DoJ exculpa: why the MS deal doesn't stink at all, honest

And nobody will believe this one either

The Department of Justice's Competitive Impact Statement, intended to explain why the deal it struck with Microsoft will tame The Beast and not, as widely advertised, simply renew its licence to kill, is as one might expect a lengthy mea exculpa. The Proposed Final Judgment, which was unveiled earlier this month, has plenty of holes in it, and the Competitive Impact Statement won't do much to convince critics that these aren't holes after all.

It does in some areas - notably in the case of the security 'get out of jail free clause' - appear to tighten things up by saying what the Judgment is supposed to mean, rather than leaving us to wonder. This particular section, it says, "must be read in conjunction with subsection III.J.1.a., which exempts from [disclosure] certain very limited and specific portions or layers of Communications Protocols which would, if disclosed, compromise the system security provided by Microsoft anti-piracy, anti-virus, software licensing, digital rights management, encryption and authentication features. The exception provided by subsection III.J.1.a. is a narrow one, limited to specific end-user implementations of security items such as actual keys, authorization tokens or enforcement criteria, the disclosure of which would compromise the security of 'a particular installation or group of installations' of the listed security features."

So here the DoJ is stressing that there's no way Microsoft could keep secret anything it liked just by howling "security!" Nevertheless the company still has the ability to argue about what is and is not covered here, and it also has the ability to require that the recipient or licensee be of good character, i.e. "having no history of software counterfeiting or piracy or willful violations of intellectual property rights." Some might argue that certain historical incidents might rule Microsoft itself out on a couple of those counts, but we won't.

Microsoft can also insist on the licensee "having its programs verified by a third party to ensure compliance with Microsoft specifications for use of the information." Which could be used as another obstacle. The explanation of the security clause itself is as follows:

"For example, this subsection permits Microsoft to withhold limited information necessary to protect particular installations of the Kerberos and Secure Audio Path features of its products (e.g., keys and tokens particular to a given installation), but does not permit it to withhold any capabilities that are inherent in the Kerberos and Secure Audio Path features as they are implemented in a Windows Operating System Product. This is a critical distinction, because it ensures that Section III.E. will make these features available to competing software and hardware developers and permit them to offer competing implementations of these features, and products that rely on them, that can do the same things as Microsoft implementations of these features, while protecting the integrity of actual, particular end-user implementations of those systems."

Exactly how "portions of APIs or Documentation or portions or layers of Communications Protocols" (which is what it says in the Proposed Final Judgment) boils down to "keys and tokens particular to a given installation" is not made clear. One trusts the judge will make it so.

Overall, the latest document doesn't do anything significant to alter the widespread perception, which is held in some remarkably odd places, that the deal was a cave-in. If like most analysts you thought Microsoft still had plenty of scope to carry on as before, and that the Judgment would do nothing to obstruct future abuses using alternative mechanisms, you're still going to think that.

The sign-off pages are good though. They explain why the DoJ didn't push for something closer to Jackson's remedies, which is because it'd take two years more wrangling. This is however odd, given that Jackson could have imposed the remedies if he wanted, the present judge still could, if she wanted, and that the appeals court agreed with the original verdict. The DoJ quite likely could get relatively speedy relief based on imposed terms if it had pressed for it. Microsoft would certainly have appealed this, and might have won stays, but it might not. You don't ask, you don't get, surely.

Next, the host of alternative remedies that were submitted by "industry participants and other interested individuals" gets due consideration. We'll quote them in full:

"A requirement that Microsoft license the Windows source code to OEMs to enable them to modify, compile and distribute modified versions of the Windows Operating System for certain limited purposes, such as automatically launching Non-Microsoft Middleware, operating systems or applications; setting such non-Microsoft Middleware as the default; and facilitating interoperability between Non-Microsoft Middleware and the Windows Operating System.

"A requirement that Microsoft disclose the entire source code for the Windows Operating System and Microsoft Middleware, possibly within a secure facility for viewing and possibly without such a facility.

"A requirement that Microsoft must carry certain Non-Microsoft Middleware, including but not limited to the Java Virtual Machine, in its distribution of the Windows Operating System.

"A requirement that Microsoft manufacture and distribute the Windows Operating System without any Microsoft Middleware or corresponding functionality included.

"A requirement that Microsoft continue to support fully industry standards if it chooses or claims to adopt them or extends or modifies their implementation.

"A requirement that Microsoft waive any rights to intellectual property in related APIs, communications interfaces and technical information if the Court finds that Microsoft exercised a claim of intellectual property rights to prevent, hinder, impair or inhibit middleware from interoperating with the operating system or other middleware."

These are in general quite mild compared to some of the ideas that have been put forward, and indeed compared to splitting the company in two. One of them, covering source disclosure, was even originally thought to be part of the deal, but seems to have been chopped at the last minute. So what did the DoJ do about them?

"The United States carefully weighed the foregoing proposals, as well as others received or conceived, considering their potential to remedy the harms proven at trial and upheld by the Court of Appeals; their potential to impact the market beneficially or adversely; and the chances that they would be imposed promptly following a remedies hearing. The United States ultimately concluded that the requirements and prohibitions set forth in the Proposed Final Judgment provided the most effective and certain relief in the most timely manner."

And that is all the document has to say about the other proposals. You'll note that "the most effective and certain relief in the most timely manner" is DoJspeak for the most we could get Microsoft to agree to without having to go back to court. ®

Related stories:
Those new-look tougher MS judgment terms in full
All you ever wanted to know about the DoJ's Windows cave in