Truth About Computer Security Hysteria
Gates lost — because I didn't file an amicus curiae
Wednesday, 17 November 1999
I FINALLY DIGESTED Judge Jackson's Microsoft Trial Findings of Fact.
Three excerpts stand out from a computer security perspective, so let's tackle them in order. First up:
[para #174] Microsoft has unjustifiably jeopardized the stability and security of the operating system...
[They] made it easier for malicious viruses that penetrate the system via Internet Explorer to infect non-browsing
parts of the system.
I fail to see His Honor's logic. I assert the Internet itself is
the true "common" threat, not the browser. It simply doesn't matter what OS you run or what email/web
client you prefer. Their commonality comes in second with respect to Internet security. Remember: we designed
the Internet to link diverse network architectures so they could communicate with each other after a
Java or Linux or whatever comes next will give us even more homogeneity, which in turn will foreshadow greater
common threats. What difference does it make if Microsoft paved the way a little bit? You can't blame an
individual element for a common threat, folks — it's like blaming one cloud for the threat of a hurricane.
Let's move on. Judge Jackson chimed in with an interesting "fact" about consumer-driven security
[para #197] Consumers recognize that the Web contains ... viruses that are capable of causing devastating and
irreversible harm to their security and privacy interests. Accordingly, consumers prefer, and benefit from,
innovations in Web browser technology that help them identify and avoid harmful Web resources.
Consumers want innovative security in non-security products? His Honor overlooks reality. GartnerGroup,
for example, recommends clients avoid innovation even in genuine security products. A
PC Magazine reviewer said basically the same thing earlier this year. I could bore Judge
Jackson to tears with anecdotes like this. When it comes to security, users react like those sheep in the movie
"Babe." Fear drives sales, not innovation.
Symantec, Network Associates, and other antivirus firms know what consumers want in a product. They want to see
great-looking boxes on store shelves! Software marketing teams (I didn't say "antivirus marketing
teams") do everything they can to attract your eye as you walk through the aisles. Judge Jackson should go
to Best Buy, pick up a useless cardboard container of antivirus software, and
If & when consumers want innovative security, they will dump ActiveX, stop using Word as their email editor,
switch to Linux, and demand profile-based virus detection. Users can talk all they want,
but actions speak louder than words.
(Yeah, like I should talk about innovation. I still run DOS & Win31 on my personal systems. In my defense, I
don't lose sleep about computer security — and I've used "innovative" products from Command Software,
Stiller Research, FoundationWare, and some other firms you never heard of.)
Okay, let's continue:
Bill, Bill, Bill. Did your lawyers offer these counter-arguments? If I need to file a "friend of the
court" brief, just let me know...
[para #198] Far from demonstrating that Internet Explorer is currently a "best of breed" Web
browser, the evidence reveals Microsoft's awareness of the need for continuous improvement of its products. For
example, Microsoft frequently releases "patches" to address security and privacy vulnerabilities in
Internet Explorer as they are discovered. In sum, there is no indication that Microsoft is destined to provide a
"best of breed" Web browser that makes continuing, competitively driven innovations unproductive.
Again, I fail to see how Judge Jackson's argument leads to this conclusion. His Honor implies a best-of-breed
product needs little improvement, and he further implies a best-of-breed product needs little security tweaking.
Bah! All major products undergo constant improvement, folks. All major products contain security
Look no farther than the "ping-o-death" discovery in 1996 — most (if not all) Internet-aware OSs
required security patches. Netscape suffered their own security woes the
same year. The first true Java applet virus made its debut
last year. Want something more recent? I identified a
widespread (and easily exploitable) flaw in antivirus software this summer.
By His Honor's logic, no security product can call itself a "best of breed." They constantly undergo
improvement, they require numerous updates, and they need security patches.
Man, I hope Gates didn't lose this round because I failed to submit an amicus curiae. Did Microsoft's
lawyers present these counter-arguments to the court?
Computer security experts don't recommend daily updates for Internet Explorer, Your