Microsoft cartoon figures

This is just weird. Microsoft has released a set of collectible cartoon action figures, aimed at developers who attend their training sessions.

(Click image for full view.)

Apparently Microsoft hope that by ascribing "heroic justice crusader" virtues to the toys, people will be attracted to their products:

Slick, quick, and with a fistful of super-style tricks, Windows Vista Sensei is the new karate-kid on the scene. Born in the United States and trained in Tibet, he acquired hardcore martial arts moves, and the wisdom to use these powers wisely. Once he'd perfected his signature preying-mantis kick, the bullies at school stood no chance.

More nonsense about Open Source vulnerabilities

Computer World is claiming that Red Hat Linux and Firefox are "more buggy" than Microsoft Windows.

That at least is the conclusion you are supposed to draw from the article's title, the summary and the opening paragraph:

Windows not that bad after all
By Matthew Broersma, Techworld

Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

So they say. But if you read on to midway down the second page of the article, you get a very different picture:

Red Hat [Linux] was found to have by far the most vulnerabilities, at 633, with 99 percent found in third-party components. ...

Windows had only 123 bugs reported, but 96 percent of those were found in the operating system itself.

So let's see how that works. Red Hat Linux, which ships with multiple hundreds of third party applications, almost all of which are non-critical and don't even get installed, has about six vulnerabilities in the operating system. Windows, which ships with a handful of applications, has about 118 vulnerabilities in the OS. According to Computer World, an OS with six vulnerabilities is more buggy than one with 118 vulnerabilities.

Yeah, right. Sure it is. Just how much advertising does Microsoft do with Computer World?

The article goes on:

In the browser field, Firefox led the way with 64 bugs, compared to 43 for Internet Explorer, and 14 each for Opera and Safari.

However, in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.

Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.

You got that? The shortest time IE was vulnerable to known security bugs was nearly three months, compared to just over a week for Firefox.

But IE only looks as good as it does because ActiveX bugs are counted separately: IE had no fewer than 339 ActiveX bugs in 2007. If you include them in the count for IE, as you should, then you're comparing 382 for IE versus 64 for Firefox.

You almost -- almost -- have to admire the journalist's gall in trying to push a whopper of this size. Sadly, this sort of behaviour is very common: half-truths and deceptive statements in paragraph one, the actual facts buried deep in the article. That way you're not lying, because all the facts are there.

The people doing this know that there is a strong correlation between the number of readers and how close to the top of the article: for each extra paragraph you bury something under, you reduce the number of readers by a surprisingly large percentage.

I've written about the tendency of the IT press and security industry to make misleading if not dishonest comparisons between Linux and Windows before.

Windows phones home

Windows Vista "phones home" when you install it. More details are coming out about what identifying information it sends to Microsoft. Not only does it send back identifying information, but it does so even if you cancel the installation or update.

Russia hits out at Microsoft

It's probably too much to hope for a nuclear first strike against Redmond, but the Russian Deputy IT minister, Dmitry Milovantsev, had a go at Microsoft recently:

He said the low average income of people in Russia is one of the factors in the relatively widespread use of cheaper pirated copies of software. But he also laid some of the blame on the behavior of the large software vendors for their restrictive and expensive licensing policies.

In particular he singled out Microsoft for its policy of not allowing partners to sell computers without copies of Windows pre-installed in Russia.

"If you want to install Linux you have to erase Microsoft, and that increases the cost of each computer by $50."

Microsoft sure have got the distribution channel locked up tight: it costs more to not buy their product than to buy it. I feel like Captain Spaulding (Groucho Marx) must have felt in Animal Crackers listening to Ravelli (Chico Marx) play the piano:

[Warning: May Contain Puns]

