
The Pulpit


Weekly Column

Trust me, I'm From Microsoft: What's Really Behind Microsoft's New Commitment to Data Security

By Robert X. Cringely
bob@cringely.com

It would be very easy to write this column by simply reacting to the news. This week, for example, Microsoft has suddenly and very publicly embraced "Trustworthy Computing," which is to say the company is finally committing to make its products less vulnerable to worms, viruses, and hacking. I hate to be so cynical, but one has to wonder what has changed to push Microsoft into this new policy. After years of watching their customers suffer billions of dollars in losses caused by security problems, why is Microsoft suddenly changing? Why now? The analysts and pundits are saying this is Microsoft's response to negative news that might have eventually affected sales, and some just see it as a public relations move. I'd say that rather than marking a real change, this announcement is more a matter of executing a strategy that has been coming for a long time. It is neither a response to the insecure nature of Microsoft products nor a PR move. Rather, this is Microsoft's new way to get us all to buy more stuff.

Bill Gates, in his message to Microsoft employees, positioned the new policy as a tradeoff between adding new product features and improving security. Microsoft will be adding fewer new features, he says, as an inevitable cost of improving security. I doubt that is the case at all. Adding features to Microsoft products has always been intended to drive sales. New buyers are attracted to new features, the idea goes, and current users can be convinced to upgrade to get those features. If that fails, it has always been possible to force users to upgrade by introducing new features that are not backward compatible with earlier versions. It is all intended to separate users from their money. But there are limits to this strategy. How many more features do we really need in a core productivity application? I'm writing this column using Word 97, and can't imagine changing versions as long as I am using this particular notebook computer.

I am not alone in taking this position. Businesses, especially, have become reluctant upgraders because it costs so much to do so, not only in money but also in IT manpower, user retraining and lost productivity. More and more often, it makes sense to just stay with the current version, and this emerging trend is not lost on Microsoft. The company needs a new way to drive sales. Exit new features (we have enough of those anyway), and enter the era of the security upgrade.

New products and upgrades based on increased security have a certain appeal. After all, you can never have too much security, so users can be convinced to upgrade over and over almost forever (just look at McAfee). But there is a downside, too, which is that security and security performance are now firmly on the table. If Microsoft says it is going to make its products trustworthy and they aren't, then customers can rightly be upset. To this point, remember, Microsoft has pretty much disclaimed security, saying that all operating systems and applications are vulnerable. "It's not our fault." Well, in the age of Trustworthy Computing, it WILL be their fault, though the cost to us will probably be continual and expensive upgrades.

Looking deeper into the event this week that spawned this whole issue — a memo to all employees from Bill Gates — we can see both the artificiality of it and how little Microsoft really understands this problem. Unlike previous "think week" memos, this one was released to the press, which means it is a marketing statement more than anything. And Microsoft's past behavior in this area shows how little they grasp the complexities of security.

They placed an Internet server — often unbidden — into everyone's machine called "File and Printer Sharing." That caused a huge nightmare, but they didn't (apparently) learn anything useful from that. It takes INCREDIBLE PRESSURE on Microsoft to get them to do the right thing. As we know, I was unable to make that happen last summer with my columns on raw socket support in Windows XP. And with the more recent Universal Plug and Play (UPnP) security problem, they COULD have taken the clue and disabled the PnP service until/unless it was needed. But they haven't. This is what forced the FBI to advise consumers to take matters into their own hands.

Also note that this is NOT the first serious problem they have had with their PnP service! A month before, they were informed of a similar problem, but the hacker wasn't eEye and didn't have the smarts to demonstrate an exploit — so Microsoft was able to soft-pedal it, and no one noticed.

We cannot know that this is the LAST serious problem with PnP, so continuing to leave a potentially dangerous and remotely exploitable service running in all of the PATCHED machines is just nuts. But that's what they are doing!

Microsoft does not do security; it is not in their business interest — or hasn't been until now. They make probably the finest user-friendly, enterprise-scalable office software in the world. It does what it is supposed to. The problem is that it is not so good at what it is not supposed to do, and some of the things it does do well are of no use to anyone except the malicious. Nothing is worse than an expert out of his field, and Microsoft is very good at office software.
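The practical counterpart to the point above about leaving the UPnP service running on patched machines is simply to check whether it is running and turn it off. The following PowerShell script is an added example, not something from the column or from Microsoft; it assumes a current Windows host where the SSDP and UPnP device host services are still registered as SSDPSRV and upnphost, where the NetTCPIP and NetSecurity cmdlets are available, and where SSDP uses UDP 1900 (TCP 5000 was the Windows XP-era UPnP listener). The "File and Printer Sharing" firewall group name is likewise an assumption about current builds. Run it without arguments to audit; add -Disable to stop and disable the services.

```powershell
# Added example (not from the column): audit the UPnP-related services and
# listeners the column complains about, and optionally disable them.
# Assumed service names: SSDPSRV (SSDP Discovery) and upnphost (UPnP Device Host).
#Requires -RunAsAdministrator
param(
    [switch]$Disable   # without -Disable the script only reports
)

$upnpServices = 'SSDPSRV', 'upnphost'   # assumed names, verify on your build
$udpPorts     = 1900                    # SSDP discovery
$tcpPorts     = 5000                    # XP-era UPnP host listener (assumed)

function Show-UpnpServiceState {
    Write-Host '== UPnP service state =='
    foreach ($name in $upnpServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Host "$name : not present"; continue }
        Write-Host ('{0,-10} status={1,-8} startup={2}' -f $name, $svc.Status, $svc.StartType)
    }
}

function Show-UpnpListeners {
    Write-Host '== Listening endpoints on SSDP/UPnP ports =='
    Get-NetUDPEndpoint -LocalPort $udpPorts -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ('UDP {0}:{1} pid={2}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess) }
    Get-NetTCPConnection -State Listen -LocalPort $tcpPorts -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ('TCP {0}:{1} pid={2}' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess) }
}

function Show-FileSharingExposure {
    # The other "Internet server" the column mentions: report File and Printer
    # Sharing rules that are enabled on the Public profile, i.e. reachable from
    # untrusted networks. Group name is assumed from current Windows builds.
    Write-Host '== File and Printer Sharing rules enabled on Public/Any profile =='
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        Select-Object DisplayName, Direction, Profile |
        Format-Table -AutoSize
}

Show-UpnpServiceState
Show-UpnpListeners
Show-FileSharingExposure

if ($Disable) {
    foreach ($name in $upnpServices) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
            Write-Host "$name : stopped and set to Disabled"
        }
    }
    # Re-check so the operator sees that nothing is left listening.
    Show-UpnpServiceState
    Show-UpnpListeners
}
```

Disabling the services is the conservative choice the column argues for; if a device on the LAN genuinely needs UPnP discovery, the narrower fix is to keep the services but block the ports on the Public profile rather than leave them reachable from every network the machine joins.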

So what will happen next? If history follows its familiar course, here is what Microsoft will do, thanks to one of my smartest and most observant friends:

1. They get excited and announce an Initiative. The Initiative will involve creating a new standard even though there is an existing standard in the area, because the New Standard (a) will be totally way better; (b) is totally incompatible and; (c) is controlled by Microsoft. Note that at this point there IS NO new standard, just the announcement and the name.

2. They assign a person to spearhead the initiative. This is a 20-something who has no background in the area, and who finds the complexity of the existing standard "confusing."

3. Within months, Microsoft publishes a 1.0 standard and a 1.0 beta Software Development Kit, and announces that support will be included in upcoming versions of Windows. The 1.0 standard — which is ludicrously vague and incomplete, but includes code samples — is roundly criticized, if not ridiculed, by every knowledgeable person who reviews it.

4. Excuses and PR noises, with promises to include "your valuable feedback" into the next major revision ... but, so sorry, it's too late to change anything in the 1.0 release because it goes into code freeze next week!

5. The Microsoft person who was leading the effort quietly disappears to other duties.

6. Eventually the 2.0 standard appears, again with a beta SDK and a code-freeze date too close to allow for any substantive changes. Overall there is improvement, but the excitement has worn off, the early missteps have permanently scarred the standard, and it has dawned on the survivors that their personal brilliance and the power of Microsoft have NOT magically created something far better than the previous standard. In fact, they have a lot of hard work ahead just to match what they once promised to surpass. I can hear them telling themselves — "Sure, it's not perfect. OK, OK, it sucks! But it's totally incompatible, right, like we wanted? And we control it! Not like some lame-o committee."

7. The Microsoft PR machine resolutely directs its attention elsewhere.

8. Microsoft requires relevant vendors to support the standard, in order to use the next Windows logo on their box.
