[DISCUSS] Critique of article on Microsoft and XP

Craig Buchek craig at buchek.com
Tue Oct 1 01:05:59 CDT 2002


[Note that this email is going to the article's author and the SLUUG 
DISCUSS list. I'm answering a DISCUSS member's question, but thought I'd 
offer my critique to the author as well.]

>> "Windows XP Shows the Direction Microsoft is Going."
>> http://www.hevanet.com/peace/microsoft.htm

I wrote:

> Actually, I found the article to not be all that fair to Microsoft.
> There were several points of misinformation regarding things that 
> Microsoft does that are completely justifiable or have valid technical
> reasons. 

Jonathan Goldberg queried:

> Defenses of Microsoft are not common on this list.  Would you go into
> more detail about what the problems with the piece are?  I've been
> stewing over this, and feel underinformed.

Well, I hate to go read the whole article again. But I suppose I need to 
back up what I've said. Note that I *do* agree with most of the gist of 
the article. I just don't care for the tone in which it is presented, and 
don't find it to be all that technically fair and accurate. So I don't 
think it is that effective in what it tries to accomplish.

Disclaimers: I hold an MCSE (NT 4.0), Novell CNE, 2 Linux certifications, 
and some others. (Google for my resume if you're that interested.) I've 
worked with Microsoft products, but I prefer Linux, and use it almost 
exclusively at home. I'm Chair of the St. Louis Linux Users Group and on 
the board of the St. Louis UNIX Users Group. I've never used Windows XP, 
because I dislike the EULA, but I think Windows 2000 is a pretty good OS.


"Microsoft Media Player (Tells Microsoft the music you like.)" 

Lots of non-Microsoft CD player programs report to a web site what CD you 
are listening to. There's really no way to ask for the info about the CD 
you are listening to from one of the online CD databases without somehow 
telling the database which CD you want the info for.


"Microsoft Office keeps a number in each file you create that identifies 
your computer. Microsoft has never said why."

The GUID (Globally Unique Identifier) is unique to each system in order for 
every object in a networked application to have a unique ID. Unique 
IDs are required to distinguish one object from another, and in order to 
locate them. Not all applications store the GUIDs in their files, but it's 
the lazy way out, and most Microsoft programs do.


"Microsoft mouse software has reduced functionality until you let it 
connect to Microsoft computers."

Logitech mouse software has similar problems. (At least the last one I 
bought.) You have to use the software supplied on the disk in the box to 
get full functionality -- you can't download it. I've never figured out 
why. It really sucked when I bought a mouse that was missing the disk.


"Microsoft has a history of using bug fixes and security fixes to change 
the operating system settings."

That annoys the heck out of me too. But technically, you can get hot-fixes 
from Microsoft to patch the bugs and vulnerabilities. But the service 
packs are much more convenient.


"It also seems possible that there is a connection between the huge number 
of bugs and the U.S. government's friendly treatment of Microsoft's 
law-breaking [usdoj.gov]. The U.S. government's CIA and FBI and NSA 
departments spy on the entire world, and unpatched vulnerabilities in 
Microsoft software help spies."

That's a pretty irresponsible thing to say without any evidence. The DOJ 
was aggressively pursuing the case until the Bush administration came in. 
The Republicans are known for being more pro-business, so it was no 
surprise that the DOJ became less aggressive when they gained control.


"Deliberately designed to crash.... Windows 95, Windows 98, and Windows ME 
... were designed in such a way that it was inevitable that they would 
crash."

It wasn't a deliberate design, it's a design limitation. No matter what 
you are doing on what OS, eventually you are going to run out of 
resources. There have to be arbitrary limits -- every OS has arbitrary 
limits on various resources. Microsoft chose poor limits that look 
unreasonable on today's hardware. The same thing happened in DOS with the 
640K limit. Nobody claims that was a deliberate attempt to limit things -- 
it was merely a poorly chosen hard limit and a lack of foresight of future 
needs.


"Windows XP becomes shaky when enough programs are loaded that all of the 
installed memory is in use."

