...have a lot of issues at the moment. Essentially you're going to consume a lot of resources trying to track a professional guy who's setting up multiple accounts and identities, who just keeps moving them around and shutting them down.
Microsoft has launched successful prosecutions against a number of spammers, but for trademark infringement and damage to reputation, instead of the act of sending spam. Why is that?
We've only been able to launch quite narrow prosecutions. I'd like to see more of the companies affected by spam, such as Google and Yahoo, banding together with us to bring prosecutions.
Let's look at Vista security. If you harden the system so much that third-party security becomes unnecessary, you'll land yourselves in even more hot water with the EC anti-competition inquiry. However, if you don't harden up the system, you open yourselves up to accusations of being lax about security, and possibly damage your reputation. What's the answer?
We've made the operating system as good as it can possibly be, but that doesn't preclude the fact that security can always be improved over time, particularly as the way hackers exploit the platform evolves.
The idea of a completely secure consumer platform remains in the land of research. You can already get some specialist locked-down configurations, but over time all operating systems are getting more secure.
Is it possible to have a hardened operating system that you automatically update as security threats evolve?
With Kernel Patch Protection, even if you slipstream trusted updates into the operating system, you have to make sure you don't break the applications of third-party providers. It's always desirable to try not to break anyone's apps.
However, attacks are increasingly moving from the operating system to the application layer. It's going to be a real focus to get applications to the same security level as operating systems, as most have focused on ease of use with a major trade-off with security.
The real challenge for industry now is how to move the existing internet model, that's quite embedded, to one that's more secure.
How might that happen?
Identity selectors such as Cardspace could go some way to solving the problem, but we now have to get the provider and consumer spaces interested. ID selectors are trying to get online e-commerce and banking sites interested.
How do you decide what security to put into the operating systems, and what to hold back and sell as security tools?
It's a fine line to tread. The standard principle is this: is it core to protecting the operating system, like a firewall, or is it something that sits around it, like mail services?
Social engineering still remains the most viable form of attack. Spam and email attacks are mostly about social engineering. Some people want to believe that some guy wants to move £1m into their accounts. Some of the stories you hear about pensioners losing their life-savings are frightening, really.
Microsoft security has suffered from having to incorporate legacy code. Has the move to 64-bit with Vista allowed a break with the past?
64-bit has given us the chance to impose a stringent set of ground rules, and say to people — if you want to play in the 64-bit space, here are the rules. With 32-bit, there are legacy issues caused by the desire for backwards compatibility. We were always trying to architect software to run on the previous system. The test used to be — would Donkey Kong run on it?
How will Microsoft get along with third-party security vendors, now it has entered the security products arena?
It's a horrible word that Shakespeare definitely never used, but "co-opetition" is the answer. When it comes to security we're all on the same side, but below that we're all competing. Apple is a good example — we've had that with them for a long time.
We talk to open-source identity selectors, because there's...
