corner the market; shoulder the responsibility
October 31, 2000 (as amended)

an updated stance on this issue is available here

Security "experts" suggest harsher penalties for the creators of viruses and worms such as I Love You.. but this is missing the point.

Those viruses and worms would not be effective except for a particular flaw in the design of a given piece of computing equipment.

This indicates that it is more likely the manufacturer of the equipment which should be penalised, if anybody is to be, as it is they that produced the defective product in question.

A witchhunt does nothing to address the source of the problem: bad code at Microsoft Corporation. Poor design has been around at least since Windows 3.1 - people could embed malicious code into OLE objects as far back as 1994.

To step further back, there would not be such a problem at all, if there were alternative manufacturers to choose from. The anti-competitive nature of the personal computer operating system marketplace leaves customers vulnerable.

That is, if there were alternatives to Windows, it wouldn’t matter so much about some-such virus that infects [a particular vendor’s email program].

A witchhunt diverts attention from the systematic subversion of this market by the same aforementioned Microsoft Corporation.

The consequences of negligent coding by this company are varied:

  1. more benign virus, worm and trojan horse outbreaks
  2. loss of privacy and increased exposure to espionage
  3. increased exposure to hijacking (remotely seizing control of another computer and using it to commit further crime)

With reference to the first point, benign incidents are expensive; cleaning up after Melissa was expensive enough, yet it did almost nothing destructive; I Love You was more expensive - and took the opportunity to delete data, JPEG and MP3 files - popular formats for images and music. The next I Love You could be much more destructive - and more expensive still.

With reference to the second point, the recent penetration of Microsoft (by “hackers”) demonstrates the value of commercial intellectual property, and the potential loss it represents, should it emerge in the public domain.

With reference to the third point, it would be in everybody’s interests to ensure that its machines were not hijacked, as if they are then used in a serious crime, then the administrator of that machine may well be questioned as to whether they had taken reasonable steps to prevent such an occurrence. If they have not taken reasonable steps they may be liable for damages.

The cost of damages sustained while these three issues are resolved - and there is no indication that such a resolution is likely anytime soon, given the legal predicaments and proven ineptitude of the aforementioned Microsoft Corporation, and the sluggishness of the market they helped undermine - is likely to be very large.

Given that the aforementioned Microsoft Corporation has been found guilty of anti-competitive trade practice, and given that even their own network cannot be made safe - surely there is a case to be made that the cost of the aforementioned damages should be borne by them.

It may be prudent to audit the cost of security, with respect to operating system patches, upgrade expenses, downtime, lost productivity and wages, etc., so as to present them in a log of claims in a class action.

But perhaps most prudent would be to support, more than ever, alternatives to Microsoft products. There is no business case to rely on a single source or manufacturer of anything. And there are plenty of reasons to nurture the life back into the market. But supporting the status quo is a good way to demonstrate that you knowingly exposed yourself to the risks.

In March 2002 the CIO of the USAF, John Gilligan, said: "coding errors in commercially developed software account for roughly 80% of successful system intrusions... and that the overall life-cycle cost and vulnerability [of Microsoft products] may cause us to look at other products... it’s not an economic security issue anymore, it’s a national security one."

Note: If you remain unconvinced about the shadiness of Microsoft's corporate character, try this link. It's written by Andrew Schulman, Senior Editor, O'Reilly & Associates, and contributed to by Dr. Mark Russinovich, now a senior research scientist at SysInternals. And it once was hosted on a Digital/Compaq/HP webserver - although they've now taken it offline, the Wayback Machine has it. Read how Microsoft subverted the webserver marketplace, by restricting the licensing on NT Workstation to ten concurrent users, including connections from the internet, such as users of websites. NT Server, which has no such restriction, has IIS bundled. So there's no need, and a reduced incentive, to shop around.

Note: If you remain unconvinced about the unreliability of Microsoft's products, try this link. It's written by the National Infrastructure Protection Centre, part of the United States Government, and it's an advisory to system administrators to patch three dangerous vulnerabilities in NT Server and Workstation, IIS, and also Microsoft SQL Server and Microsoft Data Engine.

Note: A little more on anti-competitive trade practices. Office 2000 has features that magically activate if it's running on Windows 2000. So users who choose not to use Microsoft's operating system, but still use their Office software, are disadvantaged. This secondary boycott discourages users from acquiring alternative operating systems, and discourages developers from supplying them. Is this conduct for the purpose of, and would it have the likely effect of, substantially lessening competition?

"The threat to cancel Mac Office 97 is certainly the strongest bargaining point we have, as doing so will do a great deal of harm to Apple immediately." -- Ben Waldman, Microsoft manager of Macintosh Development, in email to Bill Gates and other Microsoft executives. [6/27/97]

"There are significant possibilities for product differentiation which could enhance competition but which at present are neutralized by Microsoft's conduct." -- Judge Bo Vesterdorf of the European Court of the First Instance, December 22, 2004 more ..

Still unconvinced? OK, here's my top 113 reasons not to run IIS - these came from an IIS webserver left on the net for a while. Why not try them out on your own IIS server? All patched up? These attack strings are out there, packaged in easy-to-use "autorooters". One can try and secure oneself against the blizzard - or one can take one of a multitude of easy, cost-effective, feature-laden, faster, more secure and more reliable unix-based alternatives.