Unmistakable Marks

Warranted Genuine Snarks

Microsoft: Not So Omnipotent, Either

In the light of the latest round of viruses, it's once again time for the standard round of Microsoft attacks. Salon takes up the baton:

On Jan. 15, 2002, Bill Gates, the chairman of Microsoft, sent his staff a remarkably candid e-mail outlining his thoughts on the company's products: Our software isn't secure enough, he said, and we need to make it stronger. In the memo, which Microsoft quickly made available to the public, Gates lamented that computers -- unlike telephones or the water and electricity system -- do not meet the level of "trustworthiness" that the public expects of them. ...

But a year and a half since Gates sent his memo, it doesn't seem as if Microsoft is doing much better. Its software appears as vulnerable to security threats as it's ever been; indeed, August 2003 may be the worst month for viruses on record.

Here's the problem with that reasoning: According to Google, nearly two-thirds of the Windows machines out there are running a pre-XP operating system -- Windows 2000, Windows 98, Windows NT, or even Windows 95. Even if, starting in 2002, Microsoft had produced absolutely flawless software, the majority of Windows machines would still be bug-ridden messes.

Given that the majority of machines out there predate Microsoft's commitment to security, it's disingenuous to pretend that a virus outbreak belies that commitment. (And I'll note anecdotally that my Windows XP machine was safe from the recent worm because Windows Update -- a security measure newly prominent and automatic in XP -- made sure that I downloaded and installed all the patches.)

(Digressive parenthetical paragraph: It's also disingenuous to imagine that Microsoft could solve the problem of attachment viruses. There's simply no way to both a) allow people to exchange arbitrary programs via email and execute them, and b) prevent them from exchanging or executing harmful programs. The only way for Microsoft to prevent that sort of virus propagation would be to disallow executable attachments entirely. Which they did, in a patch to Outlook 2000. And which users predictably hated, refusing to install the patch. So Microsoft, newly focused on security, made the executable-attachment ban non-optional in Outlook XP -- and sites show how to hack around that, while excoriating Microsoft for being such meddling busybodies. They really can't win, can they?)

But if you want to know how serious Microsoft is about security, and would like a more realistic view of how hard their job is, read about it from the belly of the beast:

The company performed a much publicized and hugely expensive security push. Tons of bugs were filed and fixed. More importantly, the attitude of developers, PMs, testers and management was fundamentally changed. Nobody on our team discusses new features without considering security issues, like building threat models. Security penetration testing is a fundamental part of a test plan. ...

Unfortunately, it's still going to be a long time before all our code is as clean as it needs to be.

Some of the code we reviewed in the DCOM stack had comments about DGROUP consolidation (remember that precious 64KB segment prior to 32-bit flat mode?) and OS/2 2.0 changes. Some of these source files contain comments from the '80s. ...

We all know that Microsoft will remain a prime target for hacking. There's a reason that everyone attacks Microsoft rather than Apple or Novell. This just means that we have to do a lot better.

Unfortunately, this stuff is still way too difficult. It's a simple fact that only a small percentage of developers can write thread-safe free-threaded code. And they can only do it part of the time. The state of the art for writing 100% secure code requires that same sort of super-human attention to detail. And a hacker only needs to find a single exploitable vulnerability.

So if it's taking Microsoft more than a year and a half to get their code fixed; and if they maybe never quite get it entirely perfect... well, cut the guys some slack.

Comments | August 27, 2003

Microsoft: Not So Stupid

A cheap target for "Micro$loth" wags who want to rip on the Windows UI is the fact that, to shut down the computer, you first need to click Start. What a bunch of maroons those Microsoft people are, never to realize how silly that is! Or not:

But one thing kept getting kicked up by usability tests: People booted up the computer and just sat there, unsure what to do next.

That's when we decided to label the System button "Start".

It says, "You dummy. Click here." And it sent our usability numbers through the roof, because all of a sudden, people knew what to click when they wanted to do something.

So why is "Shut down" on the Start menu?

When we asked people to shut down their computers, they clicked the Start button.

Comments | August 23, 2003

Open Candor

The coolest thing about open-source software is... well, actually it's how amazingly, indispensably useful it is. But among the coolest things about open-source software is that individual programmers can speak a lot more freely and knowledgeably than PR flacks for big companies. Linus Torvalds on SCO:

eWEEK: For its part though, SCO has said that there are so many lines of code, and a variety of applications and devices that use that code, that simply removing the offending code would not be technically feasible or possible and would not solve the problem. Do you agree?

