Microsoft Corp. Chief Technology Officer Craig Mundie has one of the most difficult jobs in a company full of difficult jobs. The tough-speaking executive has found himself on several occasions addressing red-hot issues at the moment they were most heated -- such as talking to a roomful of Linux developers in July, just weeks after Microsoft executives had compared their operating system of choice to a cancer.
Tuesday, just one week after an independent programmer managed to write a program that could expose credit card information stored in Microsoft's Passport authentication service database, Mundie found himself in a similar pinch: standing before nearly 150 industry executives and security experts talking about the security behind Microsoft's lofty plan for the Internet, called .Net.
As seen in the recent security snafu with Passport, the key authentication technology that will facilitate .Net, Microsoft still has a ways to go before it can ensure that its plans for pervasive computing will be secure. Speaking at Microsoft's campus here, where the company is hosting a three-day Trusted Computing Forum, Mundie conceded that and extended an olive branch to those who might be able to help solve the problems.
"Despite best efforts by smart people, it is unlikely that computing will ever be perfect," Mundie said, comparing the problems facing the technology to those faced with several innovations in history, from the telephone to the credit card. "I don't think the people who designed these networks ever would have predicted the problems they would face.
"In a way you could say it was a bit naive," he said.
But programmers have found ways to exploit Microsoft's naivete, spreading worms such as Code Red and Nimda through Microsoft's Internet Information Server software, and this has raised serious questions regarding how the company and the industry can progress without falling victim to similar malicious computer attacks.
Still, growing industry support was evident here in the comments from attendees, many of whom are Microsoft's biggest critics and competitors.
"There is a lot to be said about Microsoft's progress in cooperating with the industry on privacy," said Tatiana Gua, senior vice president of integrity assurance at America Online Inc., the Internet service division of AOL Time Warner Inc., who attended Mundie's presentation.
Citing the addition of new security technologies in its products, such as P3P (Platform for Privacy Preferences) and Microsoft's efforts to step up its cooperation with industry standards groups, Gua expressed some support for Mundie's presentation. Still, she criticized some of the technical points in Microsoft's security strategy. "Unlike Microsoft, we don't believe that one size fits all," she said.
Robert Hahn, a research director with the American Enterprise Institute, a Washington, D.C.-based think tank, who studies privacy and government regulation, noted a similar shift in Microsoft's actions in regard to ensuring a balance of privacy and security in its products.
"Microsoft is clearly thinking about security and privacy very hard, and they've realized they're not going to solve it by themselves," Hahn said.
With government regulators and industry counterparts pressing down on several aspects of Microsoft's business, from federal trust-busters to industry chief technology officers who have been burned by the use of Microsoft's bug-prone software, the company that arguably has been at the center of the industry's security and privacy battle has now found itself with a difficult choice.
If it gets too wrapped up addressing privacy -- appeasing critics such as those who recently filed a claim with the U.S. Federal Trade Commission regarding Microsoft's Passport service -- the company endangers its ability to create secure products, Mundie said. If it gets too wrapped up in security, devising Teflon products that are impervious to malicious programmers, it could step on privacy.
"Compromise will be required," Mundie said.
Reflecting the vast complexity of the issues behind making a secure and private computing network that also is a useful tool, Mundie turned to analogies to identify many of the latest security and privacy issues the company is facing.
On hackers, Mundie compared the malicious coders who are poking holes in Microsoft's software to the cells of terrorists that threaten the safety of the U.S.: "The evolution of hacking is very, very akin to this network of terror cells," he said. "And there is the potential to treat them the way we treat terrorist cells."
On government's role in monitoring technology and the Internet, Mundie said regulation has historically been done by policy makers who rely on examples from the past. "It's like trying to drive a car looking through the rear-view mirror," he said.
On government regulation of Microsoft's business practices and those of other companies building similar Internet technology, Mundie compared the company to the goose that lays golden eggs. "Do we shoot the goose? Or do we take more of a risk and let the goose keep running free for a while?" he said.
With two days of discussion ahead, and presentations scheduled from speakers including Federal Trade Commissioner Mozelle Thompson as well as Richard Clarke, special advisor to President Bush for cyberspace security, Microsoft is bringing the issues to the fore and looking for some answers.
"This is not a simple problem, and no simplistic approach is in and of itself going to yield the desired result," he said. "But we're up to the task of meeting our commitment."