Microsoft versus EC

Adequate response - but who remembers the question?

Comment: I went to a very interesting briefing with Microsoft last week, following up on the EC case documented here. Essentially, to comply with EC requirements the company has documented parts of its Windows Server code that were previously invisible to the outside world, and made this documentation available to its source code licensees.

But, does it really matter? The central question is supposed to be: "Has Microsoft done enough to convince the EC that it has provided an adequately documented code base to interested parties?"

From a developer's perspective, previously inaccessible elements of code are now as accessible to licensees as code that was already available to MSDN subscribers. Documentation exists as Windows help files and is therefore as usable as other Windows help files, and the source is searchable and accessible through a simple but adequate browser-based system.

To say that these provisions are insufficient would be tantamount to saying that the Windows help system and the browser were inadequate mechanisms for text-based information access. Someone will have to spend the time to ensure that all the code is documented, and while they may identify weaknesses in the existing documentation, it is unlikely they will find too many gaps.

In other words, Microsoft’s efforts should be good enough for most developers that have the wherewithal to understand the code and, therefore, they are good enough for me.

There remain some open issues, notably around the licensing model itself - whether it is a workable framework for the competitors in the open source community, for example. Microsoft has made some efforts in this direction, but does stipulate that its code must remain private. Clearly, Microsoft is trying to balance openness with the need to protect its IP, but some may question whether it is going far enough.

Whatever the outcome, however, it becomes almost irrelevant when compared to the real questions underlying the debate. Microsoft was instructed to open up its code to combat accusations of anti-competitive practices, and of abusing its pseudo-monopolistic position with desktops and departmental servers. The inordinately long and slow legal process links right back to the MS vs Netscape anti-trust cases in the US. The trouble is that whatever efforts Microsoft makes to open up its Windows Server code in the here and now, they do not guarantee that confidence in the company’s desire to "play fair" will be restored. Most importantly, however, the move won’t make a jot of difference to Microsoft's ability to compete.

There are a number of reasons for this. First, the scope is limited to Windows Server and doesn’t cover more current areas of direct competition – Microsoft Exchange, for example, has until recently locked out any direct connections with devices not running Microsoft software. Was this anti-competitive? You betcha. There are other examples – in the past we had C# and J# undermining C++ and Java, and today, Microsoft’s virtualisation engine should be subjected to far more scrutiny. In a bizarre twist, Microsoft itself is being prevented from developing features that should clearly be tied into the very heart of the operating system – anti-virus is one example, where these old legal battles are preventing legitimate innovation.

It’s the old adage: "if you want to get there, don’t start from here". The legal system is unable to keep up with a rapidly changing industry, so by the time anyone works out that company X is being uncompetitive to company Y, the world has already moved on and company Z has come from nowhere. In the midst of the browser wars, who expected such developments as Firefox or openoffice.org, or indeed Linux? There are plenty of other examples of where Microsoft doesn't have a monopoly, from gaming to Symbian.

Meanwhile, just as Bill Gates once predicted when talking about his fears, competition has come from left field, with the overvalued industry darling, Google, establishing itself as a strong competitor and putting paid to the idea that Microsoft would take over the world. It seems laughable now, but there were plenty of people who believed it. Microsoft is the number three in the market, which is likely to see significant growth and innovation, and all bets are off as to who will dominate.

Meanwhile, Microsoft is using its position to push new technologies – Vista and Office 12 for example, or the small business suites from the likes of Navision and Great Plains – in ways that the EC may at some point in the future decide are anticompetitive. By then, however, it will be too late to do anything but follow through again with some ill-considered rearguard action.

Can anything be done at all? It is difficult to say, but the problem lies in the legislation, not the vendors. I would be looking at how software is imported into the EU, and considering import criteria on Microsoft that any new subsystems would require open interfaces that enable them to be swapped out and replaced with those of a competitor. The good news is, this is the way the world is going anyway, and Microsoft is following suit. No enterprise organisation will ever follow a floor to ceiling Microsoft model, and in the service based world, the historic walls between applications and software services are being forced open.

Microsoft knows that it is in its interest to open up a little if it wants to stay in the game. Technology constraints enabled Microsoft to get to where it was in the first place, but those constraints are no longer applicable. Even if Microsoft was anti-competitive in the past or abused its unique position, it is exceedingly unlikely that it would ever be able to do the same again, and any legal battle to rein it in or prevent it from doing so becomes less and less relevant.

Copyright © 2006 Macehiter Ward-Dutton

This article was originally published at IT-Analysis.com
