[Am-info] Anti-Trust Remedy Threatens Security, says Allchin
Sujal Shah
sujal@sujal.net
17 May 2002 14:16:42 -0400
On Fri, 2002-05-17 at 13:39, Felmon Davis wrote:
[SNIP]
>
> Thank you for a very illuminating discussion. I've taken the liberty
> of cutting out a couple of pieces which I wanted to focus on, very
> briefly.
>
> What they tell me is that exposing Windows code would be:
> (a) costly to consumers,
> (b) likely to generate instabilities as bugs get discovered and
> abused by undisciplined software writers,
> (c) likely to generate insecure code (as a result of (b)), and
> (d) costly to MS as it struggles to fix bugs, fend off liability and
> protect its 'value' and standing.
>
> Of course, in the long run (but somewhere short of its death) it
> might strengthen Windows code, improve its security, stability and
> coherence, etc.
>
> (I suppose there may also be 'trade secrets' that could be exposed
> with 'intellectual property' issues.)
>
> I take the point then is not that Open Source _as such_ is insecure
> (etc. etc.) but that the novel (?) experiment of transitioning a
> large proprietary bundle to Open Source would be precarious and
> fraught with risk. And moreover, MS might be right that the risk is
> not worth it to _them_.
>
> Am I getting a bit closer?
I think that's basically what I'm saying. Releasing source code when
you never intended for it to see the light of day is like letting diners
into the kitchen at a restaurant. At a well-run restaurant, the diners
will find a clean kitchen, clean and conscientious staff, and maybe some
dirt in the corner. At a poorly run restaurant, the diner may be sorry
he went into the kitchen at all.
Microsoft, IMHO, is like going to the rest stop McDonald's or Pizza Hut
(with no offense intended to those restaurants). You go there because
it's the only practical choice, you being on a highway, this being the
only rest stop for 50 miles, and it being the only restaurant at the
rest stop. You eat the food, even though, every once in a while,
someone finds a bug, chicken's foot, or hair in their food (maybe not at
your particular restaurant, but at a similar one elsewhere). You know
that it probably isn't the most sanitary kitchen in the world, but you
don't really want to think about it.
It's tricky, and has to be managed carefully (phased rollout?).
Also, your point b) above is really irrelevant. This happens today, and
exposing more of the source isn't going to seriously affect that (again,
IMHO). Most commercial companies try to follow the rules, and I've
never worked anywhere that tried to use undocumented or unofficial APIs
for a released project or product. It's just not good practice.
The real issue is virus authors and crackers that might be able to
exploit newly uncovered bugs. This would be the greatest concern.
Having said all of this, I actually would suggest to Microsoft that they
look into releasing the source code to Windows, simply because it will
make it stronger in the long run. If they roll out the source code in
phases, they should be able to have trusted third parties vet the source
before releasing it to a larger audience. Once they get it out there,
bug fixes will come, simply because soooo many people use Windows that
there should be a number of experienced hackers that would be willing to
contribute fixes.
It's also the least obnoxious remedy I can think of. While it lays bare
any hidden plumbing that places other products at a disadvantage, it
does little to affect Microsoft's ability to write contracts, which has
been their big stick.
Finally, I think the states only asked for IE's source code, so this
isn't ANYWHERE near as broad as the hypothetical we've been discussing.
It's a freaking browser, for crying out loud. :-) I can download the
source to 5 or 6 browsers right now and all of those haven't bred worms
or security problems at a rate even equal to IE, let alone at a higher
rate.
The rest of Allchin's testimony is just too much to be believed.
Digital Piracy? A security exemption would have NO impact on technical
disclosure? He's just making broad claims that amount to FUD. I hope
the states are able to show the judge how unrealistic his statements
are.
Sujal
>
> F.
> _______________________________________________
> Am-info mailing list
> Am-info@lists.essential.org
> http://lists.essential.org/mailman/listinfo/am-info
--
---- Sujal Shah --- sujal@sujal.net ---
http://www.sujal.net
Now Playing: Pearl Jam - The Color Red