Please, No More Promises from Bill Gates
eSecurityPlanet Columnist Ray Everett-Church is skeptical about yet another promise from Bill Gates. Will his vision of authentication be more realistic than his promise to wipe out spam?
Note to Mr. Gates: Only one absurd promise at a time, please! Many of us are still waiting for you to deliver on your promise to rid the world of spam by 2006.
According to his keynote address last Tuesday, the weakest link in today's computer security chain is the password. Thus, with the coming release of the new Windows Vista operating system, Microsoft is introducing a concept called InfoCard, which will assist users in better managing login names and authentication.
InfoCard, similar to Microsoft's failed single sign-on service called Passport, will give users a unified place to manage all their authentication tasks. But unlike Passport, which had the fatal flaw of requiring Microsoft to hold all your secrets, InfoCard will let users manage their own information on their own computer.
In case you don't keep a running tally of promises and prognostications from Redmond's answer to the Oracle of Delphi, it was almost exactly two years ago -- Jan. 24, 2004 -- during the World Economic Forum in Davos, Switzerland, when Microsoft's chairman declared: ''Two years from now, spam will be solved.''
In fairness, Gates conceded at the same event that some of his previous predictions -- that Linux was a flash in the pan, open source software was no threat, and that Google was destined for obscurity -- may have been a bit off the mark.
But those familiar with the anti-spam world in 2004 can understand why Gates was comfortable predicting the end of spam. It was at that very same time that executives from Microsoft's email-related product teams were in full arm-twisting mode, trying to convince the world's major Internet service providers that the wisdom and efficacy of Microsoft's latest and greatest ideas for stopping spam were undeniable.
Unfortunately, somebody forgot to tell the spammers.
Today, the volume of spam coursing through Internet systems is greater than ever, and most of Microsoft's contributions to the anti-spam debate, including Sender ID and Penny Black, have been widely panned as unworkable.
So you can forgive the skepticism when Gates took a few minutes away from deleting spam from his email inbox to tell RSA attendees that soon the world would be rid of the need to have passwords written on Post-It notes stuck to the corners of computer monitors.
The goal of simplifying the management of passwords and enabling stronger authentication is laudable and necessary. But I'm compelled to ask whether Microsoft's security efforts wouldn't be better spent solving the massive systemic security problems that riddle the company's operating systems and major applications.
To see the consequences of Microsoft's negligence regarding critical security issues, one need only look at the single most significant challenge facing the fight against spam today: massive armies of spam-relaying 'zombie' computers controlled by gangs of spammers.
In most cases, these networks of zombie computers, sometimes numbering in the thousands, were compromised through well-known vulnerabilities in the Windows operating system.
Microsoft is exceedingly familiar with the damage wrought by these zombie spam networks. According to documents filed in a lawsuit against an anonymous band of spammers, Microsoft discovered an infected computer in late 2005 and watched as the compromised machine attempted to send more than 18 million spam messages in a 20-day period.
As I've learned first-hand over the last year while working with some start-up firms in the security and authentication marketplace, there are many great reasons to improve the way users deal with passwords and other forms of authentication.
Indeed, if Microsoft's InfoCard and the other related improvements featured in Gates' keynote address will further open up opportunities -- for Microsoft and third-parties alike -- to improve the ability of users to authenticate themselves, that would be great for the industry and for users.
However, I think the technology world would take his devotion to solving the comparatively piddling issues of spam and computer security more seriously if Gates applied some of the same restraint he observes when approaching vastly more serious issues, such as his remarkable philanthropy on global health issues.
Along with his wife, Melinda, Gates has pledged billions of dollars to help stamp out some of the world's most vexing diseases, such as malaria, AIDS, and tuberculosis. When talking about these deadly serious world health initiatives, he wisely avoids hyperbole and over-promising. When it comes to life and death matters, Gates knows how to keep his hubris in check.
A touch of that humility in his keynote speeches might go a long way toward convincing the world that he takes these other challenges seriously, too.
Because, if I've said it once, I've said it a million times: Hyperbole shows that you aren't serious about solving a problem and you're just out to score meaningless PR points.