January 2, 2003

Trustworthy Computing in 2002

- By Chris Pike, reprinted from Pikeus -

2002 was the year that Linux made big news and Microsoft admitted it was their greatest threat. Microsoft's continued attempts at spreading Fear, Uncertainty and Doubt (FUD) in an effort to turn people away from Linux and Open Source didn't get them anywhere. Their focus on increased security didn't get them anywhere either. To top it off, they even ended up paying people to use their software.

Trustworthy computing?
The multitude of virus and security related issues that occurred in 2001 left Microsoft with plenty of egg on their face. As a result of Microsoft's obvious failings the 'Trustworthy Computing' scheme was initiated, with its positive focus on reliability, security, privacy and business integrity. 2002 saw Microsoft marketing many 'initiatives' such as this, using names which stood for the opposite of how people actually felt about Microsoft and their software.

In a further bid to stop people from focusing on their failings, Microsoft decided to take a month out early in the year to perform a security review, apparently costing them $100 Million. Although appearing dedicated to become more secure, their security conscious 'plans' didn't do much for their attitude. Not only did they continue taking months (literally) to patch the multitude of fresh bugs that were appearing, but incidents such as the SSL flaw in August were deemed unimportant by Microsoft, and in the end they were forced (literally) to patch it. Their attitude against any reported bug was that if it didn't match their checklist criteria then they wouldn't fix it, even though it was in their power to do so (Microsoft's definition of a security vulnerability can be found here).

Even by the end of the year Microsoft hadn't shown any real signs of change. In December Microsoft provided a patch for a flaw in Internet Explorer but downplayed its importance, rating it 'moderate' although experts said it was serious and could be exploited to take over a user's machine. This came at a time where Microsoft had just earlier modified their rating service so that fewer vulnerabilities would get the higher ratings. The flaw was one of many that were discovered by security company GreyMagic as early as October, and with the patch in December Microsoft still hadn't fixed 18 flaws found at that time, six of which were reported to be serious.

Microsoft's trustworthiness was questioned earlier in the year as they voiced a desire to keep the discovery of bugs in their software to themselves, wishing only to disclose the information after a fix was available. This meant that applications could remain vulnerable indefinitely until Microsoft decided (if in fact they did decide) to fix the problems, and nobody would even be aware that a vulnerability existed - except maybe a few crackers and their friends. Needless to say, the vast majority of people were firmly against this stance.

Evidence of Microsoft's need for control was seen in their Xbox game console, which contained a hardware-based security system. This consisted of chips that used encryption to deter people from running any software except what Microsoft wanted them to run, preventing piracy and maintaining Microsoft's control over what the Xbox was used for. Microsoft were dependant on full control over the Xbox and the software it would run, as they were losing money producing the console and sought to make a profit from subsequent software sales.

The encryption was soon cracked, enabling the development of 'Mod chips' that removed any restrictions imposed by Microsoft. This also meant that the Xbox could be used as an inexpensive PC that would even run Linux, losing Microsoft valuable software sales. Shortly after the first Mod chips were available Microsoft discarded it's current stockpile of chips, at a further loss, and got nVidia (the supplier of the chips) to create new ones that were tougher to crack. About a week later the new chips were also cracked.

Obviously lacking in the area of security, near the end of the year Microsoft bought Liquid Audio's digital rights and file transferal patents, and also bought the company XDegrees to secure it's .Net core.

Microsoft openly admitted that security hadn't been at the forefront of their business model, but came up with a weak excuse that this was due to people being unwilling to pay for it. With this statement Microsoft tried to paint a picture of security being an optional extra rather than a necessary component they had neglected. Microsoft's Craig Mundie even went so far as to say "The operating system is designed to run on machines that are not designed yet", taking the blame from Windows and placing it with hardware manufacturers!

At this time Microsoft came out with the idea of Palladium, a combined software/hardware based security system. The idea was that only trusted and approved applications and data would be able to run on your computer. With 2002 seeing a great deal of conflict concerning digital rights, Microsoft jumped onto the scene pushing Palladium, as they themselves knew of the desire to maintain control of their own intellectual property. Palladium seemed a logical answer for digital rights, allowing the creator of an application or data to deny access to those things on any user's hard disk, even allowing files to be remotely deleted. The idea of what this system could do caused concern, and the idea of Microsoft having control over it caused even more concern.

