Thursday, February 02, 2006

Microsoft Vista: Committed to Security?

Microsoft wants everyone to know that security in their next OS, Vista, will be wonderful. We understand that every bit of Vista is checked for security holes, and that security teams are a routine part of all development at MSFT. Here's a story about shipping security patches for Vista in Beta. And here's Microsoft's Jim Allchin telling us that "Safety and security is the overriding feature that most people will want to have Windows Vista for."

Is Microsoft REALLY hardening its code to make it all secure? I think that if they were really serious, they would post most of the source code for inspection at their website. That would get them hundreds of fine, cantankerous inspectors. They don't have to post all their code; they can keep some of it secret and inspect it at home, but open inspection will correct a lot of the rest. And I'm not making this idea up.

In a lecture, Paul Graham tells of submitting an article to a magazine and then finding he was hoping it would be rejected so he could post it at his website. "I feel pretty confident of something," he said, "after it's been reviewed by 7,500 people."

Microsoft could have the same confidence if they tipped most of their beautiful new Vista out into the daylight. They could even offer to pay $50 per security bug that anyone finds. Why don't they?
