Microsoft Group Vice President Jim Allchin admitted something yesterday that I've suspected ever since I first read the "Trustworthy Computing" email, a missive that Chairman and Chief Software Architect Bill Gates sent to Microsoft employees and that the company purposefully leaked to the press (see the WinInformant Web site for details). Under questioning during cross-examination at the Microsoft remedy hearings, Allchin said that it was he, not Gates, who originally came up with the Trustworthy Computing idea. Allchin also described the Windows products that the initiative covers.
"Was there a particular event that caused Microsoft to undertake this new security program?" asked Steven Holley, an attorney representing the nonsettling states and the District of Columbia. "Yes, there was a particular event," Allchin answered. "I was traveling, and there was a flaw discovered in what we call Universal Plug-n-Play [UPnP] and that was, I believe, December 21 [2001]. I remember because I was so angry to see it in the newspaper while I was traveling. And I had a conversation with one of my direct reports, [Senior Vice President of the Windows Division] Brian Valentine, and we decided that we were going to institute this new policy program."
Allchin described the process Microsoft underwent to move to Trustworthy Computing. "We decided to retrain the developers within the platforms group," he told the court. "We decided to institute new policies for looking at our code, new policies for determining whether there might be threats that could be done against our code, [and] prioritized corrections dealing with problems that were found as part of an overall review of the security. It was quite extensive."
When Holley asked Allchin which Windows OSs are involved in Trustworthy Computing, Allchin said the company's programmers reviewed only recent Windows releases. "We made a pass through the Windows XP code base, which is a very similar code base to [Windows .NET Server]," Allchin answered. "We also went back and reviewed--not as extensively--the code from past releases, like Windows 2000. But primarily it was the Windows XP code base and then the [Win.NET] Server family."
Allchin admitted that the initiative doesn't cover previous Windows releases. When Holley asked Allchin whether the initiative covers Windows 9x, for example, Allchin said that those OSs are "very, very old" and that customers concerned about security wouldn't want to use such products. "I think that's fairly well known," Allchin said. "Most of the customers, certainly in the corporate space, are moving to Windows 2000. [Win9x] is just a very, very old system."