In October Gartner said that Microsoft would be unlikely to have anything that comes close to secure software until 2004 at the earliest. It was also around this time that Microsoft mentioned a desire to start selling security products. Later in October there was a security breach on the server operating the Windows Beta website, a repository for nearly all Microsoft software applications undergoing beta testing. Any number of applications currently in beta could have been compromised even though they weren't (according to Microsoft). Regardless of whether or not any applications were compromised, this was a further blow to Microsoft's increasingly poor security.

During the year there were a plethora of bugs in Microsoft's SQL server, IIS, Outlook/Outlook Express and components of Microsoft Office. There were a barrage of news articles pointing out the vast number of security issues within Microsoft's Internet Explorer (IE), some even going so far as to advise that people ditch IE altogether. While IE got bad press, Mozilla hit the press as it achieved it's 1.0 milestone, producing a stable Open Source browser adhering to Web standards better than IE. Microsoft's polluted Java implementation was reported to be full of holes, while the holes were not found in Sun's original version of Java on which Microsoft had developed. In fact, it appeared that Microsoft had a kind of Midas touch, where everything they touched turned to holes.

Even some of the patches Microsoft provided for the holes were poorly developed. There was the IE patch that claimed to fix vulnerabilities that it didn't, the IE patch that caused the browser to crash, the Outlook Express patch that wouldn't install, the Win2K service pack that caused a Blue Screen Of Death and various other patches that appeared to cause problems. Also, there was WinXP service pack 1.

WinXP service pack 1 was supposed to fix some issues and implement changes brought about by the Anti-Trust case, including the allowing of OEMs to replace middleware such as Internet Explorer from being the default browser. The service pack proved too complex for OEMs to deploy easily, therefore most chose not to deploy it with their PCs. The service pack was alternatively available by download, but appeared to push the user to download it via Internet Explorer 5 or above. Accepting the End User License Agreement for the Windows XP service packs allowed Microsoft to legally access your data remotely, which in turn sparked privacy fears.

OEMs had previously been under contract with Microsoft that they should only sell PCs with Windows (whether or not the user wanted to use Windows, or already had a copy), and the price of any PC automatically included the price of Windows. As a result of the Anti-Trust case, August 1st saw new Microsoft licensing terms put in place which prevented Microsoft from retaliating against OEMs. The new terms were that PC makers must ship PCs with an operating system, and Dell took advantage of the new terms and subsequently sold PCs with a copy of FreeDOS.

Passport / .Net
Based on Microsoft's Passport, their much hyped .Net service 'Hailstorm' was supposed to increase Windows' appeal, attracting people to the .Net platform. The problem was that it would put everybody's data in the hands of Microsoft, placing them in control of everybody's security - something which Microsoft apparently wasn't very good at. An attempt at renaming it from 'Hailstorm' to '.Net My Services' didn't fool anybody either, regardless of how nice the name was, people were not interested. In the end Microsoft pulled Hailstorm and took it back to the drawing board due to the obvious negativity towards it.
Earlier in the year, a poll by ZDNet to find out how many developers were considering developing for .Net showed that a large percentage of them were interested in it. It was later discovered by ZDNet that the poll was rigged by Microsoft employees voting multiple times and using automated scripts. To make things worse for both .Net and Microsoft's new stance on "Trustworthy Computing", their .Net Developer Kit was also found to have a security flaw in it.

In April Gartner produced information stating that users of Microsoft's Passport doubled. Although this news could cause us to assume that it was highly successful and loved by all, the survey also revealed that 84% of customers had only registered with Passport as it was required to access other Microsoft services such as Hotmail, WinXP and Messenger.

Later in the year the FTC investigated Passport concerning false representation of security and privacy by Microsoft who, as usual, never even admitted that they'd done anything wrong but agreed to do something about it.

Microsoft started out with their anti-piracy scheme in late 2001 with the release of Windows XP and its dreaded Product Activation. The Product Activation technique meant that any significant change of hardware on your system would cause Windows to prompt you to contact Microsoft and verify your activation code, failure to do this would mean that you would be denied access to your software. This didn't go down well with anybody, and drew attention to the fact that many people were using a copy of Windows on more than one PC, going against Microsoft's licensing regulations.