Torvalds: They are smoking crack. Their slides said there are [more than] 800,000 lines of SMP code that are "infringing," and they are just off their rocker. The SMP code was written by a number of Linux people I know well (I did a lot of the SMP IRQ scalability myself, personally), so their claims are just ludicrous. And they claim they own JFS [journaled file system technology] too. Whee. They're not shy about claiming ownership of other people's code--while at the same time beating their breasts about how they have been wronged. So the SCO people seem to have a few problems keeping the truth straight, but if there is something they know all about, it's hypocrisy.

Comments | August 21, 2003

Notes From the Powerless

After 26 hours, our part of Detroit has its power back. (Though as I write this, my Web host in New York appears to still be down; if you're seeing this, it's obviously up now...) Fragmentary thoughts on a protracted outage:

Man, it's good to have power again. I promise never to take electricity for granted ever again. For the next week or so, anyway.

Comments | August 15, 2003

Incurious George

In his unceasing efforts to make the world a better place, Bush is a resolute pragmatist:

"I'm more worried about families finding jobs and putting food on the table than I am about economic theory and economic numbers," he said.

Yeah, what do theory and numbers have to do with the economy, anyway? Why, Bush has ignored all that ivory tower bullshit so far, enacting a policy that's been harshly and widely criticized by those egghead economists, and the results have been... oh, right. Well.

Comments | August 13, 2003

News Flash: Google Is Neat

Okay, okay, it's hardly news. But Brad DeLong points out a cool feature I didn't know about, the Google Calculator.

Not only can you do straight calculation, you can do unit conversions by just typing "45 degrees celsius in fahrenheit" in the search box. (This is particularly helpful if you're wondering how powerful your car's engine needs to be to travel in time.)

Truly, all knowledge is contained in Google.

Comments | August 13, 2003

The March of Science

Following hot on the news of the creation of five-quark particles, scientists are now reporting another major breakthrough: the four-bladed Schick Quattro razor.

I'm looking forward to future advances in the field; we can no doubt expect to see the introduction of the Gillette Pentium five-bladed razor, and perhaps even the eventual development of massively parallel architectures and RAIB technology.

Why, if things get really advanced, there's even a chance that someday people will shave with electricity-powered "auto-razors." Truly, the future is bright and whisker-free.

Comments | August 12, 2003

A Day at the Track

In the last month, "electability" has made a surprising surge in the polls, and is now poised to leap to the front of the pack of Words I Never Want To Hear Again.

"Electability" is an irritating concept in the obvious horse-race ways, of course. It tells us nothing about a candidate's positions, competence, or even their general likability -- only where they stand in the race at the moment. But beyond that, it's a stupid concept because it's another example of the Motivation Guessing Game.

The Motivation Guessing Game is great fun. The way to play is to take a bunch of people who all share a common worldview, tell them a few random facts about a bunch of other people who seem not to share their worldview, and then ask them what the strangers would think about any particular issue. For extra fun, feel free to seed the game with focus group quotes, poll results, and "expert" studies.

This has long been a popular pastime on Slashdot, where a bunch of geeks sit around and try to imagine what goes on in the head of Suits. They postulate motivations and actions that bear little connection to the actual world, and proclaim that everyone should act in bizarre, unnatural ways so as to satisfy the imagined motivations of the Suits.

It's not limited to Slashdotters, though. You can see the same situation when a group of Mac users talk about what it would take to convert PC users, when the audiophile editors of Stereophile wonder at the motivations of people who don't care about high-end sound, when resume writers try to game the hiring manager, and when Toyota executives transparently strive to appeal to the imagined tastes of those dang kids.

And in every case, the problem is the same: The people who are trying to understand the people they don't understand, don't understand those people. They take a few half-truths and received wisdoms, mix 'em up with some dubious psychology and wishful thinking, and come to preposterous conclusions. Every Pontiac Aztek and every resume on pink paper is a result of someone thinking, "Well, sure, I wouldn't want that -- but I bet they would."

Democrats guessing at what undecided voters want aren't likely to be any better at it than GM executives and desperate job seekers. Trying to guess what other people will like is never a high-percentage operation, despite all the polls and focus groups that can be brought to bear on the subject. All the talk about what (other, hypothetical) people will find "electable" is just dart throwing disguised as serious analysis.

Comments | August 11, 2003

Font of Wisdom

Here's the part where I use this blog for my own selfish gain: Does anyone know of a site that lists which fonts come with which operating systems and major software packages?

Because I'm sitting here staring at "Palatino Linotype," and it's nice enough that I'd like to be able to use it somewhere (with Georgia, Times New Roman, and generic serif families as fallbacks). If it came with Windows, I think I'm fine with that. If it came with Office, I'm ambivalent. If it came with some random program that I installed at some point, I probably shouldn't even bother. But I have no idea which of these is the case. Do you?

