MS Exec: 'Our products just aren't engineered for security'
Various Microsoft news tidbits contributed by numerous readers: Phoebus0 notes that Microsoft's Vice-President in charge of Windows development states flat out that Microsoft products aren't engineered for security, absolutely guaranteeing he'll have tomorrow's Ditherati quote. Many readers submitted this Knowledge Base article stating that Microsoft is mystified by a wave of successful hacks on assorted versions of Windows (there's also a news report on this). Microsoft has another security bulletin out on the digital certificate spoofing bug that has caused them so many problems recently.
...has finally gotten through to them -- Security is something that starts from the ground up, not when you reach the top and back down.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Another excuse to let people believe that palladium is needed :/
The XFree86 team admits xfree86 is not engineered for speed and RMS admits that GNU is not engineered for user-friendliness.
The masses are the crack whores of religion.
The first step is admitting you have a problem.... now that Microsoft has gotten past the denial stage they can now move to stage 2, that is doing something about it....
the link above just goes to front of a tech section, here's a direct link to the story3 25075&REQSESS=HM5797&REQHOST=site1&REQAUTH=2313828 &2131REQEVENT=&CARTI=115571&CCAT=1&CCHAN=13&CFLAV= 1
http://www.cw360.com/bin/bladerunner?REQUNIQ=1031
...the sky is blue, and less fat and more exercise is good for you.
"Ask not what your country can do for you." --John F. Kennedy
This might be a stupid point, but of course microsoft products aren't engineered for security. The common man doesn't buy products for security, and even now the common man largely does not understand that they could even have their functionality in a secure environment (though arguably most salesguys cannot have the functionality they demand in a secure environment, but that's another debate.)
Brian Valentine, formerly senior vice-president in charge of Microsoft's Windows development, looking for VP/management job with software company.
I have to use this cause I can't afford a real sig...
While working at Sony, Microsoft closed down a UK R&D facility. A whole department of ex-MS software engineers came to work in my department. They were some of the best engineers I have ever worked with, designing innovative and stable code years ahead of its time.
Stop picking on MS engineers for poor products, and level the blame at the correct place - marketing and management.
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
So far all the replies to this story have been "we already knew that" and "duh". I find those comments idiotic. In that spirit, when cigarette execs admitted they knew their products were bad for people, there should have been no story.
This event is significant, because from the mouth of someone significantly important in MSFTs power structure, there is an admission of failing.
Maybe the exec just wanted to confess his (their) sins?
Is whether this will make the national news. Trust me, if CNN and MS/NBC and all the rest choose not to cover this, the general public won't know, and won't really make a decision based on this information.
Of course, this could just be a ploy to get M$'s most vile next O/S out, Palladium, that will let them 0\/\/|\| j00r s0ul (and credit card, and email, and music, and movies, and any personal items that may happen to be sitting on top of your computer...)
It seems he tries to say that it is impossible to make it 100% secure, because hackers are becoming more sophisticated in their attacks.
Sure, you can't make anything 100% secure (short of keeping it turned off), but there is a difference between something that has a few exploitable holes and something that resembles a sieve.
If you can't beat them, embrace and extend them.
#ifdef WIN32
#define snprintf _snprintf
#endif
Morphing Software
I wrote this the other day in an idle moment. It needs a bit more work but I'm thinking of making it into a Flash cartoon or something (if someone wants to steal the idea, feel free):
Billy Boy and Tux
One very hot day in summer, Billy Boy is sitting under a huge, impressive sign. It says "Lemonade, $5 a glass".
Customer: $5 a glass! That's expensive!
Billy Boy: Well, go buy from someone else.
Customer: But there's nobody else to buy drinks from here!
Billy Boy: Aha! I bullied all the other boys and they've gone home!
Customer: That's not very nice.
Billy Boy [Chuckling and rocking back and forth]: $5 a glass. Take it or leave it.
Customer: Damn. You're a nasty little boy, but it's a very hot day and I really need a drink.
Billy Boy takes the money.
The afternoon wears on, Billy Boy's coffers fill.
The next day...
Billy Boy: Lemonade! Lemonade! $5 a glass!
A fat penguin waddles up and sets up a stall beside Billy Boy.
He erects a little badly drawn sign "Iced water. Free."