When you've used up all your physical RAM and start using swap, any OS is 
going to perform poorly. My Linux system performs quite poorly when 
Mozilla sucks up all the RAM. It often takes many seconds to redraw the 
screen when I switch back to another program.


"Windows XP provides no security against an attacker who has physical 
access to a machine."

This has nothing to do with the OS. An attacker with physical access can 
circumvent security on any OS. It's a moot point, not worth mentioning.


"A product called Locksmith [winternals.com] can change the Administrator 
password on any Windows XP, Windows 2000, or Windows NT system."

In fact, Linux makes it even easier -- just boot to the rescue disk.


"There is a fundamental security flaw in all Windows operating systems."

The Shatter Attack is controversial. Yes, it technically can be used to 
escalate privileges on a machine. But it does not appear that it can be 
scripted in any way. The only way I can tell that you could get it to work 
is by having administrative privileges on an identically-configured 
(hardware and software) system. It does not appear that the problem can be 
fixed -- it is a fundamental design problem. Although the actual exploit 
may depend on a buffer overflow in the implementation.


"Microsoft can control the user's computer without notice and whenever it 
wants."

That's always been the case. See the article "Reflections on Trusting 
Trust" by Ken Thompson (http://www.acm.org/classics/sep95/), where it is 
demonstrated that the OS (and compiler) can always do whatever they want, 
even if you have the source code. The only difference now is that 
Microsoft can dynamically change the logic via the Internet to change how 
it controls your PC. But the whole concept of an OS is to control the 
computer at all times so you don't have to notice it.


"It has been estimated that the cost to U.S. businesses for only four 
Windows-based infections, Nimda, Code Red, SirCam and Love Bug, was about 
$13 billion. These infections were possible because of the unusually poor 
security design of Microsoft Windows. No other operating system has had 
such vulnerability."

First of all, these numbers are always wildly inflated. They assume that 
the folks working on fixing the problem wouldn't have otherwise been paid, 
and those whose systems were affected were unable to do anything else 
while their systems were being fixed.

As I've stated many times, it isn't usually a poor Microsoft design that 
causes problems, but a poor implementation. Windows NT (and 2000) actually 
has a really good underlying security system. Unfortunately, the 
higher-level implementation doesn't take very good advantage of it and 
makes many mistakes.

Other OSes have had such vulnerabilities. They just haven't had their day, 
and the lower market share of the others tends to make worms spread less 
effectively. Users of other OSes are also generally more experienced, and 
patch their systems more quickly.


"Microsoft is the computer industry's top contributor of political money"

Using this logic, Microsoft wasn't so bad a couple of years ago. Until 
recently, Microsoft stayed largely out of the political arena. They got 
burned when some of their competitors used their political clout against 
Microsoft.


"Support for Microsoft products may be affected by ongoing legal 
vulnerabilities."

All large companies have legal issues pending. I don't see how that 
affects their products. The company isn't going to disappear. If anything, 
the legal cases are likely to be advantageous to Microsoft's customers.


"In summary, Microsoft was found by the courts to have broken the law. 
[...] Companies may want to evaluate the possible future problems in 
partnering with, and being dependent on, a company that has broken the 
law."

It's unlikely that you'll find any large company you do business with that 
hasn't broken the law in some way. Anyway, it's better to be a customer of 
such a company than a stock-holder, employee, or lender.


"you may not use the Product to permit any Device to use, access, display, 
or run other executable software residing on the Workstation Computer, nor 
may you permit any Device to use, access, display, or run the Product or 
Product's user interface, unless the Device has a separate license for the 
Product."

This clause in Microsoft's license isn't all that unreasonable. Otherwise, 
you could buy 1 Windows license for a bunch of people, run Windows on 1 
PC, and then have a bunch of people run the programs on that PC but show 
the programs on their own PCs.


"The registry file is a single very vulnerable point at which failure can 
occur. Microsoft apparently designed it this way to provide copy 
protection. Since most entries in the registry are poorly documented or 
not documented, the registry effectively prevents control by the user."

There are plenty of "single" points of failure in any OS. The registry 
isn't a bad idea. In fact, GNOME now has a small registry, and I believe 
the MacOS X property lists are similar. It's just the way that Microsoft 
implemented the registry wasn't all that great. The hierarchy is poorly 
defined (there are lots of examples of Microsoft programs using it in 
incompatible ways). And the possibility of corruption is inexcusable, given 
modern database technology. But a registry is a much better solution than 
a bunch of disparate config and INI files, all with different formats. I 
don't know that preventing programs from being transferred to other 
systems was a goal of the registry -- that can be accomplished just as 
easily by keeping configuration and other files in system locations.


"Using a program called xcopy32.exe, which is supplied, Windows 98 can 
copy all of its files to another, blank hard drive."

Nobody in their right mind would use XCOPY to back up their system.


"Microsoft Windows XP is crippled. It is designed to be unable to copy 
some of its own operating system files."

Almost all OSes prevent copying files that are currently being written to. 
Windows happens to leave several system files open for writing, so you 
can't copy them via normal system calls.


"There is absolutely no need for Microsoft's Passport."

Actually, there is a high demand for something like Passport to provide 
authentication services on the Internet. Passport is horrible, but it has 
more advantages than just storing passwords. There are several competing 
standards in the works.


"Palladium gives Microsoft the ability to prevent users from seeing their 
own documents and data."

While Digital Restrictions Management is a terrible thing, it is unlikely 
that they'll ever get away with keeping you from accessing your own files. 
Generally the way it works is that the file has to have a watermark to 
fall under the DRM restrictions. You wouldn't watermark your own files, 
and if you did, you would get to decide how to restrict them.


"Microsoft Windows XP has reduced functionality."

Every upgrade to every program is going to have some regression problems, 
where it performs worse in some border cases than the previous version. 
And in big upgrades (or merged programs in the case of XP) there will be 
some esoteric functionality removed that a few people will miss. Look at 
MacOS X. There are a ton of things that are missing from MacOS 9.

Then the author goes into excruciating detail nit-picking about some minor 
bugs. Every system as big as Windows is going to have tons of such bugs.


"Many people think the Windows XP user interface is poorly designed."

Many people think the Linux UI is poorly designed, even most Linux 
experts. In fact, the XP GUI is quite good in many respects. Personally, I 
think Windows 2000 had the best Windows GUI -- it's nice and crisp and 
conservative. Of all OSes I've used, NeXTSTEP had the best GUI. MacOS X 
(the current incarnation of NeXTSTEP) is good, but not as solid as the 
original. Windows GUIs have generally improved over time, but the subtle 
differences between similar versions are extremely annoying. (Things like 
accessing the Network settings in 95, 98, NT 4, and 2000.)


"Microsoft is widely disliked."

So? I'm not sure how that should affect *my* decisions. A lot of people 
don't like Ford, but that's not going to keep me from buying a Ford 
product.


"in Windows XP, menus are sometimes 7 levels deep"

Lots of programs have poorly designed menus. There are a bunch of things 
that are deeply nested in other products. (Unfortunately the only good 
examples I can think of off the top of my head are Outlook, Word, and IE. 
I'm sure FrameMaker has some good examples -- I just haven't used it 
recently.)


There are a lot of other small things in the article that I found to be 
inaccurate or misleading. For example, it wasn't disclosed that ProComp is 
made up mostly of Microsoft's competitors. And I've never heard of Brian 
Livingston, "who is perhaps the best-known computer industry columnist", 
even though I read a ton of industry articles.

For the article to be effective, I think it needs to be more even-handed. 
And I don't believe the author when he claims not to be anti-Microsoft. If 
so, he would likely have been more forthcoming about problems that 
Microsoft's competition shares with them. 

Personally, I find that people respect my opinions on Linux, etc. *more* 
because I obviously know Microsoft ("the competition") very well and am 
willing to point out the problems with Linux and the good points of 
Windows. I gain a lot of points by being as objective as possible, and 
conceding that everything has its down sides.

Craig Buchek
---
All OSes suck. Linux just sucks less.