Spaulding: What do you fellas get an hour?
Ravelli: For playing, we get-a ten dollars an hour.
Spaulding: I see. What do you get for not playing?
Ravelli: Twelve dollars an hour.
Spaulding: Well, clip me off a piece of that.
Ravelli: Now for rehearsing, we make special rate. That's-a fifteen dollars an hour...That's-a for rehearsing.
Spaulding: And what do you get for not rehearsing?
Ravelli: You couldn't afford it. You see, if we don't rehearse, we a-don't play, and if we don't play (he snaps his finger) - that runs into money.
Spaulding: How much would you want to run into an open manhole?
Ravelli: Just-a the cover charge! Ha, ha, ha.
Spaulding: Well, drop in some time.
Ravelli: Sewer.
Spaulding: Well, we cleaned that up pretty well.
Ravelli: Well, let's see how-a we stand.
Spaulding: Flat-footed.
Ravelli: Yesterday, we didn't come. (To Mrs. Rittenhouse) You remember, yesterday we didn't come?
Spaulding: Oh, I remember.
Ravelli: Yes, that's three hundred dollars.
Spaulding: Yesterday, you didn't come, that's three hundred dollars?
Ravelli: Yes, three hundred dollars.
Spaulding: Well, that's reasonable. I can see that alright.
Ravelli: Now today, we did come. That's-a (pause)..
Spaulding: That's a hundred you owe us.
Ravelli: Hey, I bet I'm gonna lose on the deal. Tomorrow we leave. That's worth about (pause)..
Spaulding: A million dollars.

Windows Vista, DRM and security

Some interesting (as in the Chinese curse) things happening with Windows Vista and DRM:

Bruce Schneier writes:

Windows Vista includes an array of "features" that you don't want. These features will make your computer less reliable and less secure. They'll make your computer less stable and run slower. They will cause technical support problems. They may even require you to upgrade some of your peripheral hardware and existing software. And these features won't do anything useful. In fact, they're working against you. They're digital rights management (DRM) features built into Vista at the behest of the entertainment industry.

[...]

It's all complete nonsense. Microsoft could have easily told the entertainment industry that it was not going to deliberately cripple its operating system, take it or leave it. With 95% of the operating system market, where else would Hollywood go? Sure, Big Media has been pushing DRM, but recently some -- Sony after their 2005 debacle and now EMI Group -- are having second thoughts.

It seems also that Microsoft's commitment to increased security isn't necessarily a commitment as such... after Joanna Rutkowska found a serious security hole in Vista, one senior engineer and Microsoft Technical Fellow suggested that:

...potential avenues of attack, regardless of ease or scope, are not security bugs.

Well, I suppose if you define away security bugs by fiat, Microsoft will be able to say they have got rid of all security bugs in Vista.

At this point it is worth bringing up Peter Gutmann's cost analysis of Windows Vista content protection:

Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it's not used directly with Vista [...]

In order for content to be displayed to users, it has to be copied numerous times. For example if you're reading this document on the web then it's been copied from the web server's disk drive to server memory, copied to the server's network buffers, copied across the Internet, copied to your PC's network buffers, copied into main memory, copied to your browser's disk cache, copied to the browser's rendering engine, copied to the render/screen cache, and finally copied to your screen. If you've printed it out to read, several further rounds of copying have occurred. Windows Vista's content protection (and DRM in general) assume that all of this copying can occur without any copying actually occurring, since the whole intent of DRM is to prevent copying. If you're not versed in DRM doublethink this concept gets quite tricky to explain [...]

It's a fantastic document, long but not too technical.

Whose side are they on?

This story about the explosive growth of MySpace [no link for them -- the ex-spammers who run MySpace don't need my help to get rich, thank you very much] mentions what surely has got to be one of the craziest, misconceived, badly thought out misfeatures in Windows ever.

Last summer, MySpace's Windows 2003 servers shut down unexpectedly on multiple occasions. The culprit turned out to be a built-in feature of the operating system designed to prevent distributed denial of service attacks—a hacker tactic in which a Web site is subjected to so many connection requests from so many client computers that it crashes. MySpace is subject to those attacks just like many other top Web sites, but it defends against them at the network level rather than relying on this feature of Windows—which in this case was being triggered by hordes of legitimate connections from MySpace users.

"We were scratching our heads for about a month trying to figure out why our Windows 2003 servers kept shutting themselves off," Benedetto says. Finally, with help from Microsoft, his team figured out how to tell the server to "ignore distributed denial of service; this is friendly fire."

How's that again? A "Denial Of Service" attack is designed to prevent people from accessing the server being attacked; Windows 2003 defends from such a DOS attack by... er, shutting itself down, thus preventing people from accessing the server being attacked.

