Updated: 8/27/02; 3:34:27 PM

Friday, February 15, 2002

Trustworthy? When Pigs Fly

Despite the hoopla and earnestness of Microsoft's 'Trustworthy Computing' initiative, evidence suggests real change is slow to percolate through the company. Witness yesterday's disclosure of vulnerabilities in Visual Studio .NET by Cigital researchers. Understandably embarrassed, Microsoft chose to respond true to form, treating the disclosure not as a security or technology problem, but rather as a PR problem. First, the flaw was described as 'technically narrow,' then as a feature meant to help programmers identify security bugs. And if that wasn't enough to convince you, Microsoft assures us the researcher is just suffering from sour grapes, since they didn't get a contract from Microsoft.

It would seem that trustworthy computing doesn't look much different from the old un-trustworthy computing.

How to tell if Microsoft is actually making progress? Bruce Schneier offers a detailed list of seven criteria in his most recent Crypto-Gram.

Counterpane: Crypto-Gram: February 15, 2002: "As longtime security experts, we'd like to suggest some concrete ways to evaluate Microsoft's (and anybody else's) progress towards trustworthiness. These are specific and measurable changes that we would like Microsoft to make. This is not intended to be an exhaustive list; building secure software requires much more than what we delineate here. Our goal is to provide a list of measurable recommendations, so that the community can judge Microsoft's sincerity."

8:52:42 AM


Copyright 2002 © Dale Gardner