Re: Working Within the System

From: Martin Ling (martin@nodezero.org.uk)
Date: Sun Apr 30 2000 - 06:49:55 MDT


On Sat, Apr 29, 2000 at 08:57:54PM -0500, Billy Brown wrote:

> Martin Ling wrote:
>
> > However, there are very competent bodies who set out open industry
> > standards for software, hardware and the Internet.
>
> Open standards are primarily a marketing tool used by companies that have
> tiny market shares to persuade people to buy their products. Sometimes such
> a "standard" will actually become so commonly used as to become the normal
> way of doing things (i.e. HTML), but it is just as common for a completely
> proprietary standard produced by a big company to end up in that role (i.e.
> ODBC).

HTML is not a company-originated standard. As Adrian pointed out on this
thread, it was produced by a scientist (Tim Berners-Lee).
 
> Just because a bunch of companies get together and issue a 'standard' does
> not mean that their work should have any special protections, or that
> everyone should immediately adopt it.

As I point out below, I don't expect them to.

> > And you know what? I'm not even suggesting Microsoft has to use them!
> > They are more than welcome to go off and use their own proprietary
> > standards instead.
> >
> > What I *really* object to is the way they take the standards, claim they
> > are using them, and then produce their own broken implementation, add their
> > own undocumented features, and use their position to make sure those
> > changes get spread and used, causing incompatibilities everywhere.
>
> If you think this is some special sin of Microsoft's, you need to look
> around more often.

I'm not saying it is. But Microsoft is a particularly bad offender, and
their exploitation of their monopoly position allows them to magnify the
effects of this interference.

> Interoperability standards, like TCP and HTTP, are another matter. Because
> their purpose is to allow products from different vendors to work together,
> it is usually in everyone's best interests to fully codify and support them.
> No one has much to gain from adding proprietary features, or trying to
> sabotage someone else's implementation, so it doesn't happen very often. In
> this field Microsoft has actually done an outstanding job - in less than a
> decade they moved from a very primitive OS based entirely on proprietary
> software to a competitive product that supports every significant
> interoperability standard I've ever heard of (and a lot of insignificant
> ones as well).

Aha! But Microsoft can, and do, disrupt these. These are the ones I am
bothered about.

When HTTP/1.1 was introduced, Microsoft rushed ahead and implemented it
before the standard was finalised, so they could stick 'HTTP/1.1' on
their server products. As a result, there are incompatible versions of
HTTP/1.1 in circulation (not only Microsoft's). Now clients have to be
written to work around the broken parts of each one, and in some cases
features HTTP/1.1 was supposed to introduce cannot be effectively used.

A good recent example is the Kerberos authentication protocol. Windows
2000 clients and servers claim to use this, but Microsoft have added
undocumented features which make it incompatible.

(Given the spread of the WWW, I would personally say that HTML should be
considered an interoperability standard).

> > I have no objection to Microsoft writing and selling their
> > software, and making a hell of a lot of money out of it. But they don't
> > have any right to make things difficult for those (who are *not*
> > competitors of theirs) trying to ensure people have the freedom to use
> > whichever tools they wish to make use of the infrastructure, for
> > whatever reason
>
> That sounds very noble and high-minded, but in practice what you want is for
> MS to be forbidden from competing with anyone who chooses to wrap themselves
> in the 'open standards' flag.

No, I'm not. I'm suggesting that if they choose to do so, they either
use those open standards without corrupting them, or invent their own
and at least be honest they're doing so.

> > (such as because Microsoft's are buggy and insecure).
>
> Ten years ago this remark would have been on target. Five years ago the
> matter would have been arguable. Today it is simply ignorant prejudice.
> Microsoft's current performance in both these areas is in the top 25% of the
> industry, and still improving at a steady rate. They aren't the best in the
> world, but they are much better than average, and unless the Unix vendors
> get their collective act together they *will* be the best in another five
> years or so.

This is not ignorant prejudice, this is based on my direct experience,
and observation of numerous security mailing lists and advisories.

Their security record is dreadful. Witness for one thing the critical
buffer overflow problem discovered last June in NT4/IIS, which they also
took some time to fix. More recently the IO.SYS problems in Win95/98,
which they have refused to release fixes for despite people *sending*
them patches.

Martin

-- 
+--------------------------------------------------------+
| Martin J. Ling              Tel: +44 (0)20 8863 2948   |
| martin@nodezero.org.uk      Fax: +44 (0)20 8248 4025   |
| http://www.nodezero.org.uk  Mobile: +44 (0)7940 482675 |
+--------------------------------------------------------+



This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:09:59 MDT