Comments | August 4, 2003

In Defense of Plastic

The Wall Street Journal's Jeff Opdyke has a conversion experience, and switches from his sinful credit card ways to a virtuous cash-based financial system. Oh, how I roll my eyes.

Credit cards get a bad rap, and seemingly the first step in any "improve your finances" checklist is to avoid using them -- advice which is not merely bad, but actively counter-productive.

Yes, yes, I'll freely admit that if you're an undisciplined money-waster, credit cards will fuck you up. But then, so will cash. I know far too many people who budget by the balance on their ATM, pay pointless overdraft fees, and have no idea at the end of the month how much they've spent on anything. Credit cards offer a larger scale for upfuckage, perhaps -- it's hard to get your net worth too far below zero with cash -- but if your money management is undisciplined, you're fucked no matter what you do. A perpetual $0 balance may be better than a $10K debt, but neither of them is good.

The only way to ever get your finances under control is to have a budget, and a feedback loop for comparing reality against the budget. The feedback loop is crucial: You might think you spend $60 on gas a month, but when you actually get the numbers, it might turn out to be more than $100. You might guess that eating out costs you $40, but it's actually $80. Without accurate numbers, you don't know anything; plans based on guesses and wishful thinking aren't likely to succeed.

With cash, it's almost impossible to collect the data. At the end of every month, all you'll know from your bank statements is that you withdrew $480 in cash from ATMs over the course of the month; you'll know nothing at all about where you spent it. But with credit, you get a convenient little monthly report listing every dollar you spent and where you spent it.

And with modern tools, it gets even easier: Downloading data into Quicken is a ten second process, and can give you accurate, up-to-date information about the current state of everything; expenditures can be easily assigned to budget categories; discrepancies can be examined; graphs can be generated. With credit cards plus Quicken, you have a piercing, insightful, and objective eye. With cash, you've got nothing.

There are other benefits of credit cards, too, like greater fault-tolerance (better a one-month loan at 12% than a $30 insufficient funds fee, if you accidentally go over budget), float, rewards, and credit score improvement; but transparency is the killer feature of credit cards that makes them invaluable for financial control.

(This entry paid for by the Credit Card Council of America. Credit: It's What's For Dinner.™)

Comments | August 4, 2003

Corporations As People

It's natural to talk about corporations as entities-in-themselves, with phrases like "Microsoft is evil," but there are times when that sort of loose talk just confuses things. Consider the MCI bankruptcy plan, to which there is inexplicable opposition:

Critics of telecommunications giant WorldCom (now renamed MCI) blasted its bankruptcy reorganization plan during a U.S. Senate committee hearing Tuesday, saying the plan in place neglects to punish the company for its past accounting fraud and puts competitors at a disadvantage in the marketplace. ...

Sen. Richard Durbin (D-Ill.) questioned why the U.S. government continues to award contracts to MCI after the fraud scandal. "Eleven billion dollars in accounting fraud ... and what was the net result for MCI/WorldCom?" he asked. "It appears that they've done quite well. It appears that their approach is, 'everyone has a bad day.'"

This is, as far as I can make out, an absolutely incoherent position. What does it mean to punish "the company"? Surely it must mean punishing the people who own the company, and who made money off its chicanery; but the bankruptcy plan already does that -- it transfers ownership of the company from its current owners to its creditors. How can you possibly say that the owners of MCI have "done quite well", when they've lost everything they had invested in the company?

If you want to talk sensibly about the WorldCom bankruptcy, don't talk about abstract notions like "the company"; talk about concrete groups of people -- the owners, the creditors, the employees, the customers. As it is, I have no idea if there's really anything objectionable about the MCI deal, or if the other evil telco companies are just trying to eliminate competition via a smear campaign that provides good sound bites but no meaning.

Comments | August 4, 2003

Standard Snarks

James Gosling (who, no matter what else he does in his life, will be forever known as "the Java guy"), has a mathematical look at the standards process.

Amusingly, I thought this was a dig at the W3C's recent spate of controversial XML specs, until I saw the August 1990 date on it. Now I'm just wondering what standards would have been considered politically contentious in 1990. CORBA?

Comments | August 2, 2003

Spamming Van Gogh

It's my theory that you can divide the Internet into eras based on the most prevalent type of spam. I came on board during the tail end of the "MAKE MONEY FAST" era, have passed through the Viagra and Nigerian eras, and now find myself -- bizarrely -- in the Dead European Artists era.

Comments | August 1, 2003