Oh man, I'd give my right eye to have been in the meeting where Microsoft's Pointy Haired Bosses suggested that to their tech people.

How To Switch To Windows

Over the last four or five years, there has been a virtual flood of journalists, familiar with Windows and little else, who have tried to migrate to Linux. Generally they fumble ham-fistedly with the system for a few hours or days, then self-importantly declare that Linux isn't ready for the desktop.

Long-time Linux user Matthias Endler decided to go the other way. As a Linux user, how easy is it to migrate to Windows?

I’ve heard of a new Operating System called Microsoft Windows the other day and wanted to give it a try because it is said to be easy to use and intuitive. Unfortunately the author offers no live-cd to test everything before I have to install. Instead of downloading it from the Internet as I always do I had to go to the computer store and buy it for a price of €150. There is also a so called "Professional Edition" but it would cost even more. [...]

[...] The Internet Explorer doesn’t have a popup filter and seems to attract ads and after fifteen minutes my taskbar looked like a battlefield full of spam. I had to close every window manually. My former Browser Firefox had tab-functionality included but IE seems to have own browsing rules and standards. But that was just the beginning: When I wanted to chat with my friends I found out that Windows Messenger doesn’t support ICQ, AIM, TOM and Jabber. I was forced to create a so called MSN-Account to continue but I refused.

(Sometimes the author's language is a little clumsy, but I believe English is not his native tongue, so a little understanding is in order.)

Beyond the satire, there are a couple of serious points: complaints that some system or another is not easy to use often merely means it is different from what the complainer is used to. Ease of use often also focuses on making simple things easy to do, at the expense of making complicated things impossible (or at least very difficult): a hammer is easy to use, but if you are used to having access to a complete tool box, having to use nothing but a hammer makes things harder to do, not easier.

Windows XP -- if we only knew then

The Washington Post discusses Windows XP's upcoming fifth anniversary, and notes that if Microsoft knew back in 2001 what it now knows, it would (should have?) delayed the release of XP to fix a lot of major problems.

This operating system has needed a steady diet of patches to stay close to healthy. On a machine with a September 2001-vintage copy of Windows XP Home Edition, installing every bug-fix released as of August ballooned its Windows directory from 987 megabytes to 2.43 gigabytes.

You can think of Windows XP as a house with a second floor built of spackle, wood filler and duct tape.

And even with all those updates, the operating system has met only a few of its goals while falling short of others in a catastrophic manner. And it's done so for reasons that can't all be blamed on XP's design or Microsoft's own actions. That, in turn, means that its long-delayed replacement, Windows Vista -- now due to ship in January -- may run into the same problems.

[...]

Software that looks ugly can work ugly, and XP has been too forgiving of that as well. The operating system has done little to ensure that programs move in and move out in an orderly manner; they can throw supporting files and data all over the hard drive, then leave the junk behind when software is uninstalled. As a result, something that should have been fixed in Win 95 -- the way Windows slowly chokes on the leftovers of old programs -- remains a problem.

Microsoft also did nothing to make the system registry -- the collection of settings that constitutes a single, system-wide point of failure -- less of a nightmare. It should have slain that dragon five years ago, instead of waiting to move away from it in Vista.

Microsoft did get one aspect of system maintenance right in XP -- software updates -- although it needed to ship a major system patch first. With the changes that Service Pack 2 brought in August 2004, you don't have to touch a single setting to have Windows get the latest fixes for you.

But Microsoft has had trouble getting users to trust its automatic updates. Some of the suspicion can be understood (remember how Microsoft installed its "Windows Genuine Advantage Notifications" anti-piracy software through this mechanism), but it becomes self-defeating when people keep copies of XP in a less-secure state because they think somebody in Redmond is out to get them.

[...]

The root problem is XP's inability to police the conduct of any program. Its default "administrator" setup grants the user and every application the run of the entire system.

That's why each new Windows-transmitted disease -- such as invasive spyware like Aurora or MoviePass.tv -- is so hard to eradicate. The only guaranteed cure for such infections is to reformat the hard drive and reinstall everything from scratch.