In 2002 Microsoft looked to the nations where software piracy was strong, such as China, and made them do something about the problem. Rather than achieving the result where these nations repented, bought legitimate copies of Windows and increased Microsoft's profits, they announced that they would be switching to the free Linux operating system and Open Source software. Countries such as Mexico and Peru also took this stance. Realizing the threat posed by this, Microsoft flew out to these countries for talks with their governments and ended up handing out large amounts of cash, providing their education and software development sectors with free software worth millions of dollars. Although Microsoft would lose money short-term they would make money in the long run, a similar strategy to that of the Xbox. Software upgrades would ensure that Microsoft maintained their cash flow, and the threat of Linux would be significantly removed by the widespread use of Microsoft's proprietary protocols and file formats (locking users into Windows due to compatibility issues).

Microsoft's anti-piracy maneuvers also focused on schools. In the USA some schools were notified that an expensive software audit would need to be performed within 60 days, as Microsoft wanted to check that each machine was running fully licensed software. As this required documented evidence it seemed impossible to comply, and Microsoft advised that schools should not accept any PC (donated or otherwise) unless documentation was provided. If the schools failed the software audit then they could register all of the computers running Microsoft software for an annual fee (something that Microsoft was later to force upon everybody via Licensing 6).
After this incident Microsoft themselves ended up freely giving away money and software to third-world schools, under the commendable guise of bridging the digital divide (which itself was helped along by Microsoft's extortionate prices, proprietary file formats and forced software upgrades - which usually required a hardware upgrade too). Microsoft appeared even more two-faced as they continued to overcharge western schools that were already using Microsoft software - except for where Microsoft gave millions in software to those schools or colleges that voiced interest in switching to Open Source.

One incident that caused controversy was that of the university of Waterloo in Canada, where a pro-Microsoft curriculum was announced at the same time as a large donation from Microsoft was made, ensuring that students would be learning .Net development. There was another incident concerning universities in Texas where, to extinguish the high amount of piracy, tuition fees were raised to cover the software costs and the students would pay less for Microsoft software. Of course, to those who didn't use Microsoft software it meant that they were being charged unfairly, which is similar to Microsoft's tactics towards OEMs of "you can't sell a PC without selling a copy of Windows with it". This would mean people were more likely to stick with Microsoft software because they'd already paid for it.

These situations all showed Microsoft as desperately attempting to get everybody using their software (even by offering it at a loss), and once hooked extracting as much cash from them as possible, or using the situation to promote development for the proprietary Windows environment.

Microsoft not doing themselves any favors

Product Activation proved a bad start for Microsoft late 2001, getting people on the defensive side. In 2002, to cause further turmoil, Microsoft brought out a new Windows licensing plan labelled Software Assurance or Licensing 6. This forced people to upgrade their operating systems by paying an annual subscription fee or face paying anywhere from 45% up to 107% more for licenses later on, and all this during a technology recession. This caused many to buy before the deadline and others signed new multi-year contracts, doubling Microsoft's profits. Needless to say, this didn't go down too well, even those who were pro-Microsoft were frustrated with their attitude.

In late November Microsoft mentioned that the following year it would create a new "Open Value" licensing plan, due to the negativity generated by Licensing 6. Part of this new plan would mean that any sign of a large 'defection' from Microsoft products to Open Source products could get Microsoft to offer discounts of up to 50%.

The attempt at offering Microsoft Office as a subscription based service was dumped as nobody was interested. But Microsoft caused more than a stir when they later announced that Office 11, the upcoming version of Microsoft Office, would only run on Win2000 or above and would not be compatible with older versions. This was necessary (as reported by Microsoft) due to security issues.
To top it all, Craig Mundie stated that "Customers' continued reliance on earlier versions of Windows, rather than the current Windows 2000 and Windows XP, is slowing down efforts to secure the global computing infrastructure". This did little more than blame the bad state of computer security on those who were using older software, rather than the fact that Microsoft's older software was created with very poor security that they wouldn't freely fix.

Desperate measures
Open Source became the focus of everybody's attention, becoming more of a viable option due to big names such as IBM, HP, Dell and SUN all backing Linux, helped along with the growing lack of trust in Microsoft. The Open Source PHP scripting language overtook Microsoft's ASP, and Open Source Apache Web server overtook Microsoft's IIS.

In March Microsoft CEO Steve Ballmer Wept for Windows during the Anti-Trust season. Microsoft released a video of it in both Windows Media Player and RealPlayer format, obviously wanting everybody to be able to access it - probably for the first time in history.

