Bill Gates is a tough act to follow, but Platforms Group VP Jim Allchin managed to raise the bar still higher in Microsofts drive to insult every possible party—including customers and partners, as well as the courts and its competitors—in the course of its antitrust defense.
Two weeks ago, Gates testimony in the U.S. District Court suggested that PC makers would maximize short-term profits by selling defective products, incapable of performing the tasks for which they were bought, unless they were constrained by Microsofts benevolent dictatorship. The court record shows the opposite to be true: it was Microsoft, for example, that demanded Hewlett-Packards removal (Findings of Fact, paragraph 214) of an alternative introductory interface for new users, resulting in higher user support costs and an increased rate of PC returns to retailers.
This week, Allchin implied that Microsofts security problems signify the weakness of existing technologies—as opposed to Microsofts implementations—and that future security can only be achieved by Microsoft innovations that are not subject to public disclosure or peer review. In the process, though, he flies in the face of proven encryption practices by defending, for example, the use of digital content rights management technologies that embed decryption keys in hardware products.
Paragraph 23 of Allchins testimony, as analyzed by cryptography authority Bruce Schneier (CTO of Counterpane Internet Security Inc.), accurately describes the problem of digital rights management—but then, with its endorsement of “obfuscation” techniques, “claims that a solution that doesnt work will fix it,” in Schneiers words; “Every digital rights management system has been broken, and will be…theres no way to hide the key.
“What [Allchin] seems to be saying,” added Schneier, is “We dont have time to wait for review, so we have to publish lousy stuff.” Schneier argues the opposite case: “Even if you must invent, and cant wait, you should publish—because then its discussed, instead of being broken in secret.”
In paragraph 30, Allchin asserted: “The more creators of viruses know about how anti-virus mechanisms in Windows operating systems work, the easier it will be to create viruses to disable or destroy those mechanisms.” It didnt take inside knowledge for the Melissa attack to disable the anti-virus tools in Microsoft Office: All that was needed was a script that called widely published APIs, but that is not an argument against disclosing future APIs. It is, rather, a demonstration of a flawed design that fails to define distinct privilege levels for the system, for the user, and for untrusted foreign code.
The worse the design, the stronger the moral as well as the technical imperative for full disclosure: obfuscation is, at best, a temporary defense against such flaws, and a temporary defense is only good enough if a vendor plans to produce a steady stream of flawed but novel technologies. As a tool for maximizing vendor revenues, this may make sense—but only until IT buyers catch on.
Allchin practices additional obfuscation in the matter of Microsofts support for open standards. He praises SOAP in paragraph 58, and UDDI in paragraph 60; a few breaths later, in paragraph 63, he says that “Each of the standards essential to the .NET platform is available to the industry at large. Microsoft does not own those standards or control their development.” And yet, UDDI 2.0 carries only a guarantee of “reasonable and non-discriminatory” licensing terms, rather than the royalty-free licensing that has been the distinguishing feature of Web standards to date; crucial security protocols proposed for SOAP are likewise yet to be opened to royalty-free use.
We would be remiss if we failed to acknowledge Allchins valid points. Yes, Microsoft has done an outstanding job of paving the way for Web services development in its newly released Visual Studio .Net, and Sun Microsystems has left itself open to criticism with its failure to pursue a clear path toward a neutral standards bodys control of the Java platform. Yes, Microsofts own implementations of Java have often set the standard for performance and even for their support of the full provisions of Suns specifications.
Overall, however, the thrust of Allchins testimony—like that of Bill Gates before him—is that Microsoft knows best, and that the government and the industry should allow the company to continue with business as usual. Whether the topic is the technology and practice of security, the openness of Internet standards, or the freedom and vigor of IT competition, Microsoft management must be made to understand that business as usual is the last thing that its customers will accept.
