Bug Crushing, Microsoft, and the NSA

Danger - Microsoft Inside

Ever wonder why Microsoft has historically been so bad at crushing bugs? I think I know why.

Bugs, Bugs, and More Bugs

Historically Microsoft has been slow to crush bugs, including bugs that led to security holes. A lot of analysts have burnt a lot of lamp oil trying to understand why.

Microsoft’s lack of action has often been inexplicable. Security breaches have been reported to Microsoft, and the company has taken no action. In some cases the security researcher finally went public in an attempt to force Microsoft to act. So why didn’t the company move?

There have been two main theories as to why Microsoft has been so slow to act.

  1. Arrogance
  2. Incompetence

The Arrogance Theory

The propounders of the “Arrogance Theory” believe that Microsoft just doesn’t care. When you own 95% of the operating system marketplace, and your customers (the computer OEMs) have nowhere else to turn, then why waste the effort?

There’s a huge problem with this theory though. Microsoft Windows XP was released in January 2001. The next version of Windows should have been released in 2004, but Microsoft suddenly stopped working on it. Instead the firm dedicated an immense amount of time working on security updates for Windows XP, which culminated in Service Pack 2.

That Microsoft was willing to delay the release of the next version of Windows (Windows Vista was released January 2007 – and included further enhanced security features) indicates that arrogance isn’t the issue. If Microsoft was as arrogant as some people have claimed, the company wouldn’t have stopped development of the new operating system to fix the old one…

The Incompetence Theory

The propounders of the “Incompetence Theory” believe that Microsoft is, well, incompetent. There are a variety of different reasons given for the incompetence. One group believes that the sheer size of the company has made it unable to respond.

The problem with the incompetence argument is that if Microsoft was as incompetent as a lot of people have been arguing, Windows XP Service Pack 2 wouldn’t have been any good. Then there’s Microsoft Office. Love it or hate it, it is a pretty solid piece of software in most ways.

What about Internet Explorer? It has issues, but it does work. Microsoft has a long, and fairly decent history of producing large, complex software projects. They aren’t perfect, but they are often pretty damned good.

If the company was incompetent, they wouldn’t be able to do that.

So if Arrogance and Incompetence aren’t the answer…

This is where I do the 2+2 routine, and get 1,000.

In other words, I don’t know that this is the correct answer. It is fairly simple. It matches everything that is known about Microsoft, and the milieu where they operate. But is it right?

I don’t know.

On September 5, 2013, the Guardian reported that the NSA had forced software producers to include backdoors. The NSA also apparently has staff that are dedicated to finding security breaches in software.

Think about it. You’ve got a spook who is using a security hole to enter computers used by a foreign government, possible terrorist organization, or whoever you want to keep an eye on. You don’t want those holes closed, because that would cut you off from the information you argue you need. A Secret Security Court tells the company that it can’t fix the software…

Plausible?

Unfortunately yes. The NSA, and its equivalents worldwide have been treating the general public as enemies. It isn’t just the spy agencies either. British Police infiltrated a wide range of political groups, treating them as terrorist threats. Canadians know about the Royal Canadian Mounted Police Barn Burning incident. The FBI has been using hacker tricks to spy on suspects. There are hundreds of other cases which I could list, going back hundreds of years.

So I consider it quite likely that if a Government agency was using a security hole in an investigation, it would use the Secret Courts to keep that hole open. The court might present Microsoft with an injunction, preventing the company from discussing the injunction, and forbidding it from fixing the security hole.

We know that the Secret Courts have been using such injunctions against the Internet companies. That’s been solidly confirmed. So why not against the software companies in the same way?

The software company would get the blame for not fixing bugs. We’d consider them arrogant, incompetent, or just plain stupid.

I can’t prove that this is what happened. Logically it makes sense, and explains the inexplicable lack of action by Microsoft.

The same might be impacting Apple, Oracle, Red Hat, Google, etc. And probably is. We don’t know, and if it is happening, they can’t tell us.

Could it affect the Free or Open Source software groups? Possibly, in that a programmer could try to implement a back door, but since the source code is available to inspect, that’s far less likely.

Once again, Richard Stallman sounds like a prophet. An accurate prophet.

Regards

Wayne Borean

Sunday September 15, 2013
