  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

The emperor has no clothes: What the Microsoft break-in really means


Nov. 1, 2000

By Al Fasoldt
Copyright ©2000, Al Fasoldt
Copyright ©2000, The Syracuse Newspapers

   I used to think that the security leaks in Windows showed that Microsoft didn't care. Now I know I was wrong.
   The fact that someone can break into the computers at Microsoft's headquarters and cruise around undetected for weeks -- perhaps even months -- shows something much more disturbing.
   It shows that Microsoft is incompetent.
   Businesses show they don't care all the time. You can make a lot of money running a company that way.
   But competence is another matter. Perhaps we assume too much, but most of us probably believe that people at the top got where they are because they know what they're doing.
   But what happened at Microsoft tells us something else.
   Surely Microsoft knows that Windows is unsafe. I know for a fact Microsoft knows this. Microsoft posted a public statement recently saying it does not use Windows PCs to create installation CDs. Windows PCs aren't safe enough from attacks by computer viruses, so Microsoft said it creates CDs on Unix computers.
   Fair enough. I respect that kind of honesty. Forget Microsoft for a minute. Think about normal businesses. If I owned a company that made pea shooters, and if I knew how puny pea shooters are, I'd make sure the guards at the company's gates were armed with real weapons. Wouldn't you? If I ran a lock company that specialized in 99-cent padlocks, you can be sure I'd put somebody else's locks on my doors. Wouldn't you?
   Then how could Microsoft be so smart in one example and so abysmally dumb in the other? How could it know that it is impossible to keep all viruses out of a Windows network in one case and not know it in the other?
   Because that's exactly what happened at Microsoft's headquarters. A virus got into someone's Windows PC. Experts call the kind of virus that did it a "trojan," named for the Trojan Horse of ancient Greece. A trojan is a destructive program that looks innocent.
   There are 48,000 different viruses that can infect Windows. Microsoft knows this. But one got through anyway. It either infected a Windows PC inside Microsoft or a Windows PC at the home of a Microsoft employee. Microsoft allows employees to connect to its secret corporate computers, so if the initial attack hit an employee's home computer, the effect would have been the same as an attack on the main private network itself.
   So far, this shows a kind of bumbling know-nothing attitude. But listen to the rest of the story. Microsoft keeps the program code for Windows and Microsoft Word and Excel and everything else that it makes on its private computer network. This is called the "source code." It's not just valuable. It's invaluable.
   The people who broke into Microsoft's private computers were able to look at the source code for software that hasn't been released yet. They were also able to change it, although it's not clear if they did that or not.
   The source code is Microsoft's most valuable asset. It's the crown jewels.
   Something like that needs to be guarded very carefully. You can bet the Hope Diamond isn't left out in the open. You can be sure the secret recipe for Coke is locked up in a double vault.
   If you know you have a hole in your pocket and that's where you put your money last week, you're dumb.
   If you know you have a hole in your pocket and that's where you put your money every time I give you a dollar, you're not just dumb. You're a buffoon.
   You're incompetent to carry money.
   Does this ring a bell with someone?
   Microsoft runs a special Web site for security information. The very first sentence on this site says the following: "Microsoft is committed to protecting customers' information."
   Oh? When it can't even protect the source code to Windows?
   Back in January, Microsoft tried to assure everyone that it knew how to handle security in the latest version of Windows. The guy in charge of Windows 2000 told a security conference that he was there "to do an industry call-to-action."
   I hope he gets what he wants. But security, like charity, begins at home. And the housecleaning at Microsoft is long overdue.
   If this doesn't happen -- if Microsoft continues to run off millions of copies of Windows that are full of security holes and if it continues to guard its doors with its own padlocks -- it will have no one but itself to blame.