Billy Boy [whispering, chuckling to himself]: Loser. You'll not get any custom with a crappy sign like that.
Tux ignores him.
The next customer approaches Billy Boy, but then notices Tux's sign and goes to him.
Billy Boy [angry]: Hey fatty, get off my patch. I was here first!
Tux ignores him.
Billy Boy: Hey stupid. Nobody wants iced water, everyone wants my lemonade, it's the best! I've got 100% of the market in soft drinks in this street.
Tux ignores him.
Another customer comes and has a glass of water from Tux.
Billy Boy: Listen idiot! How do you expect to get rich like me if you don't charge anything! What an idiot you are!
Tux ignores him.
More customers go to Tux.
Billy Boy [shouting at his customers]: Don't drink the penguin's water!! I won't make any profits and, erm, the economy will collapse!
Customers laugh.
Billy Boy [really angry]: If you drink the penguin's water, your next glass of lemonade from me will be $10!
Customers give Billy Boy the finger.
Billy Boy [insanely angry]: Don't drink the penguin's water! It'll give you cancer!
Customers shake their heads and move to Tux's queue.
All customers go to Tux now.
Billy Boy starts screaming and crying and runs home.
Tux and his customers ignore him.
Step 1: Admit that current MS OS is insecure.
Step 2: Allege that problem is fundamental due to the nature of the hardware platform. Fear. Uncertainty. Doubt.
Step 3: But wait! MS has the solution that will solve this crisis -- Palladium.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
neither was UNIX. UNIX is best in trusted, academic settings where it grew up. But, after some big problems with too much trust people figured out how to make it at least "secure enough."
MS needs to stop complaining and fix their buffer overflows.
You are completely clueless. Microsoft has lots of things that are completely specific to windows (like _ltot) that have leading underscores. That is how Microsoft (sometimes) tells you things aren't part of ANSI C. You are right, snprintf isn't part of the standard. Blame ANSI, not Microsoft.
And I doubt they use "%13s" or directives like this in sprintf(), or if their version even supports these constructs.
That works just fine.
Admitting you have a problem is the first step to recovery. Anybody want some more coffee!? *puffs on a cigarette* I'm gonna get some more coffee... *shakes and walks around the room*
Why bother.
What does 'PSS' stand for in that Microsoft Knowledgebase article? [P]lease [s]top [s]niffing? ([s]poofing? '[s]ploiting?)
We have one windows web server left that we are now converting to run on linux. Our windows web server has been compromised over 8 times in the last week. We applied every single security patch we could on the machine. We also locked every single port but 80 out at the firewall. We shut down every single service that is not necessary and stripped the site to the bare minimum, but it continues to be compromised. Yes we even reloaded from scratch 3 times still no good. Even our MCSE is now a linux convert and begging me to get it converted quick as possible.
Got Code?
Microsoft: "Our products aren't engineered for security"
Friday 6 September 2002
Brian Valentine, senior vice-president in charge of Microsoft's Windows development, has made a grim admission to the Microsoft Windows Server .net developer conference in Seattle, USA.
"I'm not proud," he told delegates yesterday (5 September). "We really haven't done everything we could to protect our customers. Our products just aren't engineered for security," admitted Valentine, who since 1998 has headed Microsoft's Windows division.
In August the company put out eight security bulletins. This month it has released two, so far, with the latest urging users to patch a flaw in its digital certificate technology that could allow attackers to steal a user's credit card details.
Microsoft's regular stream of security bulletins has continued despite Bill Gates' company-wide Trustworthy Computing Initiative, announced earlier this year.
The Initiative was launched with a memo from Bill Gates, Microsoft's chairman and chief software architect, and saw the company halt production on new code in all of its products while employees scanned every line of existing code in search of vulnerabilities.
"We realised that we couldn't continue with the way we were building software and expect to deliver secure products," Valentine said.
But the company is dealing with a problem that is not easily resolved. Valentine told developers at the conference that as the company works to shore up its products the security dilemma will evolve as hackers become more sophisticated.
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."
Microsoft has also been employing new tools developed by Microsoft Research that are designed to detect errors in code during the development process, Valentine said.
According to Chandra Mugunda, a software consultant with Dell who attended Valentine's presentation, buggy software is "an industry-wide problem, not just a Microsoft problem. But they're the leaders, and they should take the lead to solve them," he said.
