Microsoft Versus

Microsoft Secrets & Lies

Under pressure of a settlement with the U.S. Department of Justice, Microsoft® claimed to publicly document (i.e. "open up") the APIs to Windows™ in 2002. "Devos claims that Microsoft's disclosures remain sufficiently inaccurate and incomplete for developers to continue using his own documentation. Devos claims that Whirling Dervishes has discovered hidden Windows interfaces that are crucial for the development of [certain] applications, but whose existence is denied by Microsoft." (John Lettice. "API expert claims Windows Explorer app breakthrough." The Register 29 May 2003)

Microsoft's public relations tactics often involve spreading fear, uncertainty, and doubt (FUD) about the competition. Sometimes this goes beyond spreading misconceptions and leaving out facts: a line is crossed and lies are propagated. One week Steve Ballmer says the increase in Linux servers is exclusively at the expense of proprietary Unix. The next week Ballmer sends his employees a memo stating Linux is hurting Microsoft and is a serious threat.

Security Via Secrecy

Microsoft's policy is to disclose the security vulnerabilities it finds only to a few select organizations. They believe informing the public of vulnerabilities will promote more abuse of these known problems. It has so far remained unproven that limiting disclosure reduces attacks. What it may do, however, is give the impression that the software is more secure by not informing everyone of how insecure it truly is. People intent on cracking into systems will find exploits. Informing those who aren't interested in committing a break-in will not lead them to abuse the vulnerabilities, but instead will make every user of the software aware of the problems.

One claim of some closed source vendors is security through obscurity. They believe that if they don't reveal the recipe, no one else will be able to figure out what's in the pie. Well, so far that hasn't worked. Most of the largest companies in the world have experienced breaches of security while using closed source and/or open source software. (See Security)
Copyright © 2004-2007 Matthew Schwartz