Trustworthy Computing in 2002
2002 was the year that Linux made big news, and Microsoft admitted that Linux was its greatest threat. Microsoft's continued attempts at spreading Fear, Uncertainty and Doubt (FUD) in an effort to turn people away from Linux and Open Source didn't get anywhere. Microsoft's major focus on increasing security didn't get anywhere either. To top it off, Microsoft even ended up paying people to use its software.
Trustworthy computing?
The multitude of virus and security related issues that occurred in 2001 left Microsoft with plenty of egg on its face. As a result of such obvious failings, Microsoft initiated the 'Trustworthy Computing' scheme, with its positive focus on reliability, security, privacy and business integrity. 2002 saw Microsoft marketing many 'initiatives' such as this, using names which stood for the opposite of how people actually felt about the company and its software.
In a further bid to stop people from focusing on its failings, Microsoft decided to take a month out early in the year to perform a security review, apparently costing $100 Million. Although appearing dedicated to becoming more secure, the security-conscious 'plans' didn't do much for Microsoft's attitude. Not only did Microsoft continue taking months (literally) to patch the multitude of fresh bugs that were appearing, but it deemed incidents such as the SSL flaw in August as unimportant, and in the end it was forced (literally) to patch it. The attitude against any reported bug was that if it didn't match Microsoft's checklist criteria then it wouldn't be fixed, even though it was in its power to do so (Microsoft's definition of a security vulnerability can be found here).
Even by the end of the year Microsoft hadn't shown any real signs of change. In December Microsoft provided a patch for a flaw in Internet Explorer, but downplayed its importance, rating it 'moderate' although experts said it was serious and could be exploited to take over a user's machine. This came at a time when Microsoft had just modified its rating service, so that fewer vulnerabilities would get the higher ratings. The flaw was one of many discovered by security company GreyMagic as early as October, and with the patch in December Microsoft still hadn't fixed 18 flaws found at that time, six of which were reported to be serious.
Microsoft's trustworthiness was questioned earlier in the year, as it voiced a desire to keep the discovery of bugs in its software hidden from public knowledge, wishing only to disclose the information after a fix had been made available. This meant that applications could remain vulnerable indefinitely, until Microsoft decided (if in fact it did decide) to fix the problems, and nobody would even be aware that a vulnerability existed - except maybe a few crackers and their friends. Needless to say, the vast majority of people were firmly against this stance.
The success of Microsoft's Xbox game console was dependent on Microsoft maintaining full control over the Xbox and the software it would run (the same lock-in based situation that applies to all console manufacturers), as it was losing money producing the console and sought to make a profit from subsequent software sales.
Xbox used a hardware-based security system, consisting of chips that used encryption to deter people from running any software except what Microsoft wanted them to run, preventing piracy and maintaining Microsoft's control over what the Xbox was used for.
The encryption was soon cracked, enabling the development of 'Mod chips' that removed any restrictions imposed by Microsoft. This also meant that the Xbox could be used as an inexpensive PC that would even run Linux, losing Microsoft valuable software sales. Shortly after the first Mod chips were available, Microsoft discarded its current stockpile of chips - at a further loss - and got nVidia (the supplier of the chips) to create new ones that were tougher to crack. About a week later the new chips were also cracked.
Obviously lacking in the area of security, near the end of the year Microsoft bought Liquid Audio's digital rights and file transferal patents, and also bought the company XDegrees to secure its .Net core.
Microsoft openly admitted that security hadn't been at the forefront of its business model, but came up with a weak excuse that this was due to people being unwilling to pay for it. With this statement Microsoft tried to paint a picture of security being an optional extra rather than a necessary component that had been neglected. Microsoft's Craig Mundie even went so far as to say "The operating system is designed to run on machines that are not designed yet", taking the blame from Windows and placing it with hardware manufacturers!
At this time Microsoft came out with the idea of Palladium, a combined software/hardware based security system. The idea was that only trusted and approved applications and data would be able to run on your computer. With 2002 seeing a great deal of conflict concerning digital rights, Microsoft jumped onto the scene pushing Palladium, as it also had the desire to maintain control of its own intellectual property. Palladium seemed a logical answer for digital rights, allowing the creator of an application or data to deny access to those things on any user's hard disk, even allowing files to be remotely deleted. The idea of what this system could do caused concern, and the idea of Microsoft having control over it caused even more concern.
In October, Gartner said that Microsoft would be unlikely to have anything that comes close to secure software until 2004 at the earliest, and it was also around this time that Microsoft mentioned a desire to start selling security products! Later in October there was a security breach on the server operating the Windows Beta website, a repository for nearly all Microsoft software applications undergoing beta testing. Any number of applications currently in beta could have been compromised even though they weren't (according to Microsoft). Regardless of whether or not any applications were compromised, this was a further blow to Microsoft's increasingly poor security.
During the year there was a plethora of bugs in Microsoft's SQL server, IIS, Outlook/Outlook Express and components of Microsoft Office. There was a barrage of news articles pointing out the vast number of security issues within Microsoft's Internet Explorer (IE), some even going so far as to advise that people ditch IE altogether. While IE got bad press, Mozilla hit the press as it achieved its 1.0 milestone, producing a stable Open Source browser adhering to Web standards better than IE. Microsoft's polluted Java implementation was reported to be full of holes, while the holes were not found in Sun's original version of Java on which Microsoft had developed its own. In fact, it appeared that Microsoft had a kind of Midas touch, where everything it touched turned to holes.
