Domain: microsoft.com
Stories and comments across the archive that link to microsoft.com.
Stories · 1,971
Microsoft Anti-Spyware Removes Norton Anti-Virus
An anonymous reader writes "According to a story over at Washingtonpost.com, the latest definitions file for Microsoft's Anti-Spyware beta flags Symantec's Norton Antivirus products as a password-stealing trojan and prompts users to delete portions of the program. Users who follow the instructions hose their installation of Norton, requiring delicate Windows registry edits and a complete removal/reinstall of Norton. Microsoft's support forum is quickly filling up with complaints about this problem, many from businesses that have been pretty hard hit. This should be a cautionary tale about deploying beta products in production environments."
IE7 Bug Reports Flooding In
the JoshMeister writes "According to ZDNet, bug reports are already flooding in for Microsoft's new Internet Explorer 7 Beta 2 Preview. Specific issues include the possibility of arbitrary code execution as well as incompatibilities with McAfee Security Center, anti-spyware programs, and online banking sites." From the article: "... browser testers may already be at risk, according to security researcher Tom Ferris. Late Tuesday, Ferris released details of a potential security flaw in IE 7. An attacker could exploit the flaw by crafting a special Web page that could be used to crash the browser or gain complete control of a vulnerable system, Ferris said in an advisory on his Web site. Microsoft had no immediate comment on Ferris' alert."
IE 7.0 Beta 2 Available to the Public
spyrochaete writes "Microsoft has just made available their latest beta preview build of their Internet Explorer 7.0 web browser. New features such as tabbed browsing and RSS subscription are summarized in an animated tour. MS welcomes feedback at the Internet Explorer 7 newsgroup." There's also a Channel 9 interview available, as well as commentary on the IEBlog. Update: 01/31 19:58 GMT by Z: prostoalex wrote in with a link to a review of the release at PC Magazine.
Microsoft Loses Office Patent Dispute
cwolfsheep writes "According to CNet, Microsoft has lost a patent dispute with a developer involving the company's Excel and Access product lines; specifically how they interact via spreadsheets. Carlos Armando Amado had filed a patent in 1994: the dispute covers Microsoft's products from March 1997 to July 2003. Office 2003 users will need to upgrade to Service Pack 2; Office XP users will need to apply a patch."
Buy Vista or Else
theodp writes "Upgrade or keep crashing was the tagline when Windows XP was introduced. So how will Windows Vista be marketed? 'I'd hate to see something bad happen to your PC,' seems to be one pitch. Even if new features won't get you to upgrade to Vista, you should buy Vista for the security, urged Windows Chief Jim Allchin. Are commercials featuring Tony Soprano next? Bada Bing!"
MS Security VP Mike Nash Replies
You posted a lot of great questions for Mike Nash last week, and he put a lot of time into answering them. As promised, his answers were not laundered by PR people, which is all too common with "executive" interviews with people from any company. Still, he boosts Microsoft, as you'd expect, since he's a VP there. And obviously, going along with that, he says he likes Microsoft products better than he likes competing ones. But this is still a great look into the way Microsoft views security problems with their products, and what the company is trying to do about them.
(1)
What has changed?
by suso
Besides the same old PR scripted answers that corporations like to give in order to obscure or downplay what is really going on, what assurance can you give us that Microsoft is more focused on security and that Vista is going to be any different from the previous incarnations of Windows? What proof can you give us? Information like "We have a new team doing X" or "our process for reviewing changes has gone to X" is helpful in answering this question. What else have you seen in the way MS is developing Vista that is different from how you've developed previous products?
Nash: We have been thinking about security at Microsoft for some time. I would say it started back when we decided to do Windows NT back in the early 90s. There has been a big change in the way we approach security from a quality point of view that started in much more depth when Bill wrote the Trustworthy Computing Memo back in 2002.
What happened then was that we decided we were going to get much more focused on security since it was such a huge issue for customers. Remember, we were right on the heels of Code Red and Nimda and we had to do something. For the .NET Framework 1.0, Visual Studio 2002, ASP .NET and for Windows Server 2003, it started with a security push where we took the teams offline relatively late in the product cycle, taught the teams what it meant to write secure code, had them do threat models and code reviews, etc.
What is interesting is how much of this had to do with educating our engineers on what it means to write secure code and changing the culture. I will give you examples of both.
Two or three years ago, we had a vulnerability in Windows Media Player where an attacker could send out a piece of media content with a malformed copyright field and because of a flaw in the code that parsed the copyright, the attacker could overrun a buffer and run arbitrary code on the machine. So the question was, should the developer of the Windows Media Player have thought about that kind of attack and taken steps to prevent it? Remember, we want the people writing the Media Player to make the world's best media player. The answer has to be YES! While you could have a tiger team work around the organization reviewing all of the code in every product that we ship, that doesn't scale. You could never have enough dedicated security expertise; if they made changes they might break something since they really couldn't understand the details of the code they are making more secure. This works for final reviews, but final review needs to be like the guard rails on the side of the road -- they are a great last resort, but we need better drivers! So we trained everyone. The key thing here is that we also learn new things over time (better tools, new threat vectors, and new scenarios) so the training has to be continuously updated.
Culture is a huge issue as well. Microsoft is a company that is very focused on technology, very focused on business, and very focused on the competition. Getting groups to put security high in their list of priorities was a super hard thing to change at Microsoft. Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time. Today, generally, people get it. It's now clear to us that security is a competitive and business priority. While I still see escalations from people who want exceptions, the numbers are pretty low. A big change from four years ago is that when I say no, I get great support from above me in the organization.
A key thing that came out of our experience with Blaster in 2003 was something called the Security Development Lifecycle (SDL). Really the SDL is the formalization of work we were doing previously. Remember Blaster exploited a vulnerability in Windows Server 2003 -- a product that had been through a security push (it also affected Windows XP). When we did the post mortem on how the vulnerability happened, what we realized was that while there were huge improvements in the quality of our code between Windows 2000 and Windows Server 2003, there was still more work to do. In particular, we needed to have: 1) a documented, repeatable process, 2) internal education so that everyone involved in the product release process knew what to do, and 3) a checkpoint in the release process to make sure that this process was followed.
The key thing about the SDL is that we basically have to update it every six months because the threat landscape changes, the scenarios we support grow and we learn more.
For Windows Vista, the key things that will make it great are a combination of the most rigorous execution of the SDL to date -- more training, newer tools, threat modeling, more comprehensive review of file parsers, review of code to identify and remove use of banned (risky) APIs and a whole lot of penetration testing.
As a part of this, a lot of work is also being done to change the default configuration to make it safer and more secure. We have done a lot of work to make the system work well for standard users (so that not everyone has to be an admin), but for users who still need or want to be logged on as an admin on their system we make it clear to them when they are about to do something that requires administrator privilege. The user can configure their system to either ask them if they want to escalate, or ask for a password when the system tries to elevate them. We have also gone through all of the system services in Vista to see which ones have admin privilege, verify which ones really need it, and for the ones that don't, remove it.
For Windows Vista we enhanced the engineering process with some new checkpoints in the engineering cycle. One such checkpoint requires that every team developing a system service in Vista go through the process of using a new Vista least-privilege operational model. A team of internal experts had to sign-off on the plan for each service, and in a significant number of cases, teams avoided creating a service altogether when an alternate approach was possible.
While quality is an important approach to improving security and safety, it's just one part of it. There are also some key features we have added to Windows Vista to make it safer and more secure. For example, we have taken the anti-spyware technology that we acquired from GIANT Company Software, improved it and integrated it into the operating system in something called Windows Defender. While the anti-malware technology will also be available to users who have licensed copies of Windows 2000 and Windows XP, for Vista the integration is pretty slick, which makes it much easier for customers to be protected. For Vista, we also improved the firewall built into the operating system. It's bi-directional and is designed to work well with IPSec.
Given the changing landscape on the Internet, and the continued focus on the Windows platform, sadly I know there will be vulnerabilities and exploits that target Windows Vista. Invariably, as we make it much harder for people to find and exploit vulnerabilities in Windows Vista, I am certain of two things: 1) the number and severity of both vulnerabilities and exploits on Windows Vista will be reduced, making the switch to Vista compelling if ONLY for security reasons, and 2) we will continue to focus on security even after we ship Windows Vista so that the work that comes after Vista will be even better.
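The service review Nash describes above (find every service that holds admin privilege, decide whether it needs it) starts with an inventory. The following read-only PowerShell audit is an added example, not code from the interview or from Microsoft; it lists services by the account they run under and singles out the auto-start, running ones that use the LocalSystem account, which is the set a least-privilege review would examine first.

```powershell
# Added example: inventory Windows services by logon account to support a
# least-privilege review. Read-only: it queries WMI/CIM and changes nothing.

# Win32_Service exposes the logon account as StartName.
$services = Get-CimInstance -ClassName Win32_Service

# Built-in identities that carry full administrative privilege on the host.
# (Assumed set for this example; extend it to match your environment.)
$highPrivAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

$report = foreach ($svc in $services) {
    [PSCustomObject]@{
        Name      = $svc.Name
        Display   = $svc.DisplayName
        Account   = $svc.StartName
        StartMode = $svc.StartMode      # Auto, Manual, Disabled
        State     = $svc.State          # Running, Stopped
        HighPriv  = $highPrivAccounts -contains $svc.StartName
        Path      = $svc.PathName
    }
}

# 1) How many services run under each account? A large LocalSystem bucket is the
#    signal that there is review work to do.
Write-Host "Services per logon account:"
$report | Group-Object Account | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2) The review queue: always-on services that hold admin privilege. Each one is a
#    candidate for running as LocalService/NetworkService or not as a service at all.
$queue = $report | Where-Object { $_.HighPriv -and $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
    Sort-Object Name
Write-Host ("Auto-start, running, high-privilege services: {0}" -f $queue.Count)
$queue | Format-Table Name, Account, Path -AutoSize

# 3) Save the inventory so a later run can be diffed against it after changes.
$report | Export-Csv -Path (Join-Path $env:TEMP 'service-privilege-audit.csv') -NoTypeInformation
```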
(2)
Security/user friendly tradeoff
by qwijibo
Is there a general policy within Microsoft to help product teams make consistent security decisions? There are frequently issues where the decision has to be made between being more secure or more user friendly.
For example, file and printer sharing defaulting to off prevents people from unknowingly sharing their resources, but requires non-technical users who do wish to set up a small network to know more about the process than in previous versions.
Nash: This is an old issue that we have made quite a bit of progress on. At Microsoft we had a long history of turning things on by default in the spirit of making users' lives easier and showing off our key features. I have to admit that in my past I have actually been part of the problem. As the director of product management back in 1995, I was part of the team that drove the decision to turn our web server, Internet Information Server (IIS), on by default in Windows NT Server 4.0.
What the events of the last 5-10 years have taught us (or at least taught me) is that the more you have turned on, the more attack surface area the system has and therefore the more vulnerable it is. If you assume near perfect quality or that there is no one out there trying to attack you, it might even be an ok decision. But since you can't, we need to be more selective about what things we turn on by default.
Consider the case of Code Red. That worm attacked a vulnerability in the ISAPI filter of the index server of IIS. Let's assume for a minute that you don't know or care what the ISAPI filter of the Index Server of IIS is. Even in that case it turns out that if you turned off the Index Server in Windows Server 2000 SP3, that ISAPI filter was still installed. So while you might have thought that shutting down the index service makes you less vulnerable, it turned out that you were not.
So coming out of the whole Code Red experience, we created the Trustworthy Computing Initiative (TwC). One of the key principles of TwC that drives the Security Development Lifecycle is the principle of Secure by Design, Secure by Default and Secure in Deployment (or what we call SD3).
The principle of Secure by Default says that unless most users are using a feature, it should be turned off by default. What we have also learned along the way (and my Code Red example shows this) is that you can't just look at the user visible features, but also need to look at the underlying services. So if the customer feature is off by default (or turned off by the user) then the underlying components that support them should also be turned off when the high level feature isn't using the service.
But you make a great point about complexity. If we turn more things off by default, we need to make it easier for users to turn things on when they want to use them. For example, in Windows Server 2003 SP1, we added something called the Security Configuration Wizard that is designed to help users configure their systems with as much turned off as necessary. The benefit of turning things off by default is two fold: 1) it protects the individual system from being attacked if a vulnerability exists in the feature because the feature is turned off by default, and 2) it also protects the populations of systems because the worm or virus can't assume that the feature is on and therefore the systems aren't broadly exploitable through the vulnerability.
I should note that while we usually think about what features to turn off, Secure by Default is also about what features to turn on. A great example of this is the firewall in Windows XP. Back when we first shipped Windows XP in 2001, we included a firewall, but turned it off by default. Why? Because many of the influential users we spoke to said that they had a firewall and didn't want ours turned on. They also said that they had too many apps that would be negatively affected by having a firewall on by default. That was a good answer for the small percentage of users who had their own firewall, but for most customers it was a mistake. In hindsight, consider that if we had the firewall turned on between October 2001 and August 2004 (when we shipped Windows XP SP2 with the firewall on by default) that Slammer and Blaster might not have been an issue for Windows XP customers to the extent it was. And with Zotob, this was also the case. By the way, for customers who have a third party firewall, or for OEMs that install a third party firewall, they can always turn ours off.
The Windows Security Center, first introduced in Windows XP SP2, is designed to make it easy for end-users to verify that the right security features are turned on and configured properly. We're going to make it even better in Windows Vista.
This is as much about culture (reminding people of the goal of safety and security being job #1) as it is about process (making sure that the default state of the feature is considered in the context of what most people need).
(3)
Top priority for security in 2006
by Anonymous Coward
Given that security is a major topic on IT managers' minds these days, with security flaws and patches practically making front page news in some publications, what do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole?
Nash: The answer for me and for Microsoft is simple. The main focus for security in 2006 is nailing the security quality and features for Windows Vista and Windows Longhorn Server. Don't get me wrong, this doesn't mean that we don't care about the security of older products or products besides Windows, but given that Windows Vista and Windows Longhorn Server are going to be the most significant releases of Windows in the last five years or so, we know that they are going to be used broadly by a large set of users for some time -- so getting it right is critical.
As I noted above, we have the opportunity to apply the best practices in secure design, threat models, code quality, default configuration and penetration testing and more rigor than we have ever had in the past. We have also added some new features like a bi-directional firewall and Windows Defender to make the system safer and more secure. As the project becomes feature complete, we must verify that the system is secure and addresses the issues that are raised in testing.
There is also real work here for the industry as well. Some of this has to do with making sure that applications and security products work with Windows Vista. New applications need to work well for users who have standard (non-admin) user accounts. At the same time, we need to make sure that security products work well on Windows Vista. For example, no one is going to move to Windows Vista unless they have great anti-virus software that works well on it.
My other goal for the industry is that third party applications and internally developed applications adopt our Security Development Lifecycle. Here's why: as we improve the quality of Windows, we're making it harder for people to find vulnerabilities and therefore harder to write exploits. As a result, there will be a natural tendency for security researchers and exploit writers to move up the stack. We are already seeing this. As we have learned, the only approach that scales here starts with a well defined process, taught through broad education and verified prior to shipping to drive accountability. The good news here is that we have documented our process pretty clearly and made it easy to learn. Check out http://msdn.microsoft.com/security to learn more about it.
For customers, the top priority has to be defining and executing their security plan. I spend a ton of time with customers, many of whom have done a threat analysis of their environment and built a security plan. I am still surprised by the number of customers who have a plan but have not had a chance to execute it. The good news is that most have executed their security plan -- so the top goal for them is to reassess their environment and make sure that they are responding to new threats. We've also created a great set of tools to help customers (Developers, IT Administrators and End-Users) be more secure on our platform.
While we want customers to be evaluating Windows Vista, it's super important that business customers in particular, who have NOT yet deployed Windows XP SP2, think seriously about deploying it. While a large number of enterprise customers have deployed Windows XP SP2, many still haven't. While I get that not every desktop will get upgraded to Windows XP SP2 between now and Windows Vista, I think it's critical that laptops and Internet facing desktops move to SP2.
(4)
Outside influences on security
by kalpol
Has open-source software such as Linux influenced the way you think about security in Windows, and if so, how?
Nash: The open source approach has influenced the way I think about security, but I am not sure it's in the way you would have expected. The theory that more eyes makes software more secure is a premise that drove some anti-Microsoft PR back in late 2002, which caused my team and I to respond. My first step was to dig in and try to understand the open source process to see what I was missing.
I learned a few things. The first thing I learned was that while having lots of people look at code sometimes found issues, none of this mattered if there wasn't a good process to close issues. I spent some time reading Linux websites that contained reviews of Linux code. I was surprised by two things: 1) the lack of consistency in the way that software was reviewed, and 2) the lack of accountability to verify that things that were found actually got resolved. Then Blaster hit 10 months later in 2003 and I realized that like Linux we could also suffer from a lack of closure. So we invented the Secure Development Lifecycle, of which the key feature was that it drove consistency and accountability. Here is the background story...
After Blaster happened, I wanted to find out who was responsible for the buffer overflow that was exploited and hold the individual accountable. But once we looked into it, we realized that there was not a documented process that the developer was supposed to follow that would have prevented the mistake, nor did we have a set of procedures for our developers to verify that a secure development process was utilized. The Security Development Lifecycle is basically the institutionalization of these very things: a documented repeatable process, clear education and accountability. What I learned here was that because we have the ability to establish processes and reinforce them at every level of management, we had an opportunity to make our software do something that the open source approach couldn't replicate.
The second thing I learned about security from the open source approach was about serviceability. One of the things that proponents of the open source approach always talk about is the fact that with open source you don't have to wait for an official patch, since you can download the code, recompile it and create your own fix. I can't imagine this working at scale, since most users could never do this. For the customers who can manage to knit their own patches, the problem is that some distributions sometimes update a component with new fixes but they don't always include some of the fixes that more sophisticated users may have done on their own. This effectively undoes the home built patch.
The key learning for me was four-fold. First, it is super important that we have our updates available on all supported versions and all supported languages at the same time. Second, we need to do whatever we can to make sure that our updates are available when vulnerabilities are publicly disclosed. Responsible disclosure helps us a lot since people can confidentially report things to us in return for acknowledgement when we do issue the update. Third, we must have great quality when we do issue the updates. If our updates break things, then people won't trust them. In my mind, the definition of our products is the product that we ship PLUS the latest service pack PLUS any security updates we shipped after the latest service pack. If we don't test our security updates in a broad set of scenarios, then we are likely to break something.
Finally (fourth), it's important that we have tools to simplify the process of deploying updates since it reduces the barriers to deploying the updates and increasing the likelihood that customers are up to date. That is why we have invested in tools to make patch deployment much more straightforward like Windows Update, Microsoft Update, Windows Server Update Services and Systems Management Server.
(5)
What is the basic approach to Microsoft security?
by kickabear
Does Microsoft lean more towards rigidly enforced coding standards as a way to prevent exploitable bugs, or does the company focus more on brute-force bug detection during testing?
I know the easy answer is to say "both, of course" but a 50/50 split is unlikely. So, does testing take the backseat, or does the code?
Nash: My short answer is actually a third choice, which is better design. This starts with really understanding the security threat that a feature might introduce to the system and making sure that the design of the feature or component is designed to reduce the risk. Then we go to implementation which, as you note, is partially about better standards which must be taught through education, but must be reinforced with tools to verify code quality wherever possible.
We also do spend a lot of time using a combination of ethical penetration and interface testing. While bug detection is critical, it really is a last resort -- in some sense the guard rails on the road to safe driving on the road of software engineering. Just like driving your car on a windy road, safety starts with better driver (in this case developer) education.
All of that said, if there is one thing I have learned in the last four years in this job is that there are no silver bullets in security. Instead we make progress through a combination of investments.
(6)
Why add DRM? Also, why not decouple IE?
by Bob_Villa
Why are you adding in DRM controls to Vista that regular users are not going to want? It may come in handy for corporations wanting to control their documents, but I can't see how regular users would knowingly want a product that restricts their access to their documents or files.
Also, I think you could dramatically improve security by decoupling Internet Explorer from Windows. Have it be a separate program similar to Opera, FireFox, Safari, etc... Is there really a valid reason that Windows Explorer has to be driven by Internet
Nash: First, a point of clarification. I assume in this case, you are talking about the Rights Management Services (RMS) client that is now integrated into Windows Vista and not the DRM technology that is used to protect media content that has been built into Windows for some time. In the case of RMS, you are right that corporations see value in protecting their information and controlling the usage of that information. A key piece of feedback we got from customers using the current version of RMS was that setting it up was hard, so we integrated the RMS client into Windows Vista. That said, some customers may not use it. You would only use it if an RMS-enabled application such as Office was installed and a user opted in to use that feature in Office.
We also believe that over time, regular users will also want to protect their own information. For example in the future, home users may want to protect and control the usage of information such as lists of their friends, photos, banking account information and other personal data.
In terms of your question around Internet Explorer, there are two real aspects of this: 1) the platform implications of having IE in Windows, and 2) the user experiences that are possible with having IE in Windows.
From a platform point of view, decoupling IE would break a lot of things. There are many applications that depend on IE for rendering HTML and for accessing the Internet. Think about email applications, Internet-aware clients like the AOL Explorer or even Microsoft Money that use IE to render HTML in the application. Not only would this break a lot of applications, but it would also put a huge burden on developers who would now have to write their own HTML rendering capability.
From an experience point of view, a key goal for Windows has been to integrate the local experience and the remote (Internet) experience from a user interface perspective. Integrating the web browser into the operating system was a key part of delivering that experience for customers. The area where we can do much better is making sure that the kinds of things that can be done by a remote site are less than what can be done locally -- this is especially true for sites that you don't know or don't trust. A key enhancement to the browser for Windows Vista is something called Protected Mode IE. The browser starts with minimal access to system and user resources. For example, when a remote site is accessed, the site will not have privileges to install software, copy files to the user's Startup folder, or hijack the settings for the browser's homepage or search provider. Of course users always can choose to use other browsers and even have other browsers be set as the default on the machine.
I do believe that the progress we are making with IE in Windows Vista will address many of the concerns people have with IE security today.
(7)
Do you ever spend time with "average users"?
by Caspian
Time and again, I've seen average end-users-- grandmothers, "soccer mom" types, businessmen-- whose computers are positively clogged to the gills with spyware, viruses, and other sorts of malware, the overwhelming majority of which they were infected with via the exploitation of security flaws in Microsoft software. I'm often tasked with disinfecting their computers.
How often do you (and the members of your team) spend time with average end-users-- not just in large corporate settings but in small businesses and (just as importantly) in real-world home settings? I believe that if you would spend time with Joe Average and see just how badly his computer's performance (not to mention his personal privacy and the integrity of his data) is suffering from the exploitation of certain bugs and design decisions (e.g. the fact that most end-users run with Administrator privileges) in Microsoft software, it would cause a significant shift in Microsoft's security strategy.
No matter how often $LATEST_WINDOWS_VERSION is touted as more secure than its predecessors, I still keep getting called to average homes to remove countless items of spyware which infected Windows systems via holes (and/or poor design decisions, e.g. the handling of ActiveX controls and the abilities they can have to alter files on the system) in Internet Explorer, and to this day (despite the wide use of antivirus software) most end-user systems I examine do contain at least a few viruses (which entered the system via Microsoft Outlook).
What are you doing to secure Joe Average's PC? Do you have any interaction with average end-users? And if not, why not?
Nash: I personally spend a ton of time with end-users -- often friends and family, but also people that I meet through my job at Microsoft. I have a wife, three brothers, a sister, five sisters-in-law, three brothers-in-law, two parents, one mother-in-law, a father-in-law, one uncle, two aunts, one living grandmother, three kids (although they are all too young to use a PC), five nephews and seven nieces, so I get a lot of calls from family members asking for tech support. It's actually amazing how much their feedback has driven decisions in our security strategy. I will give you two examples:
Right after Blaster happened, my uncle Ken called me to see how I was doing with everything going on with the event. My uncle is a little strange (although he is my only uncle, so I really don't have anything to compare him to) and he sometimes calls me "nephew." He said, "Nephew, what should I do about this latest Blaster thing?" I told him that he should turn on Automatic Updates and turn on his firewall. When he asked me how to do it, I talked him through the dialog boxes and we got him set up. In this process, I learned two important things. The first was that the process of making these changes was a pain in the neck. The second was that we really should have changed the default configuration for Windows Update.
When we shipped Windows XP Gold in 2001, we introduced Windows Update for the first time. At the time there were two options that the user had to choose from when they installed Windows: 1) tell me when updates are available, or 2) download the updates and tell me that they are ready to install (the default). When we shipped Windows XP SP1 about a year later, we added a third option which was to download the updates and install them. The problem was that when we added this third option (the best choice for most people), we left the second option (download and tell me) as the default. I am not sure why we did this, but my guess is that no one thought it through. So what did my experience with uncle Ken influence? A few things. First, we created a webpage at www.microsoft.com/pypc that included a little program that turned on your firewall, and helped you turn on the third option for Automatic Updates. We also changed the default setting for Automatic Updates in Windows XP SP2.
My second story is about my grandmother, Estelle (I am 42 years old and not too proud to tell you that I call her Nanny). Nanny got her first PC in 1992 soon after I came to Microsoft. In 1995 she got her second PC -- I was excited about Windows 95 and so was she. In late 2001, I sent a mail to all of my family members telling them that I would only help them with their PC if they were running Windows XP, so my grandmother ran out and bought an XP machine.
In February of 2004 I was down visiting Nanny in Florida. I was on my way home from a business trip, so I was only there for about a day. When I got to her house she fed me breakfast, looked at the latest pictures of her great-grandsons and then said to me that she needed some help with her PC. When I powered the thing on, it was clear that something was wrong. The machine was very slow and you could see the icons on her desk being drawn pixel by pixel.
It turns out that her machine was massively infected by spyware. She had gotten some mail offering her $10 to take an online survey which she had taken seven times. Without realizing it, each time she completed the survey and tried to claim her $10, she had agreed to the terms of a software license and downloaded spyware on her machine. She had effectively sold her $900 PC for 70 bucks. It took me about three hours to get her machine running again. I went back about a month later and installed Windows XP SP2 (beta at the time) on her machine, but what I realized was that we had a much bigger problem with spyware.
With that visit came the vision for Microsoft's anti-spyware strategy and our focus on delivering an anti-spyware solution.
Today, I travel a bit more prepared for situations like the one I encountered at Nanny's house. I have a 512MB memory stick with me in my briefcase that includes a copy of Service Pack 2 for Windows XP, the latest beta of Windows AntiSpyware and the current month's release of the Malicious Software Removal Tool.
(8)
Windows updates to unregistered machines?
by Spy der Mann
Dear Microsoft Security VP:
I know a person who doesn't have his copy of Windows registered. His PC got infested by spyware, so my deduction is that his computer was probably used to send SPAM, spread viruses and whatnot. When he called me for tech support, I told him to download the Microsoft Anti-Spyware from Windows Update, but his answer was that it required a registered copy.
My question is this: If Windows updates make the Internet SAFER from hackers, spyware and viruses, why limit them to registered copies of Windows? (IMHO this is analogous to not giving the vaccine of the bird flu to illegal aliens)
What do you plan to do about this?
Nash: This is a great question and one that we struggled with as we established the policy. First, I should clarify one thing. While the Windows AntiSpyware offering is only available to users of licensed copies of Windows, we do make our high priority security updates available to unlicensed users of Windows, primarily in order to prevent unlicensed Windows systems from posing a threat to the Internet if they get infected. We do, however, remind unlicensed users of Windows to get genuine.
At the end of the day, Microsoft's first commitment is to protect our paying customers. We made a decision last January to make Windows AntiSpyware technology available to licensed Windows customers at no charge. When we first acquired GIANT Company Software, the plan was to make scanning for spyware a free service on Microsoft.com, but charge for the technology that blocks spyware. The theory was that frequent scanning was a good substitute for people who didn't want to pay for the blocking capabilities. Within a few weeks of running the beta of the anti-spyware technology we realized that this premise wasn't valid since while it's easy to detect and remove the primary spyware infection, spyware often brings with it more spyware and detecting and removing the secondary and tertiary infections was much harder. So we made the decision to include this blocking capability in all licensed copies of Windows.
So the question is, why not protect non-licensed users from spyware? The short answer is that spyware primarily affects the machine that has the infection. Part of the value of owning a licensed copy of Windows is that you are protected from spyware. If you don't pay for your copy of Windows, you aren't protected.
It's hard for me to feel too bad for the person who you know who doesn't have a licensed copy of Windows and is infected. They are using stolen software. I have heard the arguments that Microsoft has lots of money and shouldn't care if people are using our software illegally. I don't buy it (no pun intended). You could make this argument in many other cases, but we don't tolerate people eating a meal at a restaurant and then not paying, or stealing a candy bar from a convenience store or taking a TV from an electronics store. In this case, your acquaintance wants the free meal, but can't understand why we don't throw in dessert.
If your acquaintance installed their own pirated copy of Windows, I recommend that they get a valid copy and install it. If they got their pirated copy of Windows preinstalled on a PC, then they should report the company that sold them their PC and we will use the information to get the vendor to make things right, and will get your acquaintance a valid license in return for the information.
(9)
MSFT employee here
by Anonymous Coward
Hi, Mike,
I have just one question for you. Why do we STILL ship products with KNOWN security issues?
I'll even tell you how it works in the trenches. Folks build the product. At the end of it all a "Security Push" gets declared. For two to three weeks people pretend they care about security by coming up with potential security issues and assigning DREAD+VR scores to them. Then management arbitrarily sets the "bar" below which we don't fix potential and real security issues. This bar is usually very high, sometimes at around 8, because hardly anyone has time in the schedule to fix all issues found. Now, DREAD score 8 means that the flaw will affect a ton of customers and cost Microsoft significant litigation. Some very severe bugs slip under the bar just because they don't affect more than 10% of customers. Now, even this exercise is a joke, because most developers don't know what a DFD is or how to put one together.
This wasn't even the most ridiculous part of the exercise. The most ridiculous part is security "code reviews". It's when feature owners walk into a room with a huge stack of printouts and pretend they can be reviewed in the couple of hours they've allocated for this. You can barely glance through this much code in this much time; 90% of security issues remain unnoticed during this "code review".
After all is said and done, the product is only slightly more secure (SOME of the most ridiculous things have been fixed), and management gets delusional, saying that the product is now Fort Knox secure.
If you ask me, that's an abomination, not a proper security process. Are there any plans to change it?
Nash: Wow, this is a great, yet difficult question. First, I should say that there is a great process for security quality called the Security Development Lifecycle (SDL) that is designed to make sure that we act consistently as a company. This means having a well documented, repeatable process, great education that teaches people how to follow the process and the accountability to make sure that the process is being followed consistently. A part of this accountability is something called the final security review (FSR) that my team executes on behalf of the company to make sure that the process is actually being followed. At the end of the day, the product group that ships the product is accountable to make sure that the process is followed.
I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time.
One of the key things that will make this work is consistent execution across the company. I won't say that we have or should have the same level of rigor across all of our products (Windows deserves more scrutiny than say, a game), but we must apply the process appropriately. Generally speaking, Microsoft product groups are following the process consistently. That said, Microsoft has over 60,000 employees, so it's not a huge surprise that we have some people who just don't get it. While it's not a huge surprise, it's also not acceptable. If we have a group that is not aware of the process, then we have an education issue. If we have a group that is knowingly ignoring the SDL or deprioritizing it, at best we have an accountability problem and at worst an HR problem. The only way that I can help is to know about it so I can have it addressed appropriately. While I see that you posted this question anonymously, I encourage you to contact me directly through email and we can meet to discuss this. I assure you that I will protect your identity. If you are not comfortable with this, call my direct line at Microsoft (using an outside line--so that caller ID is blocked or from a conference room) and I promise not to ask your name.
As I have said many times, the Trustworthy Computing Initiative is a journey that we started in 2002 with measurable improvements along the way. In this case we clearly have a problem that needs to be fixed so that we can improve.
(10)
Why no AES in SSL yet?
by jonathan_lampe
Why hasn't Microsoft added AES to its SSL stack yet? As a Microsoft developer, it's annoying to get beaten over the head when facing competing solutions that can use the AES (128-,192- and 256-bit) encryption algorithm in their SSL implementations.
(OpenSSL - including the Mozilla browsers - and Java SSL have all had AES support for a while. Most SSH implementations have also had it for a while.)
Nash: This is a great question. The AES was approved as a FIPS algorithm after Windows XP was released in 2001. Adding it to Windows XP RTM was basically not possible. Our approach for cryptography was and is to support a pluggable model and enable replacement in our platform in a broad sense. IE and IIS depend on the platform (OS) cryptography capabilities, so adding this capability was an operating system change vs. a change in the browser, as was the case with Mozilla.
While it's fair to say that we could have just dropped AES support into the platform, the approach for pluggable crypto enables a lot more flexibility for customers. For Windows Vista, we added support for pluggable cryptography, which we refer to as CAPI next generation or CNG. With CNG we not only add support for AES, but also add support for Elliptic Curve Cryptography (ECC) and the SHA-2 family of hash algorithms.
We are currently looking at the feasibility and benefits of making this capability available down-level. I should also note that in contrast to the existing AES implementations that have not been through an evaluation, we plan to get our implementation evaluated to meet FIPS guidelines and requirements.
(11)
VISTA users must still be administrators?
by arminw
In current Windows systems, many programs will only work correctly if the user is granted administrator rights. Will MS lean on developers to write their software such, that a normal user status is sufficient? Much malware today silently installs itself without so much as a warning to the user. Will VISTA incorporate some sort of warning and ask for a password before ANY executable file can run for the first time or install itself deep in the system? Will users be told NOT to type password unless they are SURE the file comes from a trusted source?
Nash: One of the key enhancements in Windows Vista is something called User Account Control, which in my mind is a fancy name for standard user that works. There are really two parts of User Account Control. The first is a significant set of changes to Windows Vista so that the system doesn't require admin rights in places that shouldn't, while still protecting the system in cases that should require admin. I will give you a simple example that illustrates what I mean. In Windows XP today, you need to be an administrator to run the clock applet in the control panel, but as it turns out there are cases where the user shouldn't need to be an admin to run this applet. For example, a standard user should be able to LOOK at the clock. In addition, while changing the time on the system should require admin privilege (to maintain the integrity of system logs, etc.), when I travel from Seattle to Boston, I should be able to change the time zone of the system so that I know the local time and show up for meetings on time, etc.
So in Vista we separated these functions so that standard users can do the things that standard users need to do, but still require admin for the things that need protection.
The other thing added is something we call protected admin. This is a mode that administrators run in by default. If someone is configured as an admin, their basic execution happens as a standard user. When they try to do something that requires the administrator privilege, the system prompts them to see if they want to elevate to admin to complete the task, and if they consent, just that task is elevated (this is more secure than SUPERUSR ON in Unix, which elevates the entire session). When the task completes, the high privileged process is torn down. The system can also be configured to require a password on elevation.
As you note, this also has a lot of implications around application compatibility and a ton of work is being done to help ISVs building solutions for Vista to make sure that their applications run as standard user if appropriate.
For existing (legacy) applications we find that most applications break into one of four categories: 1) applications that already run well as standard user, 2) applications that really do require admin privilege (system utilities for example), 3) applications that check for admin privilege, but don't really need it, and 4) applications that require admin privilege for some portion of their functionality.
For applications that run as standard user, we are set. Similarly, applications that really should require admin privilege run as they should. If a standard user encounters such an application, in the home (e.g., non-domain-joined scenario) the standard user is prompted to have someone who has admin privilege type in a password to elevate the system to run the application as appropriate. We call this the "over the shoulder" elevation case.
For applications that check for admin, but don't really need it, the situation is usually that the developer of the application didn't want to take the time to test the application in both the standard and admin user modes, so they put a check in at initialization. We have a pretty good list of these applications, so for the ones we know about, we put a little compatibility shim in the software so that when one of these known applications checks to see if the user is running at admin level, the system will report back that they are even though they are a standard user. This preserves application compatibility, but provides no risk of unauthorized escalation since the user really is just a standard user.
For applications that require admin for some part of their execution, we are providing guidance to the ISVs on how to re-factor their applications so that the components that the end user sees don't need the privilege and the ones that do need it can be isolated and componentized so that most users don't encounter the escalation.
(12)
OpenBSD
by hahiss
How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?
Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows. You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS. The problem is that users really want an OS that includes support for rich media content and for hardware devices, etc. So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that is used commonly by customers, such as PHP, Perl, etc. for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more. If a software company's goal is to secure customers, you have to secure the entire stack. Simply hardening one component, regardless of how important it is, does not solve real customer problems.
Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows). I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true.
("Bonus" question added by Mike Nash)
Differences Between Windows & Other Employers?
by eldavojohn
Mr. Nash, what are the greatest differences and similarities between Microsoft Corp. and Data General Corp., your two most recent employers? Most importantly, how drastic were the changes you saw (not necessarily changes due to job function but changes in general)? What do you like the most and what do you hate the most?
Nash: Great question. First, it's been a while since I worked at DG (I left DG for business school in 1989). That said, I would say that the biggest difference between the two companies is that while DG was fundamentally a hardware company, Microsoft is first and foremost a software company. DG was primarily focused on driving a business based on selling hardware, and software was a necessary component of that business, but not something that was valued on its own. In contrast, Microsoft's basic premise is that the hardest problems can be best solved with software and as a part of that the power of hardware can be realized best through great software.
The second biggest difference is while DG always measured itself in terms of other companies (Digital was the big deal back when I was at Data General), Microsoft is a company that is constantly trying to reinvent itself. As a result, Microsoft is much more self-critical, but at the same time willing to make long term investments to address both new opportunities and shortcomings. The Trustworthy Computing Initiative is a great example. Soon after Blaster happened, a lot of people I spoke to (inside and outside Microsoft) asked me if Blaster was evidence that the Trustworthy Computing Initiative was a failure. My response was just the opposite. I was super glad that we had taken the time to focus on and improve our security. If we hadn't, things would have been much worse. At the same time, Blaster did provide some pretty clear guidance on some changes we had to make around Trustworthy Computing (TwC). More than that, it reminded us all that we would have to continue to make some major changes in TwC as we continued to learn, so we should just plan for it. That approach is mostly a matter of culture and frankly if the leadership of DG had had a similar point of view, there might be a DG today. For sure it's why there is great change and innovation at Microsoft more than 30 years in. And yeah, it's hard work. -
Windows Vista x64 To Require Signed Drivers
Anonymous Coward writes "With little fanfare, Microsoft just announced that the x64 version of Windows Vista will require all kernel-mode code to be digitally signed. This is very different than the current WHQL program, where the user ultimately decides how they want to handle unsigned drivers. Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. Microsoft says they won't charge for it, but they require that you have a Class 3 Commercial Software Publisher Certificate from Verisign. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities." -
A Free Software X11R6.9 X Server for Windows
Anonymous Coward writes "Xming has been released with the latest Xorg X11R6.9. Xming is a Free Software port of the X Window Server to Microsoft Windows. It shares the same source code base as Cygwin/X but does not depend on the Cygwin environment or cygwin1.dll. Xming is a fully featured X Window Server that is very simple to install and use interactively. Xming X Server for Windows is made from Xorg (X11R6.9) and a patch bundle, cross-compiled with MinGW and Pthreads-Win32. For MS Windows users who have never tried Linux this could prove to be the easiest way when used with Microsoft Services for Unix (SFU) or coLinux." -
Windows XP Service Pack 3 Not Due Until 2007
vitaly.friedman writes "Microsoft has published the due date for Windows XP SP3 (Service Pack 3) on its Windows Lifecycle Web site. The preliminary due date (the latter half of 2007) for the next collection of fixes and patches for Microsoft's desktop operating system is more than a year later than many company watchers were expecting." -
Beginning Excel What-if Data Analysis Tools
Graeme Williams writes "Beginning Excel What-If Data Analysis Tools: Getting Started with Goal Seek, Data Tables, Scenarios, and Solver makes it easy to learn about some neat features of Excel, including the four data-analysis tools mentioned in the title. I found the book useful, but the style is dry and unadorned, and others may find it less approachable than I did. The examples around which the book is built are clear and straightforward rather than insightful, and presented plainly rather than with a lot of discussion." Read the rest of Graeme's review.
Title: Beginning Excel What-if Data Analysis Tools: Getting Started with Goal Seek, Data Tables, Scenarios, and Solver
Author: Paul Cornell
Pages: xxii + 167
Publisher: Apress
Rating: 7
Reviewer: Graeme Williams
ISBN: 1-59059-591-2
Summary: A clear but bare introduction to a useful set of Excel tools
This book reads and feels more like a textbook than an introduction. Other beginner books are full of diagrams, icons and text in boxes. This book has almost none of that – the occasional tip or note is set off with horizontal lines. In other books, text in boxes often seems to be put there for no reason at all, but this book has exactly one diagram. Comparing this book to others, I feel as though we've lost the middle way.
The book seems to go out of its way to avoid diagrams. To fill out a dialog box, for example, the instructions are to click on the first field, type in the value, click on the second field, type in the value, and so on. I just don't understand why you wouldn't put in a screen shot, with the instructions, "Make it look like this". I don't know if screen shots weren't used because they're more expensive, or harder to translate, but if so, a table could have achieved a similar result.
Goal Seek is a simple one-variable equation solver. You put x in one cell and f(x) in another. You point Goal Seek at the two cells, give it a value of c and it attempts to solve f(x) = c. It's a simple enough feature, and the book goes through a number of straightforward examples.
The examples are relevant and clearly explained, but they seem only to be examples of themselves. They don't trigger any new ideas, and none of them jump out at you as "Neat!". I wish the author had put a little more creativity into the examples. They seem a little dry and occasionally repetitive, and don't seem to build on one another. An example shouldn't be just, "Here it is", but rather, "Here's something important to know about how it works" or "Here's an idea you can use in other places as well as here".
At the end of each chapter, there's a list of possible errors, but the suggested fixes aren't all equally helpful. If Goal Seek can't solve f(x) = c, the book suggests (page 19) changing the value of c! This is an area where a set of related examples would have been very helpful: first showing a simple example, followed by a more complicated example that fails, and finally with the failure repaired.
Data Tables are a way to automatically generate a one- or two-dimensional table of values, given a formula and one or two sets of values. The book shows how to build data tables, going through a number of good examples, but I was somewhat mystified why this would be better than doing the same thing by hand. Building a data table by hand means you have to understand the difference between A1, $A1, A$1 and $A$1, which I guess is one reason for using the automatic mechanism. A1 and $A$1 are referred to as relative and absolute references, in case you want to google this particular mystery. But building a table by hand gives you more control over the layout. Unfortunately Microsoft has made the layout of two-dimensional data tables both odd and inflexible (the formula for the table is stuck in the upper left corner). It would have been clearer if the book had explained that the examples looked the way they did because that was the only way they could look. It would also have been useful if the book had at least briefly compared data tables to the manual equivalent.
Scenarios allow you to store versions of a spreadsheet that have different input values. This is neater than it sounds, since you can vary any number of input variables and calculate any number of output variables, including charts. You can also generate a summary sheet which tabulates the corresponding inputs and outputs. The book explains all this very well, going from a clear explanation to three good examples.
Any book with code samples risks confusion about whether the reader should type in the examples or download them, but this book crosses the line. In some examples (the most egregious example is on page 51), the discussion assumes that some cells have defined names, something that would only have been possible if the reader downloaded the example, since names were not included in the step-by-step instructions. The odd thing is that in some of the examples, the instructions DO include the defined name for each cell.
When presenting Excel examples like these, you have to deal with the possibility that a cell will have three pertinent properties: a formula, a value, and a name. This is another case where the book seems to lack a good designer who could show this graphically.
The Solver is a general-purpose equation solver that will handle multiple variables and multiple constraints. For a given function f(x1, ..., xn), the solver can either solve for f(...) = c, or maximize f(...). The book explains how to set this up, and the meaning of the dozen or so options (tolerance, maximum iterations, and so on) pretty clearly.
The Solver provides a sensitivity report (how much the result will change if one of the inputs changes fractionally), but this report is disabled if even one of the variables is restricted to whole numbers. There are two obvious ways around this: run the sensitivity analysis as though the constraint wasn't there (which would provide the counter-factual information about how much the solution would change if the whole number value changed fractionally); or run the sensitivity analysis without the restricted variables. Microsoft doesn't provide either of these workarounds, and the book doesn't discuss them either.
The sensitivity report is disabled if any variable has either an "integer" or "binary" constraint, but the book repeatedly mentions only integer constraints, which could be confusing to a beginner. It doesn't help that Microsoft gives the same error message ("Sensitivity Report and Limits Report are not meaningful for problems with integer constraints") for both cases.
The appendices are quite good – I'd almost recommend reading the book backwards. There's an overview of the data and financial analysis functions in Excel, such as average, median, floor, ceiling and mortgage payment, with enough detail to lead you to the right part of Microsoft's documentation. Another appendix describes ways of handling data that aren't discussed in the body of the book, such as Lists, Subtotals, sorting, filtering and consolidating data. These extras add a considerable amount to the usefulness of the book.
At $34.95 list, the book is expensive for an introductory book, but I'm not sure that should count against it. If you use the techniques described in the book, the time you'll save will quickly pay back the cost. On the other hand, if you need more explanation and discussion than the book provides, it's going to seem like a whole lot of money. I strongly recommend downloading the sample chapter. It will give you an excellent view of the book's strengths and weaknesses."
You can purchase Beginning Excel What-If Data Analysis Tools from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Ask Microsoft's Security VP
There's always lots of discussion on Slashdot about Microsoft's security problems, and whether Windows is or isn't more secure than other popular operating systems. In a "Let's clear the air" move, Mike Nash, Microsoft Corporate Vice President, Security Technology Unit, has agreed to answer 12 of the highest-moderated questions you submit here. (You can skip the "Microsoft and security in the same sentence?" comments we've all heard 1000 times, and ask actual questions, since Mike is answering for himself instead of having PR do it for him.) We'll post his answers next week. -
Interview with Ilfak Guilfanov (WMF Patch Hero)
GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site. -
Microsoft to Patch WMF Exploit Early
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible." -
HD-DVD Confirmed For Xbox 360
JorgeDeLaCancha writes "Microsoft has recently confirmed plans to bring an external HD-DVD drive to the Xbox 360. This has been previously speculated numerous times, with Bill Gates himself stating 'future versions of Xbox 360 will incorporate an additional capacity of an HD-DVD player.' Do consumers even want another format war?" -
Portable OpenOffice.org 2.01 Released
VeryVito writes "Portableapps.com has released Portable OpenOffice.org 2.01 -- the complete office suite you can run from a USB drive for complete access to both your files and your office apps -- anywhere you go. More than just a neat idea, some say it's a perfect example of "the kind of innovation developers can make when they don't have to worry about selling as many licenses of their work as possible." I don't imagine we'll see a portable Microsoft Office suite any time soon." -
Email Plugs Into Social Networking
An anonymous reader writes "Microsoft Research recently released SNARF, the Social Network and Relationship Finder. It works in the Outlook email client to prioritize and sort emails based on the relationship to the sender and other characteristics of incoming email messages. Trusted Reviews wonders if 2006 is the year of ordering information and reports on ClearContext, which does similar prioritization of emails as well as some email driven task management." -
Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one." -
New IM Worm Exploiting WMF Vulnerability
An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com." -
Is Microsoft Still a Monopoly?
Microsoft Windows still dominates the desktop. But in many other areas, including Web servers and supercomputing, Microsoft is just one player among many, and often a weak player at that. On the gaming side, despite the latest xBox getting all kinds of media buzz as "the" console to buy, Sony's Playstation outsells the xBox at least two to one, and many analysts expect Sony to widen that gap even more when Playstation 3 comes out in the Spring of 2006. On the Internet, MSN and MSN Search are so far behind AOL and Google that it isn't funny. And even on the desktop, Linux keeps getting stronger, while Mac OS X is commonly accepted as more reliable, secure, and user-oriented than Windows. So why do we keep saying Microsoft is a monopoly?
Microsoft (Slowly) Moves Away from Monopolistic Behavior
If a major IT user tells a Microsoft salesperson that he or she is thinking about switching to Linux, Microsoft will usually come back with a cut-price offer, something the company never used to do. Microsoft also now sells something called Windows Starter Edition in some parts of the world -- supposedly for as low as $37 or $38 (US) in Thailand, including a basic version of Microsoft Office. In other words, Microsoft is starting to compete on price, which is not monopoly-style behavior.
This does not mean Microsoft has suddenly adopted a "let's all love one another" attitude. I believe Microsoft is getting more concerned about interoperability not out of goodness, but because of market pressure. But in the long run, as long as Microsoft stops treating every other operating system and file format as some sort of devilspawn, life is a little easier for those of us who would rather not use their products, and that's what really matters.
Microsoft Explorer No Longer Rules the Online World
A majority of desktop computer users may still run Microsoft's Internet Explorer browser, but it no longer has 95% market share. In a 2002 book, and again last year in an online article, I warned Web designers not to make IE-only sites, just as in the (distant) past I'd warned them not to make Netscape-only sites. Some listened. Some didn't.
Firefox adoption may have slowed in 2005, but it certainly hasn't stopped. Opera has become enough of a force that we hear rumors about first Google, then Microsoft, buying it. In any case, whether MSIE is currently running on 90% of all desktops or on only 70% (as a few surveys indicate), it is becoming less popular every month. Now Microsoft has decided that Explorer is no longer fit for Mac users, so its market share will drop even more. Sure, there's a new version of Explorer coming out, but it isn't going to help the millions of "legacy" Windows users who don't want to buy XP. If they want modern browser functionality, they must switch to Firefox, Opera or another non-Microsoft browser.
'The Network is the Computer'
I don't think this is quite true today, if by "the network" we're talking about applications delivered over the Internet instead of over well-maintained LANs. Back in October I explained why I don't think Internet-delivered applications are quite "there" yet. More recently, Salesforce.com had an outage that angered many of its (claimed) 350,000 subscribers. Worse, ZDNet blogger Phil Wainewright pointed out that Salesforce.com compounded the problem, and possibly made users leery of all Internet-delivered applications' claims of "99.9% reliability," by poor communication with its users.
Most of the Web 2.0 (and even Web 3.0) stuff that's getting so much hype these days is not OS-dependent. You can run things like Google Maps on Linux, Mac OS, Unix, and even Windows, using any standards-compliant browser you choose.
Even Microsoft is trying to get into the Web 2.0 game. I got a press release from their PR people that included this sentence: "And if you enjoy taking a drive to check out your neighborhood's Christmas lights visit this great Windows Live Local developer application at http://msnsearch101.com/searchmap."
I found this online utility's behavior strange and primitive, not nearly up to the standards of Google Maps and some of the mashups based on it. "Ah," I thought, "that's probably because I'm trying to use it with Linux and Mozilla." So I turned to my one Windows (XP) computer and checked the site with both Firefox and Explorer. For some reason the map background didn't load at all in Firefox, on Windows, and its behavior in Explorer, on Windows, was just as clunky as it was in Mozilla, on Linux.
If this is supposed to be a sample of what Windows Live Local can do, I don't think Microsoft is headed for any kind of monopoly -- or even much market share -- in the online map business. Not only that, it makes me wonder how good their promised Microsoft® Office Live is going to be. If even a quarter of the rumors we've heard about Google and Sun joining up to produce a Webified version of OpenOffice.org are true, I suspect Microsoft is going to be a distant also-ran in the (inevitable) Internet-delivered office software business, too.
Hundreds of Thousands of Competitors
It's fun to play the "Google is cooler than Microsoft" game and talk about how Google, not Microsoft, has become the hot place for top-end programmers to work if they want to make their mark on the world, but even Google can only hire a tiny fraction of the world's software development talent. There are over 100,000 Open Source projects on SourceForge.net (which is owned by the same company that owns Slashdot), and SourceForge.net is but one of many Open Source and Free Software hosting services out there. There are literally millions of programmers working on Free and Open Source Software, plus countless others working on personal proprietary projects.
We've all heard -- probably too many times -- the old saw, "If you have enough monkeys banging randomly on typewriters, they will eventually type the works of William Shakespeare." This may or may not be true. But it is certain that if you put millions of programmers in front of millions of computers and let them do whatever they want, some of them will turn out brilliant, world-changing work. Even if 999 out of 1000 of our putative programmers work on established projects or never finish what they start, that still gives us thousands of potential world-changing software projects, most of which won't be developed by Google (or Microsoft) employees.
I've been to India, and the smartest programmers I met there weren't working for outsourcing mills but worked for themselves. I'm sure there are plenty of self-employed programmers in China, Brazil, Kenya, and almost everywhere else on this planet, too, and there are certainly plenty of them here in the United States. And, all over the world, millions of programmers have day jobs doing routine work for corporate employers to put food on the table, and do their "real work" at home, at night.
Neither you nor I nor Google's management nor Microsoft's management know what might be going on right now in the mind of a brilliant Saudi woman with a computer science degree who can't work outside her home because her country's laws keep her from mixing with men who aren't related to her. There may be a poorly-dressed young man coding furiously in a Beijing Internet cafe, while you read this article, whose new operating system will make all current ones obsolete -- and you may not learn about his work until it shows up in a Chinese-made $100 laptop computer.
When Bill Gates and his friends started Microsoft, it was one of very few companies that sold nothing but personal computer software, and the others were so small that Microsoft managed to buy most of its competitors -- or at least license their best work or hire away their best programmers. Back then, programmers were scarce and expensive, as were the computers they programmed on. Now there are both programmers and computers all over the world, linked together by the Internet. The Internet not only helps programmers collaborate with each other across geographic boundaries, but allows them to distribute their work without shipping physical products.
The only reason to have a software company's employees work in an office these days is control, both of employees' schedules and of what they work on. Self-motivated geniuses have no need of offices and may even resent being asked to show up at one on a regular schedule, which means that many of the world's best programmers will never work for Google, Microsoft or any other company. Instead, they'll start their own software companies or, in many cases, Open Source-based consultancies.
So Microsoft doesn't face a few dozen competitors, as it did in the 1980s, but hundreds of thousands. And these competitors are spread all over the world. This kind of competition is a lot harder to co-opt, buy out or fend off than competition from a single company, a la Netscape, or even from a group of companies as substantial as IBM, Sun, Oracle, and their computing industry peers.
Competition has Forced Microsoft to Improve its Products
Microsoft may no longer be able to hire all the top programmers it wants, but there is already plenty of talent among its 60,000-plus employees, and they have done some excellent work in recent years. Windows XP is immeasurably better and more stable than Windows ME or Windows 98. The next generation of Explorer will have many of the modern browser features that those of us who use Firefox or Opera have gotten accustomed to. Microsoft Office may not have some of the features OpenOffice.org users take for granted, like a built-in graphics utility, the ability to act as a front end for industrial-strength free databases like MySQL, and the ability to save your work in 30+ different Open and proprietary formats, including PDF. But Microsoft Office today is a lot better than it was 10 years ago, and the next version may even use a sort-of free XML file format that may not be as open and standardized as the OASIS Open Document Format used by OpenOffice.org, but is less closed and less proprietary than previous Microsoft file formats.
A true monopoly would not need to make these improvements in its products. It would give you whatever it wanted, at whatever price it wanted to charge. It would not be selling cut-down versions of its products at cut-rate prices in developing countries -- many of which, you may note, are rapidly turning into "software developing" countries.
Without Linux, combined with Apple's move to BSD-based Mac OS X, I doubt that Microsoft would have put much development effort into Windows. They sure didn't do much with Explorer between the time they crushed Netscape and the time when Firefox started making a big splash, did they?
The U.S. antitrust case against Microsoft wasn't about the company being a monopoly (which courts agreed that it was at the time), but about illegal misuse of that monopoly. That case was settled in a way that left Microsoft essentially unharmed, but with a judge overseeing its actions for five years, a time period that is going to end before long.
The Age of the Software Monopoly is Over
IBM tried to create a monopoly in the business desktop computer business, but failed to hold onto its market-leading position as dozens, then hundreds, and later thousands of competitors made better/faster/cheaper PCs. Even today, while Dell is the world's largest personal computer vendor, if you add up all the market share reports from major computer vendors in this C|Net article, you'll see that they account for around 60% -- not 100% -- of total sales, with smaller companies getting the rest. (And some of those companies are *really* small, like the one-man Bradenton, Florida, shop where my sailing buddy Gene just bought his latest home computer.)
The personal computer hardware business has become totally demonopolized, decentralized, democratized, and internationalized. If you have enough mechanical ability to assemble components neatly (and enough sales ability to get people to buy what you make), you can get into it yourself with a very small investment, just as Michael Dell started out reselling computer components and assembling systems in his college dorm room.
Starting a software business takes even less investment. If you're a competent programmer -- or you have a friend who is a competent programmer and you are a whiz-bang marketing person -- you have everything you need to get going. You can either produce and sell proprietary software or customize (and probably install and maintain) Free or Open Source Software for corporate clients. If the Internet is your primary sales and distribution channel, you don't need to live and work in expensive IT business hotbeds like Silicon Valley or Boston, either: JBoss, for example, is based in Atlanta, Georgia; and Digium, the company behind Asterisk, is in Huntsville, Alabama.
There are software businesses springing up all over the place. Most of them are tiny, and few of them will ever get big enough that analyst firms like Gartner or IDC will track their market share (or even notice them). But there are so many of them being started that, in aggregate, they are becoming a more significant market force than any single big software company, even Microsoft.
This doesn't mean Microsoft will be replaced next year by 100,000 startups. The company will still be around, it will still get lots of press, and -- assuming it embraces (but does not keep trying to extend and extinguish) Open Standards -- it will still be a powerful force in the software world.
But no matter what Microsoft does, it will never have a software monopoly again. Nor will any other company. The barriers to entry in the software business have become too low for that to happen, and too many skilled software developers are learning that they can earn at least as much working for themselves as they would by working for big software companies.
Small is Beautiful was a fine book title in 1973. Today, it's a fine description of the software industry's future.
-----
Have something important to say to the Slashdot community? Email roblimo at slashdot period org the complete article (or an article proposal). -
Microsoft Ends IE for Mac
RandomMacUser writes "A while ago, Microsoft stopped updating IE for Mac, freezing it at version 5. But according to this Microsoft webpage, all support will cease December 31, 2005, and any official distribution will cease January 31, 2006. Also, the webpage suggests 'that Macintosh users migrate to more recent web browsing technologies such as Apple's Safari.'" -
"Dasher" Worm Brings Christmas Keylogger
An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center. -
Microsoft releases Windows Server 2003 R2
Strauss writes "Windows Server 2003 R2 was launched. Press coverage by eWeek and BetaNews. [Insert here some FUD/funny question about Microsoft Windows future]" -
MS Reveals Info On New RSS Extensions
dizzy_p writes "Microsoft released yesterday more information on their earlier announced extensions to the RSS format(s). The specifications can be found on MSDN. The question is, will the mainstream developer adopt these specifications, or will they only live in the Microsoft "Blogosphere" (To quote MSDN). The specifications in question are named Microsoft Simple Sharing Extensions Specification and Microsoft Simple List Extensions Specification" -
Building a Quiet Media Room PC
mikemuch writes "ExtremeTech just came out with a new Media Center PC build-it project. This one takes advantage of Windows Media Center Edition 2005 Rollup 2 and uses a fanless graphics card, four tuners--two standard TV and two HDTV, the Creative Labs DTS-610, which lets you bypass some DRM, and a good-looking SilverStone LaScala chassis that fits in your media rack. The new system is way more versatile, and maybe more importantly, a lot quieter than any previous media PC DIY boxes. One drawback: We're still waiting for the cable and satellite companies to get it together on CableCard, so the system has to do without." -
Microsoft Bows to Eolas, Revamps IE
Tenacious Dee writes "The patent quarrel between Microsoft and Eolas takes a strange turn with an announcement from Redmond that the Internet Explorer browser will be modified to change the way ActiveX controls are handled. A Microsoft white paper details the behavior change." -
Linux Desktop Deployment Postmortems?
duffbeer703 asks: "My employer runs a lot of desktop and laptop computers -- something in the neighborhood of 40,000 PCs. Currently they are all Windows 2000 & XP managed by Active Directory and other big, complicated enterprise management tools, all of which can support Linux in one form or another. I'm looking for ways of making Linux (and maybe Unix or even Apple desktops) an option as we replace or add PCs. The problem is, most of the resources that you find online about deploying Linux focus on server environments, and the articles that I do find about desktop Linux focus on standalone developer workstations, the IBM conversion to Linux (which doesn't seem to have happened) or things like LTSP, that won't integrate well with our infrastructure. Is anyone out there successfully using Linux for regular users? How did it go, and how did your IT and user communities adapt to the new kid on the block?" -
Is There Too Much Enthusiasm Over Wireless?
lukOh asks: "In the US, 802.11b/g (2.4 GHz) devices use an 83 MHz-wide frequency range; in-use channels spanning 22 MHz and centered on one of 11 5 MHz steps (badly named as "channels"). This means there should be no more than 3 networks in close proximity, 5 'channels' far from each other, to avoid harmful interference. Now, in the middle of the mixed area where I am, the number of usable WLANs (SNR>20dBm) has gone from 10 to an unworkable number of 20, in just one month. Has the community/the market overestimated the practicality of wireless networks? Are we generally relying too much on such a young, IMHO immature technology made on 'startups hope' and broken firmwares? How can this mess possibly be handled in a working environment, especially the moment your boss asks you to give him access to 'the wireless'?" "Access points can be easily detected, but the same isn't always true for every single client (or Bluetooth device) searching or using a network. Bluetooth itself employs the same 2.4 GHz range with 1 MHz-wide channels and much less power. To avoid interference a device jumps channel-to-channel, when the currently selected one is busy.
Most WLANs are managed by less-than-perfect SOHO access points. Connecting to an AP in such an environment is a gamble (even from 1ft away), especially when: WPA/WPA2 must be used; 802.11g stability is a dream; anywhere up to 7 networks are on the same 'channel' (1 and 11, being the most used, are standard on many devices); and now 'channel wars' are very common (i.e. 2 or more users concurrently hunting to set a free channel for their network, making the entire range unusable for hours)." -
Inside Visual Studio 2005 Team System
An anonymous reader writes "ZDNet has posted a top 10 list of things you need to know about Visual Studio 2005 Team System. From the article: Everybody talks about collaborative development tools, and heaven knows you can't surf the major developers' for 10 minutes without getting hit by banners trumpeting the latest. We can't fault Microsoft for wanting a piece of that action; but we need more than just a collaborative environment." -
Hardcore Offer Mixed Verdict At Xbox 360 Zero Hour
News for nerds writes "Next Generation magazine runs a quick report for the Xbox 360 Zero Hour launch event. According to avid Xbox fans joining the party in Mojave Desert, while games to be released in mid 2006 such as Gears of War and Ninety Nine Nights got positive reviews, the initial offers on 360 couldn't impress them as much." Kotaku has a pair of photo essays from the event. -
Windows Advantage Validation Process On Firefox
GraemeDonaldson writes "According to this IE Blog entry, Microsoft seems to be serious about supporting non-IE browsers. Mention is made of a Windows Media Player plugin for Firefox. The Windows Genuine Advantage validation process now works in Firefox too. From the article: 'Basically, customers said "We want to make sure our PCs are running genuine Windows and have access to all the content on the Microsoft Download Center; the experience when we're running a Mozilla browser is not great. Do something about it." Brad's team did. I think that's a good thing for customers.'" -
Microsoft Claims Firms 'Hitting a Wall' With Linux
maxifez writes to tell us that Microsoft has released yet another independent study downplaying the viability of Linux at the enterprise level. The study claims that Windows is "more consistent, predictable, and easier to manage than Linux." From the article: "The study, commissioned by the software giant from Security Innovation, a provider of application security services, claimed that Linux administrators took 68 per cent longer to implement new business requirements than their Windows counterparts." Vnunet.com has also provided a PDF of the original report. -
Bill Gates' Doom Video From 1995
Ant writes "ReelSplatter.com has a copy of the video showing Bill Gates, dressed in a black trench coat and carrying a shotgun, within id software's Doom. The downloadable 11 MB 3.25 minute Windows Media Video (WMV) file (Putfile has a streaming copy) was used to introduce Windows 95 and DirectX at the Microsoft Judgement Day event on October 30th, 1995. Note: The DOOM game map is episode 1, map 2." -
Microsoft Reports OSS Unix Beats Windows XP
Mortimer.CA writes "In a weblog entry, Paul Murphy mentions a Microsoft report (40 page PDF) that in many instances FreeBSD 5.3 and Linux perform better than Windows XP SP2. The report is about MS' Singularity kernel (which does perform better than the OSS kernels by many of the metrics they use), and some future directions in OS design (as well as examination of the way things have been done in the past)." From the post: "What's noteworthy about it is that Microsoft compared Singularity to FreeBSD and Linux as well as Windows/XP - and almost every result shows Windows losing to the two Unix variants. For example, they show the number of CPU cycles needed to "create and start a process" as 1,032,000 for FreeBSD, 719,000 for Linux, and 5,376,000 for Windows/XP." -
Details on XBox TrueSkill Ranking System
rupert0 writes "A research paper on the Microsoft website gives an insight into the way that gamers will be ranked on the new-style Xbox Live. The paper outlines some existing ranking systems, as well." From the article: "The TrueSkill(TM) ranking system is a skill-based ranking system designed to overcome the limitations of existing ranking systems, and to ensure that interesting matches can be reliably arranged within a league. It uses a technique called Bayesian inference for ranking players. Rather than assuming a single fixed skill for each player, the system characterises its belief using a bell-curve belief distribution (also referred to as Gaussian) which is uniquely described by its mean (speak [mju:]) ("peak point") and standard deviation (speak [sigma])("spread")." -
MSSQL 2005 Finally Released
mnovotny writes "Computerworld reports that Microsoft is finally set to release their belated SQL Server 2005. From the article: 'Despite a two-year delay, several users who have tested the software cited the improved performance and new functionality it brings as positive developments that likely will convince them to upgrade soon.' The free version can be downloaded directly from Microsoft." -
The Microsoft Singularity
jose parinas writes "Microsoft Research has published the first details of a wholly new operating system under development called Singularity, designed new from the ground up, built on a new language and designed with emphasis on dependability instead of performance." -
Microsoft Releases Game Advisor For Windows
av_2_0 writes "Microsoft has released a web accessible Game Advisor for Windows. This will check your system's configuration, compare it with a knowledge base of around 360 games and tell you if your system is compatible." Requires the use of IE and the install of an ActiveX thingie. My system is apparently faster than 58% of systems checked. -
A Guided Tour of the Microsoft Command Shell
jpkunst writes "Ryan Paul at Ars Technica provides an in-depth, 13 page review of the new Microsoft Command Shell (Monad). (The beta release can be downloaded for free from Microsoft.) From the conclusion: 'Despite my initial skepticism, I am deeply impressed with MSH technology, and I am legitimately excited about the future of the Windows command line.'" -
Microsoft Becomes Wembley Stadium's Backer
Xlylith writes "BBC News is reporting that Bill Gates and software giant Microsoft have signed to become first "Founding Partner" of the new Wembley stadium, in a five-year deal worth at least £5m. Microsoft technology will be used in the stadium, and the firm will get use of the pitch for 90 minutes a year. Guess where Vista will be launched in UK next year? Microsoft's press release is also available." -
Microsoft Reduces Shared Source Licenses
UltimaGuy writes to tell us eWeek is reporting that Microsoft will be reducing the number of licenses that it will use for its Shared Source Initiative. Instead of more than 10 different licenses they are aiming for just three core licenses. The first license format, Ms-PL (Microsoft Permissive License), is similar to the BSD license while the second, Ms-CL (Microsoft Community License), is based on the Mozilla Public License. The third format, Ms-RL (Microsoft Reference License), "has no open-source alternative and is a reference-only license that allows licensees to view source code in order to gain a deeper understanding of the inner workings of Microsoft technology." -
Microsoft Virtually Duplicates Your Wireless Card
akhomerun writes "Microsoft has released version 1.0 of its experimental new VirtualWiFi Software. The free software enables Windows users to use a single wireless card to connect to multiple wireless networks simultaneously. The current build is a very primitive release, with no support for WEP or WPA encryption." -
Media Players for Windows Without DRM?
jasonmicron asks: "I am curious as to what you Linux/UNIX people use for a media player that supports both license lookup on the internet and DVD Playback support. I am quite sick of Microsoft's media player telling me that my 'license is invalid', even on DVDs that I own. I find that VERY lame. I ask because not only does Microsoft tell me that my license is invalid but Real Network's Real Player tells me the same thing (even though I place my totally VALID and self-owned DVD in my DVD-ROM player in my DVD-ROM, which runs on Windows). What media players does Slashdot recommend to bypass the total ignorance of Microsoft and Real Networks? I am looking for a Windows solution, though any Linux / UNIX solution is completely welcome." -
BitTorrent Gets $8.7 Million in VC Funding
Brandon writes "BitTorrent just got a massive infusion of cash from venture capital firm DCM Doll. It looks like BitTorrent is hoping to cozy up with the content creators. From the article, 'Neither BitTorrent nor DCM have publicly stated how a legitimate service would work, but industry insiders have been busy speculating on how the distributed peer-to-peer service could help movie studios and filmmakers make for-pay content available.' Will this awaken Microsoft's Avalanche?"