Microsoft’s head of consumer security discusses its free anti-virus service, Internet Explorer 8 and the decline of phishing
Amy Barzdukas has one of the computer industry's more thankless tasks: she's general manager for Internet Explorer and consumer security at Microsoft. But it doesn't seem to have got her down. When we met in London, she was bright, smart, and utterly charming, though some of her answers had the polish that probably comes from giving them a bit too frequently. Microsoft security issues have been a constant topic for the past decade.
Microsoft has greatly improved the security of its coding since the dark days of Windows XP and Internet Explorer 6, and most criminals have now changed their approach to social engineering, phishing and other indirect attacks. “The impetus today is really about financial gain,” said Barzdukas, “and as we've moved to lock areas down, they've found it easier just to trick people.”
Whether there's any prospect of financial gain for Microsoft is another matter. Until this summer, Barzdukas offered home users a comprehensive security, tuning and backup service - Microsoft OneCare - but it seems not enough of them were willing to pay for it. Now she's launching the security part as a free service, which she codenamed Morro after a beach resort she stayed at in Brazil (http://bit.ly/msmorro).
“The [Morro] engine is the same as the one that drives Forefront and that drove OneCare, but our focus was to make a very lightweight and performant security solution that also has a level of quality backed by Microsoft's researchers around the world,” she said.
Forefront is the security service that Microsoft sells to businesses and Forefront/OneCare/Morro have been tested by most independent sites such as av-comparatives.org and Virus Bulletin (virusbtn.com). “So far, we've been doing extremely well,” said Barzdukas. No doubt the specialist antivirus companies will claim that they do a better job, but Microsoft's engine seems to be competitive, and it's aimed at the people that the specialist companies have so far failed to reach.
This is particularly the case in what Microsoft calls “developing nations”.
But Microsoft Security Essentials - a free product launched on Tuesday (from microsoft.com/security_essentials) - could raise more political questions than technical ones. Will the European Commission's (EC) competition department try to stop Microsoft from defending its OS, because some other companies - mainly Symantec and McAfee - make a lot of money by charging for protection?
Since Symantec and McAfee are well-known for complaining to the EC, I asked Barzdukas if she thought the EC would try to block it. (We met before the launch.)
“Our party line: we are committed to working within the regulatory environment of all of the countries in which we do business,” she said, sweetly. “Microsoft Security Essentials will launch in an environment where there are already a number of no-cost players, so it's not reinventing the model. We're really focused on doing the right thing for the customer.
“I've worked on the consumer security side since 2002, and the data have not shifted significantly in terms of the number of consumers who either don't have antivirus software or don't keep it up to date,” she said. “As incidences of malware continue to grow more pernicious, stepping up the work for consumers who are either unable or unwilling to pay for protection is what Morro's about.”
Barzdukas said “Morro is just one piece of what my team looks after: IE is the other. The security advancements we've seen in IE8 go hand in hand with addressing the problem of socially engineered software downloads. With the SmartScreen filter, we find we're blocking 20 times as much malware as we are phishing. The security landscape we used to worry about - mass-mailer worms and so on - are not really in style any more. It turns out, when you want to rob people, it's better to be quiet and not call too much attention to yourself.”
While it's useful to stop people being robbed, I also wonder whether people should be allowed to keep their infected PCs on the net. Some of these PCs are in botnets that are pumping out spam or being used to attack other people's servers, so there are arguments for either blocking their internet access or cleaning up their PCs remotely.
Microsoft already does some of this policing by running its MSRT (Malicious Software Removal Tool) on PCs that it is updating. In a networked society, where people are infecting their neighbours, could it and should it do more?
“We try to look at the balance of doing what we can to protect the ecosystem, and doing it to the appropriate level while respecting regulatory concerns, the partner environment and so on. There are widely divergent viewpoints on how much anybody wants their PC to be managed by somebody else. And it's your laptop, after all,” said Barzdukas.
“It puts more emphasis on all of the different people in the ecosystem: What is the role of an ISP in terms of protecting their portion of the network? What is the role of enterprise IT administrators now there's a blurring between home and work PCs? What is the role of software and hardware manufacturers? To what extent is Dell or Asus responsible for helping ensure that you have a good experience? What is the role of the individual? No one group can do it alone,” she said.
“The problem is that you've got consumers who can barely handle a firewall prompt [asking] whether they want to allow an application to use port whatever. Consumers aren't that technical. What we think at Microsoft is that we have to make it simple, and in Windows 7 we've tried to do that: we've corrected things where we hadn't done as good a job in previous versions of Windows to make [security] easy, accessible and effective. In IE8, we've tried to make it hard for you to do the wrong thing.”
But with the move to social engineering attacks, there isn't a technical fix that would remove the malware problem completely.
“I don't think anybody in the antivirus area of the company thinks there will be a time when there will be no more malware,” said Barzdukas. “What we look forward to is continuing our ability to protect against malware, and to make those protections more robust and less prone to requiring constant updating.”
Windows 7 and IE8 represent a huge advance on Windows XP and IE6, from that point of view. Whether that will be enough remains to be seen.