Windows Media Player DRM worse than ever

The Inquirer has an article about the new restrictions added to Windows Media Player.

Your DRMed music is tied to a single PC, so you can't move it. You can no longer backup your licences to another machine, and if your PC dies, or if you simply replace it, say goodbye to your music.

One thing which is interesting is a quote from Microsoft:

"If the file is a song you ripped from a CD with the Copy protect music option turned on, you might be able to restore your usage rights by playing the file. You will be prompted to connect to a Microsoft Web page that explains how to restore your rights a limited number of times."

Microsoft's Media Player will, by their own admission, take away your rights to use your own property. Can't get any clearer than that.

I'm surprised that Microsoft would admit this in such explicit, clear language. What's going on? A tiny little act of rebellion from a Microserf who hates what he's doing?

It also implies that Microsoft tracks who is playing what files. You have to ask Microsoft permission to play songs from your own CDs.

This is why people prefer to download mp3s of random quality from the Internet, even when they have access to legal content, even free legal content: because so many legal sources of music come with copy protection, digital restrictions, access control, and other methods of taking away people's control over their own computers.

I'm shocked

You can knock me over with a feather.

As a Linux and former Macintosh user, I'm quite used to being sent proprietary, Windows-only file formats that can't be read except by specific, commercial software -- although it must be said that over the last few years, Linux software has become very good at coping with all sorts of secret file formats. It's been a while I've come across a file I wasn't able to open under Linux.

And then the other day, I received an email with an attached .mht file, and neither Kmail, Firefox, Konqueror or Mozilla seemed able to deal with it correctly.

That's not the shocking thing. The shocking thing is that .mht files are a standard, open file format, with a RFC from 1999 specifying the format: HTML plus external resources such as images, in a MIME encoding. It is simply a MHTML file. Essentially, it is a web page, plus all its images, sounds or other extras, in a single file.

Internet Explorer has supported MHTML in the form of .mht files for years; Opera has recently added support for it. Konquorer does something similar, except it puts the files in a compressed tar ball (.tar.gz or .tgz) and calls it a .war (Web ARchive) file.

As far as I can tell, this is a case where Microsoft has actually done the right thing, using a standard, open file format, and the Linux world is lagging behind. Shocking, but true.

The end of the Wintel duopoly?

Are Microsoft and Intel in trouble? The signs are troubling for the major players in the Wintel world, with Microsoft's earnings cut by 29%, Intel's by 90%, while IBM, Texas Instruments and Red Hat seeing some major growth.

Windows 2012

A serious of startup messages from Windows 2012 has fallen through a timewarp and found their way to Mark Gibbs of Network World.

08:52 Welcome to the Microsoft Windows Horizon operating system. Today is July 10, 2012. The temperature outside is 105 degrees Fahrenheit, the wind speed is 40 knots gusting to 80 knots, the air pollution level is extreme and the UV level is dangerous. The Homeland Security Threat Level is red.

09:03 To log on, please enter your name and password. Thank you, your account is valid. Please touch the fingerprint scanner. Thank you, your fingerprint is recognized. Please look into the retinal scanner. Thank you, retinal scan passed.

Read more.

Another record for Microsoft

PC Pro is reporting that the number of security vulnerabilities patched by Microsoft have broken their previous record.

The number of critical flaws in Microsoft software has hit a record high, offering a prime opportunity for hackers to exploit the backlog of unprotected vulnerabilities, according to security experts.

So far this year, the software giant has already addressed more critical vulnerabilities than in 2004 and 2005 combined, according to security specialist McAfee.

In further news, Paul Thurrott, writing for Windows IT Pro, describes Internet Explorer 7 as "a cancer" and recommends that both developers and end-users avoid it:

My advice is simple: Boycott IE. It's a cancer on the Web that must be stopped. IE isn't secure and isn't standards-compliant, which makes it unworkable both for end users and Web content creators.

How things have changed. It wasn't that long ago that you couldn't find a more pro-Microsoft journalist than Paul Thurrott.

Lock down that printer

Bruce Schneier has a timely reminder that one of the most vulnerable parts of any computer network is the printer. Printers are computers. Many of them are running Windows themselves, but even if they're not, no software is perfectly secure.