Saying they are "not engineered" is a statement of your naivety. Imagine designing and coding a huge prog. such as Windows or MS Office... Do you think they sit in a big room and just piece code together like a puzzle? Please don't say that they are not engineered...
Hrm... sit in a big room and just piece together code like a puzzle? Yeah, that's exactly what it feels like, half the time. Counter-intuitive commands, shoddy execution, worse than useless help systems.... yup, yup, yup.
Now, was it done that way? Obviously not. But they definitely need some improvement between the design phase, the engineering phase, and the implementation phase.
And quite frankly, I don't want pretty. I want functional. I want an easy to use system, not one that sparkles and gleams. I don't want bells and whistles. I don't want little pop-up paperclip buddies (and how freaking long did it take to add that piece of feces?), and I don't want programs that think they know what I want to do and are wrong half the time.
I want a system that does what I tell it to, not what it thinks I want. I want something that is coded efficiently, smoothly, and takes up a minimum of space.
And I want it by Thursday.
Kierthos
Mr. Hu is not a ninja.
Try changing the password.
My deviantArt site
You can't tell me that there is any linux distro that can match Windows ease of use. If there is, why aren't the masses jumping on that bandwagon???
NOW who is being naive?
Have you not read the stories about M$'s strangle hold (or maybe a good Ric Flair style Figure-4?) on the OEM companies? Are you not aware that companies can not install ANY other OS in tandem with Win* on their machines? Remember the story about Dell putting FreeDOS on their machines just so they could beat the M$ policy?
So why aren't the masses jumping on it (Linux)? Because they are (almost) not allowed to buy a machine that doesn't run Win*.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
I have not heard of any instances of marketeering guffbags and manglement ruining code, primarily because they don't code.
They ruin the code by ruining the requirements. In a firm that produces mass-market software, the marketing department generally writes each product's requirements document. If resistance to buffer overflow attacks isn't specified as a must-have in the requirements document, then it will surely get cut at the last minute in favor of other requirements such as ship date.
Will I retire or break 10K?
There is a guy recognized as a genius in the Tobacco industry. I read that twenty odd years ago he told other Tobacco industry executives that, while they could afford to hire the shrewdest, meanest, most dishonest lawyers on planet Earth, they could only fight a rear-guard action.
Eventually, he told his colleagues, even the meanest lawyers couldn't hold off lawsuits over the lethal effects of their product. Once suits go to trial, everything will start to unravel. We have no real defense. So, we need to plan ahead.
His plan? Pretend to fight against mandatory warnings, but actually let them go ahead. Keep stalling on the trials -- so that when the trials happen we have a defense.
"But, your honour, we have had to have health warnings on our products for fifteen years. The claimant can't say they didn't know our products were dangerous."
Are Microsoft executives any more ethical than Tobacco executives?
Nah.
I believe that MS planned ahead too. I believe that MS has wanted to "own" the desktop, to own our computers, all along.
Anyone could have foreseen that embedding a macro language in their data files, that was automatically executed when the file was opened, was a sure guarantee of terrible security problems.
This was not an accident. This was a design decision. They did this on purpose. I don't believe it was a mistake. I believe they knew exactly what they were doing.
I believed that they looked ahead, and planned to distribute insecure products, so that they could harness the public's anger at vandals, interlopers and spam artists to justify draconian security measures that we never would have agreed to otherwise.
I'd like to see Gates, Ballmer and the whole filthy crew serve serious hard time.
I installed this on the 4th and at that time they said that they would not be supporting anything else but XP and NT. I downloaded the file and installed it for my box but was rather upset about it. Hence my post today. However, since you and another have made mention of it I have reread it and noted that they did add it. I submit the revision of the bulletin to show that I am neither crazy ( well, maybe just a little bit ) nor a troll ( definitely not there - at least not intentionally )
V1.0 (September 04, 2002): Bulletin Created.
V2.0 (September 05, 2002): Bulletin updated to include patch availability for Windows 98, Windows 98 Second Edition, and Windows Me.
V2.1 (September 05, 2002): Bulletin updated to provide link to single download page for all Windows XP patches.
V2.2 (September 05, 2002): Bulletin updated to give correct reference to XP download locations for supported languages.
