
Remarks by Bill Gates, Chairman and Chief Software Architect, Microsoft Corporation
RSA Conference 2004
San Francisco, Calif.
February 24, 2004

View the PowerPoint presentation that accompanied Bill Gates' keynote:

  • BillgRSA04Keynote.ppt (26.1 MB)


    ANNOUNCER: It is now my unique privilege to introduce this morning's keynote speaker. I don't know why, but all of a sudden the words "big guns" come to mind. William H. Gates is chairman and chief software architect of Microsoft Corporation. In addition to his love of computers and software, Mr. Gates is interested in biotechnology and sits on the board of ICOS. Combine the vision of the general with the spirit of the lion, and you're pretty close to summing up Bill Gates. (Applause.)

    BILL GATES: Thank you. Well, good morning. It's great to be here with thousands of security experts and give you an update on where Microsoft sees the security threats and the things we can work on together to make sure these don't hold back the potential of software systems, the potential in the business world, the educational world and for people at home.

    Microsoft was founded with a vision that software could do some amazing things, but today the one real question mark that exists is will the network be reliable enough, protecting information so that people feel that their privacy is preserved? Will they be willing to use e-mail and avoid the spam, and will their computers be reliable and not subject to these attacks?

    So the goal of Microsoft is to invest in building these software platforms. We spend US$6 billion a year now in our R&D budget, which is the largest technology R&D budget in the world. And there are all sorts of exciting things that are coming out of this: The move toward systems that will recognize speech, that will use ink, much better ways of doing business intelligence and workflow, systems that are going to be lots of fun to use and let people communicate in new ways.

    And the rest of this week, I'm off at five different universities talking about some of these breakthrough opportunities and really trying to make sure that kids coming out of school are excited about working on these things and see the opportunities there.

    But the security topic is, I think, the most important topic -- to make sure that this happens. Certainly, if you look at our resources and what's the biggest part of that R&D investment at Microsoft right now, it's focused on security. Our research group is making advances that are very important here. Our product teams change the processes they've used. Everything we're doing has been impacted, and I think over the last two years we have made a lot of progress.

    I'm going to give you an update. It's not something that's a completed work, because not only Microsoft but everybody in this industry has a lot we need to do before we get to the point where this is not what stands at the top of the list of what would hold us back.

    There are a lot of different challenges out there. We've got to have the right tools. We've got to have the right processes. The people who attack these systems are getting more and more sophisticated. For every time we take a type of attack and eliminate that as an opportunity, they move up to a whole new level. And that's not an unending process. We can make it dramatically more difficult, but we have to keep that in mind: This is a measure-countermeasure type environment.

    We have so many devices that will be connected up to the Internet, billions and billions of devices. We have people who are connecting machines to all these wireless networks, and the wireless network is trying to be made secure, even though they're not controlled by a central IT department.

    The current statistics on the size of these challenges and the costs of remediating these things are very, very dramatic. And it's not only substantial, it's very hard for people to plan for. Knowing exactly what has to be done, that's been far too difficult.

    And so it's not a case of simply fixing a few vulnerabilities and moving on. The traditional responses, the way that the systems are architected, the way they're put together, all of these things have to change so that even as the attackers get more sophisticated, we're able to bring down the threat opportunity and bring it down very, very dramatically. My basic view is I'm very optimistic about this, even though there are many years of work ahead of us.

    I wanted to talk a tiny bit about the threat model, the types of motivations and the types of people who are going and creating security exploits.

    First of all, there is a lot of work done on security by experts who are totally benign, just really trying to help the software move forward, and we really appreciate the relationship we have with those security experts. They're the ones who are looking at threat models, giving us feedback and things of that nature.

    The unfortunate fact is that as there is that dialogue, as that gets public, people who have malicious intent take the information. It's very rare that the malicious person actually comes up with the exploit. But they take that information and use it, particularly in an environment where we haven't been able to keep the systems up to date in a very broad scale way. I'll talk about that, because making progress on that is one of the key elements to bringing these threats down.

    A lot of what you hear about are people going after personal things. That is, people who want to spread their exploit and put it on lots of different systems. All the headlines come around that. It's really the next levels up, though, that are perhaps in some ways more serious. These are exploits where people would go in and take information and not advertise it. So there's a big difference: If you're going for fame, you go for spreading functions and you want to make it well-known. If you're spying, which is the top part there, the national interest part, or if you're trying to steal information, you go in silently, do what you want to do and then come out of the system.

    And, in fact, the learning curve we go through, a lot of it is driven by the work with these security experts and the attacks that come out of that personal fame category. But the maturity that we're getting in terms of the systems, the updates, the methodologies, these are exactly what we need to take care of these other threat models.

    And so it's the dollar loss that comes in -- that gain level or the national interest piece -- that we can get to by making sure that none of these types of people can get in and attack these systems. And so the learning curve is being driven forward very rapidly by the visible portion of this activity.

    Now, our approach, of course, has two main buckets: the work we're doing at the technical level, both on our own and around industry standards, and then the work we're doing in terms of education and awareness and working with governmental entities. There are lots of policy issues here to make sure that when people are doing malicious things, the law is very clear that that's inappropriate, and having the sophistication to track down and make sure that it's very evident to people that these things are literally crimes that should not be repeated.

    A lot of the dollars are going into those technical buckets. Those technical buckets are very important, and I'm very optimistic about them, but we'll never get away from the need to have both of these pillars, to be working with customers, setting up Web sites, setting up auditing tools that can make things easy for them, and raising the level of awareness of these issues so that somebody can go through exactly the steps to secure their systems.

    There are a lot of different partnerships we've had that relate to this, working with the national CERT organizations so that when there are issues, we're very coordinated with them and even looking at how we can have dedicated network bandwidth between us and them so that information can always flow and be helpful.

    We also have a class of partnerships where we provide the Windows source code. Part of that is called the Government Security Program and it was pretty amazing to me that governments like China and Russia, not to mention the United States and the United Kingdom, NATO, all of them expressed an interest, and signed up for that Government Security Program. We now have over 30 different governments working with us on that.

    Our Customer Source Share Program, we now have thousands of customers working with us on that, and that's been very important to us to get more feedback, more understanding. People are looking in there, making sure that they're seeing what they want, making sure we have the modularity for whatever security algorithms they want to apply, that we let them come in and connect those things up.

    I'm sure many of you have heard that there was over the last month a leak of a portion of the Windows source code that related to a previous version. That was not something that came off the Microsoft network. It's not something that related to any of these Shared Source programs.

    So we're very committed to these Shared Source programs. In fact, the volume and level of activity of those will continue to increase. We see that as just one of the partnership things that's very important to us.

    So how do we get to these higher security levels? Well, there's a whole way of looking at code and saying, 'How do you reduce that attack surface? How do you have tools that can look at code and go through and find the areas where there might be vulnerabilities?' And we call this the Trustworthy Computing process, and it's something that we rolled out in 2002. And so, products starting to ship last year had the benefit of this work. And it's been pretty substantial in terms of what it's meant in terms of investment, but also in terms of what it's done to the quality levels of the resulting products.

    There are a lot of architectural principles. We talk about SD-cubed-plus-C; that's secure by design, that's security-aware features.

    Secure by default: That's making sure people can see very, very easily exactly what type of network communication they're allowing, understand exactly what that surface is, and we've eliminated a lot of the so-called network responding services. We've defaulted off those services, and we've made these group administrative policy management capabilities apply very easily. So some can say, 'Are there any systems on this network that have this port open? Are there any systems on this network that have been experiencing a certain type of traffic?' And you have this visibility not just on a single system-by-system level, but as an administrator looking at all the different systems in your environment.

    Secure by deployment: This means having logs, having the training activities there, doing security audits with customers and making sure those things are absolutely clear. Take, for example, the need to keep software up to date. We did not make it absolutely clear to our customers that having the updating services and the latest versions was particularly important for Internet-facing systems. For other systems, having the firewalls was particularly important. So making it easy for them to know they have best practices there, keeping those things up to date and making it very easy to do that is part of our mission in this.

    Many of the problems that came around, people who were up to date because the fixes had been there, they didn't have those problems. But the responsibility comes back to us: until we make it so virtually 100 percent of the customers find it attractive to have that updating in place for the Internet-facing systems, we really haven't done our job.

    There are a lot of ways to measure our progress. There's the progress we've had in getting our software management services deployed and used by enterprises. That's up by more than a factor of three over the last 18 months. That's the updating piece there.

    Another way to look at progress is the chart I have here that talks about what type of critical or security bulletins have we had in the time period, in this case a little over 300 days since the release of our last server product.

    So in blue you see that during that time period, for Windows 2000 Server there were 38 either critical or important bulletins and here now for Windows Server 2003 in that same time period we've had nine, and the average severity in fact has been lower on those.

    [Editors' note, Feb. 26, 2004: The numbers of bulletins noted in the previous paragraph have been updated since original publication to correct a speaking error and to accurately reflect the numbers as shown in the accompanying slide deck.]

    Now, we're not saying that's a job done, but even in the face of the increased sophistication of the attackers, the attack tools, trying to rise up to that level to get that fame, this represents substantial progress based on those improvements. Clearly, there's more to do, but that is one of the metrics that shows us that we're definitely on the right track.

    In terms of securing systems, the importance of updating and firewalls and how those are administered, that exists not only at the corporate level but at the medium business level, the small business level and even at the consumer level. And, in fact, the tactics we go through to make sure that all of those things come together for those systems vary according to the audience.

    These things are interconnected. If somebody is sending around a mail thing and they're clicking on executable files, that can cross over from a consumer scenario on to a corporate machine, particularly if you have a mobile machine that's carried into the network. The idea that you can look at that machine before it comes onto the network, see if it's up to date, see if anything is on there that shouldn't be on there, that type of analysis and scanning needs to be a standard part of the security environment so that the two domains are kept separate from each other.

    In terms of the updating capabilities, we have the free Windows Update. For consumers, our message is very simple: You should have the automatic update turned on. For corporations, it's a more complex message and the tools have to be more complex to deal with those environments. But at the heart of it is the Software Update Service -- that's a free capability -- and then SMS, the System Management Server that's the superset of that and, as I said, has had a very dramatic increase in deployment, particularly as that was made rich enough to deal with these disconnected machines, the portable machines that have often been the toughest piece and therefore often been a problem in security scenarios. As soon as we got good enough to handle that in an auditable, totally predictable way, people saw this as the software that would solve that problem.

    As there are problems, we've put out various things that you can click on and get the systems cleaned up. And, in fact, we've seen with things like Blaster, as people have applied those, we're seeing a big drop-off now in the network traffic that's related to that.

    So having those things there, getting those things out faster, that's a very important part of our commitment.

    Another part of our commitment is having tools so that people who are writing applications can also make sure that their code is secure. And so, there are many layers in the system and the attackers will go after whatever the weak layer is. And so as we strengthen, we have to make sure that's being done from top to bottom.

    Visual Studio is, of course, our popular development tool that's used to write the vast majority of all Windows applications. We've been sitting down with developers and saying to them, 'OK, what would they like to see in the security area?'

    One example where there was very strong feedback was that they wanted to be able to develop applications that didn't require people to run in administrator mode. And so, actually what we do in this next release that's codenamed "Whidbey," as you're developing an application, you indicate you want it to work without somebody being in admin mode, and as you're using various systems calls it will point out to you which ones you can use and can't use. And so, we'll get even the corporate applications to get out there and not require any privilege escalation to either install that application or use that application.

    Making it easy to understand the Internet security zones and how you can make an application that works with those, there was a lot of work to be done on that.

    An area of particular innovation is this idea of scanning source code and finding areas that might be security vulnerabilities, things like checking the size of the buffer, checking the size of an on-stack data structure. We bought a company called Intrinsa about five years ago and took this analysis tool and said, 'OK, we are going to put a lot of money into this and for many years we'll just apply this to our own code, make sure that it catches all these different patterns,' and it's helpful there. Now we're turning around and taking that and putting that as just a standard part of Visual Studio.

    And so, whereas the original business plan for this technology, before we bought the company, was that this would be a fairly low volume but high-priced type thing for people who wanted to have very reliable code, in this environment what we've said is, 'No, let's take this and just put it into every copy of Visual Studio, so that pre-fast technology that does those scans, checks for those things, very sophisticated, very flexible, that's just there as a standard thing.'

    So a lot of things happening in the development tools that are going to get that application layer to come in and also be as secure as the other layers as they improve.

    Now, as we look at security issues, we can take and make sure there are no vulnerabilities but we can also take and make sure that the way that these things are spread, that we're blocking those off. We need to work on both of those fronts.

    And so what are the main modes of attack taking place here? Most people here will know that there are really four buckets that are important.

    Things come in across the network, using open ports that are there for benign reasons, but finding attacks there. And those are the attacks that spread the most rapidly, because those are basically at the speed of code executing and sending messages on the network.

    There are attacks through e-mail attachments and Web downloads. If somebody downloads a piece of code that they think is benign, but it's not, that code is running essentially on their behalf and can compromise the system and spread from there. It's not just e-mail, it's Instant Messaging, it's all the different ways that files come onto those systems, including those download capabilities.

    Finally, there's a thing that's very common in these attacks in terms of taking memory and using it for something other than what it was intended for. The classic case being these software-overrun cases, where you literally inject code into a space that should have been a data space. And both in terms of how we compile things, the so-called "GF Flags" in the compiler, and raising the sophistication of that, and now having support at the chip level, where we're working with both Intel and AMD so that the new chips that they are bringing out have this NX Flag that doesn't allow execution and data rights on the same pages, that takes a huge mode of attack that's common across many, many, many of these exploits, and prevents it. Sees that it's happening and doesn't allow that transfer to take place.

    So these are the four areas, along with the quality work, that we're doing in this release of Windows that we call SP 2. SP 2 is a release that's totally focused on security. And, in fact, today, this is the primary focus of the Windows team. We've got some portion of them still working on the major featured-oriented release that's off in the future, code named "Longhorn," very exciting, but we prioritized the resources and the activities around what's an intermediate release under the name SP 2 that is just security-oriented. And really listened to a lot of people in terms of what's necessary there, what we should put into it, I think the best way to understand why we think this will be a very important advance and one that we're going to really encourage people to install very broadly, I would like to ask Zachary Gutt, who is a product manager for this, to just come out and give us a quick look at some of the new things that are in SP 2.

    Welcome, Zachary.

    ZACHARY GUTT: Thanks, Bill.

    So, we've designed Windows XP SP 2 to improve security around all the modes of attack that you just talked about. I'm going to show you that through three key features. The first is Windows Firewall, which is the successor to Internet Connection Firewall. The second is enhancements to Internet Explorer. And the third is the brand new Windows Security Center.

    So, let's start with Windows Firewall. One of the easiest things to protect your computer is to run a firewall, so that's why in SP 2 Windows Firewall will be on by default. However, some applications don't always function properly when a firewall is installed. This is because many of them have been written assuming that these ports are always open. So, I'm going to launch an application here called Net Chess, which allows me to play chess on the Internet. Now, to do this, Net Chess needs to listen on the network.

    So, as I start up a network game, we can see that now Windows Firewall is asking me if I want to allow Net Chess to use the network, and doing that is as easy as clicking "Unblock this program" and then clicking "OK." Now, it's also important to note that Windows Firewall will dynamically close these ports when Net Chess is finished using them.

    So, let's take a look at the Windows Firewall user interface, and we can see that an exception has automatically been defined for Net Chess. We can also see that this list includes exceptions for common programs and services like file and printer sharing, and Windows Messenger. It's also very easy here to add your own exceptions manually.

    Now, looking at the General tab, you can see we added a brand new operating mode for Windows Firewall called On with No Exceptions. Now, this prevents all incoming traffic from coming to this computer. This is especially useful when I'm on something like a wireless connection in a restaurant, a hotel, or an airport. Now, in a corporate environment, these settings should ideally be made by the IT administrator, so that's why in SP 2 we've made all Windows Firewall settings centrally manageable through Active Directory Group Policy, or via scripts for non-Active Directory environments. So, what we're looking at here is the Microsoft Management Console, and this is the view that the IT administrator would see. The great new feature we've added here is the addition of two profiles, one for when the PC is inside the corporate network, and one for when the PC is mobile. So, what I'm going to do here is go in and change the operational mode in the mobile profile to be in that shielded on-with-no-exceptions mode. This way, corporations can easily control and protect their assets when they're out in the world.

    So, the second big feature area I would like to talk about is Internet Explorer, and the improvements we've made in Web browsing to make the experience safer and more manageable. Now, customers have told us that in addition to being a security risk, that one of the most frustrating things about surfing the Web today are pop-up ads. So, I'm going to go to a site that I know has one, so we can see here now this is the IE Pop-Up Blocker, and it's detected a pop-up and is now asking me if I want to block it. When I click yes, we now see the brand new IE Gold Bar, which lets me fully control my pop-up experience on the Internet. I can also look at that pop-up I just blocked just in case I might want to see it.

    So, another big area of concern is around sites that require ActiveX controls. Just like the flight-booking part of this travel site right here, as you can see when I load the page, everything loads here except for the ActiveX calendar controls that would help me schedule the flight. Now, we can see that the gold bar is back, and this time it's telling me that there are ActiveX controls that can be downloaded. So, when I click on allow, we can see that I now have much more control over my ActiveX control downloading experience. I can now, on a per-publisher basis, decide to always install, never install, or have IE ask me every time to make a decision. Now, this is especially useful for sites that repeatedly prompt you to download ActiveX controls that you may not want to run. So, in this case, I'm going to click always install. We can see that now the page loads because I now trust this ActiveX control from this publisher.

    The customers have also told us that it's very hard for them to know when their PC is secure, and it's also very hard for them to know what they should do if action needs to be taken. So, beginning in SP 2, we're going to start to see alerts like this one down in the corner that's telling me that my antivirus software is off and that I can click here for help.

    Now, this brings me to my third key feature, which is the brand new Windows Security Center, which I'm extremely excited to be showing publicly for the first time here at RSA. Now, Windows Security Center does two things for end users, it displays the status of a central security setting, and can recommend guidance when action needs to be taken. So, we can see here that it's very easy for me to tell that my firewall is on and that my computer is up to date. And from an antivirus perspective, Windows Security Center can tell me if I have virus software installed, if it's on, and if it's up to date.

    In this case, it's telling me that it's off. So, I will move down to the system tray and re-enable my virus software, and we can see the light quickly changes to green. Now I can see that everything is on, and I'm okay. Now, additionally, if we look at the bottom of the page you can see we've centralized many security settings that were formerly only available in unrelated parts of the system. Finally, it's also very important to note that all of the features you've seen here, from Windows Firewall to Internet Explorer, to this security center, can all be managed through Active Directory group policy or scripts in non-directory environments.

    So in summary, Windows Firewall, Internet Explorer, and the new security center are just a handful of the new features that we'll be delivering in Windows XP SP 2. Now, through these features, SP 2 will deliver improved security, a great end-user experience, and make all of these security settings much more manageable by the IT administrator.

    Thank you.
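The two-profile firewall policy described in the demo (a domain profile and a mobile profile, per-program exceptions that open a port only while the program is listening, and a shielded "on with no exceptions" mode that still lets replies to outbound traffic through) can be modelled as a small policy evaluator. The block below is an added illustration and is not Windows Firewall's own code or configuration format; the profile fields, program names and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    # Constructed model of one firewall profile; field names are assumptions.
    mode: str                                            # "on", "on_no_exceptions" or "off"
    program_exceptions: set = field(default_factory=set)  # programs the user has unblocked
    port_exceptions: set = field(default_factory=set)     # ports opened outright (e.g. file sharing)
    listeners: dict = field(default_factory=dict)         # port -> program currently listening on it

    def unblock_program(self, program: str) -> None:
        """What clicking 'Unblock this program' records."""
        self.program_exceptions.add(program)

    def program_listens(self, program: str, port: int) -> None:
        self.listeners[port] = program

    def program_exited(self, program: str) -> None:
        # Ports opened on behalf of a program are closed again when it stops running.
        for port in [p for p, prog in self.listeners.items() if prog == program]:
            del self.listeners[port]


@dataclass
class Policy:
    domain: Profile   # applies inside the corporate network
    mobile: Profile   # applies when the PC is out in the world

    def active(self, on_corporate_network: bool) -> Profile:
        return self.domain if on_corporate_network else self.mobile


def allow_inbound(profile: Profile, port: int, solicited: bool = False) -> bool:
    """Decide whether an inbound packet is accepted under `profile`.

    `solicited` marks a reply to traffic this host initiated; a stateful
    firewall lets those through even in the shielded mode."""
    if solicited:
        return True
    if profile.mode == "off":
        return True
    if profile.mode == "on_no_exceptions":
        return False
    if port in profile.port_exceptions:
        return True
    # A program exception only opens a port while that program is listening on it.
    return profile.listeners.get(port) in profile.program_exceptions


def demo() -> dict:
    """Walk through the demo's scenario and return each decision."""
    policy = Policy(
        domain=Profile("on", port_exceptions={445}),   # constructed: file sharing allowed at work
        mobile=Profile("on_no_exceptions"),            # shielded when mobile
    )
    work = policy.active(on_corporate_network=True)
    work.program_listens("NetChess", 5000)
    before_unblock = allow_inbound(work, 5000)   # blocked: no exception yet
    work.unblock_program("NetChess")
    after_unblock = allow_inbound(work, 5000)    # allowed while NetChess listens
    work.program_exited("NetChess")
    after_exit = allow_inbound(work, 5000)       # port closed again dynamically

    road = policy.active(on_corporate_network=False)
    road.unblock_program("NetChess")
    road.program_listens("NetChess", 5000)
    mobile_shielded = allow_inbound(road, 5000)                  # exceptions ignored when mobile
    mobile_reply = allow_inbound(road, 5000, solicited=True)     # replies still flow
    return {
        "before_unblock": before_unblock,
        "after_unblock": after_unblock,
        "after_exit": after_exit,
        "mobile_shielded": mobile_shielded,
        "mobile_reply": mobile_reply,
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'block'}")
```

The point the demo makes, and the model preserves, is that an exception is tied to a program rather than to a port: once the program exits, the port stops accepting unsolicited traffic without anyone editing the policy.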

    BILL GATES: There's a lot of key things there, and that update is going to be a very, very important one. Now, I want to talk about spam. Spam is both a nuisance, it's a problem in terms of do you get the mail you really want to read, and the time you waste on mail you don't want to read. But, it's also a security threat. People sending mail that appears to come from someone authoritative, and telling you either to install something, or download something, or not to pay attention to some other advice you might get from a legitimate source. Having e-mail come in, and not really being able to identify where it comes from, this is a huge security hole. And like so many of the standards and protocols that grew up on the Internet in the early days, we need to strengthen these in this environment where there is malicious activity.

    So authenticating e-mail, that it really came from who it appears to come from, avoiding this domain spoofing is a very key initiative for us. Now, our goal here is to get rid of spam, and we believe that over the next several years, with these various proof techniques, the filtering, that we can reduce spam to not being a huge problem. There's a few pieces of spam that maybe I might even miss not being able to get. This is one that must have been targeted towards me, it offers a university diploma, and that could be very convenient. This one is saying somebody's got a job that's available, and I don't know how they targeted me for that. Finally, this easy financing is pretty interesting. So you get a lot of these things, and if they were real, they might be worth reading.

    You can see how this one is interesting, you see a lot of nonsense down at the bottom of the message, that's an illustration of this measure, counter-measure thing that goes on for people who are trying to do bad things around computing. We have filters that are very good now at seeing typical spam. So what they're doing is trying to throw off the filters by putting in these sort of randomly generated sentences, to get variety in, and to appear to look like a legitimate piece of e-mail.

    So the idea of filtering, looking at the content that we pushed for in Outlook, and all of our mail products, that's only a piece of the solution. There's another piece that's part of our overall coordinated spam reduction initiative, which is seeing exactly who the mail comes from. The picture in the future is that you need to know that it's authentic, and then you'll have a so-called white list, a safe list, that shows mail that should come into your Inbox automatically. Mail that doesn't fit that profile will be judged by a variety of factors, what the content looks like, and by whatever proof is being offered along with that e-mail. So if it looks like it's spam, and there's no proof, an attempt to prove that it's not being offered, it's not on your safe list, then, depending on how you set your e-mail client, that mail will just go into a Junk folder.

    The kind of proof technique is something where, if the person, if the machine sending that mail has actually done a computation that's kind of the opposite of crypto-algorithms, this is a computation that is hard to compute, but easy to verify. These are sometimes talked about as puzzle-type functions. And by having a system send one of those along, that allows the e-mail client to say, OK, that was a fair piece of work to solve that, I may, depending on how the parameters are set, I'll move that into the in-box automatically for that user. And this is a perfect thing, because for legitimate senders, who are sending out (mod 03 ?), doing that computation can just be done in the background, it doesn't slow things down, whereas for somebody who is sending in bulk millions of messages, it's actually a very substantial expense for them to do that. So that's one form of proof that, as we get the infrastructure to understand this, can work very, very well.

    Likewise, proof techniques of solving a human-interactive puzzle that software doesn't solve, or at some point if you have a chain of financial proof, you can say, okay, if you read this message I will put at risk a certain amount of money, so that if it's really wasting your time that money can be transferred to you. But, if it was a serious message, you don't debit that, and this is just for the e-mail that's coming from strangers that can't pass through on the normal safe list thing. Even that safe list doesn't work if we don't know exactly what domain things come from.

    So we're putting out, as an industry proposal this week, what we call caller ID for e-mail. And it's a very specific technical proposal about how you can make sure that the domain is authentic. We have some patents around this, the ones that relate to the fundamentals of this, that we're saying are royalty free, available for everyone to use, and so we're talking with other ISPs and mail providers, and we believe that by this summer, with the right agreements, we can put this in place. So all the mail that's coming in and out, Hotmail or Exchange, systems like that, now can be authenticated in this way. It uses the DNS to do this, so it's piggybacking an infrastructure that's there. So we've come up with a way that we think will be very easy for people to apply.

    We're also putting together the ability with Exchange to run filtering and the proof-type things away from the main Exchange server. So front-ending things with the very latest filtering and proof-type algorithms is something we think that a lot of people would be interested in, and we'll put betas of this out, and get feedback this year to make sure we're doing exactly what people want in the mail scenario.

    The mail area is very important; there's a lot that needs to be done there. Likewise, in the firewall area, firewalls over time will not just be at the boundary of the company, they'll be on all systems. And firewalls won't just be looking at the port that's being used, they'll be looking at who is trying to use that port. And so we'll have authentication around both VPN and the IP stack, and those will both be part of this, because of the ease of bootstrapping: one is easier for some applications, and one for the others. The idea that you don't just open the port for no one or everyone, but you open it up for people specifically, we think that is incredibly important.

    So firewalls eventually will be on all clients. And as Zachary said, that's now turned on by default with the SP 2 release, and it will be on the various servers, and then there will be a particularly powerful firewall that's at the perimeter. That won't go away, but it will be defense in depth. So with the new ISA server that's coming out this spring we take forward these things, with high performance, ease of management, and this deep inspection capability, and bring those to a whole new level.

    Now, there's a whole approach in the security world of saying, why can't we look at systems, and understand what's normal behavior, and not normal behavior. What can we do that would alert us to something unusual going on with the system? If somebody is installing a new application and that looks unusual, that's fine, we expect that. But, if you see an unusual behavior profile, in terms of network traffic, memory usage, system calls being used, why can't that be held off, and automatically dealt with? This will be very important at the system and network level.

    It takes a very small percentage of systems on the Internet to do big flooding attacks. And we have to have the network understand when it sees new profiles of traffic, to filter out that traffic, and to essentially cue those down and let the other traffic come through. So at every level of the system, this idea of resiliency, what we sometimes call dynamic system protection, we think is going to be very important. So this is a big area of investment for us, a new type of protection, one that we're spending a lot of time talking in the industry about how we can pull this forward. Again, this is another one I'd love to have you see, how it's going to connect up and work, and let me ask Zachary to come out again and explain what Active Protection Technology is.

    Zachary.

    ZACHARY GUTT: Thanks, Bill.

    So I'm back again to show you two more things. First, how worms and viruses attack computer systems, and second, how new technology we're investing in will make computers resilient in the presence of malicious code. So first let's start with how worms and viruses attack computers. So what we're looking at here is a network of PCs where traffic is flowing normally.

    Now, eventually a worm or virus is going to get into this network and attempt to infect a computer. So let's take a look at how that would work. What we're seeing here is an attack, a worm specifically, that's entering through the network, exploiting a vulnerability in the system, and infecting a service.

    Now, worms and viruses are very sophisticated, multifaceted threats and once they're on a computer, they can continue in any number of the following ways. So the first is opening up a back door. Now, this is done in an attempt to download more malicious code to the system or to get the system to act on the worm's behalf. Second is persistence. Now, this involves infecting the registry or infecting the file system. And third is propagation.

    Now, once a computer is infected, the odds are very high that it will be used to further spread the attack.

    So as you can see, once one system is infected, this attack spreads very quickly, but we can see that there is one computer here that's been very resilient in the presence of this attack. So let's take a closer look.

    This computer is running the Active Protection Technology that Bill just introduced, depicted here in glowing green. This technology makes computers resilient in the presence of worms and viruses by preventing and containing attacks.

    So let's take a look first at containment, which helps limit the impact and spread of attacks once they are on a system.

    So again we see an attack enter the network and exploit a vulnerability in the system to infect a service. This time when it tries to open a back door, this behavior is recognized by the system as out of the ordinary and it will be blocked.

    For example, the Blaster worm caused the RPC service to open a back door and download more malicious code onto the machine. In this case, behavior blocking would recognize that this behavior is out of the ordinary for the RPC service and block it.

    You can really think of this as taking the notion of secure-by-default to the next level. The system will truly know what actions are allowed for operating system components and the applications that are running. Attempts to propagate and attempts to persist are also blocked in this very same way.

    So the second way that Active Protection Technology makes computers resilient is by the prevention of attacks, and a key piece of this is Dynamic System Protection, which can automatically raise and lower the security levels of a computer based on changes in states.

    So what we see here is Dynamic System Protection detecting that a patch is missing. Then it informs the firewall component to block any suspicious traffic that contains symptoms of an exploit.

    So let's take a look at prevention in action. So what we're looking at here is a Windows XP computer running a very early alpha version of our Active Protection Technologies. This machine is also missing the patch described by Microsoft security bulletin MS03-041, which describes a vulnerability in Authenticode verification.

    Now, because this issue can affect Internet Explorer if it would happen to download a malicious ActiveX control, surfing the Web from this machine could be risky. The only way I could be completely protected from an attack is to either disconnect my machine from the network, or go and download and apply this patch immediately.

    Now, with Active Protection Technology, the experience gets better. In this case, when I load up a page that has ActiveX controls, we can see that the whole page loads, except for the ActiveX control, and that we now get a notification from the system saying that my computer is protected and that downloading ActiveX components with Internet Explorer is blocked until this computer has the required security updates.

    What's happening here is exactly what we just saw in the animation: Dynamic System Protection has detected that this machine is missing a patch for this vulnerability and has automatically notified the firewall component to protect my PC.

    So next, let's install the patch. Now, as the patch installs, it's very important to note that we're only limiting the ActiveX functionality out of Internet Explorer and that the rest of Internet Explorer will continue to function correctly.

    So now we see I've gotten a second notification that says the security update has been installed and that downloading ActiveX components with Internet Explorer will no longer be blocked.

    Now, the idea of Dynamic System Protection is not only limited to patch state; this system can also sense and react to other potential things that might make this machine more vulnerable, like changes in the configuration of a system or the installation of new programs or a change in network location.

    So as we go back into Internet Explorer here and refresh the page, we can see that the ActiveX control now loads completely and I'm returned to my fully functional browsing experience.

    So in summary, I've shown you two things: One, how worms and viruses infect computers, and two, how Active Protection Technology, through the prevention and containment of attacks, will make computers resilient in the presence of worms and viruses. In the future, this will help customers to be able to communicate and collaborate much more securely.

    Thank you. (Applause.)

    BILL GATES: So Active Protection represents the next generation of how systems will watch activities and understand what the appropriate policies should be.

    When I meet with developers, one of the key messages is the opportunity created by the Web services standard. You've probably seen the momentum building behind these, the acceptance of XML as the rich data standard, and then protocols around how XML can be exchanged between different systems, no matter what software is running on those systems. That started with the SOAP standards, was enhanced with WSDL self-description, and now a very rich protocol stack has been put together that's monitored and endorsed by this WS-I organization.

    What this is, is it's a platform for really being able to use the Internet to let any piece of software talk in a rich, secure way with another piece of software, not tied to the language the software is written in or where it's running.

    And this is an infrastructure that's absolutely vital. To achieve the dreams of e-commerce that were talked about in the period of the Internet bubble, this infrastructure is absolutely necessary.

    And what it means is letting people build these rich protocol oriented applications but not asking them to do the low-level work, not asking them to go out and buy special queuing add-on software or publication add-on software, literally putting all of this richness down into the system.

    Now, a very central element of the Web services standard is a piece called WS-Security, and what WS-Security does is it creates a protocol-based approach that's not subject to spoofing or replay attacks, so it takes the level of the protocol software that's very hard to do right, puts that into the runtime so the application developer doesn't have to try to do that.

    We've got a working draft of all the security scenarios that will be used around WS-Security that we're releasing here at this conference, and this is a standard that is very near completion. With feedback over the next several months, this will be formalized, finalized and put through the full standards process, so a lot of progress on this and it's a key one to look at because your corporate developers are going to be building to these runtimes.

    Another important standard for us is called Common Criteria. This is the U.S. government and many other governments saying that software that runs on their networks has to be certified. And we've put a lot of investment in this. For example, Windows is certified at what's called EAL level 4, and of all the popular operating systems, that is the highest level of certification. We're working very closely with the government in terms of making those certification processes even more rigorous over time, because that's very important.

    Another standards group, and this is something new, is called the Federal Bridge Certificate Authority, and this is a group that NIST put together in this country to make sure that all the different, disparate PKI infrastructures being built in the government can interoperate with each other. And although the government has this problem to a larger degree than anyone else, the interoperability that's coming out of this I think will be a benefit to lots and lots of corporations.

    This group makes sure that there is full interoperability of the electronic credentials between these different systems. And the federal government has very ambitious goals in terms of how they use PKI. We're very supportive of that and we think it's really a showcase for what will be happening in all computing environments.

    In some cases, there are no standards organizations, and we've stepped forward to create new groups, and I've got two examples of that. One is a group called the Global Infrastructure Alliance for Internet Safety, GIAIS, and this is us working with ISPs. We've got virtually all the very large major ISPs involved in this.

    And for consumers who are connected up, they don't have a CIO, they don't have somebody who can go and check their systems and give them advice on using these things; a combination of Microsoft and the ISP needs to do this.

    And so, for example, when MyDoom came out, this organization worked together, identified the characteristics, showed them how to publicize the cleanup, making sure that that would go away, showed them how for their mail servers to make sure that they weren't part of spreading this thing, get more customers educated about what they should click on and not, and just using the update functions, using the firewall functions and making sure those are working with the things that the ISPs are doing. So I think this organization will be a very important one for the kind of responses that are important.

    Another one is called the Virus Information Alliance. You can see at the top here we have the members we had in this group when we first put it together; then today we have the five companies down on the bottom of the slide who are joining this organization. And the goal here is to exchange information absolutely as fast as possible. We have a very strong 24-hour response system of the top people getting involved and we have ways that we reach out to the employees in these organizations who are doing those same things and make sure that the very best methods of remediation are put into place literally at network speeds; so another important group that I think it was necessary to pull together there.

    I've mentioned that some of the challenges of making these networks with all these different software systems as reliable and robust as they need to be will require breakthroughs. Some breakthroughs we've already had over these last couple of years with the focus, but even more are necessary to come: breakthroughs in cryptography, code access, even hardware-level things to verify that the operating system you're running, that nobody's tampered with that, so it's what we call authenticated boot capability. That's an effort that is talked about as the NGSCB, Next Generation Secure Computing Base. And the fact is, making sure that the OS is always verified and making sure that, at the OS level, secrets can be maintained that even driver-level software or other malicious software can't get at those secrets, that's a very fundamental thing for security and privacy guarantees that we need. So that's an advance, that was a new design that actually requires work at the chip level to make sure that that really comes together, and again there we're getting great cooperation from the people in the hardware business.

    Another weak link in these security systems has been the use of passwords, and there's no doubt that over time people are going to rely less and less on passwords. I'm sure all of you know what a weak thing that is, both in terms of people using that same password on insecure systems or writing them down or taking things that are guessable; it just doesn't meet the test for anything you really want to secure.

    Microsoft for its employees moved to a Smart Card approach; anybody connecting in off the network needed to use that Smart Card.

    A key partner in a lot of this has been RSA and the work they do to give people various smart card type options. And we recently announced a new development between us, which is a way you can use the RSA SecurID that's a very simple little ID card and actually I've got one of them here -- (applause) -- clearly very popular with RSA employees -- (laughter) -- and everyone here.

    Anyway, the recent advance is that the offline scenario was one that required innovation on both sides, us working with RSA to understand, okay, how do you get the information onto the machine so that it still can be used, but used in a secure way when the network is not there and available, and that's the advance that we both solved together. And so we expect to see more widespread use not just of smart cards in general but this SecurID approach that brings some very particular benefits.

    The rollout of smart cards and PKI, we are just at the beginning of that. We have some banks who have gone through and done that. We, as I mentioned, have done that. One of our bigger customers, Royal Dutch Shell, is out there now with their 7,000 users using it and that's gone well enough that over the course of the year all 85,000 users, 1,200 sites, 134 countries will be involved in that. So you see it, it's a leading-edge thing, but it's a necessary step that really guarantees that the person connected up is the person you expect it to be.

    Microsoft Research has done so many different things in the security area I had to pick which one I thought would be very interesting, and what I picked is a really neat piece of work called the Tamper Resistant ID Card. And so let me ask Gavin Jancke from our research group to come out and show us what is the idea and what's the advance here with this Resistant ID Card. Welcome.

    GAVIN JANCKE: Thank you, Bill. (Applause.)

    So what I'm going to show you today is a new biometric ID card technology developed in Microsoft Research, which is a synthesis of several new techniques we've been working on in the fields of security, computer vision, compression and adaptive computing, in addition to proven public-key cryptography. It's the unique combination of these that enables us to realize very cost-effective, tamper-resistant biometric IDs that can be printed onto ordinary paper or plastic media, being able to leverage existing organizational infrastructure, such as laptops in police cars or terminals at ticket gate check-in, and using off-the-shelf PCs and other peripherals.

    So what you see here is one of these tamper-resistant biometric IDs, and here we have a face and arbitrary text, such as a name, license ID, date of birth, and then a barcode, which contains a digital signature of the compressed face, combined with a text hash. And should any of these elements change, then the authenticity of the ID will fail.

    Now, what I'm going to do now is show you how to create one of these IDs. And so the first step will be to take a picture of the person, and this can be done simply with a Web cam, so let's say a portable ID creation scenario or other traditional photo capture technologies. But in this case I'm going to use a picture of Bill from just a couple of years ago. (Laughter.) I think the hairstyle is a little different now, but that's about it.

    And so now I'm going to enter your textual detail, which will form part of the hash, so I'll enter your name and your driver's license ID here, and then I'm going to generate the barcode, which is then signed using SHA-1.

    And then what I'm going to do now is print this to an ordinary inkjet printer using standard off-the-shelf paper media.

    Now, there's a reason why we don't also hash the face in this scenario, because hashing requires an exact retrieval of bits between the generation and verification phases. And because with printing there are so many different things that go on, the colors that are actually sent to the printer aren't the actual colors that are actually sent to it. And also when we do the scanning process, artifacts such as anti-aliasing come into this, preventing this exact retrieval of bits from occurring.

    So what we've come up with is a new face-comparison technology, which enables us to compare the face that is on the card in its actual printed form with what is actually stored in the barcode. And so the face you see there can actually be compressed into simply 136 bytes into that barcode.

    So what I'm going to do now is remove this paper-based biometric ID card, and I'm going to show you it in just a second, and if you can see that piece of paper.

    And so this essentially is what I'm going to do now is verify the authenticity of this ID. So what I'm going to do is switch over to verification mode and I'm going to use this standard business card reader, which will be able to do this. So I'm going to insert our business card like so and in a couple of moments we'll see what happens.

    Now, one of the key aspects of this system is there are absolutely no database requirements involved in this, as the authenticity of the ID is actually stored in the printed information in the card itself, and this will address a lot of users' privacy issues that they actually know that what is stored on this card is stuff that they can actually see.

    Now, Bill, given these boyish good looks of yours, I'm sure that you were carded all the time when you went into bars, and before the age of 21, there was probably no chance he would get a beer.

    But given that you were an enterprising young man in those days, what you may have tried to do is address this, so what I'm going to do is use this black pen and change your imaginary birth date from 1957 to 1952 to make you a couple of years older, and I'm going to reinsert this back into the scanner to see what happens.

    Now, admittedly, this black pen is an extremely crude form of tampering, but even with advanced image manipulation and morphing techniques, the verification of this ID will still fail. (Laughter, applause.) Sorry, Bill, it looks like it's going to be milk and cookies for you tonight. (Laughter.)

    Now, a photo ID is inherently a first-tier authentication mechanism, which requires a security official to actually do a face comparison between the person that's on the card and who's standing in front of them. And this works in the majority of cases, given that care is taken during the comparison and also that people look sufficiently different.

    But for more demanding scenarios, this system is also extensible so that we can include other biometric information such as iris and fingerprint, yet still retain the same benefits of tamper resistance on ordinary paper or plastic printed media.

    So in summary, essentially Microsoft Research has developed this tamper resistant biometric ID card for scenarios in the printed domain, whether it be on paper or plastic medium.

    Thank you very much. (Applause.)

    BILL GATES: Thanks, Gavin.

    Well, let me just wrap up with a little bit of a timeline that will take the various things I've talked about and put them in a chronological perspective. 2003, as I said, that was a year a lot of things happened, understanding exactly how to categorize our patches, exactly how to make those smaller. The big event I'd say that year was SMS 2003, getting the software that works for all the key scenarios to keep systems up to date.

    This half year there are a lot of things taking place: Improving the update training, the ISC update, but I'd say the key thing is that XP Service Pack 2, SP 2 that you saw the demo up here, getting that out and updating systems with that.

    The second half of the year we'll have essentially our first SP for the server, ongoing updating enhancements, and then in the year after that is where the tools come out, the Active Protection Services, the Exchange services and these hardware-level advances that are the NGSCB. And so you see there are advances across a wide range of fronts.

    I have to say this is an area where we value the dialogue we have with people like yourselves very, very much, deciding exactly how we can make these things simple to apply, exactly how we update these things, how we deal with the various threat models. You know, for example, we're making it a great deal more difficult, nearly impossible to distribute code, and that's a good thing because that is a vector out there, but then for certain types of code that's signed and passes through, it's important for your infrastructure to support that. So having a dialogue about exactly where is that special case necessary, how do you want to set that up, making sure we're doing this right, you're going to help guide us in the right direction on those things.

    And so there's an immense amount of work here. There's quality work, innovation work. There are many new partnerships that have been formed and more that are necessary. But we have a commitment to achieve this goal of Trustworthy Computing, many years of work, lots to be done, billions of dollars to be invested in it, but a very critical and worthy goal, and so we look forward to working with you as these advances come forward.

    Thank you.

    (Applause.)

     
