I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit

Weekly Column

Stream on: How Microsoft, on the Brink of Defeat, Could Still Win the Streaming Video War

By Robert X. Cringely
bob@cringely.com

Have you heard about Mailinator, the brainchild of my friend, Paul Tyma? Mailinator is ad hoc e-mail for those times when just maybe you don't want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone -- anyone -- that your e-mail address is fatman@mailinator.com or skinnykid@mailinator.com, or clueless@mailinator.com or any other address you like at mailinator.com. But this is no dead-end. When people write to you at that address the message will go through. That's because Mailinator accepts any message going to that domain and automatically assigns an e-mail account to it. But what about passwords? There are none. Anyone can go to Mailinator and check the mail for clueless or any other name. But with so many names and the idea that Mailinator is only for occasional use, who cares?

As an anonymous communication device I can only find two faults with Mailinator, and one of those has already been solved. What if your network e-mail czar won't allow messages to or from the mailinator.com domain? That's okay because clever troublemakers who own parked domains with e-mail forwarding as part of the parking package are setting those domains to forward all mail to mailinator.com. With tens of thousands of parked domains owned by a wide variety of twitchy people, the number of Mailinator proxy domains will grow faster than the mail admins can blacklist them. It may not have a business model, but Mailinator looks unstoppable.

The problem for Mailinator that hasn't been solved is the inevitable e-mail spider program, which I like to think I thought of first. Yes, it is a search engine for anonymous e-mail. And why not? Since Mailinator has no passwords it is possible for a spider program to check every e-mail account every day, maybe even every hour. The trick is to try checking mail on every server to start and those that don't ask for a password are Mailinator proxies. What's interesting about the idea of an anonymous e-mail search engine is that you could search on content keywords and probably get your mail without even remembering your account name. It would be like General Delivery at the Post Office, where you just show up and ask for your mail.

Mailinator is obviously going to give fits to lots of uptight people, with at least some of those people being at the FBI. If you get a chance to, check out Mailinator.

And speaking of annoying the legal system, that pesky worm is still running amok and transmuting itself all over. Last week, I mentioned a friend who back in 1991 asked Microsoft to make some structural changes in Windows to avoid problems just such as this. Readers asked me specifically what Microsoft could have done, but didn't do. Here is the answer.

"To answer your reader’s question," says my buddy, who was once one of Microsoft's larger customers, "one of the basic functions of an operating system is to run programs. There is a RUN API and the command line interpreter is simply an interface to the RUN API. Many viruses are sent through e-mail because it is easy to access the RUN API from an e-mail attachment. Our first suggestion was within e-mail to restrict the ability to run applications and interact with the e-mail system (post office, address book, etc). Only the e-mail client should be able to interact with the e-mail system. Only programs that have registered and authenticated user IDs [ought to be able to] independently interact with the e-mail system. There should be a way to manage and control the RUN API's control by e-mail attachments.”

"While this in itself would not have prevented the MSBLAST worm, the extension of the idea would have. At that point (1991), Microsoft was thinking about their e-mail strategy, the product that became Exchange. To create an e-mail product you need to have a directory. In time, the logical step (even to Microsoft) was to extend the concept of the user directory to cover other security uses, like file and print access.”

"Our second suggestion was at that point to improve the security of the RUN API. The operating system internals would also be registered as users. Legitimate OS functions could use the RUN API. The user could use the RUN API. Any registered and authenticated applications (no longer limited to e-mail) could use the RUN API. Anything else that attempted to use the RUN API would have to ask the user for permission, or would be prevented from working altogether.”

"In this scenario MSBLAST would have gotten past the RPC flaw. It might have been able to download its payload code. But that code would have had a hard time running.”

"Some of the worst IIS bugs involved the ability to basically access the command interpreter from the Internet. If there had been a security interface to the command interpreter (via the RUN API), IIS would have been a lot easier to protect.”

"These were well understood computer concepts in 1991. We realized in 1991 that an operating system with wide-open e-mail and network connectivity would provide a very easy conduit for viruses. At the time, there were virtually no viruses in the PC/DOS/Windows world, but viruses were a big problem in the Macintosh world. We knew e-mail and networks would make PCs a big virus risk. Our suggestions focused on interfering with the means viruses could and would be spread. This approach works BEFORE the code is even recognized as a virus. Prevention is a much more effective way to deal with a problem.”

"Imagine how easy software licensing would have been if you could register applications in a security database and that would permit them to run on one's PC.”

"We also asked for a standard API to give a virus scan application the ability to intercept and scan all e-mail attachments. Basically, you should not be able to touch an attachment until your virus scan checks it.”

"We asked that attachments be stored separately on the e-mail server (post office) so that a virus scanning application could access them. If an attachment was sent to several people, a single copy of that attachment should be kept on the server. If the attachment was infected, its deletion should remove it from everyone's e-mail account.”

"We discussed how we intercepted the Windows password system so that we could track password age and verify one's password followed our security rules (min 6 characters, mix of letters and numbers, etc). Microsoft needed to provide this service. We also brought to their attention they were sending passwords in plain text, over the LAN."

At least that last part has improved, though the rest seems as it was 12 years ago. Despite specific suggestions from a big customer, Microsoft did almost nothing, and here we are, wormier than ever.
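
A minimal model of the gate the customer describes in front of the RUN API, as an added example that is not part of the original column and not any real Windows interface. `RunGate`, its methods, the HMAC-based caller authentication and the caller and file names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    ASK_USER = "ask_user"
    DENY = "deny"

class RunGate:
    """Hypothetical security front end to the column's RUN API."""
    def __init__(self, lockdown=False):
        self._keys = {}           # caller id -> secret issued at registration
        self.lockdown = lockdown  # True: refuse unknown callers, never prompt
        self.audit = []           # (caller, target, decision) for later review

    def register(self, caller):
        """Register an OS component, user shell or application; return its key."""
        self._keys[caller] = secrets.token_bytes(32)
        return self._keys[caller]

    @staticmethod
    def sign(key, target):
        """Tag a registered caller attaches to each run request."""
        return hmac.new(key, target.encode(), hashlib.sha256).digest()

    def request_run(self, caller, target, tag=b""):
        key = self._keys.get(caller)
        if key is not None and hmac.compare_digest(self.sign(key, target), tag):
            decision = Decision.ALLOW
        elif self.lockdown:
            decision = Decision.DENY      # "prevented from working altogether"
        else:
            decision = Decision.ASK_USER  # "ask the user for permission"
        self.audit.append((caller, target, decision))
        return decision

def demo(lockdown=False):
    """Constructed requests: a registered shell, an attachment, a spoofed name."""
    gate = RunGate(lockdown)
    shell_key = gate.register("user-shell")
    gate.register("mail-client")
    tag = RunGate.sign(shell_key, "notepad.exe")
    return [
        gate.request_run("user-shell", "notepad.exe", tag),
        gate.request_run("attachment:invoice.scr", "invoice.scr"),
        gate.request_run("mail-client", "payload.exe", b"\x00" * 32),
    ]
```

Only the registered, authenticated shell is allowed straight through; the attachment and the caller borrowing a registered name without its key fall to the prompt, or to an outright refusal when `lockdown` is set, and every decision lands in `audit`.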

Worms and viruses will always be with us in some form, but these are transitory problems. Something else happened last week that is far more serious and is going to create a major disruption in the fabric of cyberspace, yet nobody seems to have noticed. I'll present the evidence and let you decide.

There are several legal cases winding up right now that involve Microsoft. Last week, a jury in Chicago granted Eolas $520 million in damages from Microsoft for violations of its patent on certain types of web links. I covered this story a couple years ago, and you can find a link to that column under the Links of the Week button on this page. While $520 million is a lot of money even at Bill Gates' house, the Eolas award is actually larger than that. It has been accumulating interest since 1998, and now stands at $600+ million. By the time Microsoft appeals (and presumably loses), according to Eolas CEO Mike Doyle, the deferred award will be up around $1.3 billion.

What's interesting is not that Microsoft owes all that money, but what Eolas plans to do with the cash. I would move to the islands, myself, but Doyle plans to pursue other infringers (that would be almost every other Internet software company, so stop gloating you vendors) after Microsoft is vanquished and then to develop new technology with the money. "Our basic model hasn't changed," says Doyle. "[We will] build new technologies as a result of applied research, license some of those technologies to others, commercialize some of them ourselves, and spin others off into companies that Eolas maintains a significant stake in. In terms of the technologies that we plan on commercializing ourselves, the focus there will be on the browser application platform and the tools and facilities needed to enrich it to the point where it becomes a viable 'Web-OS.'"

Uh-oh. Isn't that what Netscape was purporting to be doing (a Web OS) back in the late 1990s when Microsoft decided that company had to die? Look for Microsoft to fight to the death on this one. And if they lose in the end I can't even imagine what will happen. Doyle swears he won't license his patents to Microsoft under any terms, so maybe Eolas will become the next Microsoft.

But Eolas is not the end of Microsoft's legal troubles, just the beginning. This is where it gets VERY interesting and where the element of time comes into real play.

The European Union two weeks ago announced its intention to both fine Microsoft and order unbundling of Windows Media Player from all versions of Windows sold in Europe. Oddly, the EU didn't order the fine and other changes, just indicated that it would shortly do so. Microsoft gets one last chance to comment, but it won't do any good because Microsoft won't willingly change anything. So I predict the EU will impose a fine of up to $3 billion and make Microsoft unbundle. Microsoft will claim it is being murdered, but will grudgingly comply.

Intertrust, a Digital Rights Management company owned by Philips and Sony, is suing Microsoft for patent infringement and seems to be making the case stick. Microsoft may soon be forced to pay another huge fine, remove the infringing DRM code from nearly all of its products, or license the DRM code from Intertrust at horrendous expense.

Those are the clues -- trouble for Microsoft in Europe, trouble for Microsoft in Digital Rights Management, and legal trouble for Microsoft in general. A lot is at stake here since Bill Gates has pinned the future success of his company on digital content delivery. Without Windows Media Player, that strategy is hobbled. I know that is only for Europe, but losing Europe is a fatal blow to a strategy that assumes global dominance. And without strong Digital Rights Management, Microsoft will lose the support of copyrighted content providers -- another fatal blow. Finally, juries are turning on Redmond as the company's modus operandi becomes clear. The question in the minds of Bill Gates and Steve Ballmer has to be, "How do we retake control of this strategy gone sour without getting into even greater legal trouble?"

There is a way, but only one way. These guys are smart and they'll eventually find it.

The forced unbundling of Windows Media Player in Europe will make Microsoft compete on a level playing field with companies like Real Networks and Apple Computer. That will be the whole point of the EU order, to encourage fair competition. But Microsoft HATES fair competition and hates a level playing field even more. In his heart of hearts, Bill Gates feels he needs an uneven playing field and will do whatever he can to create one.

Another Microsoft legal battle that looms is against Burst.com, a case about which I have also written in the past (Links of the Week). Burst says Microsoft stole its patented technology for creating instant-on streaming and improving streaming bandwidth utilization by an average of 30 percent by sending some data down the pipe before it is actually needed, thus keeping the pipe 100 percent full all the time. Something that looks remarkably like Burstware is a key component of Windows Media Player 9, which prompted the Burst lawsuit against Microsoft. Similar code (which Burst would probably say infringes its patents, too) can be found in the latest versions of RealPlayer and QuickTime. Right now, bursting is a key component of almost every mainstream media player.

The Burst v. Microsoft trial begins this fall, and it looks bad for Microsoft. If Eolas had a claim, well, Burst's claim is bigger, and the damages it will likely prove are greater. It might take another year or more, but this trial is likely to be extremely expensive for Microsoft, which could end up minus another billion or more and no longer have the right to use bursting in Windows Media Player, which would effectively kill the product.

Until a week ago, I would have said Microsoft's only hope was to settle with Burst, and in that settlement, gain a Burstware license. But now the EU has revealed its hand, and just buying off Burst and taking a license isn't enough. Microsoft -- which probably hasn't quite figured this out yet but eventually will -- now has to OWN the 37 Burst patents.

Owning the Burst patents would tilt the playing field again in Microsoft's favor. Even unbundled from Windows, Windows Media Player could continue to burst while RealPlayer and QuickTime could not. Microsoft's lawyers would see to that. Microsoft is accused of having an illegal monopoly, but a patent is by definition a LEGAL monopoly, even in Europe. Buying Burst or its patents would not only help Microsoft in Europe, it would kill Microsoft's competitors there and in the rest of the world while avoiding another embarrassing defeat in court. Even Microsoft's Digital Rights Management problems would be solved because Redmond could barter streaming licenses for DRM licenses. At the end of the day, Microsoft wins, but it all depends on a settlement in which Microsoft buys out Burst.

There is only one event that would prevent this outcome, and that's if someone else moves quicker than Microsoft to grab Burst.

Let the games begin.