I worked there at one point and can say that this is definitely not the case. Microsoft products are just as well architected as any other product on the market - but for goodness sakes they are bigger than most applications on the market. Hell the Word codebase is larger than some application servers! The larger and more complex an application gets - the more interactions you have - the more bugs you're going to have. Any non-trivial piece of software is going to have bugs.
:)
That much should be obvious - even to the legendary trolls of slashdot
This is obviously part of the groundwork to get the public behind palladium. Microsoft has consistently proven itself to be the masters at porting governmental public opinion swaying tactics for their needs. It's almost admirable. Following tradition, they'll produce stats and figures and submit them as "proof", and the majority of America will say "wow, we need to do this". Or, as demonstrated recently, they'll hint at the existence of proof for their "cause" and that alone will swing a majority of people to their side and give them time to fabricate it, or draw attention away from producing it. Microsoft will get palladium, and Dubya will get the war he wants that nobody a few weeks ago wanted, but now seem to want since they keep waving the flag hard enough and hinting at "new evidence" that probably doesn't exist as of yet.
Step 1: Convince everyone that your selfish agenda is in their best interests in any way you can.
Step 2: Pursue your selfish interests.
Being manipulated this way is part of being an American. Microsoft is the most American company I know of.
The most important thing any republican needs to know.
95 isn't supported ( ok, I can understand that )
98 isn't supported ( getting a little too close for my comfort )
ME isn't supported ( didn't that just come out 2 years ago? )
2K isn't supported ( What about people running servers? )
Just another tactic to force people to upgrade
As someone who is actually subscribed to receive these bulletins from MSFT, I note that they sent a second revision out today. I quote:
"And like that
Consider the above statement. Then go back to 1994 and set up three corporate LANs: one with Microsoft Lan Manager 2.x, one with Novell 3.11, and one with Vines. Use them intensively in a large, multi-site corporate environment for 6 months. Then tell me again that Microsoft's products are "just as well architected" as others on the market???
The point being that the LAN problem (to take one example) had already been solved by 199x. Microsoft ignored everything that had already been done and created its own "standard", which was decidedly inferior to the competition.
sPh
You mean fixed the same day it was announced by Microsoft. This bug has been discussed on Bugtraq for a month now.
Can you run apache on your windows web server? If they keep attacking, it would be interesting to see if they are hitting IIS or something else (assuming they are shitty little script kiddies).
Another possibility is to set up a Linux box with no open ports on the same ethernet segment and sniff all traffic so that you might be able to tell how they hack you, and where they come from (at least the box they are coming from).
But - changing to Linux is also a really good alternative. Just keep in mind that Linux itself does not offer you security, only an improved possibility of security. You will need to stay rigorously patched up, with a good firewall and a good intrusion detection system. I used my IDS to tighten my firewall whenever I found monkey business in the network traffic - with good results. The box ran without external protection or upgrades for a long time, and it was port-scanned every day. Of course, they eventually hit jack-pot at first try. Then, an IDS will only alert you that something is wrong..
Also, whatever application you run on your web server will need to be secure.
Remember - one vulnerability is usually enough.
Stop the brainwash
You have drives that contain \Winnt? That's a problem too: install to a different directory.
How many people create a restricted user for IIS, rather than running it as LocalService?
I suspect the problem lies more with the components installed on the system, than on Windows & IIS themselves. For example, our Linux server was being exploited for spam recently. They shut down sendmail as a daemon, but the spam still flowed. It turns out that somebody had installed an old and buggy version of Formmail. Grrr.
Simple, brand name. Try to explain to a non-tech-savvy person (yes they still exist, and in millions at a time) that they should buy a product that isn't Microsoft. They've probably never heard of the other company, and if it isn't microsoft "I won't work right with my computer because my computer had microsoft on it already". Believe me I've heard that hundreds of times. Now imagine that same attitude on a corporate scale, and you've got one hell of a successful business no matter what crap you feed these people.
T Money
World Domination with a plastic spoon since 1984
ASP apps running on it that marketing had contracted out without IT knowledge
That's not a valid reason to stick with IIS.
I believe by the next Windows distro, we'll have security that will stand for something.
Except that you miss exactly what Valentine means:
Windows cannot be secure - MS has finally realized (and admitted) this.
Security is something that must be designed in from the beginning - it's not something that can be 'bolted on' after the product is finished, any more than you can make pudding, and decide you want it to be a house instead - you can't make a house out of pudding.
