You buy a house. After you move in, your walls and floors are suddenly soaking wet because all the pipes are leaking. You learn that your builder is infamous for constructing popular houses that have porous plumbing. Then you find some plumbing companies that specialize in fixing your builder's pipes. These plumbers have become hugely successful by understanding how to cut holes in your walls, access the pipes, fix them in whatever way they feel is appropriate, then charge you for getting rid of the leaks your builder was responsible for. The plumbers might have knocked holes in your walls, but at least you're no longer drowning.
Naturally, you join your neighbors in demanding that your builder stop constructing houses with dangerous plumbing. After years of complaints, the builder finally sees the light and revamps the whole plumbing system. The builder also realizes that when plumbers need to work on the pipes (as they inevitably must), whacking holes in random walls isn't the best approach and burglars could also use those holes to plunder the house. So the builder decides to create access panels through which plumbers can reach the pipes but that shut burglars out.
Everybody lives happily ever after, right? Not really. Plumbers are outraged: Not only has the builder eliminated a huge plumbing market by constructing houses with better pipes, but the builder is also preventing the plumbers from taking the quickest, easiest route to reaching the pipes. No more knocking holes in walls. How dare the builder improve its product in ways that prevent other businesses from profiting from the product's defects?
Builders? Plumbers? Microsoft?
I didn't set out to write this column about the construction industry. I was
planning to write about the latest RCs of Microsoft Office 2007 System and Windows
Vista. (In a nutshell: Office is great; Vista still has a way to go, especially
on Tablet PCs.) But I was watching the morning news today, and my writing plan
changed radically.
CNBC was interviewing security product vendors and Microsoft security Corporate Vice President Ben Fathi. The vendors were outraged that security precautions such as Kernel Patch Protection in Windows x64 technology will no longer allow anyone access to alter the Windows kernel at runtime. The vendors complained that this new security restriction is damaging to their business because they've previously had such access.
Ben responded with an unimpressive and unclear analogy about plugging your stereo headset directly into the guts of your CD player (Ben's analogy for the Windows kernel) instead of using the manufacturer's plugin outlets (Ben's analogy for Windows APIs). The CNBC anchors had no idea what Ben was talking about and snickered that this was another typical example of Microsoft squashing its competitors.
I'm the first to say that Microsoft has plenty of flaws that we should (and do) complain about—in fact, security is one of the biggest. But the CNBC reaction to this issue floored me because of the complete lack of understanding it displayed. After taking so much heat about its weak security, Microsoft is finally working to fix it. And people immediately complain that fixing security is wrong because it keeps out the good guys along with the bad guys. Catch-22 for Microsoft.
No Analogies
I asked Microsoft to clarify its position on this issue and got a long, boring
marketing-speak message that makes my builder/plumber analogy look like great
writing in comparison. I'll spare you the entire message, but here's the gist:
Current 32bit implementations of the Windows Kernel-contain undocumented and unsupported interfaces that modify key services of the kernel. This creates significant performance, reliability, and security risks. Not only can ISV's modify the 32bit kernel in place, causing operating system crashes and slowdowns, but attackers have equal access. Kernel Patch Protection, which is not new to Windows Vista and is available for x64bit systems only, removes the ability to modify or utilize undocumented or unsupported capabilities of the core of the operating system...Microsoft is providing documented, supported methods for industry partners and Microsoft product teams to implement new innovative functionality in defined and supported ways that will result in greater security and reliability for our mutual customers on x64bit systems. s
In Short: To Ensure Security, Kernel Access—Bad, APIs—Good
Let's continue to hold Microsoft's feet to the fire on security and other important
issues. But let's also distinguish between attempts to squash the competition
(which are a reality I've seen firsthand in different contexts) and attempts
to do the right thing for customers.