A week with the Gates memo. A more careful re-reading has clarified what is specifically committed and what is not. The mix of the two is informative.
What is specifically committed
Three commitments I find substantive after careful reading.
Engineering-process changes. The memo commits to specific changes — threat modelling, security training, security review as a release gate. These are auditable. Microsoft can be held to whether the practices are actually implemented and whether they produce measurable changes.
Default-configuration changes. The memo commits to "secure by default" as an architectural principle. This is auditable through product releases — when IIS 6 ships, its defaults will tell me whether the commitment is real.
Customer-trust orientation. The memo explicitly frames security as a customer-trust problem rather than just a technical one. This produces incentives in the right direction; it commits Microsoft to actions that benefit customers, not just internal metrics.
What is conspicuously not committed
Three gaps I notice on careful reading.
No specific timeline. The memo does not commit to dates. "Trustworthy Computing" is described as a long-term direction without specific milestones. Microsoft can claim progress at any pace; there is no public benchmark for "ahead of schedule" or "behind schedule".
No specific metrics. The memo does not commit to measuring security in any specific way. There is no commitment to publishing the rate of advisories, the time to patch, the percentage of products meeting a security standard. The improvement, even if real, may be hard to verify.
No public accountability. The memo is internal-facing in tone. It commits Microsoft to itself, not to an external audit body. There is no third-party verification of progress.
These gaps are not necessarily failings — a public commitment with public metrics would be much stronger but would also be politically harder. The internal commitment is real; the lack of external verification is a constraint.
What this implies
Three things.
The improvement will be hard to measure externally. Operators and the broader community will see evidence of the commitment — better defaults, faster patches, fewer advisories — but will not have authoritative metrics. The conversation about whether Microsoft has improved will be qualitative for years.
The improvement is more likely to compound over time than to produce a sharp shift. Cultural change in a large organisation is slow. The first 6 months will produce visible changes; the bulk of the improvement is probably 18-36 months out.
Customer pressure should continue. The memo is partly a response to customer pressure; sustaining the pressure helps the commitment land. Operators communicating that they continue to expect improvement is the right posture.
My calibration update
Following the careful re-reading, my probability estimates are essentially unchanged from last week. The memo is genuine; the visible improvements will be slow; the verification will be qualitative.
For the predictions in my 2002 list:
7. Trustworthy Computing memo published and substantive. Resolved AFFIRMATIVE.
8. Microsoft pauses Windows development for security review. Status: in progress; rumours suggest ongoing internal pause. Probably resolves H1 2002.
What I am doing
For my own writing: I will continue to track Microsoft's response. Specific posts will follow as concrete evidence of the commitment appears.
For friends running Microsoft infrastructure: the discipline is unchanged. Patch promptly; defend in depth; do not assume future products will solve current problems.
For the broader industry: this is a moment that, in 5 years, may be remembered as a turning point or as another disappointment. The next 18 months are the operational test.
More as the year develops.