Warranted Genuine Snarks
Microsoft: Not So Omnipotent, Either
In the light of the latest round of viruses, it's once again time for the standard round of Microsoft attacks. Salon
takes up the baton:
On Jan. 15, 2002, Bill Gates, the chairman of
Microsoft, sent his staff a remarkably candid e-mail outlining his
thoughts on the company's products: Our software isn't secure enough,
he said, and we need to make it stronger. In the memo, which Microsoft
quickly made available to the public, Gates lamented that computers --
unlike telephones or the water and electricity system -- do not meet
the level of "trustworthiness" that the public expects of them. ...
But a year and a half since Gates sent his memo, it doesn't seem as if
Microsoft is doing much better. Its software appears as vulnerable to
security threats as it's ever been; indeed, August 2003 may be the
worst month for viruses on record.
Here's the problem with that reasoning: According to Google, nearly two-thirds of the Windows
machines out there are running a pre-XP operating system -- Windows
2000, Windows 98, Windows NT, or even Windows 95. Even if, starting
in 2002, Microsoft had produced absolutely flawless software, the
majority of Windows machines would still be bug-ridden messes.
Given that the majority of machines out there predate Microsoft's
commitment to security, it's disingenuous to pretend that a virus
outbreak belies that commitment. (And I'll note anecdotally that my
Windows XP machine was safe from the recent worm because Windows
Update -- a security measure newly prominent and automatic in XP --
made sure that I downloaded and installed all the patches.)
(Digressive parenthetical paragraph: It's also disingenuous to imagine that Microsoft could solve the problem of attachment viruses. There's simply no way to allow people to a) exchange arbitrary programs via email and execute them, and b) prevent them from exchanging or executing harmful programs. The only way for Microsoft to prevent that sort of virus propagation would be to disallow executable attachments entirely. Which they did, in a patch to Outlook 2000. And which users predictably hated, refusing to install the patch. So Microsoft, newly focused on security, made the executable-attachment ban non-optional in Outlook XP -- and sites show how to hack around that, while excoriating Microsoft for being such meddling busybodies. They really can't win, can they?)
But if you want to know how serious Microsoft is about security, and would like a more realistic view of how hard their job is, read about it from the belly of the beast:
The company performed a much publicized and hugely expensive security
push. Tons of bugs were filed and fixed. More importantly, the
attitude of developers, PMs, testers and management was fundamentally
changed. Nobody on our team discusses new features without
considering security issues, like building threat models. Security
penetration testing is a fundamental part of a test plan. ...
Unfortunately, it's still going to be a long time before all our code
is as clean as it needs to be.
Some of the code we reviewed in the DCOM stack had comments about
DGROUP consolidation (remember that precious 64KB segment prior to
32-bit flat mode?) and OS/2 2.0 changes. Some of these source files
contain comments from the `80s. ...
We all know that Microsoft will remain a prime target for hacking.
There's a reason that everyone attacks Microsoft rather than Apple or
Novell. This just means that we have to do a lot better.
Unfortunately, this stuff is still way too difficult. It's a simple
fact that only a small percentage of developers can write thread-safe
free-threaded code. And they can only do it part of the time. The
state of the art for writing 100% secure code requires that same sort
of super-human attention to detail. And a hacker only needs to find a
single exploitable vulnerability.
So if it's taking Microsoft more than a year and a half to get
their code fixed; and if they maybe never quite get it entirely
perfect... well, cut the guys some slack.
Microsoft: Not So Stupid
A cheap target for "Micro$loth" wags who want to rip on the Windows UI, is the fact that to shut down the computer, you need to first click start. What a bunch of maroons those Microsoft people are, never to realize how silly that is! Or not:
But one thing kept getting kicked up by usability tests: People
booted up the computer and just sat there, unsure what to do next.
That's when we decided to label the System button "Start".
It says, "You dummy. Click here." And it sent our usability numbers through the roof, because all of a sudden, people knew what to click when they wanted to do something.
So why is "Shut down" on the Start menu?
When we asked people to shut down their computers, they clicked the Start button.
The coolest thing about open-source software is... well, actually it's how amazingly, indispensably useful it is. But among the coolest things about open-source software is that individual programmers can speak a lot more freely and knowledgeably than PR flacks for big companies. Linus Torvalds on SCO:
eWEEK: For its part though, SCO has said that there are so many lines
of code, and a variety of applications and devices that use that code,
that simply removing the offending code would not be technically
feasible or possible and would not solve the problem. Do you agree?
Torvalds: They are smoking crack. Their slides said there are [more
than] 800,000 lines of SMP code that are "infringing," and they are
just off their rocker. The SMP code was written by a number of Linux
people I know well (I did a lot of the SMP IRQ scalability myself,
personally), so their claims are just ludicrous. And they claim they
own JFS [journaled file system technology] too. Whee. They're not shy
about claiming ownership of other people's code--while at the same
time beating their breasts about how they have been wronged. So the
SCO people seem to have a few problems keeping the truth straight, but
if there is something they know all about, it's hypocrisy.