Microsoft locks out security firms

According to The Register, Microsoft's recently introduced security measures will make it much more difficult for third-party software companies to integrate their security tools with Windows.

Software firm Agnitum says that Microsoft's new "Kernel Patch Protection" technology makes it virtually impossible for legitimate security firms to integrate their software with Windows, unless they use the same tactics and tricks as crackers and black-hat hackers.

Agnitum's security researchers suggest that the Kernel Patch Protection is:

susceptible to reverse engineering attacks by skilled hackers, while preventing legitimate software developers from installing software at the kernel level, unless ISVs similarly reverse-engineer access to the OS kernel. Such an approach would make it more difficult to install and maintain independent security products on Windows, Agnitum argues. Hackers, by contrast, have no need to fret about compatibility issues.

"As the vendor of Outpost Firewall Pro, we have to install at the kernel level," said Alexey Belkin, chief software architect at Agnitum. "In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft - if we use the same techniques used by hackers."

So, let me get this straight. Microsoft's anti-rootkit and malware software blocks legitimate non-Microsoft security products, but allows the bad guys to install malware on your Vista PC?

"Microsoft made a logical move with this attempt to protect Windows against rootkits," said Mikhail Penkovsky, vice president of sales and marketing at Agnitum. "Unfortunately, it doesn't really resolve the problem, and also makes it a great deal more difficult for independent security software developers to be fully compatible with Windows."

"Nobody knows if Microsoft has done this intentionally, but we can't avoid the suspicion that this move may have been designed to force users to rely on Microsoft and only Microsoft for Windows security," he added.

You think??? Say it ain't so!!!

Software demos gone bad

Last week, Microsoft's Vista product manager Shanen Boettcher gave a demonstration of how easy to use, and powerful, Vista's speech recognition technology will be. Boettcher decided to dictate a simple letter to mom.

The result, as Reuters explains, was embarrassing.

Instead of the simple greeting "Dear Mom", Microsoft's software came up with "Dear Aunt, let’s set so double the killer delete select all." Attempts to fix the error only made it worse.

Microsoft CEO Steve Ballmer attempted to blame the failure on "a little bit of echo" in the room. But a later demonstration during the same meeting showed the software able to recognise fixed menu commands perfectly well. Perhaps the echo had gone away by then?

Microsoft loves Open Source now

Microsoft was virtually the last major IT company to discover the Internet (despite what Bill Gates would tell you in the second edition of his autobiography). Now, after years of describing Open Source as a "cancer", Microsoft has discovered that they and Open Source are bestest buddies.

Director of business development, intellectual property and licensing at Microsoft, David Kaefer, said open source had bolstered innovation in a distributed fashion.

He called the open source software movement a very powerful force in the industry.

"I think one of the exciting things about the open source software movement is it actually brought together a very distributed group of developers," he said, speaking at Business of Innovation,a Valley Speakers Series event held at Microsoft's Silicon Valley offices.

In fairness, some of the Shared Source licences are quite reasonable, and some even qualify as truly open source, but with Microsoft you always have to be on look out for the bait-and-switch. Just because a Shared Source licence is described by Microsoft as "open" doesn't mean it is.

Windows uses pirate software

Windows XP ships with sound files which were created with a pirated copy of Sound Forge, cracked by the warez hacker "DeepzOne".

The evidence of this is surprisingly easy to find: look in the Windows\Help\Tours\WindowsMediaPlayer\Audio\Wav directory under Windows XP, and open up the WAV files in Notepad. Scroll to the end and you will find a reference in the sound file to DeepzOne.

The question is, what is DeepzOne's name doing in nine WAV files supplied with Windows XP? Lacking any other explanation, it seems on the face of it that the files were generated with a pirated copy of Sound Forge. Without further information from Microsoft, it is impossible to say whether it was a Microsoft employee or a freelancer who was responsible for that -- only the Windows Media Player team will know for sure, and so far they haven't said.

As "kaskangar" points out, there are deeper implications:

The topic still raises a moral problem, though, as Microsoft is quick to report every oh-so-minor success in the fight against piracy. In the wake of that move, the company also joined the BSA (Business Software Alliance), which has devoted itself to the "fight against software piracy" and persecutes violaters around the globe. But maybe BSA knows which office door it should knock on[.]