I think we can all agree that MSFT has succeeded in creating simple, easy-to-use products
You think wrong. I certainly wouldn't characterize MS products as easy-to-use. Easier than some other products, in some situations, perhaps.. but not easy.
As for simple? Have you seen MS Word lately? Bloated with dozens upon dozens of features that nobody uses - you categorize that as simple?
whether you like it or not, there is no easier OS
Spoken like someone who's never tried any other OS.
Ever try MacOS?
How about Amiga?
VMS? Anything besides Linux and Windows?
As an advanced user, I find Linux MUCH easier to use than Windows, because everything is laid out as I expect. I used Windows before I used Linux, and most of the learning curve I experienced came from attempting to do things the Windows way - but after one or two times, I realized that the best way to learn a task was to ask myself "if I had designed this system, how would I implement it?" - and all of a sudden, everything became easy.
Sure you can. You start by disabling all contact with the outside world by default. If I'm not listening, they can't tell me what I don't want to hear. You then, slowly and with rigorous testing, implement a small set of interfaces that let you talk where you need to, e.g., by reading and drawing a body of text. Bingo, you just covered most of e-mail, Usenet, web browsing and the rest in one go.
The problem is MS' approach: every application should do everything. For goodness' sake, Office 2002 apps that I use to write my letters and do my accounts have several dozen hooks that try to access the Internet in them. Why? That's just silly, and it's not surprising that in such an environment, people get careless.
Writing basic interfaces to support e-mail, ftp, web browsing, Usenet, time sync'ing and such is not hard. Writing them to be secure requires a modest amount more effort. It shouldn't be beyond the average CS grad, though, and it certainly shouldn't be beyond a group with the resources that Microsoft has at its disposal.
People have been telling me for years that since I program in C++ and don't use a GC, my programs must have memory leaks. I've told them no, because I use good basic practices. They claim I'm wrong. I claim I have rigorous, objective diagnostic tools that back me up on this. That's not hard, either, but most of the programming world would tell me it can't be done. So it is with security.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Simple, brand name
This is correct. Microsoft's genius lies in the marketing. Not that their products are all terrible, and thrive ONLY because of marketing, but marketing got them and keeps them where they are today.
Microsoft's corporate sales pitch deliberately glosses over the technical side of things. The corporate execs aren't technical people anyway, so why try to explain the benefits of a product in technical terms that only a select few understand? No, Microsoft invented the term "TCO" (Total Cost of Ownership) and sold the concept that Microsoft was the less costly way to go. Execs understand the concept of money very well. Everyone responds to emotional sales pitches (unless they are Noam Chomsky or something). Through a combination of $$$ claims about lower TCO and carefully placed FUD, they have established a dominant position on the LANs they were merely clients on ten years ago.
Another thing Microsoft realized is that computers would be everywhere, and they wouldn't always be under the control of UNIX admins with pocket protectors and advanced CS degrees. There just aren't enough uber-geeks to go around for all the offices in the world. Brilliant foresight. It might be the CFO who suddenly finds the company has grown and now they need to bring the network back under control. Microsoft has hands down the slickest sales materials I've seen in the computer field.
Microsoft sells a culture, a lifestyle, in which you don't have to worry about computer problems because there are teeming millions of MCSEs and phone support and etc. to hold your hand through whatever problems may arise. And in fact this is true. Microsoft will smile and nod and politely empty your wallet.
A few months ago, there was a story on Slashdot about MS sending the BSA after school districts in the Northwest. After the admins got into a tizzy and threatened to install Linux everywhere, Microsoft had the Come to Jesus meeting. "The themes for today are friendly and flexible," the sales lady said. It's the classic good cop/bad cop routine, a pure psychology play, and Microsoft knows their shit in this regard. Geeks, being socially stunted and sexually frustrated, are putty in Microsoft's hands, especially when the nice woman in the business suit shows up to put down the rebellion.
That is how Microsoft has achieved their monopoly. Unlike the other computer companies, they don't try to sell the technology itself. Instead they sell the REWARDS of implementing a Microsoft solution, they sell a warm fuzzy bundle of love, a pre-made community of smiling, personable non-geeks who are there to ease your assimilation into the Collective.