Notes From the Powerless
After 26 hours, our part of Detroit has its power back. (Though as
I write this, my Web
host in New York appears to still be down; if you're seeing this,
it's obviously up now...) Fragmentary thoughts on a protracted
- When I think of electricity's killer apps, I think of things
like lights and computers. Well, those are nice (especially
computers), but after 26 hours without power, I can definitively say
that the things you really miss are refrigeration and pumps (of both
the water and gasoline variety). You can shrug off the Internet for a
day, but it's a lot harder to do the same to toilets. The 1970s-era
gas lines at the few working stations are a bit amusing, admittedly;
but then, I filled my car up Thursday morning.
- Within a half hour of power-down, the radio stations were talking
about "what may come to be called The Great Blackout of 2003"; within
an hour, they were talking about "what some are already calling The
Great Blackout of 2003"; a day later, it's "The Northeast Blackout."
So much for early nomenclature.
- I learned today a lesson that the good folks of Peshtigo, WI
learned over a century ago -- if you're going to have a major problem
and you'd like your area to get real attention, try not to have it
happen on the same day as an identical problem in a larger area.
Yeah, we feel for you, New York, but it'd be nice not to be "... and
other cities, including Detroit." Hmph. (Peshtigo, by the way, burned down on the same
day as the Chicago Fire. Their historical museum is a bit defensive about
it, pointing out that more people died in Peshtigo than Chicago.)
- Thursday night, I went outside and looked at the sky. It's an odd
thing to be in the middle of a major metro area and see more than a
handful of stars. It still wasn't a full-on starry night like the
ones I grew up with in ruralia, but something to see nonetheless.
Man, it's good to have power again. I promise never to take electricity for granted ever again. For the next week or so, anyway.
In his unceasing efforts to make the world a better place, Bush is a resolute pragmatic:
"I'm more worried about families finding jobs and putting food on the
table than I am about economic theory and economic numbers," he said.
Yeah, what do theory and numbers have to do with the economy,
anyway? Why, Bush has ignored all that ivory tower bullshit so far,
enacting a policy that's been harshly and widely criticized by those
egghead economists, and the results have been... oh, right. Well.
News Flash: Google Is Neat
Okay, okay, it's hardly news. But Brad DeLong points out a cool feature I didn't know about, the Google Calculator.
Not only can you do straight calculation, you can do unit conversions by just typing 45 degrees celsius in fahrenheit in the search box. (This is particularly helpful if you're wondering how powerful your car's engine needs to be to travel in time.)
Truly, all knowledge is contained in Google.
The March of Science
Following hot on the news of the
creation of five-quark particles, scientists are now reporting another major breakthrough: the
four-bladed Schick Quattro razor.
I'm looking forward to future advances in the field; we can no doubt expect to see the introduction of the Gillette Pentium five-bladed razor, and perhaps even the eventual development of massively parallel architectures and RAIB technology.
Why, if things get really advanced, there's even a chance that
someday people will shave with electricity-powered "auto-razors."
Truly, the future is bright and whisker-free.
A Day at the Track
In the last month, "electability" has made a surprising surge in
the polls, and is now poised to leap to the front of the pack of Words
I Never Want To Hear Again.
"Electability" is an irritating concept in the obvious horse-race
ways, of course. It tells us nothing about a candidate's positions,
competence, or even their general likability -- only where they stand
in the race at the moment. But beyond that, it's a stupid concept
because it's another example of the Motivation Guessing Game.
The Motivation Guessing Game is great fun. The way to play is to
take a bunch of people who all share a common worldview, tell them a
few random facts about a bunch of other people who seem not to share
their worldview, and then ask them what the strangers would think
about any particular issue. For extra fun, feel free to seed the game
with focus group quotes, poll results, and "expert" studies.
This has long been a popular pastime on Slashdot, where a bunch of geeks
sit around and try to imagine what goes on in the head of Suits. They
postulate motivations and actions that bear little connection to the
actual world, and proclaim that everyone should act in bizarre,
unnatural ways so as to satisfy the imagined motivations of the
It's not limited to Slashotters, though. You can see the same
situation when a group of Mac users talk about what it would take to
convert PC users, when the audiophile editors of Stereophile wonder at
the motivations of people who don't care about high-end sound, when
resume writers try to game the hiring manager, and when Toyota
executives transparently strive to
appeal to the imagined tastes of those dang kids.
And in every case, the problem is the same: The people who are
trying to understand the people they don't understand, don't
understand those people. They take a few half-truths and received
wisdoms, mix 'em up with some dubious psychology and wishful thinking,
and come to preposterous conclusions. Every Pontiac Aztek and every
resume on pink paper is a result of someone thinking, "Well, sure, I
wouldn't want that -- but I bet they would."
Democrats guessing at what undecided voters want aren't likely to
be any better at it than GM executives and desperate job seekers.