During the Anti-Trust case, the Alexis de Tocqueville Institution (a small think tank promoting free-market principles) published a white paper against the use of Open Source software. The paper was reported to be very weak and poorly-researched. The Alexis de Tocqueville Institution itself received a significant portion of it's funding from Microsoft, and much of their research was aimed at issues important to Microsoft.

Microsoft's Anti-Unix campaign wehavethewayout.com didn't get much credit as the Website was (at the time of release) discovered to be hosted on the Open Source Apache Web server running on the Open Source FreeBSD operating system.

Microsoft got a taste of their own medicine when Open Source zealots in California and the Philippines called upon their governments for laws supporting the use of Open Source software. Microsoft didn't like that and created the "Software Choice" movement, stating that it was unfair and that everybody should be free to choose what software they used. This was a very two-faced and self-condemning statement from Microsoft, considering their stand on proprietary formats that tie people to Microsoft products, the software bundling that gave them an unfair advantage and killed off their competitors, and the forced inclusion of Windows with every PC purchase (all things in which Microsoft have never admitted any wrongdoing).

Congressman Adam Smith, who's biggest political contributor was Microsoft, began circulating a letter asking for signatures in a petition against the Open Source GPL license. This caused a major outcry from the Open Source community, and rather than doing any damage it made congress aware of the strong support behind Open Source. The letter was withdrawn, and most who signed the petition said that they didn't even know what they were signing.

At one stage around September Microsoft repented about the FUD they had spread concerning Linux/Open Source, and proclaimed that they would be focusing on the strengths of Windows in the future. At that time, rather than focusing on the strengths of Windows, Microsoft expanded their attentions from the PC to other ways of spreading their grip: such as cellphones and PDAs, wireless networking, the Xbox game console, etc. (it was revealed in November that all of Microsoft's other ventures had made losses). In October, after many news articles commenting on Microsoft's poor security, Microsoft went back on their word and once again attempted to deride Open Source security via the medium of FUD.

Although criticising Open Source, Microsoft changed to accommodate some of the Open Source techniques, such as focusing on a development 'community' and opening their source code (although it was read-only). Microsoft created the Shared Source License which allowed developers to view the code for purposes of developing, debugging and supporting both commercial and non-commercial products. While deriding Open Source they were back to stating how open code did nothing for security, and mentioned that not many people had shown an interest in Shared Source. This was quite strange as Microsoft stated in the first place that they created it due to customer demand. A short while after this they were again promoting Shared Source as though it were a great asset. Microsoft certainly did appear to be changing with the times.

Microsoft stated that they were focused on listening to their customers needs, and did indeed appear to be making changes to their plans due to customers demands. However, when your customers are constantly complaining about you and are considering dealing with your competition instead, what else do you do? Yet again, Microsoft appear to look good in a bad situation.

Nearer the end of 2002 Microsoft started an advertising campaign for the Macintosh version of Microsoft Office. The advertisements showed Macs and PCs getting along together, promoting compatibility between the two. Some could see this as Microsoft deciding to get along with it's competitors, and as Microsoft said, it shows their commitment towards the Mac. But considering that until this time Microsoft had never shown any commitment to the Mac, and that disgruntled Windows users had at that time started to look towards an alternative operating system, I'm sure that Microsoft would rather they switch to the Macintosh than Linux. After all, Microsoft never said that the Macintosh was their greatest threat, and uncertainty of commitment had been one of the major reasons people were wary of any Open Source software.

India was becoming a key player in the tech/software market, and appeared to be looking towards Linux. In November Bill Gates travelled to India, giving them (from the Bill and Melinda Gates Foundation) $100 million towards fighting AIDS. Bill also announced that Microsoft was investing $400 million in India over the next three years to promote the use of Microsoft solutions, and a further $20 million for e-learning (adding the Microsoft influence to schools). At that time Bill said that "India is of strategic importance", appearing to openly admit that he was bribing India (via his self-owned charity) to go with Microsoft.