Microsoft was the first to bring big-time Madison Avenue marketing psychology to an exponentially growing computer market, that's why they're on top now.
This T-shirt I saw said it best:
Political <---------- You are here
Presentation
Session
Application
Transport
Network
Data link
Physical
However, the "Every operating system out there is about equal in the number of vulnerabilities reported" statement of Valentine's fails to take into consideration that in most cases Unix, open source and free licensed software has been designed from the outset with at least the issue of security in mind. Whereas, some Microsoft systems such as their embedded scripting systems have not.
The result is that it is far easier to exploit an easy, scriptable vulnerability in a Microsoft system, that has no patch for months, than to exploit a difficult, binary hole in a Linux/BSD system that has a patch within days.
...I just generated a message to people and potential clients regarding these issues.
The gist of it is that there are security problems that cannot ever be fixed by Microsoft with their products. If they wish to stay with Microsoft, they have to remain vulnerable until such time they release their new products which address the concern and in most cases, pay a lot of money to get them.
Meanwhile, free solutions exist to replace the problem products and while they aren't trouble-free themselves, they do tend to get fixed much more quickly and there is no additional cost for those fixes in most cases.
When addressing security concerns of today, NOW is the time -- not waiting for the next generation OS and then waiting for it to be stabilized.
One of my targets for the message was "Resident Data" (http://www.residentdata.com) which is a company that functions by serving up the results of background checks to its subscribers. (It shares sensitive and private information about individuals for money to clients.) They are PROUDLY a "...Microsoft Only..." shop.
Frankly, that attitude scares the $#!+ out of me. It's all well and good to favor one product over another due to familiarity and comfort, etc. But it's utterly irresponsible to attempt to call "secure" their data when it's housed in a "...Microsoft Only..." environment.
If the company I cite as an example is any indication of what is actually going on out there in practice, I'm genuinely frightened at how our public and private records are being managed.
To me this is a major privacy concern and there should be an initiative that demands that SECURE STORAGE and SECURE METHODS be deployed to secure the information. If there are significant threats discovered, it should be their legal responsibility and requirement to either secure the data properly or shut down the operation until such a time that it can be certified as secure. This is not "Anti-Microsoft" sentiment speaking -- this is Privacy/Security sentiment.
The problem is much larger than just the products -- it's how and where they are used.
So they say, "Our products aren't secure... but our NEW stuff will be! For real! Honest!" And then Palladium comes out. And wonder of wonders, it won't be secure. And they'll say, "Oh, well, yeah, this isn't perfectly secure, but our *NEXT* generation will be! For real! Honest!" And then the next generation will come out, and it will have holes, too.
I'm fairly well convinced at this point that Microsoft's history of poor security technologies and practices is, if not entirely deliberate, at least unconsciously encouraged. An evolutionary defense, perhaps. If products are touted as secure, but aren't really secure, and if the next generation is claimed to be the fix to all the current problems... then the average person/company will probably eat it up. Why?
Because eternal vigilance is the price of freedom, and most people don't want to believe that. There is no magic bullet for safety or security. The only way to have anything resembling good security, is to keep working at it. The more you work at it, the better it will be. There's a point of diminishing returns, of course, and if you spend all your time on safety, you'll never get to spend any of your time doing the things that you're protecting... but if you spend no time on security, you have no right to complain when it fails. This goes for computer software, physical security, national security, whatever.
But a lot of people don't understand that. They hear about "new, *really* secure" things, and they think, "Well, once we have that, then we'll be secure, and won't need to think about security any more!" But it doesn't work that way. It never has, and it seems unlikely that it ever will. People need to be made to understand, whether they like it or not, that the only way you can have security, is if you keep working at it. And a lot of people don't want to have to think about failures of security, and what they have to do to prevent them.
The worst part is, no matter what you do, there's always ways around it. Before a year ago, how many people would have thought it absurd that terrorists could simultaneously hijack four airplanes and use them to entirely demolish the World Trade Center towers and severely scar the Pentagon? Surely our security was better than that?
This is not a call to action for our country, or Linux advocacy, or whatever. I'm just trying to analyze why it is that Microsoft can keep getting away with this. I think the main reason is that when Microsoft says things, people believe them, even when what Microsoft says is the same known lies they've been saying for years. Why do they believe? Because human denial is an immensely powerful force. And Microsoft knows it.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased