As expected, self-described "longtime security expert" Bruce Schneier has responded to the recently published Microsoft internal memo outlining Bill Gates' new-found motivation for security. Schneier gets it mostly right. He rightly points out that trust must be earned. He champions simplicity in design and implementation. He identifies as problematic the commingling of data and code, asks for "rigid separation", and wants scripting features removed. This sidesteps the issue of insufficient user understanding regarding security, which is something no one is likely to solve any time soon.

But he also wants to put a stop to SOAP and clarify blurred distinctions between local and remote resources. This runs counter to the promise of distributed computing and is increasingly irrelevant when users' data and applications are remote, anyway. In short, Schneier wants Microsoft to make a lot of changes that will upset, frustrate, and alienate the average customer, at least in the short- and mid-term. Although the results may be long-term positive for users and industry, Microsoft will suffer for a while. There is no easy way to quickly deploy secure infrastructure and convince users to give up things to which they've become accustomed.

Schneier briefly acknowledges the business cost of his recommendations. It's important to see that what works for Sun with Java may not be feasible for Microsoft with XP and .Net. Java is mostly free, and is ultimately intended to sell more Sun hardware. The code is all Microsoft has to offer; this fact necessitates a different approach. Schneier asks Microsoft to open-source Windows and Office, but stops short of expressing an interest in reading the code.

"Making security Microsoft's first priority will require a basic redesign of the way the company produces and markets software. It will involve a difficult cultural transition inside Microsoft. It will involve Microsoft setting aside short-term gains in order to achieve long-term goals."
Related: "Results, Not Resolutions" | Schneier and Shostack on Gates memo