Karachi from June 13 to June 15. The PDC is expected to host over 50 technical sessions in eight broad categories over the span of these three days, covering a diverse range of topics including connected systems, Web development and application security. Delegates will be able to “experience in-depth technical training and evaluation on current and soon-to-be released technologies,” promises the PDC website.

One of the experts invited to this year’s PDC is Rafal Lukawiecki. As strategic consultant and director at Project Botticelli Ltd, a small consulting company based in the United Kingdom, Lukawiecki is responsible for analysing, planning and forecasting changes in the field of information technology (IT). Lukawiecki was one of the highlights at PDC 2004, and is this year expected to focus on security, study of programming models and management of large software development projects through frameworks. Spider catches up with Lukawiecki to discuss trends in security and Pakistan’s role in the IT world at large.



Q. Has Microsoft done a better job with security than their open source competition?
A. I believe there are three perspectives on security here: the security process, the question of who is “most secure” today, and what the direction of security is over the next few years.

Let me start with the second of these: “who is most secure”. Well, this is no longer a question of the operating system, but rather of a client’s overall application of security technologies in a “holistic” way. Basically, it is entirely possible to be insecure with a Microsoft, Linux or an IBM system. It is, however, also possible to be very secure with all of these.

The question is that of knowledge and simplicity of process. If you ignore that, then most comparisons between systems are fairly neutral: none of them is overall much stronger than any of the others. If you include the whole process, however, then I believe Microsoft makes for a better choice. For example, one aspect is that of patching vulnerabilities. Recently, two serious security vulnerabilities were discovered in Firefox, the open community browser. The only advice at the time was to quit using Java with the browser until a new version had been released. It is the individuals who need to be aware of the problems and the solutions, and to apply them themselves. Unless you are technically minded, you wouldn’t know it. Today, thanks to Windows Update, this is an automatic process in the Microsoft world.

The third perspective, of the future, is even more poignant. I believe that the whole debate about the security of an OS is a small part of the overall environment, which also looks at application and network security. Attacks that target not the OS but the application layer are on the increase and they will form a significant part of the security weakness of any system.

Q. How would the average user be affected in that circumstance?
A. Because their online banks, etcetera, will be unable to function properly. As for a more direct impact to the home user, I would say that they are likely to become the target of more and more “social engineering” type of exploitations.

Q. Does the game change in any way when, instead of securing individual clients, you would need to secure government infrastructure? For example, do you think the US would ever buy closed source security systems manufactured in China?

A. Yes and no. It changes, as politics plays a significant new role with all its pluses and problems. On the other hand, as long as there is a way of reviewing the product, for instance by looking at the source code or by obtaining independent certifications, this is not as much of an issue. Of course, anyone who is a Microsoft Enterprise Customer, including all governments, has full access to the source code if they are interested. This, incidentally, also applies to universities and academic institutions, as long as they sign a suitable agreement.

 




More importantly, however, we need to make sure that someone has reviewed the code well. This is not even an issue of access to the code, but an issue of the sheer amount of work involved.

Q. What new technologies do you expect will change the way we look at security today?

A. An area known as “active security” or more simply “pattern and behaviour analysis” will be a major breakthrough. In 10 years, neural networks with their innate ability to discover patterns may be of help. In the next two years or so, Microsoft should ship two interesting technologies: Active Protection and Dynamic Systems Initiative. I think they will play a big role too.

Q. What policies should a developing country emphasise to accelerate technological progress?

A. There should be strong support for education, especially at the school and university levels, in order to create a group of people capable of driving these technologies. Further, a country in your position needs to retain these skills when they have been raised. This means good support from the government for people building new businesses, wanting to venture and perhaps risk money and resources.

Finally, the government themselves should ensure that their IT and e-government strategy is well thought through. Of course, the government should be a good buyer of home-grown technologies as well as a keen observer of what happens elsewhere.

The government ought to consider supporting a Strategic e-Government Initiative and Group (or Committee). One of their tasks is to clearly define the priorities for spending and resource allocation. Needless to say, in the case of Pakistan, those ought to include concentrating on information communication technologies (ICTs) (especially broadband) in general and bridging, or preventing, the growth of the “digital divide”.

Q. What role do you see developing countries such as Pakistan playing in the IT field over the next 10 or 15 years? Do you see Pakistan playing any significant role in the security arena?

A. Of course. There are at least two huge benefits Pakistan has over the rest of the world. One of them, the relative cost of labour, is already being exploited through outsourcing. The second area is slightly more complex. As Pakistan is a new entrant in this field, it does not carry the baggage of old-fashioned legacy systems and, more importantly, older ways of thinking. This means you can jump to the newest and best faster, giving you the advantage, and above all, allowing you to innovate ahead of the rest.
 


Q. What advice would you give to our readers on protecting themselves in the digital world?

A. Do not believe in a “free lunch”. If software is very good and free, it may be because the author is philanthropic. Typically, however, a lot of free software comes with spyware and malware attached, such as Kazaa, which will exploit your systems. So be vigilant and slightly suspicious.

The Sites
CERT Coordination Center – www.cert.org
Microsoft Security Home Page – www.microsoft.com/security
Microsoft Pakistan Developer Conference 2005 – www.microsoft.com/middleeast/pakistan/pdc/
Project Botticelli Ltd. – www.projectbotticelli.co.uk
Mozilla Firefox – www.mozilla.org/products/firefox
 



     


SPIDER
2nd Floor, Haroon House, Dr. Ziauddin Ahmed Road, Karachi - 74200. PAKISTAN
Ph: 111-444-777 Ext. 3377 Fax: +92-21-5681544
© Copyright 1998 - 2005
editor@spider.tm advt@spider.tm