To Microsoft, security is about features. A builtin "firewall", VPN, encryption of this or that, trusted something or other. Applets and wizards.

They're basically stuck in that position, too. The cash cow is actually layer upon layer of such features, fundamentally designed for a different, and far less ambitious, job than it's now asked to perform.

I'd better stop, or I'll go into full-on rant mode. Oops, too late.

Windows needs a complete rewrite, but that's not enough. If they did that now, they'd wind up with the same sorts of problems they currently have.

Even a total refocus on security is not enough. They have to change who they are as a company.

It's my understanding that at Microsoft, as at many software companies, the prestige and resources allotted to a group of programmers are determined by how much revenue their piece of the product will produce.

To make software customers can trust, they will have to change that mindset.

To a software business the value of a product can be measured by how much money it makes, but it's an unholy error of the stupidest freshman sort to value individual parts of the design by how much they'll bring in. Some parts are so essential, and some phases of design so vital, that without proper attention paid to them the overall product falls on its face.

The marketplace doesn't know enough about the inner workings of your product to tell you what value to place on any particular phase of design. The market (eventually) tells you how well it likes the finished product versus your competitor's, but hidden design processes aren't part of the comparison.

Security has got to be considered at every step of the design process. It follows along with robustness, portability, scalability, and overall algorithmic soundness.

I have a suggestion for you Microsoft design managers out there, for the next time your boss says, "Hey, let's make [X] really easy - that would really sell!". Don't just nod. Look at them and say, "Maybe, but it would also be simple to exploit."

The response will tell you how far the focus has really shifted.

I regularly clean the keyboards of computers that come to me for various fixes. I started doing it because some keyboards are so foul that I don't want to touch them without some kind of powerful cleaning agent nearby.

I have several different cleaning solutions and tools, depending on the type of grime in question. Apply the cleaning solution to the cloth or swab, not on the keyboard. Usually it works best to apply the cleaning solution to a row of keys, then come back along to clean that row thoroughly.

• For typical grimy student keyboards, I use a vacuum cleaner followed by Windex and a cotton cloth.
• For tobacco stains and other unfettered nastiness, I use a solution of alcohol (70% isopropyl) and "Arm & Hammer Baking Soda Washing Powder" on cotton swabs. (You can substitute equal parts of any laundry soap and baking soda). Use about a teaspoon of the powder for a half liter of the alcohol. The washing powder dissolves in the water, not the alcohol, so it may be necessary to dilute with more water. The baking soda also has a mechanical cleaning feature if it isn't fully dissolved, but the tradeoff is more residue. Be sure to wipe thoroughly to remove any residue.
• I've also used Scope (20% alcohol with menthol and eucalyptus, I think) or Listerine instead of rubbing alcohol. The washing powder dissolves better, but there's not as much alcohol in the mix. This method leaves a clean, fresh scent.
• For some other icky types of pernicious goo, the pumice + citrus hand cleaners work great (but tend to wear away at the paint on the keycaps). Follow this with Windex, alcohol, or water to remove any residue.

Denatured alcohol works almost as well as the baking soda mixture, depending on the type of disgusting adornment your keyboard has gathered. It also leaves no residue. You can get 91% alcohol from most drug stores, usually including Wal-Mart.

Wall Street increasingly runs on Linux. Maybe the irony of Microsoft selling antivirus software will drive that trend to continue. What's that? You don't see the irony in Microsoft selling antivirus software?

Computer experts talk about security flaws and software bugs as if they're separate things. A security flaw is just a bug that someone can exploit to affect the system somehow, even to take it over completely. A virus, or any other program that moves from computer to computer more or less on its own, has to exploit a bug in the host operating system.

Viruses, worms, trojan horses, and spyware are all examples of "malware", or what I'll call automated attack software. Increasingly the purpose for automated attack software is to coordinate control of computers to accomplish some goal, such as to send spam or collect private data, rather than simply to create havoc as in times past.

The Redmond Response

If Microsoft follows its usual pattern, its antivirus (AV) group will have access to the Windows source code. The AV group will also interact with the Microsoft marketing team, which means that A) they will sell a lot of AV software and B) they will tend to coordinate bug fixes with the marketing department.

As malware reports come in to Microsoft's antivirus group, the engineers (from the AV group or elsewhere inside Microsoft) will eventually look at the Windows source code and discover the flaw that the malware exploits.

But the antivirus group won't be able to release a bugfix to Windows. Such fixes have to be examined for effectiveness and to make sure they don't create flaws of their own. Fixes also tend to be aggregated together to lessen the burden on users to keep up to date.

What the antivirus group can do on their own is to release new malware detection and removal definitions. Such changes don't go into Windows itself, but into the add-on antivirus software.

So rather than fixing holes in the OS as they come in, Microsoft may tell users to buy the AV software.

It will provide them a way to shed criticism over vulnerabilities while actually profiting by them. The bugs uncovered by the AV group may eventually be fixed, but the company will have motivation to delay fixing Windows in order to generate sales of AV software.

So that's why it's ironic that Microsoft is selling antivirus software. They should fix the OS rather than sell AV software. However, selling the software will give them an easy out when future problems are discovered. They can dissemble for a while, calling a bug a simple virus matter.

Never mind that viruses should not exist. No operating system is totally impenetrable. Every program has bugs, and operating systems are no exception. These flaws should be limited, and no operating system vendor should add a single feature to their software while an exploitable bug exists. To have an entire industry devoted to removing automated attack software is ridiculous, and shows the incredible inattention to quality in the market leader.

Maybe the government, consumers and business will be more motivated to look away from Microsoft for software solutions because of Microsoft's entry into the antivirus market. Maybe the drive to squeeze another profitable quarter out of software that compares poorly with its freely available competitors will, in a loop-closing irony of its own, drive the Wall Street software installers away from Windows - while the brokers are buying Microsoft stock.

But probably it will only serve to put more pressure on some smaller AV companies that are just squeaking by, forcing them or to change their model or even to go out of business.

And few things make for happier tidings in Redmond than dominating yet another market segment.

When Al Gore, Jr. got to Congress in 1976, the Internet was already experiencing exponential growth. People were discovering the benefits of connecting computers together, much the way their forebears discovered that yes, they could find a use for a telephone in their home after all.

In 1989-90, I was a student at the University of Illinois, working in a little computer lab. By then, the Internet was growing at 8% per month. A coworker predicted that in 10 years, everyone's toaster and fridge would be on the Internet.

"No", I told him, "only computer geeks will ever use the Internet." That was before the web took over. We were both wrong, or perhaps, while I wasn't looking, the definition of "geek" changed.

The first time I saw a URL on a billboard, I felt a twinge of grief. My Internet wasn't mine any more. It was everyone's, just as it always wanted to be.

At any rate, the Internet was exploding, and it wasn't due to the efforts of any one person. There are certain forces in history that gain momentum and will just happen, regardless of the efforts of individuals to aid or deter them. Congressman Gore was on the right side of the curve, and his leadership was well-known in academic circles, but the importance of the Internet in the sweep of history dwarfs the ability of any one person to have much influence on it.

In fact, that's probably why people lampoon him so much for saying he "created the Internet". He was drawing on his viewpoint in government, that here was a tiny little program with a budget of much less than a billion dollars a year, which he championed until it became a phenomenal success. From his point of view, he did create the Internet.

All of us have tunnel vision. We are only able to see things through the lens of our own environment, our own experiences.

In the U.S., before 9/11/01, we didn't think terrorism could happen here. Sure, there was the first Trade Center attack, which we promptly ignored. Then there was the Oklahoma City bombing, which we attributed to right-wing anger over the disaster at the Branch Davidian compound in Waco a year to the day earlier.

We had blinders on. Terrorism happened in Europe and the Middle East. Here, the Good Guys always stopped them. That's the way the movies show it.

Now we're forced to recognize that we can have terrorist attacks here. Probably VP Gore felt the same dawn of recognition when he realized that worldwide adoption of internetworked computers was not his doing. To a lesser degree, I felt the same sudden change in my world when I saw "http://...." on that billboard.

I wonder what I can't see now.

The time to deal with the PHB and the security consultant is before the report comes. Define a level of security your company finds acceptable.

It doesn't take much to quickly set the right tone for a security audit. Even the Pointiest of HBs can understand the basic rules:

1. You're never totally secure. The goal is to find a level of safety that we can tolerate and still get satisfactory service from our systems. (Do we change our passwords every day? No, too much hassle.) Security must be balanced with usefulness, and that balance point is different for each machine in each company.
2. We layer security measures on top of one another and hope that our effort is enough to make someone seek an easier target.
3. Bosses understand cost/benefit ratios, and they understand that you get more usefulness for more dollars. They'll also understand that you get more security with more dollars - what are they willing to pay (either for labor or devices)?

If you have a chance, take them through this:
The only way to really secure a system is to turn it off. Not very useful, but highly secure. Ok, so maybe turn it on, but unplug the network cable. And lock the door. (Who has a key? Who cleans the room? ) But it's a server, so it sort of has to be on the network to be useful. So plug it in, but use a firewall it off from the rest of the network with every service but files blocked. Well, ... you get the idea.

It's all about tradeoffs. Sometimes something comes along that makes life better, easier, and cheaper at the same time, but usually you only get one or two out of three.