Interview: Microsoft's security guru, Steve Riley

Before the start of Tech.Ed 06, Builder AU caught up with Steve Riley, who works at Microsoft as a Senior Security Strategist, to talk about Vista's new networking stack, security vs usability, and the uptake of IPv6.

Builder AU: How would you explain what you do to someone outside the company?

Steve Riley: I guess the best way to describe it would be "security evangelist." The most important aspect of my job—the part I enjoy the most—is making sure that our customers know as much as they can about how to run our products securely and, more broadly, how to develop a "security scientist" mindset. Security is a science, and it requires scientific thinking to properly weigh risks and threats and then make the correct mitigation choices—be they process or technology.

What do you really do?

Heh! I really do exactly what I just described above. I get the chance to watch people learn and help them have a good time while doing it. Adults require emotion to attach to facts if they want those facts to become memories. Thus the stories, humor, and illustrations in my presentations. I have the absolute grooviest job in the world! Sure, I can't deny the travel is fun. But when I receive emails from customers saying, "Steve, I did what you said, and it made my problem go away," that's when I feel proud.

How did you get into programming (IT)?

A not uncommon route, actually. Back in high school I got pretty good at playing the French horn—so good that I considered it for a career. My goal was either to get into the Boston Symphony or to play in a pit orchestra on Broadway. But then in college I noticed many excellent horn players—too many, in fact. I didn't have the gumption to practice 10 hours a day, so I thought, what else am I good at? Computers!

I switched to an engineering college and received a computer science degree. What's interesting is that about half of any transfers into a computer science program at a university will have come from music or dance or drama. I don't know why that is. Anyway, after graduation, I worked in the IT departments at a chemical company, an electric utility, and an insurance company before joining Microsoft's consulting services, and then eventually wound up in the Security Technology Unit where I got the job I've got now.

What are your thoughts on Vista having a completely new networking stack? Why throw out what has been invested in it over the years and give the underside of the Internet a brand new target that has already been tested as faulty?

There's plenty of discussion about that all over the Internet by now; I'm sure you've read much of it. XP's networking stack contained a lot of legacy code, and it was becoming increasingly difficult to provide the kinds of enhanced features people are clamoring for (like some advanced group policy controls and wireless settings). So we built a new stack, focusing on security and extensibility.

Of course there will be bugs in the prerelease code! No one can write perfect software, so that's what all the testing and fine tuning is for: to find and eliminate the bugs before release. You know, it really doesn't do anyone any good to publish "research findings" on code that isn't generally available and certainly will be tweaked by the time it's complete.

Why not take the BSD TCP/IP stack, with all its years of bug fixing and patching, and make your improvements on top of that instead of a complete rewrite?

Well I don't work in the networking group, but I'd say it would be more efficient to rewrite a new stack from scratch for things like group policy, zero configuration, 802.1X, and so on than to try and add on.

What improvements can we expect in the security features for Microsoft's Vista server when compared to Windows Server 2003?

You mean Windows Server codename "Longhorn"? (Windows Vista is the client. We haven't confirmed a name yet for the server.) In "Longhorn" Server you'll see all the same work that's in Windows Vista now: mandatory integrity control, BitLocker drive encryption, code integrity, user account control, service hardening, and improved traffic filtering through the Windows filtering platform (provides the firewall and IPsec in a single user interface). The most important enhancement, of course, is that "Longhorn" Server provides the plumbing necessary to deploy NAP (network access protection), a very important aspect of having a secure environment in the world of mobile computing.

Do you think the increased security features in XP made the operating system less user-friendly, especially for novices? Could this not be handled in a more elegant fashion? Are there some lessons to be learnt from Apple's OSX in this area?

The industry will always have to live with the security vs. usability tradeoff. The most secure computer is, of course, one that has no software, is switched off, is encased in two meters of solid concrete, and sunk to the bottom of an ocean! Conversely, the most usable computer is one in which everyone is an administrator, there is no access control or encryption, and has unlimited bandwidth to the world. Well, aside from the unlimited bandwidth bit, for most of the history of personal computing, we've been living in relative security for a while, and the community keen to change that have exploited it.

When cars and roads first started appearing, there were no rules—and you can imagine the chaos that ensued. Then cars grew faster and more powerful, so we needed rules to govern safe operation of a motor vehicle. It's the same with computers: as they become faster, smaller, able to access enormous bandwidth, able to store gobs of data, it becomes more and more necessary to have rules—security policies and procedures, enforced by technology—that govern the safe operation of an information processing device.

When do you see IPv6 gaining real traction?

It's purely economic. We're building a full IPv6 stack in Vista. I predict that the growth of the internet in countries like China, India, Russia and Brazil will propel the world toward IPv6. When a large population, which is absolutely enamored of anything that takes a battery and has an Internet connection, suddenly needs the address space of IPv6, this will bring about the economic conditions that compel the movement to IPv6; those who can't or won't join will be left behind.

Is a two tiered Internet a good idea? (from a network and user level)

By this I suspect you mean charging popular Internet sites extra money? Net neutrality is critical. Large sites are already paying more, simply because they need to buy the necessary bandwidth to handle all the traffic. I have an 8 mbps connection in my house and I pay an appropriate monthly rate.

Can you see a time when Windows can match Bonjour for ease of locating network resources?

I have never used a Macintosh in my life, so I can't make any comparisons.

Best Web site for procrastination?

How about: Once you reach that, then with a little imagination you can envision all kinds of ways to procrastinate. Maybe even just relaxing under a tree and using your imagination would be the perfect way to start.

