Internet Security

So, this semester I’m taking a class on Internet Security. Our textbook is Management of Internet Security, 2nd Edition by Michael E. Whitman and Herbert J. Mattord. It seems pretty basic, and very much focused on the management side of things (as opposed to technical). The table of contents is as follows:

  1. Introduction to the Management of Information Security
  2. Planning for Security
  3. Planning for Contingencies
  4. Information Security Policy
  5. Developing the Security Program
  6. Security Management Models and Practices
  7. Risk Management: Identifying and Assessing Risk
  8. Risk Management: Assessing and Controlling Risk
  9. Protection Mechanisms
  10. Personnel and Security
  11. Law and Ethics
  12. Information Security Project Management

Now, given that it’s really a “management” book, I can’t say I’m surprised that it reads like an essay that was graded on a scale of buzzwords-per-sentence. However, it seems to be missing the one chapter that’s the most important - actually, the only chapter that would be in the book if I wrote it - “How to get management to allocate the money you need for proper security.” In fact, skimming over the book, I found a lot of content on general management planning, job descriptions, sample policies, and a lot of other pie-in-the-sky stuff, but not one concrete section dedicated to the most difficult part of security - getting the “resources” to do it right!

Microsoft Lies

Why we would spend time analyzing corporate mission statements in an Internet Security class, I have no idea. That seems, to me, too much like what we covered in “Management of Technological Organizations.” But, we do, and one of the examples used is Microsoft’s Mission and Values statement. Perhaps, being the F/OSS advocate that I am, my reading of it was a bit cynical. Let’s take a look at it.

“At Microsoft, our mission and values are to help people and business throughout the world realize their full potential.” Well, we’re off to a good start. Aside from the fact that they want you to realize that potential using only their software, and use their power and money to actively monopolize (or attempt to) most industries that they enter, this seems pretty run-of-the-mill.

Corporate Citizenship: “Every successful corporation has a responsibility to use its resources and influence to make a positive impact on the world and its people. Microsoft’s Global Citizenship Initiative is focused on mobilizing our resources across the company and around the world, to create opportunities in the communities where we do business, and to fulfill our commitment to serving the public good through innovative technologies and partnerships.” Well. Now we’re getting somewhere. Apparently “a positive impact on the world and its people” is defined as trying to monopolize every sector that Microsoft touches, whether attempting to crush and then buy-out the competition, or through flat-out FUD and billion-dollar marketing campaigns. Hmm… innovative partnerships… as in Novell?

Legal and Corporate Affairs: “Microsoft’s Legal and Corporate Affairs Group works on the cutting edge of business and regulatory issues around the world.” Well, I can’t argue with that, they sure are on the cutting edge. What started with Bill Gates mailing out whiny letters about pirated Altair BASIC has now turned into a global juggernaut, capable of forcing the creation of ISO standards at their whim, and successfully quashing any dissent about obviously flawed and under-reviewed “standards” (which, in fact, simply describe current software, rather than setting any real standard).

Values: “As a company, and as individuals, we value integrity, honesty, openness, personal excellence, constructive self-criticism, continual self-improvement, and mutual respect. We are committed to our customers and partners and have a passion for technology. We take on big challenges, and pride ourselves on seeing them through. We hold ourselves accountable to our customers, shareholders, partners, and employees by honoring our commitments, providing results, and striving for the highest quality.”

  1. integrity - i.e. not creating a draft ISO standard and then offering monetary incentives for acceptance.
  2. honesty - when it works. Intentionally making Vista-Capable labeling so ambiguous that it even confuses Microsoft executives? Fine.
  3. openness - um… did they seriously say that? Openness like… protocol interoperability? Standards that can be implemented without patent violations? An “Open Specification Promise” that doesn’t come with a three page FAQ? Nope. Not Microsoft.
  4. constructive self-criticism - Ok, I’ll give them this one. They do, rarely, criticize themselves. Though “constructive” usually means making comments about the poor design of a previous product, and suggesting that everyone upgrade to the new version.
  5. continual self-improvement - I’ll give them this one too. In fact, they’re so crazy about it that they’ve been improving the same codebase for decades!
  6. mutual respect - See above.
  7. We hold ourselves accountable to our customers - Ok. They are offering to allow users to downgrade from Vista to XP.
  8. striving for the highest quality - I don’t think so. They’re striving for products that have the highest market share. As long as the quality is acceptable to the majority of users, and the products do what the majority of users need, that’s fine. But wait… apparently they even missed that goal with Vista.

This is just the opinion of one person. My motivations may be diverse, and surely there’s a bit of zealotry in there. After all, if Ford told me I couldn’t put fog lights on my car myself, I had to bring it to the dealer and pay $400, I’d stop buying their cars - and make sure everyone else knew what they did. But there’s also my ever-present desire to make sure people know both sides of the story, and all the facts. The mainstream media (specifically dumbed-down television) rarely reports on the less cheerful side of Microsoft, like the ISO “standard” scandal, or the Vista letters, or the Vista-Capable fiasco. And I find this to be horribly disturbing. Many people don’t realize that there are alternatives to Microsoft products, even ones that are provided by such big names as Sun Microsystems and IBM. But, most striking, is Microsoft’s overwhelming monopoly. Windows’ market share is currently 90.66% or higher. I ask you, what other industries which affect not only consumers, but nearly every aspect of our daily lives (as computing does) would be allowed to have such a monopoly? It has happened in many other American industries - oil, steel, the railroads, telephone service. Where is the government now?

What happened to the America that made massive monopolies illegal? Have we forgotten a supremely important part of our history that began in 1980 with the Sherman Act? Or even the recent events with Bell? In order to truly stimulate competition in the software industry, and provide for not only choice but the improved quality, reliability, and security that comes with true software competition, something needs to be done. For starters, how about breaking Microsoft into separate entities - browser, Office, OS, server, etc.? And - the important part - preventing any package sales, discounts, or bundling between the separate types of software (and separate companies).