However, when critics accused him of bribery and said he was doing it to make his company look good, Bill responded that this was not the case, the foundation was independent of Microsoft and was founded long before any claims of anti-trust. Still, one could question why the foundation always appeared to follow Microsoft around whenever they needed to coax governments into using Microsoft solutions. As Bill said, the foundation was independent from Microsoft, but it wasn't independent of Bill Gates - and when you think of Bill Gates you think Microsoft. And just because the foundation was created before the odor of anti-trust was found around Microsoft doesn't mean that Bill couldn't be using it in an impure way, Microsoft's conduct had been questionable long before the Anti-Trust case started. Giving money to fight AIDS was far from bad, however, Bill's motives for doing this (especially at this critical time of 'strategic importance') would appear questionable. And if Bill's giving of money to fight AIDS is considered to be generosity, shouldn't we also consider why Bill gave four times that amount of cash towards investing in India's tech sector?

Ironically Bill's visit to India gave a huge publicity boost to Linux and Open Source, causing the Indian government to seriously consider the use of Linux.

In late December, users of Microsoft Office in Norway asked Microsoft to translate it into their New Norwegian, or Nynorsk, language. Microsoft declined, pointing out the large cost involved in such a task. Eventually Microsoft agreed to translate it after most of Norway's high schools threatened to boycott all Microsoft software if they didn't.

After the Anti-Trust case concluded, when Microsoft had been found guilty of acting as a monopoly and settlement plans had been made, Steve Ballmer said that Microsoft have "learned and grown through the experience of the last four years. We are committed to moving forward as a responsible leader in an industry that is constantly, constantly changing."
Microsoft have treated everybody with contempt for years, and all they can say is that they've learned from it? Bill Gates proclaimed, "This settlement puts new responsibilities on Microsoft, and we accept them," and also that he was "personally committed to full compliance." It's a pity that he wasn't so happy to play fair for the past few years.

Again, Microsoft never admitted that they did anything wrong. They pleaded innocent, yet they were found guilty.

Leaked Memo
In November a memo leaked from Microsoft showed the results of a telephone survey of developers, sysadmins and business executives who make decisions on IT spending. This concluded that Microsoft's efforts at turning people away from Linux/Open Source by attacking it were ineffective. In fact, it showed that most people were already quite familiar with Open Source, and were in favor of it. The main reasons why people were pro-Open Source was due to the Total Cost of Ownership being lower and also purely because it was an alternative to Microsoft products.

Sun v Microsoft

In December Sun Microsystems, creators of the Java programming language, took Microsoft to court hoping to get their Java Virtual Machine (JVM) distributed with Windows. Previously Microsoft had distributed their own 'doctored' JVM but had been found guilty of polluting and defragmenting Java. During the court case Microsoft attorney David Tulchin said, "The antitrust laws were not promulgated so that one competitor could take a free ride on the back of another competitor". But would this statement not confirm that Microsoft's own software bundling with Windows was anti-competitive, giving their own separate products the advantage of this free ride? If the 'free ride' on Windows is worth so much, should Microsoft be allowed this advantage just because they own Windows and are not in competition with themselves?

Around this time Microsoft were preparing themselves to face a separate anti-trust case by the European courts. If Microsoft were found guilty of anti-competitive practices by the European courts then one resolution being considered was to "unbundle" Windows Media Player from Windows. Microsoft didn't like this idea at all, saying that removing Windows Media Player would damage Windows, and it was something they were not prepared to consider. From this it was clear to see that Microsoft were desperate and determined to bundle their software with Windows, signifying that they believed it was important and did give them an advantage.

Microsoft have continually brushed off the big problems or unfavorable situations they've created with smooth sales talk, acting as if they're the ones who have been wronged and announcing extravagant plans to make everything better. Foolishly people continually come back to take another beating, still believing the hype that Microsoft thrive on.
Microsoft would like to put the past behind them, however, this is no reason for everybody to forget what they've done. The Microsoft we see now are still trying to force themselves upon everybody, cutting out consumer choice and sucking as much money out of people as possible.
For Microsoft, 2002 was filled with failings, inadequacies, lies, cover-ups, passing-the-buck and (as usual) relentless pressure to upgrade. These are the actions of a company promoting 'Trustworthy Computing'.

But are they trustworthy?


Chris Pike would try and persuade your cat to use Linux, and frequently
studies Linux/Microsoft related news. His verbose comments are ignored by
thousands throughout the world.

The above opinions are the author's and may or may not be the same as those held by OSDN or OSDN editors. This article appears here with the author's permission. For republishing information, please contact the author directly. If you have written (or plan to write) an article that might be suitable for NewsForge, please submit the entire article, a link or an inquiry to editors@newsforge.com.

Click Here!