WGA false positives

There's nothing official, as yet, but the rumour-mill has it that Microsoft's beta WGA software, pushed out as a critical update, is finding a lot of false positives:

And you really, really don't want to inform a client like Proctor and Gamble that it is pirating code; and, my sources insist, that's exactly what the beta code has been doing.
[...]
When the rumour started spreading, users got together to share outrage. It quickly became apparent that some of them weren't at P&G and instead of having corporate rank, were quoting military rank. Yes; the USAF has also been tagged, say my sources, as a corporate pirate.

Is Microsoft about to release a Windows kill switch?

Is Microsoft planning to make their new anti-piracy tool, Windows Genuine Advantage compulsory? And if they do, what happens to people who refuse to install WGA?

Could Microsoft be planning to remotely shut down incorrectly licenced or unlicenced copies of Windows?

June 27: David Pollak over at Interesting People quotes a Microsoft help-desk operator:

in the fall, having the latest WGA will become mandatory and if its not installed, Windows will give a 30 day warning and when the 30 days is up and WGA isn't installed, Windows will stop working, so you might as well install WGA now.

June 27: Ed Bott at Zdnet picks up on the story. Being suspicious of anything coming from "a front-line tech support drone", he asked Microsoft for an official confirmation or denial. Instead, he got the following:

As we have mentioned previously, as the WGA Notifications program expands in the future, customers may be required to participate. [emphasis added by Ed Bott] Microsoft is gathering feedback in select markets to learn how it can best meet its customers' needs and will keep customers informed of any changes to the program.

June 30: Microsoft's Public Relations firm contact Ed Bott, and deny -- sort of -- that Microsoft could or would shut down copies of Windows remotely:

I’m still trying to reconcile this rambling response with the terse statement I received from a Microsoft representative on Monday, flatly refusing to deny a report that WGA will become mandatory in the fall. [...] In fact, I can’t find anything in this new response that contradicts the earlier statement I received from a Microsoft spokesperson

Later that day, Microsoft, via their PR firm, flatly refuse to answer any more questions about WGA.

June 30: Respected computer security researcher Bruce Schneier blogs about the hypothetical kill switch:

The stupidity of this idea is amazing. Not just the inevitability of false positives, but the potential for a hacker to co-opt the controls. I hope this rumor ends up not being true.

Although if they actually do it, the backlash could do more for non-Windows OSs than anything those OSs could do for themselves.

I'm going to put my reputation (such that it is) on the line here:

Microsoft is absolutely positively working on a Windows kill switch, no doubt about it.

How do I know? One word: FlexGo.

If Microsoft is serious about FlexGo ("Pay as you go computing") -- and you better believe that they are -- then they absolutely have to be thinking about ways to ensure people do, in fact, pay as they go. Otherwise, FlexGo will be just the world's biggest give-away of PCs and software.

Microsoft says:

Microsoft FlexGo makes it possible to lower the entry cost of PCs and let people pay for computers as they use them. This technology supports two models today: a pay-as-you-go model enabled by prepaid cards or a subscription model with monthly payments.

People on the subscription model have to pay the monthly bill or else the debt collector will come take the PC back. But what about those on prepaid cards? If the PC keeps working, what's going to motivate them to buy recharge cards?

There is only one thing that can ensure they keep buying those cards. Windows has to lock itself down and stop working until they do. And that means a kill switch. Windows will have to recognise when the prepaid card has run out, and stop working.

That kill switch may or may not be put into standard Windows (XP or Vista). It may never work sufficently well for Microsoft to inflict it on developed nations; Microsoft might decide the backlash from the kill switch will hurt them too much; they might even decide to open-source the whole of Windows. (Yeah, right, and the Queen of England is a lizard.)

But you can bet the farm on Microsoft working on a kill switch right now. They know that this could be a PR disaster, but they need it desperately -- which is why they're so reluctant to comment on it. They're hoping that people will just get used to WGA, just like they got used to Product Activation. Microsoft are counting on users not realising the long-term consequences until they have the ability to lock people out of their own computers.