Trying to guess what other people will like is never a high-percentage
operation, despite all the polls and focus groups that can be brought
to bear on the subject. All the talk about what (other, hypothetical)
people will find "electable" is just dart throwing disguised as
Font of Wisdom
Here's the part where I use this blog for my own selfish gain: Does
anyone know of a site that lists which fonts come with which operating
systems and major software packages?
Because I'm sitting here staring at "Palatino Linotype," and it's
nice enough that I'd like to be able to use it somewhere (with
Georgia, Times New Roman, and generic serif families as fallbacks).
If it came with Windows, I think I'm fine with that. If it came with
Office, I'm ambivalent. If it came with some random program that I
installed at some point, I probably shouldn't even bother. But I have
no idea which of these is the case. Do you?
In Defense of Plastic
The Wall Street Journal's Jeff Opdyke has
a conversion experience, and switches from his sinful credit card
ways to a virtuous cash-based financial system. Oh, how I roll my
Credit cards get a bad rap, and seemingly the first step in any
"improve your finances" checklist is to avoid using them -- advice
which is not merely bad, but actively counter-productive.
Yes, yes, I'll freely admit that if you're an undisciplined
money-waster, credit cards will fuck you up. But then, so will cash.
I know far too many people who budget by the balance on their ATM, pay
pointless overdraft fees, and have no idea at the end of the month how
much they've spent on anything. Credit cards offer a larger scale for
upfuckage, perhaps -- it's hard to get your net worth too far below
zero with cash -- but if your money management is undisciplined,
you're fucked no matter what you do. A perpetual $0 balance may be
better than a $10K debt, but neither of them is good.
The only way to ever get your finances under control is to have a
budget, and a feedback loop for comparing reality against the budget.
The feedback loop is crucial: You might think you spend $60 on
gas a month, but when you actually get the numbers, it might turn out
to be more than $100. You might guess that eating out costs you $40,
but it's actually $80. Without accurate numbers, you don't know
anything; plans based on guesses and wishful thinking aren't likely to
With cash, it's almost impossible to collect the data. At the end
of every month, all you'll know from your bank statements is that you
withdrew $480 in cash from ATMs over the course of the month; you'll
know nothing at all about where you spent it. But with credit, you
get a convenient little monthly report listing every dollar you spent
and where you spent it.
And with modern tools, it gets even easier: Downloading data into
Quicken is a ten second process, and can give you accurate, up-to-date
information about the current state of everything; expenditures can be
easily assigned to budget categories; discrepancies can be examined;
graphs can be generated. With credit cards plus Quicken, you have a
piercing, insightful, and objective eye. With cash, you've got
There are other benefits of credit cards, too, like greater
fault-tolerance (better a one-month loan at 12% than a $30
insufficient funds fee, if you accidentally go over budget), float,
rewards, and credit score improvement; but transparency is the killer
feature of credit cards that makes them invaluable for financial
(This entry paid for by the Credit Card Council of America. Credit: It's What's For Dinner.TM)
Corporations As People
It's natural to talk about corporations as entities-in-themselves, with phrases like "Microsoft is evil," but there are times when that sort of loose talk just confuses things. Consider the MCI bankruptcy plan, to which there is inexplicable opposition:
Critics of telecommunications giant WorldCom (now renamed MCI) blasted
its bankruptcy reorganization plan during a U.S. Senate committee
hearing Tuesday, saying the plan in place neglects to punish the
company for its past accounting fraud and puts competitors at a
disadvantage in the marketplace. ...
Sen. Richard Durbin (D-Ill.) questioned why the U.S. government
continues to award contracts to MCI after the fraud scandal. "Eleven
billion dollars in accounting fraud ... and what was the net result
for MCI/WorldCom?" he asked. "It appears that they've done quite well.
It appears that their approach is, 'everyone has a bad day.'"
This is, as far as I can make out, an absolutely incoherent
position. What does it mean to punish "the company"? Surely it must
mean punishing the people who own the company, and who made money off
its chicanery; but the bankruptcy plan already does that -- it
transfers ownership of the company from its current owners to its
creditors. How can you possibly say that the owners of MCI have "done
quite well", when they've lost everything they had invested in the
If you want to talk sensibly about the WorldCom bankruptcy, don't
talk about abstract notions like "the company"; talk about concrete
groups of people -- the owners, the creditors, the employees, the
customers. As it is, I have no idea if there's really anything
objectionable about the MCI deal, or if the other evil telco companies
are just trying to eliminate competition via a smear campaign that
provides good sound bites but no meaning.
James Gosling (who, no matter what else he does in his life, will be forever known as "the Java guy"), has a mathematical look at the standards process.
Amusingly, I thought this was a dig at the W3C's recent spate of controversial XML specs, until I saw the August 1990 date on it. Now I'm just trying to wonder what standards would have been considered politically contentious in 1990. CORBA?
Spamming Van Gogh
It's my theory that you can divide the Internet into eras based on
the most prevalent type of spam. I came on board during the tail end
of the "MAKE MONEY FAST" era, have passed through the Viagra and
Nigerian eras, and now find myself -- bizarrely -- in the Dead
European Artists era.