SAN FRANCISCO - Keeping information secure in this age of laptop-lugging workers is the tech industry's most formidable challenge, Microsoft Corp. Chairman Bill Gates said Tuesday.
Speaking to an annual gathering of 15,000 computer security experts in San Francisco, Gates invoked the metaphor of a medieval castle to explain the problem: Programmers build bigger moats and thicker fortress walls -- but they don't bother to protect the corporate crown jewels when members of their fiefdom exit the castle and leave the drawbridge open.
"We used to think of the data center as a glass house that was very isolated," Gates said. "But if we look (at) what actually goes on -- consultants come into your company, employees who are not onsite need full access -- we cannot think of that glass house as the way to define what can connect to what. We need a far more powerful paradigm."
Gates repeated Microsoft's claim that Windows Vista, which launched last month, was the most secure operating system in the company's history. But he acknowledged that all software has "weak links" -- particularly when thieves steal servers with confidential information, or when employees use simple, obvious passwords on multiple accounts.
Instead of passwords, Gates favors "public key certificates" -- combinations of digital signatures and identifying information such as a person's name, address, Social Security number and other data. He calls it the "identity metasystem."
"We all struggle to remember an ever-growing number of user names and passwords as we move between systems at work and home," Gates wrote Tuesday in a message posted on the company's Web site. "Because it is unlikely that a single digital identity system or technology will be universally adopted, a different approach is required."
Craig Mundie, Microsoft's chief research and strategy officer, said the software industry still views computer security in a dangerously outmoded way.
"It's like we've been in the medieval age of network protection. We build thicker walls, higher turrets, put drawbridges in front of the fortress," Mundie said at the security conference. "What we didn't see coming was the airplane and the long-range missile."
Evidence that no software is immune to attack came during Gates' and Mundie's keynote, when researchers at Core Security Technologies Inc. announced a vulnerability that could affect companies running Vista in conjunction with other programs from third-party software vendors.
Engineers at the Boston-based consulting and software company exploited a hole in a popular piece of backup software from Computer Associates Inc. to remotely compromise and take over a Vista machine. Researchers said they could repeat the hack using other third-party programs.
"We just want Vista users not to get lulled into a false sense of security. Vista can't solve all their problems," said Max Caceres, Core's director of product management.
The executives spoke at an annual conference sponsored by EMC Corp.'s RSA Security division.