Even some of the patches Microsoft provided for the holes were poorly developed. There was the IE patch that claimed to fix vulnerabilities that it didn't, the IE patch that caused the browser to crash, the Outlook Express patch that wouldn't install, the Win2K service pack that caused a Blue Screen Of Death and various other patches that appeared to cause problems. Also, there was WinXP service pack 1.
WinXP service pack 1 was supposed to fix some issues and implement changes brought about by the Anti-Trust case, including allowing OEMs to replace middleware such as Internet Explorer as the default browser. The service pack proved too complex for OEMs to deploy easily, so most chose not to deploy it with their PCs. The service pack was alternatively available by download, but appeared to push the user to download it via Internet Explorer 5 or above. Accepting the End User License Agreement for the Windows XP service packs allowed Microsoft to legally access your data remotely, which in turn sparked privacy fears.
OEMs had previously been under contract with Microsoft that they should only sell PCs with Windows (whether or not the user wanted to use Windows, or already had a copy), and the price of any PC automatically included the price of Windows. As a result of the Anti-Trust case, August 1st saw new Microsoft licensing terms put in place which prevented Microsoft from retaliating against OEMs. The new terms were that PC makers must ship PCs with an operating system, and Dell took advantage of the new terms and subsequently sold PCs with a copy of FreeDOS.
Passport / .Net
Based on Microsoft's Passport, its much hyped .Net service 'Hailstorm' was supposed to increase Windows' appeal, attracting people to the .Net platform. The problem was that it would put everybody's data in the hands of Microsoft, placing it in control of everybody's security - something which Microsoft apparently wasn't very good at. An attempt at renaming it from 'Hailstorm' to '.Net My Services' didn't fool anybody either; regardless of how nice the name was, people were not interested. In the end Microsoft pulled Hailstorm and took it back to the drawing board due to the obvious negativity towards it.
Earlier in the year, a poll by ZDNet to find out how many developers were considering developing for .Net showed that a large percentage of them were interested in it. It was later discovered by ZDNet that the poll was rigged by Microsoft employees voting multiple times and using automated scripts. To make things worse for both .Net and Microsoft's new stance on "Trustworthy Computing", the .Net Developer Kit was also found to have a security flaw in it.
In April Gartner produced information stating that users of Microsoft's Passport doubled. Although this news could cause us to assume that it was highly successful and loved by all, the survey also revealed that 84% of customers had only registered with Passport as it was required to access other Microsoft services such as Hotmail, WinXP and Messenger.
Later in the year the FTC investigated Passport concerning false representation of security and privacy by Microsoft which, as usual, never even admitted that it had done anything wrong but agreed to do something about it.
Anti-Piracy
Microsoft started out with its anti-piracy scheme in late 2001, with the release of Windows XP and its dreaded Product Activation. The Product Activation technique meant that any significant change of hardware on your system would cause Windows to prompt you to contact Microsoft and verify your activation code; failure to do this would mean that you would be denied access to your software. This didn't go down well with anybody, and drew attention to the fact that many people were using a copy of Windows on more than one PC, going against Microsoft's licensing regulations.
In 2002 Microsoft looked to the nations where software piracy was strong, such as China, and made them do something about the problem. Rather than achieving the result where these nations repented, bought legitimate copies of Windows and increased Microsoft's profits, they announced that they would be switching to the free Linux operating system and Open Source software. Countries such as Mexico and Peru also took this stance. Realizing the threat posed by this, Microsoft representatives flew out to these countries for talks with their governments and ended up handing out large amounts of cash, providing their education and software development sectors with free software worth millions of dollars. Although Microsoft would lose money short-term, it would make money in the long run, a similar strategy to that of the game console manufacturers. Software upgrades would ensure that Microsoft maintained its cash flow, and the threat of Linux would be significantly removed by the widespread use of Microsoft's proprietary protocols and file formats (locking users into Windows due to compatibility issues).
Microsoft's anti-piracy maneuvers also focused on schools. In the USA, because Microsoft wanted to check that each machine was running fully licensed software, some schools were notified that an expensive software audit would need to be performed within 60 days. As this required documented evidence, it seemed impossible to comply, and Microsoft advised that schools should not accept any PC (donated or otherwise) unless documentation was provided. If the schools failed the software audit then they could register all of the computers running Microsoft software for an annual fee (something that Microsoft was later to force upon everybody via Licensing 6).
After this incident Microsoft itself ended up freely giving away money and software to third-world schools, under the commendable guise of bridging the digital divide (which itself was helped along by Microsoft's extortionate prices, proprietary file formats and forced software upgrades - which usually required a hardware upgrade too). Microsoft appeared even more two-faced as it continued to overcharge western schools that were already using Microsoft software - except for where Microsoft gave millions in software to those schools or colleges that voiced interest in switching to Open Source.
One incident that caused controversy was that of the University of Waterloo in Canada, where a pro-Microsoft curriculum was announced at the same time as a large donation from Microsoft was made, ensuring that students would be learning .Net development. There was another incident concerning universities in Texas where, to extinguish the high amount of piracy, tuition fees were raised to cover the software costs and the students would pay less for Microsoft software. Of course, to those who didn't use Microsoft software it meant that they were being charged unfairly, which is similar to Microsoft's tactics towards OEMs of "you can't sell a PC without selling a copy of Windows with it". This would mean people were more likely to stick with Microsoft software because they'd already paid for it.
These situations all showed Microsoft as desperately attempting to get everybody using its software (even by offering it at a loss), and once hooked extracting as much cash from them as possible, or using the situation to promote development for the proprietary Windows environment.