Microsoft security spend greater than the Star Wars missile system

Microsoft has spent more on securing its software than was spent on the Star Wars missile project, the company's head of security has told conference guests. An unfortunate analogy for Iain Mulholland to use since the project was a complete failure and little more than the private obsession of a few top American ego-maniacs.

But, despite - and because of - this Herculean effort, viruses and worms are going to get worse. They will become more complex, more vicious and more dangerous because the days of quick and easy exploits have come to an end, thanks to the software giant's efforts. According to one expert anyway.

Former Bell Laboratories researcher, security author and founder of IT security firm Lumeta, Bill Cheswick said that improved security will force malicious code writers to construct more complex programs that will either circumvent or push conventional defenses such as anti-virus software and firewalls to their limits.

Recent examples of malicious code, that had not necessarily escaped into the wild, were generally becoming more time consuming and difficult to copy or neutralise, he said. "Virus emulators are slowing down. This game is not going to end nicely. What happens if there is a virus you cannot defeat? The spooks worry about viruses with their own compilers."

Cheswick said that he believed Microsoft was doing its level best to remedy the way it builds security into its code after some 20 years of less-than-perfect versions. If there may have been doubt about Microsoft's capacity to deliver secure computing, it was not reflected by lack of interest by the boss of Microsoft's Security Response Center, Iain Mulholland.

Mulholland backed Cheswick's assessment of more complex exploits appearing, saying that he was seeing "a commodity market being built that buys and sells exploits and vulnerabilities" which he likened to "the next big thing after the dot com boom". He continued: "The low hanging fruit is gone, some of the exploits we are seeing are very complex."

With security now promoted as the number one priority at Redmond's, output from its army of eager developers was now being put to the blowtorch by the "evil" minds of Microsoft's vulnerability police, he said.

Mulholland said that while holes were being discovered far more frequently than monthly patch releases, Microsoft was concentrating on getting the best possible quality out of its security updates so that more problems were not caused by the patches.

While no figures were offered on how much money is going into Microsoft's belated blitz on security, Mulholland said that the company's research and development expenditure exceeded that of the trouble-plagued Star Wars missile defense system.

Not everyone was convinced with one delegate, a government IT security manager who requested anonymity, said the current patching regime was a "heap of crap". He said software updates could potentially be hijacked by diverting the IP address - resulting in possible infection by Trojan horses.

Mulholland countered the allegation by saying that code downloaded from Microsoft was "intentionally very brittle" and that authentication by way of "baked in certificates" was there to protect users.

Comparing a security system to the Star Wars missile system would appear to be perfect territory for a one-liner. You got one? Share it with everyone on the forum.