Windows XP Shows the Direction Microsoft is Going.
by Michael Jennings, Futurepower ®
Computer Systems
Last updated February 16, 2003.
The latest version of this article can be found at
http://www.hevanet.com/peace/microsoft.htm.
An equivalent address is
http://www.futurepower.net/microsoft.htm.
French version: For a recent version of this article in French, visit
http://www.hevanet.com/peace/microsoft-fr.htm
Spanish version: For the latest version of this article in Spanish,
visit http://www.hevanet.com/peace/microsoft-es.htm.
This article follows the settings of your browser.
Adjust your browser to a comfortable width for reading.
This article is frequently updated. If you have visited it before,
select View/Reload in your browser (or type Control-R),
so you read the version on the web site, and not the one stored
in your computer.
French version added December 31, 2002: For a recent version
of this article in French, visit http://www.hevanet.com/peace/microsoft-fr.htm.
November 15, 2002: Bruce Schneier recommends this
article. Bruce Schneier, well-known computer security analyst, said in his November 15 newsletter [counterpane.com]
that this article is "A well-written analysis of the major security/ privacy/ stability concerns of Windows XP." Mr.
Schneier wrote the books Applied Cryptography and Secrets and Lies: Digital Security in a Networked
World, and other books
[counterpane.com].
Spanish version added November 3, 2002: For the
latest version of this article in Spanish, visit
http://www.hevanet.com/peace/microsoft-es.htm.
You have a right to know. You have a right to
all the information you need to make an informed choice about any product you buy.
The author wrote this article because of the need to give his customers fundamental information about the
direction Microsoft wants to take them. Few people have the technical background to understand fully the advantages and
disadvantages of software as complex as an operating system. Without fundamental information, it is difficult for
non-professionals to understand the advice of professionals.
The author is not anti-Microsoft in any way. There appear to be management problems at Microsoft, but the
author would like any problems to be fixed, rather than have the entire world suffer through Microsoft doing poorly. Because he
has spent considerable time trying to understand the problems, and because he cares deeply about fixing the problems, the author
is, in that sense, "more pro-Microsoft than Bill Gates".
This article is support for your own
investigation. Use this article to support your own thinking and investigation. It is not intended as
direct advice. If you don't have enough technical knowledge to evaluate the information presented here, please do not simply
believe the author of this article. To avoid misunderstanding, find someone with technical knowledge who can help you.
If you need help evaluating the issues here, the following remarks may be useful in choosing someone to
help:
Computer professionals are sometimes not computer users. Often those who know a lot
about computers are not especially heavy users of their own computers. They may not have encountered some of the problems that
are mentioned in this article. Often people who only use their computers for email, web browsing, and word processing wipe their
hard disks clean and re-install everything every few months. This avoids some of the problems.
Some of the problems mentioned below are most serious for companies that have thousands of employees who use
numerous special applications.
The seriousness of an objection is not proportional to its intensity. Sometimes there have been people who have
complained very strongly about something written here. When strong objections have been evaluated, they have sometimes
been found to be small in comparison to the intensity of their expression.
There are people whose self-esteem is strongly tied to their knowledge of computers. When they discover
something that they don't know they sometimes have a negative reaction that sounds like a serious objection.
Consider conflict of interest. Consider whether the advice of a technically
knowledgeable person is influenced by conflict of interest. For example, if someone has spent many years taking expensive
courses in administering Microsoft software, he or she may be very reluctant to say, or see, anything negative. This is
particularly true if the person has a spouse and children and mortgage, and no other good way of earning money.
Consider each issue separately and carefully. It's necessary to evaluate each issue
carefully. If someone raises an objection that is discovered to be valid, that does not necessarily mean that other issues are
without merit.
Notify the author of corrections. If you find a mistake in this article,
please write the author at the address at the end so that it can be corrected. On December 29, 2002, for example,
someone mentioned that there was a mistake in wording in a section of a former version of this article. He also asked a
question about something that was not well documented. Corrections were made and 14 new paragraphs were added the same
day. Not all corrections and additions are made this quickly. However, the article has been revised and extended more
than 50 times since it was first published.
Hidden Connections. Microsoft Windows XP connects with other computers, or expects to be allowed
through the user's network protection firewall, in more than 16 ways. Network security is something the computer user
and the operating system supplier need to do together, but Microsoft seems to show little sensitivity to the user's
security needs.
The issue is not that the connections are always bad for the user. The issue is that Microsoft has
moved from making operating systems that are independent to making operating systems that try to connect to Microsoft's
own computers, and are somewhat dependent on new ways of having access through the software firewall. Windows XP is the
first Microsoft operating system to challenge whether the user can have control over his or her own computer.
Windows 98 does not connect to Microsoft's computers. Microsoft Windows 98
connects to Microsoft's computers only by user request.
Windows XP connects with Microsoft's computers and expects to be allowed through the user's
firewall in many new ways. Each user has a responsibility to control what goes in and out of his
or her computer. Microsoft's new networking arrangements make this difficult. Here is a (probably incomplete) list of
ways Windows XP tries to connect each user's computer to Microsoft's computers, or expects to be allowed through the
user's software firewall:
- Application Layer Gateway Service (Requires server rights. "Server rights" means that this Microsoft software inside
your computer can set up an arrangement that allows other computers to control it.)
- Fax Service
- File Signature Verification
- Generic Host Process for Win32 Services (Requires server rights.)
- Microsoft Direct Play Voice Test
- Microsoft Help and Support Center (If you don't stop it, using "Help and Support" notifies Microsoft of the subject
of your search.)
- Microsoft Help Center Hosting Server (Wants server rights.)
- Microsoft Management Console
- Microsoft Media Player (Tells Microsoft the music and videos you like. See the February 20, 2002 Security Focus
article Why is Microsoft watching us watch
DVD movies? [securityfocus.com].)
- Microsoft Network Availability Test
- Microsoft Volume Shadow Copy Service
- Microsoft Windows Media Configuration Utility (Setup_wm.exe,
sometimes runs when you use Windows Media Player.)
- MS DTC Console program
- Run DLL as an app (There is no indication about which DLL or
which function in the DLL.)
- Services and Controller app
- Time Service, sets the time on your computer from Microsoft's computer. (This can be changed to get the time from
another time server.)
The new connections create three major issues for users:
1) The new Microsoft policy creates security concerns:
a) The new policy creates enormous difficulty in making the user's computer secure. How can someone
write rules about connecting for use with a firewall when Microsoft doesn't supply sufficient information about what
each service is doing? It is possible for a skilled professional to research what each service normally does. However,
even a professional cannot know the behavior of Windows XP in all unusual cases; the program is too complicated.
b) The new connections may have created new classes of security vulnerabilities. Microsoft software
has consistently been found to be extremely defective. (See the section, Why so many defects?)
There is apparently very little explanation from Microsoft and no review by security professionals outside Microsoft
concerning the new methods of connecting.
2) Microsoft has programmed Windows XP to contact other computers and transfer information from
the user's computer to the other computers:
a) If you have only three DVDs that your children watch sometimes on your home machine that is
always connected to the Internet (through a broadband connection), you may not care that Microsoft knows when they
watch them. If you seldom use the Windows XP help facility, you may not care that Microsoft is able to know the level
of expertise of the people who use your computer.
However, if you are using Windows XP in a large corporation or a government, the fact that another
organization believes that it can gather data from you may be completely unacceptable.
b) Even if, with an enormous amount of effort, professionals determined what information is sent to
other computers, it cannot be known what information is sent in unusual circumstances. As mentioned above, there are
simply too many pathways in complicated software to check all of them.
(Contrast this with the Linux and BSD operating systems: Changes are discussed intensively and
openly before they are made. The instructions to the computer [source code] are open for anyone to see and criticize.
Those who program open source software have no interest in collecting information about the people they serve.)
3) By changing the way its operating systems connect, Microsoft has created uncertainty about its
intentions:
a) What is the purpose of the new policy? Where does Microsoft intend to go with this new direction?
We don't have answers.
b) Microsoft has shown it feels free to create new kinds of connections without any review by or
explanation to the computing community. Microsoft sees the user as someone who has no rights, apparently. Big companies
that must plan their computer use years in advance commit their companies to an operating system. With Windows XP they
cannot know what that commitment means; maybe if they accept Microsoft's behavior now, Microsoft will do something they
cannot accept in the future, making a costly change necessary.
c) Not only does the new policy show that Microsoft believes it can make changes to its software at
any time without review, but the company has shown that it believes it can force those changes on the user. For
example, sometimes Microsoft has used security upgrades to change the operation of other components of its software, or
to change the licensing terms. To get a necessary security upgrade, it is necessary to agree to whatever Microsoft has
decided. Even if it could be known that Microsoft Windows XP makes no objectionable information available to Microsoft,
and creates no new security vulnerabilities, that could change at any time.
To generate the above list of ways that Windows XP connects, disable Microsoft's firewall and use
the Zone Labs [zonelabs.com] ZoneAlarm
firewall, which is free for personal use. The free version is located at the link Download FREE
ZoneAlarm.
(You may not want to buy a spyware removal program, as ZoneLabs suggests. Spybot [kolla.de] is a good spyware removal program, and it is free. Also see the Spybot mirror site [ejrs.com]. The former best spyware remover, Ad-Aware [lavasoftusa.com], was not updated from September 2002 to
February 2003. Now there is a new version, but it seems sensible to wait to use Ad-Aware again until the new software has been
extensively tried and reviewed.)
Also, Tiny Personal Firewall is reputed
to be a good software firewall for Microsoft Windows. A software firewall is necessary, even for people who have a
hardware firewall, and the Microsoft software firewall that comes with Windows XP has very limited features.
When Windows XP tries to connect to another computer, ZoneAlarm will display a dialog box asking
whether that is okay. If you say no to some of the requests, some functions of Windows XP will not work (such as
networking).
An article from Microsoft called Managing
Automatic Updating and Download Technologies in Windows XP [microsoft.com] mentions 11 ways in which Windows XP
components automatically download software from Microsoft computers. The article says,
"Outlined below is a list of components, applications, and technologies discussed in
this whitepaper that have the ability to automatically download and install updated software and information from the
Internet."
Note that this does not say that the 11 are the only ways that Microsoft XP connects with
Microsoft's computers. It says that the 11 are the only ones "discussed in this whitepaper".
The Microsoft article tells how to disable the hidden downloading. However, the disabling is very
time-consuming. Also, Microsoft has a history of using defect fixes and security fixes to change the operating system
settings. This means that all the settings would need to be checked after every defect fix or security vulnerability
fix.
Windows XP will operate without a connection to the internet. Windows XP will operate if the user
uses a hardware firewall that blocks unwanted connections. However, most users don't know how to block connections.
They are connected without being notified.
It is expensive to evaluate the present privacy and security vulnerabilities of these connections and
impossible to evaluate the future vulnerabilities. Not everyone can afford to pay.
If the huge change in direction from Windows 98 is continued, it seems reasonable to worry that
future versions of Windows could become more dependent on Microsoft computers than Windows XP is now. That would fit
with Microsoft's new policy of trying to convert customers to paying every year even if there have been no
upgrades.
Often there is other hidden operation, no notification, and/or insufficient or no
explanation. There are other ways that Microsoft keeps control:
- All versions of Microsoft Office keep a number that identifies your
computer in each file you create that includes Visual Basic macros.
Office 97 keeps an identifying number even if there are no macros. (The
free and excellent Open Office [openoffice.org] does not have this problem, even when it uses the Microsoft file formats.)
- The software that comes with some Microsoft mice has reduced functionality until you let it connect to Microsoft
computers.
The major issue in this section is that, to satisfy the legitimate needs of users, computer software
makers need to recognize a partnership between themselves and the users. Microsoft, however, often devises methods
without fully explaining them and changes the operation of its software without notice.
For example, there are strange protocols. Try entering each of the following addresses, which Microsoft calls
"URLs" (Uniform Resource Locators), in the address box of Microsoft Internet
Explorer running on Windows XP. To do this test, it is necessary to take the spaces out of each of the lines shown. The
spaces were inserted because unbroken lines prevent re-sizing the browser width.
- MS-ITS:C:\WINDOWS\Help\ tcpip.chm::/sag_TCPIP_pro_Ping.htm
(Remember to delete the spaces if you test this line.)
"MS-ITS:" is a Microsoft help protocol. To see other examples, right-click on a link in the
Windows XP Help and Support Center. Choose Properties. Note that in the screen image of a sample Properties window, Windows XP says that "MS-ITS:" is an "Unknown
Protocol". It is not unknown, it is documented in an untitled Microsoft article with the heading To link from a contents or index entry to a topic in another compiled help file [microsoft.com].
The article says that "MS-ITS:" is a new version of the "mk:@MSITStore:" protocol.
Note also that what Microsoft calls the "Address - URL" is not all shown. It is necessary to select the URL and scroll
down to see the last part. The window size chosen by whoever programmed it is not large enough to display the average address.
- mk:@MSITStore:C:\WINDOWS\ Help\whatnew.chm::/ idh_whatnew_tuneupwiz.htm
(Remember to delete the spaces if you test this line.)
The "mk:@MSITStore:" help protocol is the version that existed before "MS-ITS:", the above article says.
- ms-help://MS.VSCC/MS.MSDNVS/ vbcon/html/vbconMigrating VI60ApplicationsToVS70.htm
(Remember to delete the spaces if you test this line.)
The "ms-help://" protocol is a help protocol associated with Microsoft Developer Network.
- hcp://system/sysinfo/ sysInfoLaunch.htm
(Remember to delete the spaces if you test this line.)
For explanation of the "hcp://" protocol, see the May 23, 2000 Microsoft article, An Overview of PCHealth and Windows
Millennium [microsoft.com]. The article discusses "HCP automation objects" which it says allow help content to "be
located anywhere, including the local machine, the intranet, and the Internet." But the HTTP protocol allows this; why
a new protocol?
These four help message protocols allow help information to be linked to other help information. But standard web pages
do this using a world standard protocol, "HTTP://", the HyperText Transfer Protocol, with HTML coding. Why
invent four new protocols when an excellent one was already available?
Of course, all of the new protocols can be used only in Microsoft's browser, Internet Explorer. This tends to lock
programmers and users to Microsoft Windows.
Consider the problem this creates for a computer
professional. Someone concerned with computer security may wonder about
the limits of these protocols. What is the definitive list of all the
ways Microsoft uses them? In 2002, 71 security vulnerabilities were
found in Internet Explorer. Are there bugs in the help protocols? Also,
for example, firewalls cannot provide protection if a protocol
tunnels through using the universally allowed HTTP protocol.
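An added example, not part of the original article: a mail or web content filter can at least inventory links that use the four help schemes listed above. The Python below finds and parses them; the sample text, the function names and the drive-path review heuristic are assumptions made for this example.

```python
"""Find and parse the four Internet Explorer help-protocol URLs named in the article."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Scheme prefix -> URL shape.
#   "its"  = <compiled help file>::<topic>   (MS-ITS:, mk:@MSITStore:)
#   "hier" = //<namespace>/<path>            (ms-help://, hcp://)
SCHEMES = {
    "ms-its:": "its",
    "mk:@msitstore:": "its",
    "ms-help://": "hier",
    "hcp://": "hier",
}

# A candidate URL is one of the prefixes followed by everything up to
# whitespace, a quote or an angle bracket. Matching is case-insensitive.
_FINDER = re.compile(
    r"(?<![A-Za-z0-9])(?:" + "|".join(re.escape(p) for p in SCHEMES) + r")[^\s\"'<>]+",
    re.IGNORECASE,
)
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class HelpUrl:
    scheme: str                 # lower-cased prefix from SCHEMES
    container: Optional[str]    # compiled help file, "its" shape only
    namespace: Optional[str]    # first segment after //, "hier" shape only
    topic: str                  # topic inside the help file, or the URL path

    @property
    def drive_path(self) -> bool:
        """True when the help file is an absolute drive path, as in the article's samples."""
        return bool(self.container and _DRIVE_PATH.match(self.container))


def parse_help_url(raw: str) -> Optional[HelpUrl]:
    """Parse one URL; returns None for other schemes or malformed input."""
    url = "".join(raw.split())  # the article inserted spaces into its samples
    lowered = url.lower()
    for prefix, shape in SCHEMES.items():
        if not lowered.startswith(prefix):
            continue
        rest = url[len(prefix):]
        if shape == "its":
            container, sep, topic = rest.partition("::")
            if not (container and sep and topic):
                return None
            return HelpUrl(prefix, container, None, topic)
        namespace, _, path = rest.partition("/")
        if not namespace:
            return None
        return HelpUrl(prefix, None, namespace, "/" + path)
    return None


def find_help_urls(text: str) -> List[HelpUrl]:
    """Return every help-protocol URL found in free text or HTML."""
    found = []
    for match in _FINDER.finditer(text):
        parsed = parse_help_url(match.group(0).rstrip(".,;)"))
        if parsed:
            found.append(parsed)
    return found


def review_notes(url: HelpUrl) -> List[str]:
    """Reasons a reviewer may want to look at this link."""
    notes = ["non-HTTP help scheme: per the article, only Internet Explorer handles it"]
    # Heuristic assumed for this example: the article's samples all use an
    # absolute drive path, so anything else is listed for a closer look.
    if url.container is not None and not url.drive_path:
        notes.append("help file is not given as an absolute drive path")
    return notes


# Constructed sample input (not taken from any real message).
SAMPLE_TEXT = (
    r'See <a href="MS-ITS:C:\WINDOWS\Help\tcpip.chm::/sag_TCPIP_pro_Ping.htm">ping</a> '
    r"and mk:@MSITStore:C:\WINDOWS\Help\whatnew.chm::/idh_whatnew_tuneupwiz.htm, "
    r"then hcp://system/sysinfo/sysInfoLaunch.htm or http://example.com/page.htm "
    r"and ms-its:notes.chm::/intro.htm"
)

if __name__ == "__main__":
    for u in find_help_urls(SAMPLE_TEXT):
        print(u.scheme, u.container or u.namespace, u.topic, review_notes(u))
```
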
The protocols are implemented in a quirky way. They
are sloppily documented. There are no world standards. If you send
someone a URL in one of the Microsoft-invented protocols by email, you
have to remember to tell him or her to use Internet Explorer, or he
or she will only get an error message. It is difficult or impossible to
learn why Microsoft invented four new protocols, and ignored the
world standard. Whoever is served by having four new protocols, it does
not seem to be the customer.
This example of the help protocols is only a very
small one to illustrate an overall point. There are many, many quirky
implementations like this. Each one, considered separately, might be
accepted. When there are many it is a considerable burden for both
professionals and users.
It is important to understand the nature of what is
written in this section. Many people use software that only runs
under a Windows operating system; for those people, Microsoft has a
monopoly in operating systems. There is nothing in this section that
would cause such a person to give up necessary software. The point is
that the manner in which Microsoft manages its business creates
difficulties. Microsoft has many initiatives and purposes that are not
what its customers would choose.
Why so many defects? The fact that Windows XP makes your computer dependent on Microsoft computers is
bad not only because you lose control over your computer, but because Microsoft produces defective software and doesn't
patch defects quickly.
For example, on December 9, 2002, there were 19 security
vulnerabilities [pivx.com] in Microsoft's internet browser, Microsoft
Internet Explorer. Some of these defects allow a malicious web site designer
to "execute arbitrary commands, read local files, and do anything the user
can ... do to his machine". These defects allowed an attacker to take control even if
the user had a perfect software firewall and a perfect hardware firewall. The attack could use the
HTTP protocol which all firewalls allow. This extreme exposure existed for years.
Here is the recent record. The list of defects has been
similar for years. Also, this is a record only of security defects, not all
defects:
- June 18, 2002: 18 vulnerabilities
- August 8, 2002: 22 vulnerabilities
- September 9, 2002: 19 vulnerabilities
- November 19, 2002: 32 vulnerabilities
- December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
This is a terrible record for a company that has $50 billion [biz.yahoo.com] in the bank. ("Total
Current Assets") Obviously, with that kind of money, Microsoft could fix the defects if it wanted to fix them. Since
the defects are very public and Microsoft has the money, it seems reasonable to suppose that top management at
Microsoft has deliberately decided that some defects should remain.
The defects in Internet Explorer are examples
in only one program. All of Microsoft's software seems to be of
comparable quality. See, for example, the
Microsoft Crash Gallery.
The security vulnerabilities are often very
public. For one of many examples, see the December 21, 2001 Associated
Press article published by USA Today,
XP flaw due to 'buffer overflow' [usatoday.com].
There are a variety of plausible reasons why
Microsoft would allow so many defects in its software. Since Microsoft
has a virtual monopoly, it is enormously profitable to sell users
sloppily written software, and then later sell them upgrades to
that software.
It also seems possible that there is a connection
between the huge number of defects and the U.S. government's friendly
treatment of
Microsoft's law-breaking [usdoj.gov]. The U.S. government's
CIA and FBI and NSA departments spy on the entire world, and unpatched
vulnerabilities in Microsoft software help spies.
Another theory is that the quality of management
at Microsoft is so poor that the company simply cannot motivate
its programmers to do better. One of the causes of security vulnerabilities
is called "unchecked buffer", in which a program takes input,
but does not check the input before it is used. A search using
the Google search engine for web pages at Microsoft sites exclusively about
"unchecked buffer" shows hundreds of entries. This and other
indicators suggest that Microsoft may have for years allowed its
programmers to submit sloppy programming, and now problems are
difficult to find and fix.
Solve security problems: Don't let Microsoft connect. There
is a solution to problems with network security of Microsoft software
that involves using two computers for each user. Use an old computer to
connect to the Internet; it does not matter if it is slow. Run the
Linux operating system and the Mozilla browser and email client on the
old computer.
Use a new computer for all other tasks. Use a KVM switch to connect one Keyboard, Video monitor, and Mouse
to both computers. Run both computers simultaneously. Remove the TCP/IP
protocol software from the new computer running the new Microsoft
operating system, so that it cannot possibly connect to the Internet.
For file sharing, network the computers together using a protocol like
NETBEUI or IPX, or other means. IOGear makes KVM switches that have no video degradation at high resolution.
Technical Support is sometimes not available from Microsoft. When there is an
extremely technical problem with a Microsoft product, it is often difficult to get help.
A common problem with technical support staff in general, not just with Microsoft
technical support, is that they tend to work for themselves, not for the customer. Technical
support people have greater job security if they give less help. If they are
very efficient in reducing problems, it is likely that the company will reduce
its staff. Also, there is an enormous conflict of interest: Companies pay
their technical support staff less than $20 per hour, and they usually charge an average of
$120 per hour or more to provide help. Having software defects is extremely
profitable.
A friend of the author was the chief computer support person for a
company with an annual gross income of $300 million. The company had purchased the most
expensive technical support available from Microsoft, but Microsoft was unable
to fix a problem in their SQL Server product for many months. SQL Server would
become unusable and only re-booting the server would cure the problem. (This
was several years ago. The problem has since been cured.)
Two programmers wrote a humorous article about difficulty
getting help from Microsoft that compares Microsoft Technical Support to Psychic Friends Network.
(Psychic Friends Network is a company in the U.S. that, in the author's opinion, takes advantage of poorly
educated people who believe that a stranger can fix their personal problems by
talking on the telephone.) The 1998 article, Microsoft Technical Support
vs. The Psychic Friends Network [bmug.org (Dec. 29, 2002: Server down?)] or Microsoft Technical Support vs. The Psychic Friends Network [netscrap.com], says:
"In terms of technical expertise, we found that a Microsoft
technician using Knowledge Base was about as helpful as a Psychic Friends
reader using Tarot Cards. All in all, however, the Psychic Friends Network
proved to be a much friendlier organization than Microsoft Technical Support."
That article is linked here because it reflects the
author's extensive experience, too. The author has sold Microsoft products as part of
complete business computer systems since 1983.
The author once reported several serious problems with Windows 98 to a Microsoft technical support
representative who seemed especially knowledgeable and kind, and he just laughed. He was unable to get any answers, and
he did not have any way of contacting someone who could get the answers. Some of the problems were never fixed. For the
others, the author got help from the technical support department of a large computer parts distributor. Of course,
these issues were much more difficult than those from average users.
The author reported the five problems in Windows XP mentioned below several months ago before the
release of SP1 (Service Pack 1). Only one was cured with the release of SP1. That fix was not documented.
Open source software suppliers are often fast to fix defects. On Sunday,
December 8, 2002, the author found a very minor defect in version 1.2 of the Mozilla [mozilla.org] internet browser. Mozilla is entirely free software and the author's favorite
browser. When testing fragments of HTML pages (not full web pages), the first line would sometimes be displayed in an
incorrect font. This was a very minor defect, but it caused minor problems for the author because he often tests
complicated HTML fragments to check how they look.
At 9:01 AM on Sunday, the author of this article used Bugzilla [mozilla.org], Mozilla's defect reporting web site, to report the defect. At 9:10 AM, 9
minutes later (9 minutes on a Sunday!), the author received an email saying that the defect had already
been fixed in version 1.2.1 of Mozilla. The author had not yet installed the new version because it had been reported
that it only fixed one defect that the author had not experienced.
Recall from the section above that, on December 9,
2002, Microsoft's browser had 19 known unpatched security
vulnerabilities, some of them extremely serious. Mozilla has none. This
is different than would be expected, by a wide margin. In
one case, you pay money for the product (The Internet Explorer browser
is part of Windows XP.) and the service, and you get a
poor product and poor service. In another case, the product and service
are entirely free, and both are superb. The skepticism
experienced by the average businessperson when someone says, "The product from the big company is poor quality; the free
product is better", slows the acceptance of open source software.
Some web sites have been written to use proprietary Microsoft features, instead of the world standards. These
sites must be visited using Internet Explorer.
Deliberately allowed to crash. Resource Meter, a Microsoft program supplied with Windows 98, is able to predict
most Windows 98 crashes. It would have been easy to integrate this program into the Win 98 operating system and program
it to prevent the running of additional programs or to provide an error message, rather than let the OS crash.
Microsoft did not do this. See below for information about how to run a test yourself.
Windows 95, Windows 98, and Windows ME (all
closely related to each other) were designed in such a way that
it was inevitable that they would crash. Windows 95 was originally
designed with a 64 kilobyte limitation on some resources that
would have caused it to crash sooner than it does. Protests by
knowledgeable people at that time caused Microsoft to increase
that artificial limit to 128 kilobytes. At that time, memory was
very expensive. When memory became cheaper, and it became common
that people would run more than one big program at the same time,
crashing became extremely common.
Microsoft did nothing to solve the problem.
It might not have been possible to fix the problem in an elegant
way, but it was, and is, possible to fix the problem. Therefore,
it seems reasonable to say that the crashing is deliberate Microsoft
policy. The crashing is often given as the biggest problem users
have with Windows 98 SE (Second Edition); if it were fixed with
a simple patch, many people would not buy Windows XP.
Here's a test you can do easily on a Windows
98, Windows 98 SE, or Windows ME system. Start the program called
Resource Meter by clicking on Programs/ Accessories/ System Tools/ Resource
Meter. If you copy the icon and put it into your Startup folder,
Resource Meter will start every time you start Windows.
Resource Meter displays three quantities: System
Resources, User Resources, and GDI Resources. It is the limited
User Resources and GDI Resources that cause Windows to crash.
No matter how much memory you have in your computer, if you use
close to the limit of User Resources or GDI Resources, Microsoft
Windows 95, 98, or ME will crash. For 16 bit programs, User Resources
and GDI Resources are limited to 128 kilobytes each. That's 128,000
bytes (approximately, because of a different scheme of counting
memory), no matter how much memory you have installed. For 32
bit programs, User Resources and GDI Resources are limited to
2 Megabytes each. These limitations are known to a few computer
professionals, and are sometimes discussed in technical forums.
However, very few users know about the limitations, and most don't
know why their systems crash.
If you run Resource Meter and watch it carefully,
you can, usually, prevent crashes by closing a program whenever
you get close to crashing. This doesn't work, however, when a
program makes a request for memory that is unexpectedly large.
Instead of refusing the request and giving a message to the user,
Windows will crash.
The resource design limits are especially cruel
to users because they lose their work when their systems crash.
They are also cruel because users often spend money to install
more memory in their computers, not realizing it won't make a
difference.
Why would Microsoft allow deliberate limitations?
Apparently because it may be the only way to get users to spend more
money to upgrade later. For most users, the only reason to buy
Windows XP is because it crashes less.
Windows XP doesn't crash, it becomes less
usable. Windows XP doesn't have the artificial
GDI and User resource limitations of Windows 95, 98, and ME. All
of the installed memory is available to the Windows XP operating
system when it needs it. However, Windows XP becomes shaky when
enough programs are loaded that all of the installed memory is
in use.
Windows XP, and all modern operating systems,
have a feature called virtual memory that is supposed to move programs
that are loaded, but not currently in use, to the hard disk.
However, this feature does not work well in Windows XP. When the
memory limit is reached, a Windows XP system takes a long time
to respond and does a lot of disk access. Sometimes the disk access,
called "thrashing" because it indicates something is not working properly, continues
for 45 seconds or 90 seconds or more after clicking on a loaded
program to bring it to the top of the desktop. The result is that
Windows XP becomes less usable and eventually must be rebooted.
In contrast, the virtual memory feature in
the Linux operating system works extremely well. There is disk
access, of course, but only what would be expected.
Microsoft seems to know about the problem.
If there are more than 21 programs loaded, the programs may be
presented out of order on the taskbar. Some programs may not be
displayed on the taskbar, and the ones that aren't displayed change
as you use them. This seems to be a way of discouraging users
from opening many programs at the same time, so that they won't
experience the problem with virtual memory.
Windows XP may provide no local
security. Managers are being allowed to believe that Windows XP is secure under conditions in
which it isn't secure. Since it is necessary to supply a password, the impression is created that there is no other way of
gaining access. That is not true. Neither Windows XP nor any other operating system provides security against an attacker
who has physical access to a computer and can start the computer with another operating system.
The administrator password can be changed. A product called Locksmith [winternals.com]
can change the administrator password on any Windows XP, Windows 2000, or Windows NT system. This means that an attacker
can have complete control over the computer.
There is free software for changing the password, also. For example, see the article, Offline NT Password & Registry Editor,
Bootdisk [eunet.no].
The problem here is not that Microsoft could have provided better local security in this case. Anyone
who has access to a diskette or CD-ROM drive attached to a computer and can run a different operating system can replace
the file that contains the password. The problem is that Microsoft allows people to think that there is more security than
actually exists.
Note that the attacker can change the administrator password, but cannot discover the password that
existed originally, because it is made inaccessible in a manner that is completely secure. It is possible, however, for the
attacker to 1) copy the file that contains the encrypted password, 2) change the password and gain access, and then 3)
change the password back to the original by copying the original file back to the system. Since the password would be the same
as before, an unchanged password would not be evidence that no attack occurred.
A new copy of the operating system can be loaded. An intruder can load a second
copy of Windows XP or Windows 2000 in a different folder from the original, using an operating system CD that can be bought
at any computer store. After starting the computer using the new copy, the intruder is able to access, copy, and use all
files that have not been encrypted.
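A toy model of the two points above, added here as an example; it is not part of the original article and is not how Windows stores passwords. It shows that a replaced-then-restored password record is byte-identical to a baseline, and that only data encrypted under a key derived from the original password stays unreadable. The in-memory `disk`, the sample passwords, all function names, the HMAC-based cipher, and the assumption that the file key is derived from the password are constructed for illustration.

```python
"""Toy model: a stored password verifier is replaced offline, then restored."""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value, kept low so the demo runs quickly


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> bytes:
    """Stored form of a password: salt || one-way verifier, never the plaintext."""
    salt = os.urandom(16)
    return salt + _kdf(password, salt)


def check_login(record: bytes, password: str) -> bool:
    salt, verifier = record[:16], record[16:]
    return hmac.compare_digest(_kdf(password, salt), verifier)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one file key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC built from HMAC-SHA256; not a vetted cipher."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


def simulate() -> dict:
    # Constructed "disk": a password record, one plain file, one encrypted file.
    disk = {"record": make_record("original-pass"), "key_salt": os.urandom(16),
            "plain.txt": b"payroll draft"}
    owner_key = _kdf("original-pass", disk["key_salt"])
    disk["secret.enc"] = seal(owner_key, b"payroll final")
    baseline = hashlib.sha256(disk["record"]).hexdigest()  # defender's reference

    # Someone with physical access edits the disk from another operating system.
    saved = disk["record"]
    disk["record"] = make_record("intruder-pass")
    result = {
        "login_with_new": check_login(disk["record"], "intruder-pass"),
        "plain_readable": disk["plain.txt"],
        # The new password derives a different key, so the MAC check fails.
        "encrypted_readable": open_sealed(
            _kdf("intruder-pass", disk["key_salt"]), disk["secret.enc"]),
    }
    disk["record"] = saved  # original record copied back

    # What the owner and a baseline comparison see afterwards.
    result["record_unchanged"] = (
        hashlib.sha256(disk["record"]).hexdigest() == baseline)
    result["owner_login"] = check_login(disk["record"], "original-pass")
    result["owner_decrypt"] = open_sealed(owner_key, disk["secret.enc"])
    return result


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The matching baseline hash is the case the article warns about: nothing in the record shows that it was ever replaced.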
It is possible to use the Windows XP recovery console without a password. A
security flaw in Windows XP allows accessing the recovery console without a password. (The recovery console is a feature
intended to allow emergency access to files by someone who knows the password.) The article, XP passwords rendered useless [briansbuzz.com], shows how.
You cannot know now to what contract provisions you will be held
in the future. Microsoft has changed the terms of the contract to which users are bound by
including the new contract with some security and other defect fixes.
Recent security patches require that the user agree to a contract that gives Microsoft administrator privileges over the user's
computer [theregus.com]. (Administrator privileges give complete control over the computer and all data stored on
it.) See also, Microsoft EULA requests root rights
- again [theregus.com]. The contract says that if a user wants to patch his or her system against a defect that
would allow an attack over the Internet, he or she must give Microsoft legal control over the computer.
This article explains the issue in more depth: Microsoft's Digital Rights Management-- A
Little Deeper [bsdvault.net]. It helps to think like a lawyer when you take apart the crucial sentence. The
sentence, "These security related updates may disable your ability to copy and/or play Secure Content
and [my emphasis] use other software on your computer" legally includes this meaning: "These updates may disable your ability to use other software on your computer." Note that
the term "security related updates" is meaningless since some of the updates have no
relation to user security. So, the sentence effectively means that Microsoft can control the user's computer without
notice and whenever it wants.
Since Microsoft can change the contract at any time and without control by the user, Microsoft can
bind users to contracts that it invents in the future. This is a new development in contract law. A user is bound to a
new contract if he or she wants defect fixes and security fixes. But this gives the user no control, since once
security flaws are widely known, every computer must have the fixes or remain vulnerable. Users invest considerable
money and time into their computers, and cannot avoid agreeing to the new contract without giving up their entire
investment and disrupting their business and personal activities.
Microsoft Keeps Control: Microsoft
has abandoned its earlier successful business model. Previously, Microsoft did not write
its software in such a way as to keep control after the software was sold. This was an extremely successful way to do
business. Microsoft made hundreds of billions of dollars and became the largest software company in the world. In
recent years, however, Microsoft has invented numerous ways of keeping control:
You must have permission from Microsoft to install software you own. In
Windows XP there is a system called Windows Product Activation (WPA) that requires users to get permission from
Microsoft when first installing its software and every time the user's hardware changes significantly.
Note that WPA is used only on the Windows XP Home and Professional versions. The Windows XP
Corporate version is identical to the Professional version, except that it does not use product activation.
Microsoft pretends that software dies. Microsoft has recently been saying
that its products have a limited life. For example, see Microsoft's October 15, 2002 revisions of the June 3, 2002
articles, Windows Desktop Product Life Cycle Support and Availability Policies for Businesses and Windows Desktop Product Life-Cycle
Guidelines for Consumers [microsoft.com]. Microsoft calls these guidelines, but, for customers, they are rules.
Windows 98 dies on January 16, 2005. The most widely used operating system
in the world will be declared dead on January 16, 2005, according to a table at the bottom of the Life Cycle policy
pages mentioned above. The right-hand column says, "End of Life (effective date after end of online self-help
support)".
Microsoft often changes its policies. Note that Microsoft's policies can and
do change at any time without warning or discussion. There have been two versions of the "life-cycle" policy in a
little more than four months. The version as this is being written (February 6, 2003) is at least the third. The
articles say the policy was first published February 2001. Microsoft is also not required to make its policies clear;
in this example, the writing is confusing.
Microsoft's customers often use software for 10 years or more. Microsoft's
artificial limits may be much shorter than the length of time computer systems are used by customers, who often use the
same software for 10 years or more. If software is working well, customers often feel there is no reason to buy
something new.
There are, basically, two kinds of software. There is content creation software like word
processors, spreadsheets, and photo editing software. In the last several years, this kind of software has advanced
rapidly. There may be good reason to have the latest version of this kind of software. Then there is production
software for accounting and inventory, for example. With production software, someone does data entry and possibly
someone else runs reports. If the reports are sufficient, there is no need to change the software, even if it has been
used for 10 years or more. Since data entry speed is limited by typing speed, and report printing is limited by printer
speed, there is often no need for faster hardware when using production software.
There are many reasons not to change a computer system that works well:
1) The new software probably has defects. There may be defects in the new
system that did not exist in the old. It is usually possible to fix the defects, but that usually takes time. When
Windows XP was first released, the author had problems with crashing because of video drivers, for example. There were
severe problems with an Intel driver called the Intel Application Accelerator. Many scripts written for Windows 98 needed
to be re-written. The mouse software for both Microsoft mice and Logitech mice did not work completely.
2) Do you want to pay for training? A new computer operating system requires
that staff be re-trained. This is more expensive than just the cost of employee time if the staff is already very
busy.
3) If it works, why change? It is wise not to change a system that has been
carefully audited and shown to work perfectly, such as an accounting system. The security that comes from knowing that
all the problems have been found has caused very large companies to continue to use an accounting system written in the
COBOL computer language for more than 30 years.
4) Sometimes old software won't run. Sometimes old software will not run on
a new operating system. There are many programs that run perfectly under Windows 98 that cannot be used under Windows
XP. At the time of this writing, February 6, 2003, the latest version of MAS 90, an accounting program for companies
with complicated accounting needs, does not run reliably on Windows XP, but works fine on Windows 98.
5) Seriously Reduced Functionality Sometimes the old software does things
the new software doesn't. Windows XP has very seriously reduced functionality:
a) Windows 98 can copy all of its own files, Windows XP cannot. The Windows
XP file system is artificially crippled; it cannot copy some of its own system files. This makes it difficult to make
functional backups. Microsoft apparently uses this crippling as copy protection.
b) Reduced Functionality: Hard disks cannot be moved. Windows XP, and
Windows 2000, make it very difficult to move a hard drive to another computer. Microsoft has written Windows XP so that
it cannot be easily moved to another computer. This article on Intel's web site describes the problem: Moving a Hard Drive to a New
Motherboard [Intel.com]. The article says, "Moving a hard drive with Windows 2000 or Windows XP already installed
to a new motherboard without reinstalling the operating system is not recommended." (This is a universal problem; Intel
motherboards are only being used as an example.) Note that the problem is not just moving a hard drive to a new
motherboard; the same problem is encountered when moving a copy of all software on a hard drive to a new motherboard.
It is thus impossible to make functional backups. Instead, it is necessary to re-install the operating system and all
the programs, program updates, and security patches.
Note that the link in the Intel article called "Microsoft's knowledge base article" is a dead link.
The other link, the one in the sentence, "For additional information, please refer to these instructions from
Microsoft", is also dead. This issue is apparently not seen as important by Intel; Intel will sell more computer
hardware if hard drive software organization cannot be moved from one computer to another. (It is possible to find the
Microsoft information, which merely describes the difficulty of moving a hard drive installation to another computer in
more detail.)
c) In some ways, even Windows 95 is better. In some ways, Windows XP has
less functionality than even Windows 95. For example, the command line interface (CLI, also called DOS) in Windows 95
is more responsive to shortcut keys. Sometimes when the user presses a shortcut key in Windows XP, the system does not
respond for 20 seconds. Windows 95 responds immediately, Windows 98 is sometimes slow, but the shortcut facility in
Windows XP is unusably slow.
WPA and software death can force users to pay more. The two schemes of WPA
and artificial software death together give Microsoft a way of preventing people from using Windows XP on a new
computer, for example when they upgrade their hardware after several years. It would work like this: WPA prevents a
customer from re-installing Windows XP on a new machine without Microsoft's permission. Microsoft may not give
permission after declaring that the software has died. If Microsoft won't give permission, the user may be
required to buy new software; a customer could not move a working Windows XP system to new hardware.
Computer companies and consultants are required to disclose
their customer information. Those who supply computer services involving Windows XP
Corporate version can no longer keep the names of their customers private. The policy of forced disclosure abandons a
tradition of business privacy that is thousands of years old.
This may be an important fact for a large company to consider; possibly the fact that Microsoft
forces disclosure will cause computer professionals to be less enthusiastic about supporting Microsoft products. This
might become a big issue during the expected life of a computer system. If a system works well, there is no need to
replace it. Sometimes companies keep their systems for 10 years or more. Microsoft requires that
professionals give this information about their customers:
- Contact Name ("Full name")
- END USER Company Name [Microsoft's emphasis]
- Address ("No PO Boxes please. Must be physical address.")
- Telephone Number
- END USER Email Address [Microsoft's emphasis]
- Purchase Order Number
Microsoft, or even a disloyal Microsoft employee,
could decide to make use of this information, and approach a customer
directly.
A government that uses proprietary software is not an independent
government. A
government that wants to be independent of other governments, or that
represents itself as
controlled by its own people, can use proprietary software only if
there is easy access to the source code. (The source code is the
original instructions in which the software was written.) This is
because it is possible for someone to put instructions in proprietary
software to spy on or to sabotage government operations.
The alternative to closed source, proprietary, software is open source software. It is difficult to believe
that so many people would be so charitable, but more than 100,000 programmers have donated their time to produce excellent free
operating systems and word processors and many other programs. Not only is the source code and the entire product completely
free, but the more popular programs get a lot of attention from programmers, so mistakes are found quickly.
The most popular open source, free operating systems are Linux and BSD. Linux, provided by companies like RedHat, SuSE,
and others, is useful for desktop computers and servers. OpenBSD, FreeBSD, and NetBSD, all
closely related, are very secure and excellent for server computers. Anyone can have as many free copies of this software as
desired. The companies who sell open source software make money by selling technical support.
There is a strong movement away from proprietary software. However, at present using Microsoft
software is sometimes necessary because there are many programs that users need that are not supplied in Linux or BSD versions.
Also, Linux and BSD are sometimes more difficult to configure.
Microsoft's shared source policy is not equivalent to open
source. On January 14, 2003, Microsoft announced in a press release that it would allow governments to look
at the source code of Microsoft products: A Matter of National Security: Microsoft Government Security Program Provides National Governments with Access
to Windows Source Code [microsoft.com].
Microsoft's policy of allowing government
programmers to see source code is not equivalent to having open
source code. A thorough review of the more than 40 million lines of
source code in Windows XP is far more than even a government
can attempt. It would be easy for someone to hide spy instructions that
could be controlled from outside. This is not unlikely.
The U.S. government's spy agencies, the CIA, NSA, and others, have an
essentially unlimited amount of money. They can and do
exploit any method of spying. The U.S. government has bombed 14
countries in 35 years. Organizations should not assume that those
who think killing is a way of solving problems will suddenly become
moral when they consider computer software.
Good programmers are not willing to sign the
non-competition and non-disclosure agreements that Microsoft
requires. They fear that would put them at risk of a Microsoft lawsuit.
Even if they were found in court not to have infringed on
Microsoft's contract, the cost of the lawsuit would be enormous. Also,
they could lose their jobs over any such dispute. It is
possible that the only real effect of Microsoft's shared source policy
is to cripple an organization's best programmers,
so that they cannot work in any field in which Microsoft has an
interest.
The article Why
isn't Microsoft's shared source a step forward? [linux.org.au] discusses many of the reasons why Microsoft's policy does not
solve the problems of closed source software. One section of the article, Question Time, mentions
questions that can be asked of Microsoft representatives. The Summary suggests a way to score
closed source, open source, and shared source software based on your organization's needs.
Open source software provides the security that anyone in the world can see the source code, not just a few
government programmers. In practice, this means that there is a high likelihood that sneaky elements in software will be
found.
It has occasionally happened that someone has hidden sneaky software in changes that were submitted to open
source software developers. The intensity of review of open source software is such that it seldom happens that destructive
changes are accepted, and, when it has happened, the corruption has been quickly found.
Microsoft could allow everyone to see its source
code. But most software companies, not just Microsoft, have
been unwilling to show anyone their source code because they feel that
would help someone else make a competing product. This is
not as big a problem as it might appear at first. For example, everyone
can see everything about the Star Wars movies. That has
not made Star Wars movies unprofitable. Everyone can borrow books at
the library. That has not meant that booksellers cannot sell
books. Intellectual property is not easily copied legally even when it
is completely open.
True open source would prevent Microsoft's monopoly. Microsoft
maintains its monopoly
by using hidden operations in the Microsoft Word word processor, and in
Microsoft's networking, for example. If Microsoft were to
allow anyone to see its source code, the monopoly would eventually
disappear.
Cost is a small factor. Sometimes
organizations with thousands of computers have adopted Linux
or another free operating system. They have saved millions of dollars
in licensing costs. Surprisingly, however, cost is not a large factor
in choosing software. If the non-free software is slightly easier to
use, the time saved can easily be worth the purchase cost.
Microsoft keeps control. Another reason
that independent organizations cannot logically use
Microsoft software is that Microsoft has both old and new methods of
keeping control of software that it sells. It is very expensive to
begin using an operating system, and once an operating system is in
use, it is difficult to stop using it. Changes cannot be made quickly
if some new undesirable aspect is discovered, as when Microsoft changes
the terms of its licenses. Governments cannot bind themselves to
unknown future limitations and invasion of privacy and remain free.
A bill introduced to the Congress of Peru,
Bill Number 1609, Free Software in Public Administration [English
translation at pimientolinux.com], gives several reasons why government
software must be open. The reasons given in paragraphs 10, 11,
and 12 of the bill have been re-written below to make them easier
to read and to avoid problems with inaccurate translation.
A government must guarantee that the citizens
have free access to government information. To
achieve this, it is necessary that the coding of the data [file
format] not be tied to a sole provider. The use of standard and
open formats guarantees this free access, making possible the
creation of compatible software [and software that does not require
paying money to get access].
A government must guarantee that public
information is permanently available. It
is necessary that the use and maintenance of software does not
depend on the good will of the providers, nor on monopolistic
conditions imposed by them. Permanent availability of public information
can be guaranteed only by the availability of the source code
of the software used to access the information.
A government must guarantee national
security. It
is necessary to have systems that are devoid of elements that
allow remote control or the secret transmission of information
to third-parties. Therefore, it is required to have systems whose
source code is freely accessible to the public, so that its inspection
is allowed by the State, the citizens and a great number of freelance
experts in the world.
Introduction of the bill caused Microsoft to write a
letter of protest [English translation at pimientolinux.com].
The
English translation of the response to this letter [pimientolinux.com]
stated the reasons for the bill more clearly in paragraphs 5 to
8.
The letter of response to Microsoft also discusses
what the Peruvian bill does not do:
- The law does not forbid the production of proprietary software.
- The law does not forbid the sale of proprietary software.
- The law does not specify which concrete software to use. [The
word "concrete" should probably be
"specific".]
- The law does not dictate the supplier from whom software will
be bought.
- The law does not limit the terms under which a software product
can be licensed.
(The punctuation was changed to agree with the standards used in this article.)
Microsoft arranged for the U.S. ambassador
to Peru to try to stop the bill. See the July 27, 2002 Wired News article,
Microsoft's Big Stick in Peru [wired.com]. The article says,
"Congressman Edgar Villanueva, the bill's chief sponsor, said
he considers Hamilton's letter to be 'overt pressure' on Peru
by the United States and Microsoft. If so, the letter would continue
the long-standing U.S. tradition of meddling in Latin American
affairs, political analysts say."
Information about the Peruvian bill is collected
on a web page called
Peruvian
Activism.
The government of the United Kingdom (England,
Scotland, Northern Ireland, and Wales) is considering these issues,
also. A policy called
Open Source Software, Use within U.K. Government issued on
July 15, 2002 by the U.K. Office of Government Commerce says,
(Scroll down almost to the bottom of the page; there is no need
to use the links.)
"Security of government systems is vital. Properly configured
OSS can be at least as secure as proprietary systems, and OSS
is currently subject to fewer Internet attacks. A balance needs
to be struck between the availability of security administration
skills and the advantages of many diverse systems. In some cases
mainstream proprietary products may be significantly less secure
than open source alternatives (see Gartner report Nimda Worm
shows you can't always patch fast enough dated 19/9/01 by
John Pescatore)."
The article about the Nimda worm mentioned
above is available at Gartner's web site:
Nimda Worm Shows You Can't Always Patch Fast Enough [gartner.com].
The Nimda worm is a vulnerability only in Microsoft software.
It has done enormous damage. About Microsoft's product IIS, the
article said,
"Thus, using Internet-exposed IIS Web servers securely has a high
cost of ownership. Enterprises using Microsoft's IIS Web server
software have to update every IIS server with every Microsoft
security patch that comes out - almost weekly."
Many other governments are considering moving away from closed source
software. One of the state governments of India, for example, is considering a Memorandum Submitted by Members of the Free
Software Users' Group [symonds.net]. The memorandum objects to the planned purchase by the Kerala state government
of Microsoft Windows 98 software. The memorandum discusses several very serious reasons why closed source software
should not be used in the schools in Kerala state. The memorandum says, for example, "... by confining students'
training to a particular brand of software, the government would be giving undue preference to a particular vendor and
their software thus discriminating against vendors of other software. Thus, even by providing software free of cost to
the schools, the said company will make immense profits, ..."
In the United States, Microsoft has
considerable political power. It has been estimated that the cost to U.S. businesses
for only four Windows-based infections, Nimda, Code Red, SirCam and Love Bug, was about $13 billion. These infections
were possible because of the unusually poor security design of Microsoft Windows. No other operating system has had
such vulnerability.
However, the U.S. government seems to be taking little or no action to correct the problem. One
reason may be that there is an unusually close relationship between Microsoft and top U.S. government agencies. For
example, Howard Schmidt, vice chairman of the White House's National Critical Infrastructure Protection Board, was
previously Microsoft's chief security officer. Scott Charney, Microsoft's current security officer, is a former federal
official.
Microsoft is one of the computer industry's top contributors of political money, according to the Top Contributors spreadsheet of
the Center for Responsive Politics
[opensecrets.org]. Microsoft contributed $2,997,854 to political campaigns for the 2002 elections.
There are people in the U.S. government who heavily favor the un-enlightened interests of U.S.
businesses. For example, see the Computer &
Communications Industry Association's [ccianet.org] July 24, 2002 news release, CCIA Opposes Hollywood Vigilante Legislation
[ccianet.org], which discusses a bill sponsored by Congressman Howard Berman of California. The bill would allow big
companies to intrude upon or destroy web sites if they think the sites are infringing their copyrights. Will Rodger of
the CCIA has been quoted as saying,
"The larger question, which the [U.S.] government seems to be ignoring, is, why
aren't we looking at the problems caused by a monoculture, a single operating system which serves as a single point of
failure on the Internet? If there are 60,000 Windows viruses, fewer than 100 Mac viruses, and maybe a dozen Unix
viruses, why aren't the problems with Windows an issue?"
Senator John McCain [senate.gov] and many others say that the U.S.
government has been corrupted by money disguised as campaign contributions. (Those who live
outside the U.S. may need to be told that Senator McCain is a Republican, the same political party as President Bush.)
A December 6, 2002 CNN article
Documents: Donors promised political access [cnn.com] mentions another method of corruption. The article says,
'When Microsoft Corp., a $100,000-plus donor to Republicans, planned to
attend the party's major fund-raising gala in 2000, it asked to be
seated next to "Sen. (Paul) Coverdell or leadership, Commerce Committee
or Judiciary Committee," according to a GOP memo. At the time, the
company was battling a major antitrust case that threatened to break
the company into two. The memo added Microsoft did not want to sit with
Sen. Orrin Hatch, R-Utah, a major critic.'
Support for Microsoft products may be affected by ongoing legal
vulnerabilities. The antitrust case against Microsoft is now 12 years old. See the
timeline [washingtonpost.com] by the Washington Post. ABC
News also indexes information about the cases; see
Microsoft vs. DOJ: An Index to Microsoft Trial Coverage [abcnews.go.com].
A group called
ProComp
[procompetition.org] publishes a text-only timeline it calls
Timeline of Events Surrounding Microsoft Antitrust Case
[procompetition.org]. ProComp is an "umbrella organization for companies and groups supporting the
Department of Justice's action against Microsoft".
In summary, Microsoft was found by the courts
to have broken the law. The case has resulted in considerable
bad feeling toward Microsoft.
Companies may want to evaluate the possible
future problems in partnering with, and being dependent on, a
company that has broken the law.
For more information about the Microsoft anti-trust
case, see the November 5, 1999 U.S. government document
Court's Findings of Fact [usdoj.gov]. The 207 double-spaced
pages of this document list abuses for which Microsoft was found
guilty. There are numerous sentences like this one: 411. Many
of the tactics that Microsoft has employed have also harmed consumers
indirectly by unjustifiably distorting competition. A legal
documents company, FindLaw, has better indexing of this document:
Microsoft
Antitrust Trial Findings of Fact [findlaw.com].
The U.S. Department of Justice maintains an
index of the current case,
United States v. Microsoft Current Case [usdoj.gov].
The case was decided on November 1, 2002. Section
J on page 7 of the final decree, which begins "No provision of
this Final Judgment shall", is interpreted by most technically
knowledgeable people to mean that basically there is no penalty
for Microsoft, because all of Microsoft's abusive behavior is
allowed.
For a list of all the official U.S. government
documents of United States of America v. Microsoft Corporation,
see the
index of Judge Colleen Kollar-Kotelly's actions [uscourts.gov].
These PDF format files on the official U.S.
government web site give the details:
Final Decree,
Memorandum Opinion,
Public
Interest Order,
Opinion on the State Settlement, and
State
Settlement Order [all uscourts.gov].
The case is not over. There will be an appeal.
Also, U.S. state governments and governments outside the U.S.
are continuing to pursue legal action.
Because of the common perception that Microsoft
has broken U.S. law and yet not been forced to pay a significant
penalty, there is considerable resentment of Microsoft. Microsoft
is considered by many to have participated in corrupting the U.S.
government, partly through
giving money to politicians [opensecrets.org]. The outcome
of the case may increase the distrust of Microsoft and hasten
the rate at which companies change to other operating systems,
such as RedHat Linux and Mandrake Linux, and other office software,
such as the excellent Open Office [openoffice.org]. Companies don't want to use
software from an organization that is not trustworthy because
software can be programmed to have hidden operations. Mandrake
and RedHat Linux and Open Office are publicly designed and supported
software, and are completely free.
The Washington Post discussed perceptions of
the Court decision in the November 2, 2002 article,
Microsoft Pleased; Foes Critical [washingtonpost.com].
The anti-trust case was started partly because
of Microsoft's aggressive actions toward Netscape, a company that
made an Internet browser and Internet server software. It is interesting
to note that Microsoft lost that contest anyway. Many people consider
that Mozilla is the best browser and e-mail software, and that
Apache [apache.org] is the best Internet server software. These are both
publicly supported, free programs. Apache server is the most popular
Internet server software in the world.
Microsoft restricts your software options. When
you use Microsoft Windows XP, you are prevented by the license from using
valuable software that competes with Microsoft's. See Brian Livingston's
column [infoworld.com] in which this is discussed, beginning
in the fifth paragraph. The license says:
"Except as otherwise permitted by the NetMeeting, Remote Assistance,
and Remote Desktop features described below, you may not use the
Product to permit any Device to use, access, display, or run other
executable software residing on the Workstation Computer, nor
may you permit any Device to use, access, display, or run the
Product or Product's user interface, unless the Device has a separate
license for the Product."
Although this restriction is probably illegal
even in the United States where it was written, a large company
might not feel that it could risk legal involvement with a rich
company like Microsoft, even if it knew it would win.
The license restriction apparently is partly
directed toward preventing the use of VNC,
excellent free software designed in the AT&T research labs
that were formerly in England.
An article on a web site that is very pro-Linux and open software
gives another testimonial about the usefulness of VNC:
"I used to work for IBM and one of my great achievements (ok,
small achievements) there was to save a particular very large
client a great deal of time and money by recommending and then
implementing a remote control support option using VNC."
The Registry is a single point of failure. There
are many other big shortcomings in Windows XP. Windows XP, and
all current Windows operating systems, have a file called the
registry in which configuration information is written. There
are several files which, all taken together, Microsoft calls the
registry, but the one that causes most of the problems is, in
Windows XP, called SOFTWARE. (The name is in all caps and has
no file name extension.) On one machine, for example, this file
is 25.69 megabytes; it is a huge file considering that it contains
configuration information.
If this one large, often fragmented, file becomes
corrupted, the only way of recovering may be to re-format the
hard drive, re-install the operating system, and then re-install
and re-configure all the applications.
The registry file is a single very vulnerable
point at which failure can occur. Microsoft apparently designed
it this way to provide copy protection. Since most entries in
the registry are poorly documented or not documented, the registry
effectively prevents control by the user. There are many areas
like this where Microsoft's design conflicts with the needs of
the users.
Microsoft's documentation includes language
that gives the proper sense of fear about corruption of the registry.
The Microsoft Knowledge Base Article number
Q318159, Damaged Registry Repair and Recovery in Windows XP
[microsoft.com] says,
"When a registry hive becomes damaged, your computer may become
unbootable, and you may receive one of the following Stop error
messages on a blue screen:
- Unexpected Shutdown
- Stop:0xc0000135
"CAUSE: Registry damage often occurs when programs with access
to the registry do not cleanly remove temporary items that they
store in the registry. This problem may also be caused if a program
is terminated or experiences a user-mode fault."
The article says, "The hotfix that is described in this article automatically repairs
the registry during startup, ..."
However, the article does not say that this
only fixes one kind of damage, and cannot always fix this kind
of damage. The registry is a primitive database that cannot always
be repaired. There are many programs from other companies that
try to repair registry damage, but they also cannot repair all
kinds of damage. Putting the configuration information in one
file has caused some of the best educated people on earth to lose
time and money, all so that Microsoft can make a crude kind of
copy protection.
More Details about Registry Problems. The problem
with the registry is this. Suppose the registry becomes corrupted,
but the software that the corruption affects is not used for a
considerable time. After the corruption occurs, the computer is
upgraded, perhaps with new application software, perhaps with
new drivers. Then maybe new system preferences are applied. Suppose
the company has saved backups of all previous versions of the
registry on CD (an unlikely event).
See the problem? Since all the software is
connected to all the other software by the registry, corruption
that goes unnoticed for a while can create an impossible situation.
If the company goes back to the original, known good registry,
they must give up all the time they spent upgrading the computer.
This may be substantial, especially since they may not have complete
records about what upgrading was done.
In actuality the situations caused by the registry
are far, far more complicated than this. For example, you may
think that some failure you are having is caused by registry corruption.
However, it may take far too much time to prove whether that is
the case. If you think of all the combinations of difficult circumstances,
you will see that having most configuration settings in one file
is sometimes devastating for the user.
Consider that the person who is using the computer
probably has an important job in the company, and wants to use
the computer, since only some functions don't work, but others
do. Consider that a repair person must be supervised 100% of the
time at some companies, because of security needs.
There seems to be nothing like this in the
Linux or BSD operating systems. First, there is no single file
in which corruption can make an entire installation worthless,
even if the user has backups. Second, there is far better error
checking, so corruption of any kind is less likely to occur. With
Windows XP, sometimes a faulty program can cause the entire OS
to become unstable. (I have personally seen this at least 50 times.)
My experience with Linux is that the OS just throws the faulty
application out of memory and comes back and says, okay, what
else do you want to do?
With Linux, if you discover much later that a software upgrade
was bad, you re-install a known good version.
With Microsoft Windows XP, because of the connection between all
programs by the registry, you may have to start over with a re-formatted
hard drive. This usually takes many hours, especially in
situations in which a company employee uses a system with special
adjustments or programs, as is often the case. Installation and
configuration of all the programs used by a professional graphic
artist, for example, may require 30 hours or more. A graphic artist
might use numerous graphics packages and utilities, and also a
word processor, an address book, accounting software, text utilities,
color balancing software, and other programs, for example.
Users have always had the option of making
backups of the registry, but making useful backups is often
difficult or impossible. Backing up the registry in Windows XP
is even more difficult because the registry is now not in the
two files system.dat and user.dat, but is spread to several files,
with one containing most of the information. Windows XP prevents
making copies of any of these files with the xcopy.exe program
or any other copy program. So, you cannot create your own backup
tools, as you could in Windows 98.
Backup Problems: Windows XP cannot copy some of its own files. Windows
XP cannot make functional backups of the Windows operating system
or of the installations and settings of the applications.
Microsoft Windows 98 can copy all of its
own files. Using a program called xcopy32.exe,
which is supplied, Windows 98 can copy all of its files to another,
blank hard drive to make a fully working copy of all of the operating
system and applications.
Microsoft Windows XP is crippled. It is
designed to be unable to copy some of its own operating system
files. This article from Microsoft discusses
the policy of not supporting the making of functional complete
backups under Windows XP:
Q314828 Microsoft Policy on Disk Duplication of Windows XP Installation
[microsoft.com]. See the section, Microsoft Policy Statement,
that says,
"Microsoft does not provide support for computers on which Windows
XP is installed by duplication of fully installed copies of Windows
XP. Microsoft does support computers on which Windows XP is installed
by use of disk-duplication software and the System Preparation
tool (Sysprep.exe)."
The meaning of Microsoft's policy, "Microsoft does not provide support",
is also that, if you have tools from other companies for
making backups, Microsoft could make changes that prevent those
tools from operating.
The wider significance of Microsoft's policy
is somewhat hidden. Since almost all programs use the XP operating
system's registry file, if you cannot make a functional copy of
the operating system you cannot make a functional copy of all
your application installations and configurations.
There are other software companies that make
products for creating functional backups, but these products don't
work well. They cannot, for example, run under Windows XP, because
XP actively prevents that. The backup tools from other companies
must run under another operating system; to use them it is necessary
to exit Windows XP, restart the computer, and load the other operating
system.
As was mentioned, Microsoft could break the
third-party backup software at any time by issuing necessary software
upgrades that also prevent the third-party backup software from
functioning, as the company has done in other cases. See, for
example,
Sneaky service packs [infoworld.com], an August 26, 2002 column
by InfoWorld writer Brian Livingston, who is perhaps the best-known
computer industry columnist.
Note that Microsoft's Sysprep software does
not provide a workable backup method in most cases. Sysprep images
are for preparation of initial installations of Windows XP only,
and support only the exact hardware for which they were made.
In cases in which there is a hardware failure a year or more after
initial purchase, it would be unusual if the replacement hardware
were identical.
Because the configuration information for the
motherboard and the configuration information for the applications
are mixed together in the registry file, the registry tends to
prevent you from moving a hard drive containing the Windows XP
operating system to a computer with a different motherboard. That's
another implication of the above Microsoft policy. So, if you
have a motherboard failure, and a good complete backup that you
made using tools you got from someone other than Microsoft, you
may not be able to recover unless you have a spare computer with
the same motherboard.
"What is your name and address?"
means "Can we invade your privacy?"
Only technically knowledgeable people
know how to avoid signing up for a Microsoft Passport account
during initial use of Windows XP.
Most people are honest and also intimidated
by the complexity of a computer system. Apparently about 95% do
whatever they are asked on the screen. They give their personal
information to Microsoft. They don't realize that, if they feel
forced to get a Passport account, they should enter almost completely
fictitious information, since the real question is not "What is your name and address", but "Can we invade your privacy". The honest answer to this is "No, you cannot invade my privacy", and the only effective way to communicate that is to give completely
fictitious information.
Passport accounts are advertised as a way of
making it easier to buy online, because the account identifies
you to online sellers. In actuality, Passport accounts allow Microsoft
to make money from every online transaction. Any money paid by
sellers to Microsoft is ultimately paid by the buyer in higher
prices, of course.
There is absolutely no need for Microsoft's
Passport. There is a free Internet browser called
Mozilla [mozilla.org] that provides the same benefit to the user as Passport,
but doesn't involve the extreme privacy invasion of the Microsoft
method. Mozilla's Password Manager (under the Tools menu choice)
remembers what you type when you supply any personal information,
not just passwords. Next time you visit that web page, Mozilla
asks if you want the web form information supplied automatically.
If you want, Mozilla can encrypt all of your password and credit
card and other form information; you then enter your master password
to access the automatic data entry.
The Mozilla browser is very highly regarded
among computer professionals. It has other features that don't
exist in Microsoft's Internet Explorer browser. Mozilla is open
source software, which means that anyone can read the instructions
that the program uses. The source code of Microsoft's Internet
Explorer is hidden to anyone but Microsoft employees.
Users may not want to give away their personal
information to Microsoft, the company that has been the world's
biggest source of Internet security risk. There are many, many
examples of that risk. For example, Microsoft's Hotmail contained
a defect that allowed anyone to read anyone else's email. For one
of the many stories, see the August 30, 1999 article,
Hotmail hole exposes free email accounts [CNET]. Microsoft's
Passport is partly based on Hotmail accounts. See also the CNN article,
Web site provides access to millions of Hotmail messages [CNN.com].
In an article titled
Hotmail hole exposed free email accounts [abcnews.go.com]
ABC News reported that one of the web pages that demonstrated
the vulnerability was written on June 7, 1998, more than a year
before Microsoft fixed the problem. Given the ease of using the
vulnerability, and the wide publicity before it was fixed, it
seems plausible that tens of thousands of people visited Hotmail
email accounts without using passwords.
Since it is the educated people who have computers,
Passport accounts help Microsoft build a database of the personal
lives of educated people. Microsoft knows when they connect and
from what IP address (which tends to show the area), for what
kind of help they ask, and information about what they are doing
with their computers, including what music they like. It is not
known, and there is no way to know, how much Microsoft or other
organizations make use of this information, or their plans for
future use. It is also not known if there are vulnerabilities
that allow unauthorized people or organizations to access Microsoft's
database.
In the past, Passport has been shown to have
zero security. See the Wired News article,
Stealing MS Passport's Wallet [wired.com].
On August 8, 2002, the U.S. Government's Federal
Trade Commission (FTC) ordered Microsoft to stop lying about its
Passport service. The FTC's order is titled
Microsoft Settles FTC Charges Alleging False Security and Privacy
Promises [ftc.gov].
Microsoft's response to the FTC order was to
lie about the significance of the order in an
e-mail message.
Palladium gives Microsoft the ability to prevent users from seeing their
own documents and data. Not only has
Windows XP definitely gone further in the direction of allowing
the user less control over his or her own machine, but with Palladium,
Microsoft apparently intends to finish the job: Microsoft will
have ultimate control over the user's computer; users won't even
be able to read their own data without permission from Microsoft.
This Register article discusses where Microsoft wants to go:
MS Palladium protects IT vendors, not you [theregus.com].
See this ZDNet article, also:
MS: Why we can't trust your 'trustworthy' OS [zdnet.com].
Reduced Functionality in Windows XP. In some
areas, Microsoft Windows XP has reduced functionality. For example,
the command line interface does less in some ways than the CLI
in Windows 98 SE (Second Edition). The CLI is a big embarrassment
because of its limited capabilities, but at least in Win 95 it
worked. With every version since then it has worked less well.
(There are two kinds of command prompt [cmd.exe and command.com],
and, according to Microsoft employees, the differences between
them are not fully documented.)
The command line prompt sometimes begins to
display short file names. Microsoft employees say that Microsoft
has no fix, although someone not connected with Microsoft did
make a work-around.
Cutting and pasting into a command line program
often puts successive extra spaces before each line. Microsoft
employees say that there is no plan to fix this.
The fast paste mode that is in Windows 98 is
gone in Windows XP. Microsoft employees say there is no plan to
fix this.
The DOS QuickEdit mode sometimes flashes wildly
when trying to edit from a DOS box.
There is a DOS program called START.EXE that
can be used to start other programs. But it does not operate the
same way as in other versions of Windows. It starts a program,
but cannot be made to return control to the command line program
as previous versions did. There is no technical reason for this;
it is just one of the shortcomings that are allowed to exist.
People often say that DOS has gone away. But
Microsoft still calls the command line interface "DOS", and in Windows XP Microsoft has added new programs for configuring
the OS that work only under DOS.
There are many other insufficiencies in Windows
XP. Sometimes when you press a key while using Windows XP, it
is seconds until there is any response. Apparently there is something
wrong with the CPU scheduler in XP, because there are a lot of
complaints about this in the forums and MS people have said that
they are working on it. On one particular fresh installation of
XP, on an Intel motherboard with either a Matrox G550 or an ATI
Radeon video adapter, it requires 18 seconds to display a directory
listing of 94 items. This is apparently related to a defect in the
video software, not the adapter drivers.
As was mentioned, something is wrong with the
taskbar and the Alt-Tab display of running programs under Windows
XP. If there are a lot of programs, not all of them are displayed.
The order jumps around in a seemingly random way.
A reader sent a diagram showing that, when
there are more than 21 programs loaded, the programs over 21 are
shown, or not shown, in an order that is not easily guessed. Sometimes
when a program is not represented on the taskbar it can look as
though it is no longer loaded. This can be dismaying when the
program contains a complicated setup, as when doing research on
the internet and loading numerous web pages.
Many people think the Windows XP user interface is poorly designed. As
people use their computers more, they become more reliant on good
design. Recently, Apple Computer released an operating system
that has a version of Unix underneath and Apple's design for the
user interface. Apple's article,
Switch to Mac OS X (Macintosh Operating System 10) [apple.com],
discusses the differences in user experience. The article is meant
for software companies who are designing Apple versions of their
existing Windows programs. The article gives a good idea of the
flaws many people perceive in the Windows XP design.
When companies pick an operating system, they
are partly guessing the future. The investment in software is
huge, not because of the cost of the software usually, but because
of the training and maintenance. If a company makes the wrong
guess, they may in the future need to spend a lot of management
time, employee time, and money in switching to a new system. This
makes it necessary that top managers understand the direction
the industry is going.
The combination of an excellent user interface and
the power of Unix underneath has led many computer
professionals to consider Mac OS 10 presently the world's best
operating system. Acceptance is slowed because there is no version
that will run on Intel or AMD processors, the kind that most people
have.
Microsoft is widely disliked. It seemed that
there were a lot of negative comments about Microsoft. Searches
on Google for the words "hate Microsoft" or
"hate Microsoft XP" returned many, many results. Not all these results are associated
with disliking Microsoft, but the intensity and accuracy of the
discussions on even the last page of the search results gives
a general idea. (The plus signs in the search terms mean that
the term is required.)
Some of the web pages appeared soon after the
introduction of Windows 95, such as
So Why Hate Microsoft?? [tripod.com] and
Why many Computer Lovers hate Microsoft: Questions & Answers
[amazing.com].
Some of the people who dislike Microsoft write
for industry publications, such as Daniel Dern at Byte.com, whose
August 6, 2001 article,
Why I Hate Microsoft - This Week [byte.com], discusses his
problems with Microsoft's licensing provisions.
Some of the articles in general interest publications
are surprisingly technical, such as the June 1999 article in the
Boulder County Business Report (Boulder County, Colorado, USA),
Why programmers love to hate Microsoft -- code out of control
[bcbr.com].
The articles sometimes go into considerable detail, such as
Why I hate Microsoft [euronet.nl] and
The SMASH MICRO$OFT page [zip.com.au].
Apparently users are becoming much more technically knowledgeable, and beginning to resist practices
that they previously did not understand.
A lot of the dislike of Microsoft is caused by Microsoft's hostile behavior. Dislike of Microsoft
first became strong among people who weren't computer users when Microsoft's Bill Gates testified in the anti-trust
case, and was perceived by many to be lying. Internal Microsoft documents such as those called The Halloween Documents [opensource.org] discuss the
impossibility of using FUD to compete with Open Source software. FUD stands for "Fear, Uncertainty,
Doubt"; it is deliberate lying to take advantage of people who have less technical knowledge. See the
section labeled "Key Quotes" in the Halloween Document I [opensource.org].
There have often been stories of Microsoft
using its operating system monopoly to cause trouble for other
software companies. An example is the August 1, 2000 WinInfo article
Microsoft knew about, ignored SP1 [Service Pack 1] personal firewall
issues [wininformant.com]. Here's a quote from the article: "Microsoft refused to fix the problem despite numerous complaints
during the lengthy SP1 beta". Microsoft's behavior caused a huge amount of lost time.
Merely documenting the problem would have saved many people many
hours.
It is difficult to evaluate what this strong
negative sentiment toward Microsoft might mean to a company with
10,000 employees. Will it make Microsoft less able to hire good
programmers, and therefore less able to fix security vulnerabilities?
If an alternative to a Microsoft product appears, will the negative
sentiment result in rapid movement away from the Microsoft product,
making it less economically viable?
Windows XP Service Pack 1. On September 9,
2002, Microsoft released Windows XP Service Pack 1 (SP1). This
included, according to Microsoft, 311 kinds of fixes, involving
more than 1,600 files. However, apparently none of the problems
mentioned in this article were fixed.
Although Microsoft says that there are 311
kinds of fixes in Windows XP SP1, industry writers have claimed
that there are fixes that Microsoft has not documented.
The Microsoft article,
Release Notes for Windows XP Service Pack 1 [microsoft.com],
lists the defects that have been found in SP1 since it was released.
Bruce Kratofil, an industry writer, said about Microsoft's automatic
updating process: "There could be a whole lot of grief if this stuff gets automatically
updated without you knowing about the issues ahead of time." Automatic updating makes changes to the user's computer without
the user's knowledge.
Some people report major problems after installing
SP1. For example, see the September 20, 2002 PC World article:
Win XP Update Crashes Some PCs [pcworld.com]. (To put this
issue in perspective, most users are not having problems.) Those
who decide not to install SP1 must fix a very serious security
defect immediately. See the September 28, 2002 Gibson Research article,
Without XPdite, or XP's Service Pack 1, clicking on a simple, but malicious,
URL can delete the entire contents of your directories. [grc.com]
On one computer in which the author of this
article installed SP1, the operating system power options were
changed so that the system was allowed to go into Standby mode.
The computer, which has an Intel motherboard of a type that is
currently being sold by Intel, locks up when it goes into standby.
All work is lost. Only someone quite knowledgeable would guess
why the computer was ceasing to function.
Microsoft has a history of allowing defect fixes
to change the operating system settings without notice. Also,
often installing new hardware, or a contact failure that looks
to the system as though hardware has been removed, or repairing the
operating system by reloading, changes the system settings without
notice. For example, in Windows 98 Second Edition, changing networking
driver software resets the network to the least secure setting.
There is no warning.
Where is Microsoft taking us? There are many
other indications of where Microsoft is taking its customers.
People who buy Microsoft mice don't get the full functionality
until they let the mouse software (!) connect to Microsoft's computers.
Microsoft makes it quite difficult to upgrade
a computer to fix defects if it isn't connected to the Internet.
Sometimes the downloadable updates lag behind those available
with Windows Update, which requires that the computer be connected
to the internet. The downloadable updates are not in an order
that makes it easy to decide what you need.
Windows Media Player reports your music choices
to Microsoft. The
EULA (End User License Agreement) for a security defect fix [bsdvault.net]
to Windows Media Player gives Microsoft complete control over
your computer: They own it, not you. That shows that Microsoft
can and will be sneaky. (The EULA says that it is limited to Digital
Rights Management, but Microsoft is trying, with Palladium, to
extend Digital Rights Management to everything you do on your
computer.) This gives an idea of the moral limits felt by Microsoft.
See also the 12th paragraph of a
comment about the settlement of the Microsoft anti-trust case
[usdoj.gov], on the DOJ web site.
Another indication of the direction Microsoft
is going is that, in Windows XP, menus are sometimes 7 levels
deep. This seems to show a lack of ability to manage the development
of useable software.
Unhealthy control leads to more unhealthy control. Managers
at Microsoft seem to be trying to create a situation in which
Microsoft operating systems are not independent software, but
are dependent on Microsoft computers. They apparently feel that
there is no limit to the control they should have, and are strongly
determined to extend that control.
The attempt to take more control, and to take
more control without adequate explanation, is a huge gamble with
investors' money. If it strongly alienates people from Microsoft,
there may be a time when the company has difficulty selling even
good products.
Wanting more control, and a desire for control
that cannot be controlled, is a common psychological problem.
For example, dictators of governments often test the limits until
they destroy themselves.
Design effective resistance to abuse. Human
society in general is not effective at stopping abuse. People have a difficult time being clear about abusiveness, and therefore
about protesting it and stopping it. It is especially difficult for the average person to feel clear about something technical
like software. People tend to blame themselves rather than the software that should serve their needs.
Instead of efficiently moving to limit the destructiveness of the abuser, the abused people often begin to
attack each other. Often technically knowledgeable people have the presumption that, if they know something another person
doesn't know, that gives them a license to attack the other person, or to feel superior. The fighting among themselves of people
knowledgeable about computers is part of the reason there has been very little effective resistance to Microsoft's abuse.
Microsoft's self-destructiveness does not mean that the user should be self-destructive. There is no need to
apologize for using Microsoft software, as many people do who know a lot about computers. The correct solution to abuse is
persuading the abuser to stop being abusive. Rather than feel embarrassed because Microsoft is abusive, action needs to be taken
to prevent the abuse. If you protest effectively against Microsoft abuse, you are not against Microsoft; you are more
pro-Microsoft than Bill Gates.
Michael Jennings
Futurepower ®
P.O. Box 14491
Portland, OR 97293-0491
U.S.A.
E-Mail: ms-article AT myrealbox DOT com
(Take out the spaces, change AT to @, and change DOT to a period to e-mail the author. The coded e-mail
address helps discourage misuse of the address by computer robots that harvest email addresses for sale to those who send
unwanted e-mail.)
This version was made available on February 16, 2003. It is revision #1 of that day. (file micro08h.htm)
The latest version of this article can be found at
http://www.hevanet.com/peace/microsoft.htm.
An equivalent address is
http://www.futurepower.net/microsoft.htm.
(Always select View/Reload on your browser,
so you read the version on the web site, and not the version you
read before, that was stored in your computer.)
If you want other people who have an Internet
connection to read this article, please send them this link, rather
than sending the article by e-mail. That way they will read the
latest version.
This article may be sent to anyone by e-mail
without permission from the author, provided that no changes are
made, and provided you have some knowledge of the person to whom
you are sending the e-mail.
If you print this article with no changes,
you may give it to anyone you know. Other use requires permission.
Copyright 2002-2003. Futurepower ®
is a trademark in the U.S. and other countries.
Please mention errors and shortcomings to the
author so that he can correct them.
Microsoft and Windows XP are trademarks of
Microsoft Corporation.