Post by Moderator Post by Linux Boy
Looking at all the security nightmares that you Windows users have to
endure I am so glad that I made the move last year to Linux.
I haven't regretted it for a single moment and while the release of SP2
piqued my curiosity, now that I see what a pile of poop it turned out to
be I am happy with my choice to use Linux.
If you want to be free from unstable systems, security headaches and high
cost computing, come and join us in the Linux community. We are always
willing to help noobs learn and install Linux and I guarantee that once
you go Linux you'll never go back to Windows.
alt.os.windows-xp Microsoft Windows XP operating system.
* The purpose of alt.os.windows-xp is to serve as a
forum for discussion of the Microsoft Windows XP OS
and related topics, eg. application software used with
the Windows XP OS (Office XP, disk management software etc).
* This is not a technical support group. Support questions
are off-topic. This is a discussion group. Please post
with some care and thought (in advance).
* Posts must not contain encoded material. This includes
HTML, which is FORBIDDEN. Also, posts must NOT be signed
with cryptological software, eg Gnu's Privacy Guard, PGP
* DO NOT post irrelevant commercial adverts, spam or money
making schemes here.
* DO NOT post messages that create new threads that have
any relationship to the Linux OS and its various
implementations. This is not a Linux newsgroup. Linux is
off-topic and the creation of new threads that reference it
is expressly FORBIDDEN. Violations will be reported to
relevant Internet Service Providers.
This revised charter was discussed in alt.config in February 2004.
French version added December 31, 2002: For a recent version of
this article in French, visit
November 15, 2002: Bruce Schneier recommends this article. Bruce
Schneier, well-known computer security analyst, said in his November
15 newsletter [counterpane.com] that this article is "A well-written
analysis of the major security/ privacy/ stability concerns of Windows
XP." Mr. Schneier wrote the books Applied Cryptography and Secrets and
Lies: Digital Security in a Networked World, and other books
Spanish version added November 3, 2002: For the latest version of the
article in Spanish, visit
You have a right to know. You have a right to all the information
you need to make an informed choice about any product you buy.
The author wrote this article because of the need to give his
customers fundamental information about the direction Microsoft wants
to take them. Few people have the technical background to understand
fully the advantages and disadvantages of software as complex as an
operating system. Without fundamental information, it is difficult for
non-professionals to understand the advice of professionals.
The author is not anti-Microsoft in any way. There appear to be
management problems at Microsoft, but the author would like any
problems to be fixed, rather than have the entire world suffer through
Microsoft doing poorly. Because he has spent considerable time trying
to understand the problems, and because he cares deeply about fixing
the problems, the author is, in that sense, "more pro-Microsoft than
This article is support for your own investigation. Use this article
to support your own thinking and investigation. It is not intended as
direct advice. If you don't have enough technical knowledge to
evaluate the information presented here, please do not simply believe
the author of this article. To avoid misunderstanding, find someone
with technical knowledge who can help you.
If you need help evaluating the issues here, the following remarks may
be useful in choosing someone to help:
Computer professionals are sometimes not computer users. Often those
who know a lot about computers are not especially heavy users of their
own computers. They may not have encountered some of the problems that
are mentioned in this article. Often people who only use their
computers for email, web browsing, and word processing wipe their hard
disks clean and re-install everything every few months. This avoids
some of the problems.
Some of the problems mentioned below are most serious for companies
that have thousands of employees who use numerous special
The seriousness of an objection is not proportional to its intensity.
Sometimes there have been people who have complained very strongly
about something written here. When strong objections have been
evaluated, they have sometimes been found to be small in comparison to
the intensity of their expression.
There are people whose self-esteem is strongly tied to their knowledge
of computers. When they discover something that they don't know they
sometimes have a negative reaction that sounds like a serious
Consider conflict of interest. Consider whether the advice of a
technically knowledgeable person is influenced by conflict of
interest. For example, if someone has spent many years taking
expensive courses in administering Microsoft software, he or she may
be very reluctant to say, or see, anything negative. This is
particularly true if the person has a spouse and children and
mortgage, and no other good way of earning money.
Consider each issue separately and carefully. It's necessary to
evaluate each issue carefully. If someone raises an objection that is
discovered to be valid, that does not necessarily mean that other
issues are without merit.
Notify the author of corrections. If you find a mistake in this
article, please write the author at the address at the end so that it
can be corrected. On December 29, 2002, for example, someone mentioned
that there was a mistake in wording in a section of a former version
of this article. He also asked a question about something that was not
well documented. Corrections were made and 14 new paragraphs were
added the same day. Not all corrections and additions are made this
quickly. However, the article has been revised and extended more than
50 times since it was first published.
Hidden Connections
Microsoft Windows XP connects with other
computers, or expects to be allowed through the user's network
protection firewall, in more than 16 ways. Network security is
something the computer user and the operating system supplier need to
do together, but Microsoft seems to show little sensitivity to the
user's security needs.
The issue is not that the connections are always bad for the user. The
issue is that Microsoft has moved from making operating systems that
are independent to making operating systems that try to connect to
Microsoft's own computers, and are somewhat dependent on new ways of
having access through the software firewall. Windows XP is the first
Microsoft operating system to challenge whether the user can have
control over his or her own computer.
Windows 98 does not connect to Microsoft's computers. Microsoft
Windows 98 connects to Microsoft's computers only by user request.
Windows XP connects with Microsoft's computers and expects to be
allowed through the user's firewall in many new ways. Each user has
a responsibility to control what goes in and out of his or her
computer. Microsoft's new networking arrangements make this difficult.
Here is a (probably incomplete) list of ways Windows XP tries to
connect each user's computer to Microsoft's computers, or expects to
be allowed through the user's software firewall:
1. Application Layer Gateway Service (Requires server rights.
"Server rights" means that this Microsoft software inside your
computer can set up an arrangement that allows other computers to
2. Fax Service
3. File Signature Verification
4. Generic Host Process for Win32 Services (Requires server
5. Microsoft Direct Play Voice Test
6. Microsoft Help and Support Center (If you don't stop it, using
"Help and Support" notifies Microsoft of the subject of your search.)
7. Microsoft Help Center Hosting Server (Wants server rights.)
8. Microsoft Management Console
9. Microsoft Media Player (Tells Microsoft the music and videos you
like. See the February 20, 2002 Security Focus article Why is
Microsoft watching us watch DVD movies? [securityfocus.com].)
10. Microsoft Network Availability Test
11. Microsoft Volume Shadow Copy Service
12. Microsoft Windows Media Configuration Utility (Setup_wm.exe,
sometimes runs when you use Windows Media Player.)
13. MS DTC Console program
14. Run DLL as an app (There is no indication about which DLL or
which function in the DLL.)
15. Services and Controller app
16. Time Service, sets the time on your computer from Microsoft's
computer. (This can be changed to get the time from another time
The new connections create three major issues for users:
1) The new Microsoft policy creates security concerns:
a) The new policy creates enormous difficulty in making the user's
computer secure. How can someone write rules about connecting for use
with a firewall when Microsoft doesn't supply sufficient information
about what each service is doing? It is possible for a skilled
professional to research what each service normally does. However,
even a professional cannot know the behavior of Windows XP in all
unusual cases; the program is too complicated.
b) The new connections may have created new classes of security
vulnerabilities. Microsoft software has consistently been found to be
extremely defective. (See the section, Why so many defects?) There is
apparently very little explanation from Microsoft and no review by
security professionals outside Microsoft concerning the new methods of
2) Microsoft has programmed Windows XP to contact other computers and
transfer information from the user's computer to the other computers:
a) If you have only three DVDs that your children watch sometimes on
your home machine that is always connected to the Internet (through a
broadband connection), you may not care that Microsoft knows when they
watch them. If you seldom use the Windows XP help facility, you may
not care that Microsoft is able to know the level of expertise of the
people who use your computer.
However, if you are using Windows XP in a large corporation or a
government, the fact that another organization believes that it can
gather data from you may be completely unacceptable.
b) Even if, with an enormous amount of effort, professionals
determined what information is sent to other computers, it cannot be
known what information is sent in unusual circumstances. As mentioned
above, there are simply too many pathways in complicated software to
check all of them.
(Contrast this with the Linux and BSD operating systems: Changes are
discussed intensively and openly before they are made. The
instructions to the computer [source code] are open for anyone to see
and criticize. Those who program open source software have no interest
in collecting information about the people they serve.)
3) By changing the way its operating systems connect, Microsoft has
created uncertainty about its intentions:
a) What is the purpose of the new policy? Where does Microsoft intend
to go with this new direction? We don't have answers.
b) Microsoft has shown it feels free to create new kinds of
connections without any review by or explanation to the computing
community. Microsoft sees the user as someone who has no rights,
apparently. Big companies that must plan their computer use years in
advance commit their companies to an operating system. With Windows XP
they cannot know what that commitment means; maybe if they accept
Microsoft's behavior now, Microsoft will do something they cannot
accept in the future, making a costly change necessary.
c) Not only does the new policy show that Microsoft believes it can
make changes to its software at any time without review, but the
company has shown that it believes it can force those changes on the
user. For example, sometimes Microsoft has used security upgrades to
change the operation of other components of its software, or to change
the licensing terms. To get a necessary security upgrade, it is
necessary to agree to whatever Microsoft has decided. Even if it could
be known that Microsoft Windows XP makes no objectionable information
available to Microsoft, and creates no new security vulnerabilities,
that could change at any time.
To generate the above list of ways that Windows XP connects, disable
Microsoft's firewall and use the Zone Labs [zonelabs.com] ZoneAlarm
firewall, which is free for personal use. The free version is located
at the link Download FREE ZoneAlarm.
(You may not want to buy a spyware removal program, as ZoneLabs
suggests. Spybot [kolla.de] is a good spyware removal program, and it
is free. Also see the Spybot mirror site [ejrs.com]. The former best
spyware remover, Ad-Aware [lavasoftusa.com], was not updated from
September 2002 to February 2003. Now there is a new version, but it
seems sensible to wait to use Ad-Aware again until the new software
has been extensively tried and reviewed.)
Also, Tiny Personal Firewall is reputed to be a good software firewall
for Microsoft Windows. A software firewall is necessary, even for
people who have a hardware firewall, and the Microsoft software
firewall that comes with Windows XP has very limited features.
When Windows XP tries to connect to another computer, ZoneAlarm will
display a dialog box asking whether that is okay. If you say no to
some of the requests, some functions of Windows XP will not work (such
An article from Microsoft called Managing Automatic Updating and
Download Technologies in Windows XP [microsoft.com] mentions 11 ways
in which Windows XP components automatically download software from
Microsoft computers. The article says,
"Outlined below is a list of components, applications, and
technologies discussed in this whitepaper that have the ability to
automatically download and install updated software and information
from the Internet."
Note that this does not say that the 11 are the only ways that
Microsoft XP connects with Microsoft's computers. It says that the 11
are the only ones "discussed in this whitepaper".
The Microsoft article tells how to disable the hidden downloading.
However, the disabling is very time-consuming. Also, Microsoft has a
history of using defect fixes and security fixes to change the
operating system settings. This means that all the settings would need
to be checked after every defect fix or security vulnerability fix.
Windows XP will operate without a connection to the internet. Windows
XP will operate if the user uses a hardware firewall that blocks
unwanted connections. However, most users don't know how to block
connections. They are connected without being notified.
It is expensive to evaluate the present privacy and security
vulnerabilities of these connections and impossible to evaluate the
future vulnerabilities. Not everyone can afford to pay.
If the huge change in direction from Windows 98 is continued, it seems
reasonable to worry that future versions of Windows could become more
dependent on Microsoft computers than Windows XP is now. That would
fit with Microsoft's new policy of trying to convert customers to
paying every year even if there have been no upgrades.
Often there is other hidden operation, no notification, and/or
insufficient or no explanation. There are other ways that Microsoft
* All versions of Microsoft Office keep a number that identifies
your computer in each file you create that includes Visual Basic
macros. Office 97 keeps an identifying number even if there are no
macros. (The free and excellent Open Office [openoffice.org] does not
have this problem, even when it uses the Microsoft file formats.)
* The software that comes with some Microsoft mice has reduced
functionality until you let it connect to Microsoft computers.
The major issue in this section is that, to satisfy the legitimate
needs of users, computer software makers need to recognize a
partnership between themselves and the users. Microsoft, however,
often devises methods without fully explaining them and changes the
operation of its software without notice.
For example, there are strange protocols. Try putting each of these
links that Microsoft calls "URLs" (Addresses are called Uniform
Resource Locators.) in the address box of Microsoft Internet Explorer
running on Windows XP. To do this test, it is necessary to take the
spaces out of each of the lines shown. The spaces were inserted
because unbroken lines prevent re-sizing the browser width.
1. MS-ITS:C:\WINDOWS\Help\ tcpip.chm::/sag_TCPIP_pro_Ping.htm
(Remember to delete the spaces if you test this line.)
"MS-ITS:" is a Microsoft help protocol. To see other examples,
right-click on a link in the Windows XP Help and Support Center.
Choose Properties. Note that in the screen image of a sample
Properties window, Windows XP says that "MS-ITS:" is an "Unknown
Protocol". It is not unknown, it is documented in an untitled
Microsoft article with the heading To link from a contents or index
entry to a topic in another compiled help file [microsoft.com]. The
article says that "MS-ITS:" is a new version of the "mk:@MSITStore:"
Note also that what Microsoft calls the "Address - URL" is not
all shown. It is necessary to select the URL and scroll down to see
the last part. The window size chosen by whoever programmed it is not
large enough to display the average address.
2. mk:@MSITStore:C:\WINDOWS\ Help\whatnew.chm::/
(Remember to delete the spaces if you test this line.)
The "mk:@MSITStore:" help protocol is the version that existed
before "MS-ITS:", the above article says.
3. ms-help://MS.VSCC/MS.MSDNVS/ vbcon/html/vbconMigrating
(Remember to delete the spaces if you test this line.)
The "ms-help://" protocol is a help protocol associated with
Microsoft Developer Network.
4. hcp://system/sysinfo/ sysInfoLaunch.htm
(Remember to delete the spaces if you test this line.)
For explanation of the "hcp://" protocol, see the May 23, 2000
Microsoft article, An Overview of PCHealth and Windows Millennium
[microsoft.com]. The article discusses "HCP automation objects" which
it says allow help content to "be located anywhere, including the
local machine, the intranet, and the Internet." But the HTTP protocol
allows this; why a new protocol?
These four help message protocols allow help information to be linked
to other help information. But standard web pages do this using a
world standard protocol, "HTTP://", the HyperText Transport Protocol,
with HTML coding. Why invent four new protocols when an excellent one
was already available?
Of course, all of the new protocols can be used only in Microsoft's
browser, Internet Explorer. This tends to lock programmers and users
to Microsoft Windows.
Consider the problem this creates for a computer professional. Someone
concerned with computer security may wonder about the limits of these
protocols. What is the definitive list of all the ways Microsoft uses
them? In 2002, 71 security vulnerabilities were found in Internet
Explorer. Are there bugs in the help protocols? Also, for example,
firewalls cannot provide protection if a protocol tunnels through
using the universally allowed HTTP protocol.
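
As an added example (not part of the original article), the following Python sketch parses the four help-protocol address forms listed above so that such links found in mail, documents or logs can be inventoried. The function names and the sample text are constructed for illustration, and splitting the compiled-help forms at "::" is read off the article's own samples 1 and 2.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Prefixes of the four help schemes named in the article (compared in lower case).
SCHEME_PREFIXES = {
    "ms-its": "ms-its:",
    "mk-msitstore": "mk:@msitstore:",
    "ms-help": "ms-help://",
    "hcp": "hcp://",
}
# Schemes whose address has the form "<compiled help file>::<topic>".
CONTAINER_SCHEMES = {"ms-its", "mk-msitstore"}


@dataclass
class HelpLink:
    scheme: str               # key from SCHEME_PREFIXES
    container: Optional[str]  # the .chm file, for the two container schemes
    topic: Optional[str]      # topic inside the container, or the path after the scheme
    raw: str                  # the address after whitespace clean-up


def parse_help_link(url: str, remove_spaces: bool = True) -> Optional[HelpLink]:
    """Return a HelpLink for one of the four schemes, or None for anything else.

    remove_spaces=True undoes the spaces the article inserted into its samples;
    pass False for real input, where a file path may legitimately contain spaces.
    """
    cleaned = "".join(url.split()) if remove_spaces else url.strip()
    lowered = cleaned.lower()
    for name, prefix in SCHEME_PREFIXES.items():
        if not lowered.startswith(prefix):
            continue
        rest = cleaned[len(prefix):]
        if name in CONTAINER_SCHEMES:
            container, sep, topic = rest.partition("::")
            return HelpLink(name, container or None, topic if sep else None, cleaned)
        return HelpLink(name, None, rest or None, cleaned)
    return None


# A scheme prefix that is not glued to a preceding word, then the rest of the token.
_LINK_RE = re.compile(
    r"(?<![\w-])(?:ms-its:|mk:@msitstore:|ms-help://|hcp://)\S+", re.IGNORECASE
)


def find_help_links(text: str) -> List[HelpLink]:
    """Find help-protocol addresses in free text, dropping trailing punctuation."""
    links = []
    for match in _LINK_RE.finditer(text):
        candidate = match.group(0).rstrip(".,;)>\"'")
        link = parse_help_link(candidate, remove_spaces=False)
        if link is not None:
            links.append(link)
    return links


def count_by_scheme(links: List[HelpLink]) -> Dict[str, int]:
    """Summarise how many links of each scheme were found."""
    return dict(Counter(link.scheme for link in links))


# The article's four samples, copied as printed (including the inserted spaces).
ARTICLE_SAMPLES = [
    r"MS-ITS:C:\WINDOWS\Help\ tcpip.chm::/sag_TCPIP_pro_Ping.htm",
    r"mk:@MSITStore:C:\WINDOWS\ Help\whatnew.chm::/",
    r"ms-help://MS.VSCC/MS.MSDNVS/ vbcon/html/vbconMigrating",
    r"hcp://system/sysinfo/ sysInfoLaunch.htm",
]

# Constructed sample text, standing in for a message body or log line.
SAMPLE_TEXT = (
    r"See hcp://system/sysinfo/sysInfoLaunch.htm for details, "
    r"or open MS-ITS:C:\WINDOWS\Help\tcpip.chm::/sag_TCPIP_pro_Ping.htm. "
    r"The normal page is http://www.example.com/help.html"
)

if __name__ == "__main__":
    for sample in ARTICLE_SAMPLES:
        print(parse_help_link(sample))
    print(count_by_scheme(find_help_links(SAMPLE_TEXT)))
```
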
The protocols are implemented in a quirky way. They are sloppily
documented. There are no world standards. If you send someone a URL in
one of the Microsoft-invented protocols by email, you have to remember
to tell him or her to use Internet Explorer, or he or she will only
get an error message. It is difficult or impossible to learn why
Microsoft invented four new protocols, and ignored the world standard.
Whoever is served by having four new protocols, it does not seem to be
This example of the help protocols is only a very small one to
illustrate an overall point. There are many, many quirky
implementations like this. Each one, considered separately, might be
accepted. When there are many it is a considerable burden for both
professionals and users.
It is important to understand the nature of what is written in this
section. Many people use software that only runs under a Windows
operating system; for those people, Microsoft has a monopoly in
operating systems. There is nothing in this section that would cause
such a person to give up necessary software. The point is that the
manner in which Microsoft manages its business creates difficulties.
Microsoft has many initiatives and purposes that are not what its
customers would choose.
Why so many defects? The fact that Windows XP makes your computer
dependent on Microsoft computers is bad not only because you lose
control over your computer, but because Microsoft produces defective
software and doesn't patch defects quickly.
For example, on December 9, 2002, there were 19 security
vulnerabilities [pivx.com] in Microsoft's internet browser, Microsoft
Internet Explorer. Some of these defects allow a malicious web site
designer to "execute arbitrary commands, read local files, and do
anything the user can ... do to his machine". These defects allowed an
attacker to take control even if the user had a perfect software
firewall and a perfect hardware firewall. The attack could use the
HTTP protocol which all firewalls allow. This extreme exposure existed
Here is the recent record. The list of defects has been similar for
years. Also, this is a record only of security defects, not all
* June 18, 2002: 18 vulnerabilities
* August 8, 2002: 22 vulnerabilities
* September 9, 2002: 19 vulnerabilities
* November 19, 2002: 32 vulnerabilities
* December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on
Nov. 20, but two new ones were found.)
This is a terrible record for a company that has $50 billion
[biz.yahoo.com] in the bank. ("Total Current Assets") Obviously, with
that kind of money, Microsoft could fix the defects if it wanted to
fix them. Since the defects are very public and Microsoft has the
money, it seems reasonable to suppose that top management at Microsoft
has deliberately decided that some defects should remain.
The defects in Internet Explorer are examples in only one program. All
of Microsoft's software seems to be of comparable quality. See, for
example, the Microsoft Crash Gallery.
The security vulnerabilities are often very public. For one of many
examples, see the December 21, 2001 Associated Press article published
by USA Today, XP flaw due to 'buffer overflow' [usatoday.com].
There are a variety of plausible reasons why Microsoft would allow so
many defects in its software. Since Microsoft has a virtual monopoly,
it is enormously profitable to sell users sloppily written software,
and then later sell them upgrades to that software.
It also seems possible that there is a connection between the huge
number of defects and the U.S. government's friendly treatment of
Microsoft's law-breaking [usdoj.gov]. The U.S. government's CIA and
FBI and NSA departments spy on the entire world, and unpatched
vulnerabilities in Microsoft software help spies.
Another theory is that the quality of management at Microsoft is so
poor that the company simply cannot motivate its programmers to do
better. One of the causes of security vulnerabilities is called
"unchecked buffer", in which a program takes input, but does not check
the input before it is used. A search using the Google search engine
for web pages at Microsoft sites exclusively about "unchecked buffer"
shows hundreds of entries. This and other indicators suggest that
Microsoft may have for years allowed its programmers to submit sloppy
programming, and now problems are difficult to find and fix.
Solve security problems: Don't let Microsoft connect. There is a
solution to problems with network security of Microsoft software that
involves using two computers for each user. Use an old computer to
connect to the Internet; it does not matter if it is slow. Run the
Linux operating system and the Mozilla browser and email client on the
Use a new computer for all other tasks. Use a KVM switch to connect
one Keyboard, Video monitor, and Mouse to both computers. Run both
computers simultaneously. Remove the TCP/IP protocol software from the
new computer running the new Microsoft operating system, so that it
cannot possibly connect to the Internet. For file sharing, network the
computers together using a protocol like NETBEUI or IPX, or other
means. IOGear makes KVM switches that have no video degradation at
Technical Support is sometimes not available from Microsoft. When
there is an extremely technical problem with a Microsoft product, it
is often difficult to get help. A common problem with technical
support staff in general, not just with Microsoft technical support,
is that they tend to work for themselves, not for the customer.
Technical support people have greater job security if they give less
help. If they are very efficient in reducing problems, it is likely
that the company will reduce its staff. Also, there is an enormous
conflict of interest: Companies pay their technical support staff less
than $20 per hour, and they usually charge an average of $120 per hour
or more to provide help. Having software defects is extremely
A friend of the author was the chief computer support person for a
company with an annual gross income of $300 million. The company had
purchased the most expensive technical support available from
Microsoft, but Microsoft was unable to fix a problem in their SQL
Server product for many months. SQL Server would become unusable and
only re-booting the server would cure the problem. (This was several
years ago. The problem has since been cured.)
Two programmers wrote a humorous article about difficulty getting help
from Microsoft that compares Microsoft Technical Support to Psychic
Friends Network. (Psychic Friends Network is a company in the U.S.
that, in the author's opinion, takes advantage of poorly educated
people who believe that a stranger can fix their personal problems by
talking on the telephone.) The 1998 article, Microsoft Technical
Support vs. The Psychic Friends Network [bmug.org (Dec. 29, 2002:
Server down?)] or Microsoft Technical Support vs. The Psychic Friends
Network [netscrap.com], says:
"In terms of technical expertise, we found that a Microsoft technician
using Knowledge Base was about as helpful as a Psychic Friends reader
using Tarot Cards. All in all, however, the Psychic Friends Network
proved to be a much friendlier organization than Microsoft Technical
That article is linked here because it reflects the author's extensive
experience, too. The author has sold Microsoft products as part of
complete business computer systems since 1983.
The author once reported several serious problems with Windows 98 to a
Microsoft technical support representative who seemed especially
knowledgeable and kind, and he just laughed. He was unable to get any
answers, and he did not have any way of contacting someone who could
get the answers. Some of the problems were never fixed. For the
others, the author got help from the technical support department of a
large computer parts distributor. Of course, these issues were much
more difficult than those from average users.
The author reported the five problems in Windows XP mentioned below
several months ago before the release of SP1 (Service Pack 1). Only
one was cured with the release of SP1. That fix was not documented.
Open source software suppliers are often fast to fix defects. On
Sunday, December 8, 2002, the author found a very minor defect in
version 1.2 of the Mozilla [mozilla.org] internet browser. Mozilla is
entirely free software and the author's favorite browser. When testing
fragments of HTML pages (not full web pages), the first line would
sometimes be displayed in an incorrect font. This was a very minor
defect, but it caused minor problems for the author because he often
tests complicated HTML fragments to check how they look.
At 9:01 AM on Sunday, the author of this article used Bugzilla
[mozilla.org], Mozilla's defect reporting web site, to report the
defect. At 9:10 AM, 9 minutes later (9 minutes on a Sunday!), the
author received an email saying that the defect had already been
fixed in version 1.2.1 of Mozilla. The author had not yet installed
the new version because it had been reported that it only fixed one
defect that the author had not experienced.
Recall from the section above that, on December 9, 2002, Microsoft's
browser had 19 known unpatched security vulnerabilities, some of them
extremely serious. Mozilla has none. This is different than would be
expected, by a wide margin. In one case, you pay money for the product
(The Internet Explorer browser is part of Windows XP.) and the
service, and you get a poor product and poor service. In another case,
the product and service are entirely free, and both are superb. The
skepticism experienced by the average businessperson when someone
says, "The product from the big company is poor quality; the free
product is better", slows the acceptance of open source software.
Some web sites have been written to use proprietary Microsoft
features, instead of the world standards. These sites must be visited
using Internet Explorer.
Deliberately allowed to crash. Resource Meter, a Microsoft program
supplied with Windows 98, is able to predict most Windows 98 crashes.
It would have been easy to integrate this program into the Win 98
operating system and program it to prevent the running of additional
programs or to provide an error message, rather than let the OS crash.
Microsoft did not do this. See below for information about how to run
a test yourself.
Windows 95, Windows 98, and Windows ME (all closely related to each
other) were designed in such a way that it was inevitable that they
would crash. Windows 95 was originally designed with a 64 kilobyte
limitation on some resources that would have caused it to crash sooner
than it does. Protests by knowledgeable people at that time caused
Microsoft to increase that artificial limit to 128 kilobytes. At that
time, memory was very expensive. When memory became cheaper, and it
became common that people would run more than one big program at the
same time, crashing became extremely common.
Microsoft did nothing to solve the problem. It might not have been
possible to fix the problem in an elegant way, but it was, and is,
possible to fix the problem. Therefore, it seems reasonable to say
that the crashing is deliberate Microsoft policy. The crashing is
often given as the biggest problem users have with Windows 98 SE
(Second Edition); if it were fixed with a simple patch, many people
would not buy Windows XP.
Here's a test you can do easily on a Windows 98, Windows 98 SE, or
Windows ME system. Start the program called Resource Meter by clicking
on Programs/ Accessories/ System Tools/ Resource Meter. If you copy
the icon and put it into your Startup folder, Resource Meter will
start every time you start Windows.
Resource Meter displays three quantities: System Resources, User
Resources, and GDI Resources. It is the limited User Resources and GDI
Resources that cause Windows to crash. No matter how much memory you
have in your computer, if you use close to the limit of User Resources
or GDI Resources, Microsoft Windows 95, 98, or ME will crash. For 16
bit programs, User Resources and GDI Resources are limited to 128
kilobytes each. That's 128,000 bytes (approximately, because of a
different scheme of counting memory), no matter how much memory you
have installed. For 32 bit programs, User Resources and GDI Resources
are limited to 2 Megabytes each. These limitations are known to a few
computer professionals, and are sometimes discussed in technical
forums. However, very few users know about the limitations, and most
don't know why their systems crash.
If you run Resource Meter and watch it carefully, you can, usually,
prevent crashes by closing a program whenever you get close to
crashing. This doesn't work, however, when a program makes a request
for memory that is unexpectedly large. Instead of refusing the request
and giving a message to the user, Windows will crash.
The resource design limits are especially cruel to users because they
lose their work when their systems crash. They are also cruel because
users often spend money to install more memory in their computers, not
realizing it won't make a difference.
Why would Microsoft allow deliberate limitations? Apparently because
it may be the only way to get users to spend more money to upgrade later.
For most users, the only reason to buy Windows XP is because it
Windows XP doesn't crash, it becomes less usable. Windows XP
doesn't have the artificial GDI and User resource limitations of
Windows 95, 98, and ME. All of the installed memory is available to
the Windows XP operating system when it needs it. However Windows XP
becomes shaky when enough programs are loaded that all of the
installed memory is in use.
Windows XP, and all modern operating systems, have a feature called
virtual memory that is supposed to put programs on the hard disk that
are loaded but not being currently used. However, this feature does
not work well in Windows XP. When the memory limit is reached, a
Windows XP system takes a long time to respond and does a lot of disk
access. Sometimes the disk access, called "thrashing" because it
indicates something is not working properly, continues for 45 seconds
or 90 seconds or more after clicking on a loaded program to bring it
to the top of the desktop. The result is that Windows XP becomes less
usable and eventually must be rebooted.
In contrast, the virtual memory feature in the Linux operating system
works extremely well. There is disk access, of course, but only what
would be expected.
Microsoft seems to know about the problem. If there are more than 21
programs loaded, the programs may be presented out of order on the
taskbar. Some programs may not be displayed on the taskbar, and the
ones that aren't displayed change as you use them. This seems to be a
way of discouraging users from opening many programs at the same time,
so that they won't experience the problem with virtual memory.
Windows XP may provide no local security. Managers are being allowed
to believe that Windows XP is secure under conditions in which it
isn't secure. Since it is necessary to supply a password, the
impression is created that there is no other way of gaining access.
That is not true. Neither Windows XP nor any other operating system
provides security against an attacker who has physical access to a
computer and can start the computer with another operating system.
The administrator password can be changed. A product called
Locksmith [winternals.com] can change the administrator password on
any Windows XP, Windows 2000, or Windows NT system. This means that an
attacker can have complete control over the computer.
There is free software for changing the password, also. For example,
see the article, Offline NT Password & Registry Editor, Bootdisk
The problem here is not that Microsoft could have provided better
local security in this case. Anyone who has access to a diskette or
CD-ROM drive attached to a computer and can run a different operating
system can replace the file that contains the password. The problem is
that Microsoft allows people to think that there is more security than
Note that the attacker can change the administrator password, but
cannot discover the password that existed originally, because it is
made inaccessible in a manner that is completely secure. It is
possible, however, for the attacker to 1) copy the file that contains
the encrypted password, 2) change the password and gain access, and
then 3) change the password back to the original by copying the
original file back to the system. Since the password would be the same as
before, an unchanged password would not be evidence that no attack
A new copy of the operating system can be loaded. An intruder can
load a second copy of Windows XP or Windows 2000 in a different folder
from the original, using an operating system CD that can be bought at
any computer store. After starting the computer using the new copy,
the intruder is able to access, copy, and use all files that have not
It is possible to use the Windows XP recovery console without a
password. A security flaw in Windows XP allows accessing the
recovery console without a password. (The recovery console is a
feature intended to allow emergency access to files by someone who
knows the password.) The article, XP passwords rendered useless
[briansbuzz.com], shows how.
You cannot know now to what contract provisions you will be held in
the future. Microsoft has changed the terms of the contract to which
users are bound by including the new contract with some security and
other defect fixes.
Recent security patches require that the user agree to a contract that
gives Microsoft administrator privileges over the user's computer
[theregus.com]. (Administrator privileges give complete control over
the computer and all data stored on it.) See also, Microsoft EULA
requests root rights - again [theregus.com]. The contract says that if
a user wants to patch his or her system against a defect that would
allow an attack over the Internet, he or she must give Microsoft legal
control over the computer.
This article explains the issue in more depth: Microsoft's Digital
Rights Management-- A Little Deeper [bsdvault.net]. It helps to think
like a lawyer when you take apart the crucial sentence. The sentence,
"These security related updates may disable your ability to copy
and/or play Secure Content and [my emphasis] use other software on
your computer" legally includes this meaning: "These updates may
disable your ability to use other software on your computer." Note
that the term "security related updates" is meaningless since some of
the updates have no relation to user security. So, the sentence
effectively means that Microsoft can control the user's computer
without notice and whenever it wants.
Since Microsoft can change the contract at any time and without
control by the user, Microsoft can bind users to contracts that it
invents in the future. This is a new development in contract law. A
user is bound to a new contract if he or she wants defect fixes and
security fixes. But this gives the user no control, since once
security flaws are widely known, every computer must have the fixes or
remain vulnerable. Users invest considerable money and time into their
computers, and cannot avoid agreeing to the new contract without
giving up their entire investment and disrupting their business and
Microsoft Keeps Control: Microsoft has abandoned its earlier
successful business model. Previously, Microsoft did not write its
software in such a way as to keep control after the software was sold.
This was an extremely successful way to do business. Microsoft made
hundreds of billions of dollars and became the largest software
company in the world. In recent years, however, Microsoft has invented
numerous ways of keeping control:
You must have permission from Microsoft to install software you own.
In Windows XP there is a system called Windows Product Activation
(WPA) that requires users to get permission from Microsoft when first
installing its software and every time the user's hardware changes
Note that WPA is used only on the Windows XP Home and Professional
versions. The Windows XP Corporate version is identical to the
Professional version, except that it does not use product activation.
Microsoft pretends that software dies. Microsoft has recently been
saying that its products have a limited life. For example, see
Microsoft's October 15, 2002 revisions of the June 3, 2002 articles,
Windows Desktop Product Life Cycle Support and Availability Policies
for Businesses and Windows Desktop Product Life-Cycle Guidelines for
Consumers [microsoft.com]. Microsoft calls these guidelines, but, for
customers, they are rules.
Windows 98 dies on January 16, 2005. The most widely used operating
system in the world will be declared dead on January 16, 2005,
according to a table at the bottom of the Life Cycle policy pages
mentioned above. The right-hand column says, "End of Life (effective
date after end of online self-help support)".
Microsoft often changes its policies. Note that Microsoft's policies
can and do change at any time without warning or discussion. There
have been two versions of the "life-cycle" policy in a little more
than four months. The version as this is being written (February 6,
2003) is at least the third. The articles say the policy was first
published February 2001. Microsoft is also not required to make its
policies clear; in this example, the writing is confusing.
Microsoft's customers often use software for 10 years or more.
Microsoft's artificial limits may be much shorter than the length of
time computer systems are used by customers, who often use the same
software for 10 years or more. If software is working well, customers
often feel there is no reason to buy something new.
There are, basically, two kinds of software. There is content creation
software like word processors, spreadsheets, and photo editing
software. In the last several years, this kind of software has
advanced rapidly. There may be good reason to have the latest version
of this kind of software. Then there is production software for
accounting and inventory, for example. With production software,
someone does data entry and possibly someone else runs reports. If the
reports are sufficient, there is no need to change the software, even
if it has been used for 10 years or more. Since data entry speed is
limited by typing speed, and report printing is limited by printer
speed, there is often no need for faster hardware when using
There are many reasons not to change a computer system that works
1) The new software probably has defects. There may be defects in
the new system that did not exist in the old. It is usually possible
to fix the defects, but that usually takes time. When Windows XP was
first released, the author had problems with crashing because of video
drivers, for example. There were severe problems with an Intel driver
called the Intel Application Accelerator. Many scripts written for
Windows 98 needed to be re-written. The mouse software for both
Microsoft mice and Logitech mice did not work completely.
2) Do you want to pay for training? A new computer operating system
requires that staff be re-trained. This is more expensive than just
the cost of employee time if the staff is already very busy.
3) If it works, why change? It is wise not to change a system that
has been carefully audited and shown to work perfectly, such as an
accounting system. The security that comes from knowing that all the
problems have been found has caused very large companies to continue
to use an accounting system written in the COBOL computer language for
more than 30 years.
4) Sometimes old software won't run. Sometimes old software will not
run on a new operating system. There are many programs that run
perfectly under Windows 98 that cannot be used under Windows XP. At
the time of this writing, February 6, 2003, the latest version of MAS
90, an accounting program for companies with complicated accounting
needs, does not run reliably on Windows XP, but works fine on Windows
5) Seriously Reduced Functionality Sometimes the old software does
things the new software doesn't. Windows XP has very seriously reduced
a) Windows 98 can copy all of its own files, Windows XP cannot. The
Windows XP file system is artificially crippled; it cannot copy some
of its own system files. This makes it difficult to make functional
backups. Microsoft apparently uses this crippling as copy protection.
b) Reduced Functionality: Hard disks cannot be moved. Windows XP,
and Windows 2000, make it very difficult to move a hard drive to
another computer. Microsoft has written Windows XP so that it cannot
be easily moved to another computer. This article on Intel's web site
describes the problem: Moving a Hard Drive to a New Motherboard
[Intel.com]. The article says, "Moving a hard drive with Windows 2000
or Windows XP already installed to a new motherboard without
reinstalling the operating system is not recommended." (This is a
universal problem; Intel motherboards are only being used as an
example.) Note that the problem is not just moving a hard drive to a
new motherboard; the same problem is encountered when moving a copy of
all software on a hard drive to a new motherboard. It is thus
impossible to make functional backups. Instead, it is necessary to
re-install the operating system and all the programs, program updates,
and security patches.
Note that the link in the Intel article called "Microsoft's knowledge
base article" is a dead link. The other link, the one in the sentence,
"For additional information, please refer to these instructions from
Microsoft", is also dead. This issue is apparently not seen as
important by Intel; Intel will sell more computer hardware if hard
drive software organization cannot be moved from one computer to
another. (It is possible to find the Microsoft information, which
merely describes the difficulty of moving a hard drive installation to
another computer in more detail.)
c) In some ways, even Windows 95 is better. In some ways, Windows XP
has less functionality than even Windows 95. For example, the command
line interface (CLI, also called DOS) in Windows 95 is more responsive
to shortcut keys. Sometimes when the user presses a shortcut key in
Windows XP, the system does not respond for 20 seconds. Windows 95
responds immediately, Windows 98 is sometimes slow, but the shortcut
facility in Windows XP is unusably slow.
WPA and software death can force users to pay more. The two schemes
of WPA and artificial software death together give Microsoft a way of
preventing people from using Windows XP on a new computer, for example
when they upgrade their hardware after several years. It would work
like this: WPA prevents a customer from re-installing Windows XP on a
new machine without Microsoft's permission. Microsoft may not give
permission after declaring that the software has died. If
Microsoft won't give permission, the user may be required to buy new
software; a customer could not move a working Windows XP system to new
Computer companies and consultants are required to disclose their
customer information. Those who supply computer services involving
Windows XP Corporate version can no longer keep the names of their
customers private. The policy of forced disclosure abandons a
tradition of business privacy that is thousands of years old.
This may be an important fact for a large company to consider;
possibly the fact that Microsoft forces disclosure will cause computer
professionals to be less enthusiastic about supporting Microsoft
products. This might become a big issue during the expected life of a
computer system. If a system works well, there is no need to replace
it. Sometimes companies keep their systems for 10 years or more.
Microsoft requires that professionals give this information about
1. Contact Name ("Full name")
2. END USER Company Name [Microsoft's emphasis]
3. Address ("No PO Boxes please. Must be physical address.")
4. Telephone Number
5. END USER Email Address [Microsoft's emphasis]
6. Purchase Order Number
Microsoft, or even a disloyal Microsoft employee, could decide to make
use of this information, and approach a customer directly.
A government that uses proprietary software is not an independent
government. A government that wants to be independent of other
governments, or that represents itself as controlled by its own
people, can use proprietary software only if there is easy access to
the source code. (The source code is the original instructions in
which the software was written.) This is because it is possible for
someone to put instructions in proprietary software to spy on or to
sabotage government operations.
The alternative to closed source, proprietary, software is open source
software. It is difficult to believe that so many people would be so
charitable, but more than 100,000 programmers have donated their time
to produce excellent free operating systems and word processors and
many other programs. Not only is the source code and the entire
product completely free, but the more popular programs get a lot of
attention from programmers, so mistakes are found quickly.
The most popular open source, free operating systems are Linux and
BSD. Linux, provided by companies like RedHat, SuSe, and others, is
useful for desktop computers and servers. OpenBSD, FreeBSD, and
NetBSD, all closely related, are very secure and excellent for server
computers. Anyone can have as many free copies of this software as
desired. The companies who sell open source software make money by
selling technical support.
There is a strong movement away from proprietary software. However, at
present using Microsoft software is sometimes necessary because there
are many programs that users need that are not supplied in Linux or
BSD versions. Also, Linux and BSD are sometimes more difficult to
Microsoft's shared source policy is not equivalent to open source.
On January 14, 2003, Microsoft announced in a press release that it
would allow governments to look at the source code of Microsoft
products: A Matter of National Security: Microsoft Government Security
Program Provides National Governments with Access to Windows Source
Microsoft's policy of allowing government programmers to see source
code is not equivalent to having open source code. A thorough review
of the more than 40 million lines of source code in Windows XP is far
more than even a government can attempt. It would be easy for someone
to hide spy instructions that could be controlled from outside. This
is not unlikely. The U.S. government's spy agencies, the CIA, NSA, and
others, have an essentially unlimited amount of money. They can and do
exploit any method of spying. The U.S. government has bombed 14
countries in 35 years. Organizations should not assume that those who
think killing is a way of solving problems will suddenly become moral
when they consider computer software.
Good programmers are not willing to sign the non-competition and
non-disclosure agreements that Microsoft requires. They fear that
would put them at risk of a Microsoft lawsuit. Even if they were found
in court not to have infringed on Microsoft's contract, the cost of
the lawsuit would be enormous. Also, they could lose their jobs over
any such dispute. It is possible that the only real effect of
Microsoft's shared source policy is to cripple an organization's best
programmers, so that they cannot work in any field in which Microsoft
has an interest.
The article Why isn't Microsoft's shared source a step forward?
[linux.org.au] discusses many of the reasons why Microsoft's policy
does not solve the problems of closed source software. One section of
the article, Question Time mentions questions that can be asked of
Microsoft representatives. The Summary suggests a way to score closed
source, open source, and shared source software based on your
Open source software provides the security that anyone in the world
can see the source code, not just a few government programmers. In
practice, this means that there is a high likelihood that sneaky
elements in software will be found.
It has occasionally happened that someone has hidden sneaky software
in changes that were submitted to open source software developers. The
intensity of review of open source software is such that it seldom
happens that destructive changes are accepted, and, when it has
happened, the corruption has been quickly found.
Microsoft could allow everyone to see its source code. But most
software companies, not just Microsoft, have been unwilling to show
anyone their source code because they feel that would help someone
else make a competing product. This is not as big a problem as it
might appear at first. For example, everyone can see everything about
the Star Wars movies. That has not made Star Wars movies unprofitable.
Everyone can borrow books at the library. That has not meant that
booksellers cannot sell books. Intellectual property is not easily
copied legally even when it is completely open.
True open source would prevent Microsoft's monopoly. Microsoft
maintains its monopoly by using hidden operations in the Microsoft
Word word processor, and in Microsoft's networking, for example. If
Microsoft were to allow anyone to see its source code, the monopoly
would eventually disappear.
Cost is a small factor. Sometimes organizations with thousands of
computers have adopted Linux or another free operating system. They
have saved millions of dollars in licensing costs. Surprisingly,
however, cost is not a large factor in choosing software. If the
non-free software is slightly easier to use, the time saved can easily
be worth the purchase cost.
Microsoft keeps control. Another reason that independent
organizations cannot logically use Microsoft software is that
Microsoft has both old and new methods of keeping control of software
that it sells. It is very expensive to begin using an operating
system, and once an operating system is in use, it is difficult to
stop using it. Changes cannot be made quickly if some new undesirable
aspect is discovered, as when Microsoft changes the terms of its
licenses. Governments cannot bind themselves to unknown future
limitations and invasion of privacy and remain free.
A bill introduced to the Congress of Peru, Bill Number 1609, Free
Software in Public Administration [English translation at
pimientolinux.com], gives several reasons why government software must
be open. The reasons given in paragraphs 10, 11, and 12 of the bill
have been re-written below to make them easier to read and to avoid
problems with inaccurate translation.
A government must guarantee that the citizens have free access to
government information. To achieve this, it is necessary that the
coding of the data [file format] not be tied to a sole provider. The
use of standard and open formats guarantees this free access, making
possible the creation of compatible software [and software that does
not require paying money to get access].
A government must guarantee that public information is permanently
available. It is necessary that the use and maintenance of software
does not depend on the good will of the providers, nor on monopolistic
conditions imposed by them. Permanent availability of public
information can be guaranteed only by the availability of the source
code of the software used to access the information.
A government must guarantee national security. It is necessary to
have systems that are devoid of elements that allow remote control or
the secret transmission of information to third-parties. Therefore, it
is required to have systems whose source code is freely accessible to
the public, so that its inspection is allowed by the State, the
citizens and a great number of freelance experts in the world.
Introduction of the bill caused Microsoft to write a letter of protest
[English translation at pimientolinux.com]. The English translation of
the response to this letter [pimientolinux.com] stated the reasons for
the bill more clearly in paragraphs 5 to 8.
The letter of response to Microsoft also discusses what the Peruvian
bill does not do:
* The law does not forbid the production of proprietary software.
* The law does not forbid the sale of proprietary software.
* The law does not specify which concrete software to use. [The
word "concrete" should probably be "specific".]
* The law does not dictate the supplier from whom software will be
* The law does not limit the terms under which a software product
can be licensed.
(The punctuation was changed to agree with the standards used in this
Microsoft arranged for the U.S. ambassador to Peru to try to stop the
bill. See the July 27, 2002 Wired News article, Microsoft's Big Stick
in Peru [wired.com]. The article says,
"Congressman Edgar Villanueva, the bill's chief sponsor, said he
considers Hamilton's letter to be "overt pressure" on Peru by the
United States and Microsoft. If so, the letter would continue the
long-standing U.S. tradition of meddling in Latin American affairs,
political analysts say."
Information about the Peruvian bill is collected on a web page called
The government of the United Kingdom (England, Scotland, Northern
Ireland, and Wales) is considering these issues, also. A policy called
Open Source Software, Use within U.K. Government issued on July 15,
2002 by the U.K. Office of Government Commerce says, (Scroll down
almost to the bottom of the page; there is no need to use the links.)
"Security of government systems is vital. Properly configured OSS can
be at least as secure as proprietary systems, and OSS is currently
subject to fewer Internet attacks. A balance needs to be struck
between the availability of security administration skills and the
advantages of many diverse systems. In some cases mainstream
proprietary products may be significantly less secure than open source
alternatives (see Gartner report Nimda Worm shows you can't always
patch fast enough dated 19/9/01 by John Pescatore)."
The article about the Nimda worm mentioned above is available at
Gartner's web site: Nimda Worm Shows You Can't Always Patch Fast
Enough [gartner.com]. The Nimda worm is a vulnerability only in
Microsoft software. It has done enormous damage. About Microsoft's
product IIS, the article said,
"Thus, using Internet-exposed IIS Web servers securely has a high cost
of ownership. Enterprises using Microsoft's IIS Web server software
have to update every IIS server with every Microsoft security patch
that comes out - almost weekly."
Many other governments are considering moving away from closed source
software. One of the state governments of India, for example, is
considering a Memorandum Submitted by Members of the Free Software
Users' Group [symonds.net]. The memorandum objects to the planned
purchase by the Kerala state government of Microsoft Windows 98
software. The memorandum discusses several very serious reasons why
closed source software should not be used in the schools in Kerala
state. The memorandum says, for example, "... by confining students'
training to a particular brand of software, the government would be
giving undue preference to a particular vendor and their software thus
discriminating against vendors of other software. Thus, even by
providing software free of cost to the schools, the said company will
make immense profits, ..."
In the United States, Microsoft has considerable political power. It
has been estimated that the cost to U.S. businesses for only four
Windows-based infections, Nimda, Code Red, SirCam and Love Bug, was
about $13 billion. These infections were possible because of the
unusually poor security design of Microsoft Windows. No other
operating system has had such vulnerability.
However, the U.S. government seems to be taking little or no action to
correct the problem. One reason may be that there is an unusually
close relationship between Microsoft and top U.S. government agencies.
For example, Howard Schmidt, vice chairman of the White House's
National Critical Infrastructure Protection Board, was previously
Microsoft's chief security officer. Scott Charney, Microsoft's current
security officer, is a former federal official.
Microsoft is one of the computer industry's top contributors of
political money, according to the Top Contributors spreadsheet of the
Center for Responsive Politics [opensecrets.org]. Microsoft
contributed $2,997,854 to political campaigns for the 2002 elections.
There are people in the U.S. government who heavily favor the
un-enlightened interests of U.S. businesses. For example, see the
Computer & Communications Industry Association's [ccianet.org] July
24, 2002 news release, CCIA Opposes Hollywood Vigilante Legislation
[ccianet.org], which discusses a bill sponsored by Congressman Howard
Berman of California. The bill would allow big companies to intrude
upon or destroy web sites if they think the sites are infringing their
copyrights. Will Rodger of the CCIA has been quoted as saying,
"The larger question, which the [U.S.] government seems to be
ignoring, is, why aren't we looking at the problems caused by a
monoculture, a single operating system which serves as a single point
of failure on the Internet? If there are 60,000 Windows viruses, fewer
than 100 Mac viruses, and maybe a dozen Unix viruses, why aren't the
problems with Windows an issue?"
Senator John McCain [senate.gov] and many others say that the U.S.
government has been corrupted by money disguised as campaign
contributions. (Those who live outside the U.S. may need to be told
that Senator McCain is a Republican, the same political party as
President Bush.) A December 6, 2002 CNN article Documents: Donors
promised political access [cnn.com] mentions another method of
corruption. The article says,
'When Microsoft Corp., a $100,000-plus donor to Republicans, planned
to attend the party's major fund-raising gala in 2000, it asked to be
seated next to "Sen. (Paul) Coverdell or leadership, Commerce
Committee or Judiciary Committee," according to a GOP memo. At the
time, the company was battling a major antitrust case that threatened
to break the company into two. The memo added Microsoft did not want
to sit with Sen. Orrin Hatch, R-Utah, a major critic.'
Support for Microsoft products may be affected by ongoing legal
vulnerabilities. The antitrust case against Microsoft is now 12
years old. See the timeline [washingtonpost.com] by the Washington
Post. ABC News also indexes information about the cases; see Microsoft
vs. DOJ: An Index to Microsoft Trial Coverage [abcnews.go.com]. A
group called ProComp [procompetition.org] publishes a text-only
timeline it calls Timeline of Events Surrounding Microsoft Antitrust
Case [procompetition.org]. ProComp is an "umbrella organization for
companies and groups supporting the Department of Justice's action
In summary, Microsoft was found by the courts to have broken the law.
The case has resulted in considerable bad feeling toward Microsoft.
Companies may want to evaluate the possible future problems in
partnering with, and being dependent on, a company that has broken the
For more information about the Microsoft anti-trust case, see the
November 5, 1999 U.S. government document Court's Findings of Fact
[usdoj.gov]. The 207 double-spaced pages of this document list abuses
for which Microsoft was found guilty. There are numerous sentences
like this one: 411. Many of the tactics that Microsoft has employed
have also harmed consumers indirectly by unjustifiably distorting
competition. A legal documents company, FindLaw, has better indexing
of this document: Microsoft Antitrust Trial Findings of Fact
The U.S. Department of Justice maintains an index of the current case,
United States v. Microsoft Current Case [usdoj.gov].
The case was decided on November 1, 2002. Section J on page 7 of the
final decree, which begins "No provision of this Final Judgment
shall", is interpreted by most technically knowledgeable people to
mean that basically there is no penalty for Microsoft, because all of
Microsoft's abusive behavior is allowed.
For a list of all the official U.S. government documents of United
States of America v. Microsoft Corporation, see the index of Judge
Colleen Kollar-Kotelly's actions [uscourts.gov].
These PDF format files on the official U.S. government web site give
the details: Final Decree, Memorandum Opinion, Public Interest Order,
Opinion on the State Settlement, and State Settlement Order [all
The case is not over. There will be an appeal. Also, U.S. state
governments and governments outside the U.S. are continuing to pursue
Because of the common perception that Microsoft has broken U.S. law
and yet not been forced to pay a significant penalty, there is
considerable resentment of Microsoft. Microsoft is considered by many
to have participated in corrupting the U.S. government, partly through
giving money to politicians [opensecrets.org]. The outcome of the case
may increase the distrust of Microsoft and hasten the rate at which
companies change to other operating systems, such as RedHat Linux and
Mandrake Linux, and other office software, such as the excellent Open
Office [openoffice.org]. Companies don't want to use software from an
organization that is not trustworthy because software can be
programmed to have hidden operations. Mandrake and RedHat Linux and
Open Office are publicly designed and supported software, and are
The Washington Post discussed perceptions of the Court decision in the
November 2, 2002 article, Microsoft Pleased; Foes Critical
The anti-trust case was started partly because of Microsoft's
aggressive actions toward Netscape, a company that made an Internet
browser and Internet server software. It is interesting to note that
Microsoft lost that contest anyway. Many people consider that Mozilla
is the best browser and e-mail software, and that Apache [apache.org]
is the best Internet server software. These are both publicly
supported, free programs. Apache server is the most popular Internet
server software in the world.
Microsoft restricts your software options. When you use Microsoft
Windows XP, you are prevented by the license from using valuable
software that competes with Microsoft's. See Brian Livingston's column
[infoworld.com] in which this is discussed, beginning in the fifth
paragraph. The license says:
"Except as otherwise permitted by the NetMeeting, Remote Assistance,
and Remote Desktop features described below, you may not use the
Product to permit any Device to use, access, display, or run other
executable software residing on the Workstation Computer, nor may you
permit any Device to use, access, display, or run the Product or
Product's user interface, unless the Device has a separate license for
Although this restriction is probably illegal even in the United
States where it was written, a large company might not feel that it
could risk legal involvement with a rich company like Microsoft, even
if it knew it would win.
The license restriction apparently is partly directed toward
preventing the use of VNC, excellent free software designed in the AT&T
research labs that were formerly in England.
An article on a web site that is very pro-Linux and open software
gives another testimonial about the usefulness of VNC:
"I used to work for IBM and one of my great achievements (ok, small
achievements) there was to save a particular very large client a great
deal of time and money by recommending and then implementing a remote
control support option using VNC."
The Registry is a single point for failure. There are many other big
shortcomings in Windows XP. Windows XP, and all current Windows
operating systems, have a file called the registry in which
configuration information is written. There are several files which,
all taken together, Microsoft calls the registry, but the one that
causes most of the problems is, in Windows XP, called SOFTWARE. (The
name is in all caps and has no file name extension.) On one machine,
for example, this file is 25.69 megabytes; it is a huge file
considering that it contains configuration information.
If this one large, often fragmented, file becomes corrupted, the only
way of recovering may be to re-format the hard drive, re-install the
operating system, and then re-install and re-configure all the
The registry file is a single very vulnerable point at which failure
can occur. Microsoft apparently designed it this way to provide copy
protection. Since most entries in the registry are poorly documented
or not documented, the registry effectively prevents control by the
user. There are many areas like this where Microsoft's design
conflicts with the needs of the users.
Microsoft's documentation includes language that gives the proper
sense of fear about corruption of the registry. The Microsoft
Knowledge Base Article number Q318159, Damaged Registry Repair and
Recovery in Windows XP [microsoft.com] says,
"When a registry hive becomes damaged, your computer may become
unbootable, and you may receive one of the following Stop error
messages on a blue screen:
* Unexpected Shutdown
"CAUSE: Registry damage often occurs when programs with access to the
registry do not cleanly remove temporary items that they store in the
registry. This problem may also be caused if a program is terminated
or experiences a user-mode fault."
The article says, "The hotfix that is described in this article
automatically repairs the registry during startup, ..."
However, the article does not say that this only fixes one kind of
damage, and cannot always fix this kind of damage. The registry is a
primitive database that cannot always be repaired. There are many
programs from other companies that try to repair registry damage, but
they also cannot repair all kinds of damage. Putting the configuration
information in one file has caused some of the best educated people on
earth to lose time and money, all so that Microsoft can make a crude
kind of copy protection.
More Details about Registry Problems
The problem with the registry
is this. Suppose the registry becomes corrupted, but the software that
the corruption affects is not used for a considerable time. After the
corruption occurs, the computer is upgraded, perhaps with new
application software, perhaps with new drivers. Then maybe new system
preferences are applied. Suppose the company has saved backups of all
previous versions of the registry on CD (an unlikely event).
See the problem? Since all the software is connected to all the other
software by the registry, corruption that goes unnoticed for a while
can create an impossible situation. If the company goes back to the
original, known good registry, they must give up all the time they
spent upgrading the computer. This may be substantial, especially
since they may not have complete records about what upgrading was
In actuality the situations caused by the registry are far, far more
complicated than this. For example, you may think that some failure
you are having is caused by registry corruption. However, it may take
far too much time to prove whether that is the case. If you think of
all the combinations of difficult circumstances, you will see that
having most configuration settings in one file is sometimes
devastating for the user.
Consider that the person who is using the computer probably has an
important job in the company, and wants to use the computer, since
only some functions don't work, but others do. Consider that a repair
person must be supervised 100% of the time at some companies, because
of security needs.
There seems to be nothing like this in the Linux or BSD operating
systems. First, there is no single file in which corruption can make
an entire installation worthless, even if the user has backups.
Second, there is far better error checking, so corruption of any kind
is less likely to occur. With Windows XP, sometimes a faulty program
can cause the entire OS to become unstable. (I have personally seen
this at least 50 times.) My experience with Linux is that the OS just
throws the faulty application out of memory and comes back and says,
okay, what else do you want to do?
With Linux, a software upgrade that you much later discover was bad
causes you to re-install a known good version. With Microsoft Windows
XP, because of the connection between all programs by the registry,
you may have to start over with a re-formatted hard drive. This
usually takes many hours, especially in situations in which a company
employee uses a system with special adjustments or programs, as is
often the case. Installation and configuration of all the programs
used by a professional graphic artist, for example, may require 30
hours or more. A graphic artist might use numerous graphics packages
and utilities, and also a word processor, an address book, accounting
software, text utilities, color balancing software, and other
programs, for example.
Users have always had the option of making backups of the registry,
but making useful backups is often difficult or impossible. Backing up
the registry in Windows XP is even more difficult because the registry
is now not in the two files system.dat and user.dat, but is spread to
several files, with one containing most of the information. Windows XP
prevents making copies of any of these files with the xcopy.exe
program or any other copy program. So, you cannot create your own
backup tools, as you could in Windows 98.
Backup Problems: Windows XP cannot copy some of its own files.
Windows XP cannot make functional backups of the Windows operating
system or of the installations and settings of the applications.
Microsoft Windows 98 can copy all of its own files. Using a program
called xcopy32.exe, which is supplied, Windows 98 can copy all of its
files to another, blank hard drive to make a fully working copy of all
of the operating system and applications.
Microsoft Windows XP is crippled. It is designed to be unable to copy
some of its own operating system files. This article from Microsoft
discusses the policy of not supporting the making of functional
complete backups under Windows XP: Q314828 Microsoft Policy on Disk
Duplication of Windows XP Installation [microsoft.com]. See the
section, Microsoft Policy Statement, that says,
"Microsoft does not provide support for computers on which Windows XP
is installed by duplication of fully installed copies of Windows XP.
Microsoft does support computers on which Windows XP is installed by
use of disk-duplication software and the System Preparation tool
The meaning of Microsoft's policy, "Microsoft does not provide
support" is also that, if you have tools from other companies for
making backups, Microsoft could make changes that prevent those tools
The wider significance of Microsoft's policy is somewhat hidden. Since
almost all programs use the XP operating system's registry file, if
you cannot make a functional copy of the operating system you cannot
make a functional copy of all your application installations and
There are other software companies that make products for creating
functional backups, but these products don't work well. They cannot,
for example, run under Windows XP, because XP actively prevents that.
The backup tools from other companies must run under another operating
system; to use them it is necessary to exit Windows XP, restart the
computer, and load the other operating system.
As was mentioned, Microsoft could break the third-party backup
software at any time by issuing necessary software upgrades that also
prevent the third-party backup software from functioning, as the
company has done in other cases. See, for example, Sneaky service
packs [infoworld.com], an August 26, 2002 column by InfoWorld writer
Brian Livingston, who is perhaps the best-known computer industry
Note that Microsoft's Sysprep software does not provide a workable
backup method in most cases. Sysprep images are for preparation of
initial installations of Windows XP only, and support only the exact
hardware for which they were made. In cases in which there is a
hardware failure a year or more after initial purchase, it would be
unusual if the replacement hardware were identical.
Because the configuration information for the motherboard and the
configuration information for the applications are mixed together in
the registry file, the registry tends to prevent you from moving a
hard drive containing the Windows XP operating system to a computer
with a different motherboard. That's another implication of the above
Microsoft policy. So, if you have a motherboard failure, and a good
complete backup that you made using tools you got from someone other
than Microsoft, you may not be able to recover unless you have a spare
computer with the same motherboard.
"What is your name and address?" means "Can we invade your privacy?"
Only technically knowledgeable people know how to avoid signing up for
a Microsoft Passport account during initial use of Windows XP.
Most people are honest and also intimidated by the complexity of a
computer system. Apparently about 95% do whatever they are asked on
the screen. They give their personal information to Microsoft. They
don't realize that, if they feel forced to get a Passport account,
they should enter almost completely fictitious information, since the
real question is not "What is your name and address", but "Can we
invade your privacy". The honest answer to this is "No, you cannot
invade my privacy", and the only effective way to communicate that is
to give completely fictitious information.
Passport accounts are advertised as a way of making it easier to buy
online, because the account identifies you to online sellers. In
actuality, Passport accounts allow Microsoft to make money from every
online transaction. Any money paid by sellers to Microsoft is
ultimately paid by the buyer in higher prices, of course.
There is absolutely no need for Microsoft's Passport. There is a free
Internet browser called Mozilla [mozilla.org] that provides the same
benefit to the user as Passport, but doesn't involve the extreme
privacy invasion of the Microsoft method. Mozilla's Password Manager
(under the Tools menu choice) remembers what you type when you supply
any personal information, not just passwords. Next time you visit that
web page, Mozilla asks if you want the web form information supplied
automatically. If you want, Mozilla can encrypt all of your password
and credit card and other form information; you then enter your master
password to access the automatic data entry.
The Mozilla browser is very highly regarded among computer
professionals. It has other features that don't exist in Microsoft's
Internet Explorer browser. Mozilla is open source software, which
means that anyone can read the instructions that the program uses. The
source code of Microsoft's Internet Explorer is hidden to anyone but
Users may not want to give away their personal information to
Microsoft, the company that has been the world's biggest source of
Internet security risk. There are many, many examples of that risk.
For example, Microsoft's Hotmail contained a defect that allowed
anyone to read anyone else's email. For one of the many stories, see
the August 30, 1999 article, Hotmail hole exposes free email accounts
[CNET]. Microsoft's Passport is partly based on Hotmail accounts. See
also the CNN article, Web site provides access to millions of Hotmail
messages [CNN.com]. In an article titled Hotmail hole exposed free
email accounts [abcnews.go.com] ABC News reported that one of the web
pages that demonstrated the vulnerability was written on June 7, 1998,
more than a year before Microsoft fixed the problem. Given the ease of
using the vulnerability, and the wide publicity before it was fixed,
it seems plausible that tens of thousands of people visited Hotmail
email accounts without using passwords.
Since it is the educated people who have computers, Passport accounts
help Microsoft build a database of the personal lives of educated
people. Microsoft knows when they connect and from what IP address
(which tends to show the area), for what kind of help they ask, and
information about what they are doing with their computers, including
what music they like. It is not known, and there is no way to know,
how much Microsoft or other organizations make use of this
information, or their plans for future use. It is also not known if
there are vulnerabilities that allow unauthorized people or
organizations to access Microsoft's database.
In the past, Passport has been shown to have zero security. See the
Wired News article, Stealing MS Passport's Wallet [wired.com].
On August 8, 2002, the U.S. Government's Federal Trade Commission
(FTC) ordered Microsoft to stop lying about its Passport service. The
FTC's order is titled Microsoft Settles FTC Charges Alleging False
Security and Privacy Promises [ftc.gov].
Microsoft's response to the FTC order was to lie about the
significance of the order in an e-mail message.
Palladium gives Microsoft the ability to prevent users from seeing
their own documents and data. Not only has Windows XP definitely
gone further in the direction of allowing the user less control over
his or her own machine, but with Palladium, Microsoft apparently
intends to finish the job: Microsoft will have ultimate control over
the user's computer; users won't even be able to read their own data
without permission from Microsoft. This Register article discusses
where Microsoft wants to go: MS Palladium protects IT vendors, not you
[theregus.com]. See this ZDNet article, also: MS: Why we can't trust
your 'trustworthy' OS [zdnet.com].
Reduced Functionality in Windows XP
In some areas, Microsoft Windows
XP has reduced functionality. For example, the command line interface
does less in some ways than the CLI in Windows 98 SE (Second Edition).
The CLI is a big embarrassment because of its limited capabilities,
but at least in Win 95 it worked. With every version since then it has
worked less well. (There are two kinds of command prompt [cmd.exe and
command.com], and, according to Microsoft employees, the differences
between them are not fully documented.)
The command line prompt sometimes begins to display short file names.
Microsoft employees say that Microsoft has no fix, although someone
not connected with Microsoft did make a work-around.
Cutting and pasting into a command line program often puts successive
extra spaces before each line. Microsoft employees say that there is
no plan to fix this.
The fast paste mode that is in Windows 98 is gone in Windows XP.
Microsoft employees say there is no plan to fix this.
The DOS QuickEdit mode sometimes flashes wildly when trying to edit
from a DOS box.
There is a DOS program called START.EXE that can be used to start
other programs. But it does not operate the same way as in other
versions of Windows. It starts a program, but cannot be made to return
control to the command line program as previous versions did. There is
no technical reason for this; it is just one of the shortcomings that
are allowed to exist.
People often say that DOS has gone away. But Microsoft still calls the
command line interface "DOS", and in Windows XP Microsoft has added
new programs for configuring the OS that work only under DOS.
There are many other insufficiencies in Windows XP. Sometimes when you
press a key while using Windows XP, it is seconds until there is any
response. Apparently there is something wrong with the CPU scheduler
in XP, because there are a lot of complaints about this in the forums
and MS people have said that they are working on it. On one particular
fresh installation of XP, on an Intel motherboard with either a Matrox
G550 or an ATI Radeon video adapter, it requires 18 seconds to display
a directory listing of 94 items. This is apparently related to a
defect in the video software, not the adapter drivers.
As was mentioned, something is wrong with the taskbar and the Alt-Tab
display of running programs under Windows XP. If there are a lot of
programs, not all of them are displayed. The order jumps around in a
seemingly random way.
A reader sent a diagram showing that, when there are more than 21
programs loaded, the programs over 21 are shown, or not shown, in an
order that is not easily guessed. Sometimes when a program is not
represented on the taskbar it can look as though it is no longer
loaded. This can be dismaying when the program contains a complicated
setup, as when doing research on the internet and loading numerous web
Many people think the Windows XP user interface is poorly designed.
As people use their computers more, they become more reliant on good
design. Recently, Apple Computer released an operating system that has
a version of Unix underneath and Apple's design for the user
interface. Apple's article, Switch to Mac OS X (Macintosh Operating
System 10) [apple.com], discusses the differences in user experience.
The article is meant for software companies who are designing Apple
versions of their existing Windows programs. The article gives a good
idea of the flaws many people perceive in the Windows XP design.
When companies pick an operating system, they are partly guessing the
future. The investment in software is huge, not because of the cost of
the software usually, but because of the training and maintenance. If
a company makes the wrong guess, they may in the future need to spend
a lot of management time, employee time, and money in switching to a
new system. This makes it necessary that top managers understand the
direction the industry is going.
The combination of an excellent user interface and the power of Unix
underneath has led many computer professionals to consider Mac OS 10
presently the world's best operating system. Acceptance is slowed
because there is no version that will run on Intel or AMD processors,
the kind that most people have.
Microsoft is widely disliked. It seemed that there were a lot of
negative comments about Microsoft. Searches on Google for the words
"hate Microsoft" or "hate Microsoft XP" returned many, many results.
Not all these results are associated with disliking Microsoft, but the
intensity and accuracy of the discussions on even the last page of the
search results gives a general idea. (The plus signs in the search
terms mean that the term is required.)
Some of the web pages appeared soon after the introduction of Windows
95, such as So Why Hate Microsoft?? [tripod.com] and Why many Computer
Lovers hate Microsoft: Questions & Answers [amazing.com]
Some of the people who dislike Microsoft write for industry
publications, such as Daniel Dern at Byte.com, whose August 6, 2001
article, Why I Hate Microsoft - This Week [byte.com], discusses his
problems with Microsoft's licensing provisions.
Some of the articles in general interest publications are surprisingly
technical, such as the June 1999 article in the Boulder County
Business Report (Boulder County, Colorado, USA), Why programmers love
to hate Microsoft -- code out of control [bcbr.com].
The articles sometimes go into considerable detail, such as Why I hate
Microsoft [euronet.nl] and The SMASH MICRO$OFT page [zip.com.au].
Apparently users are becoming much more technically knowledgeable, and
beginning to resist practices that they previously did not understand.
A lot of the dislike of Microsoft is caused by Microsoft's hostile
behavior. Dislike of Microsoft first became strong among people who
weren't computer users when Microsoft's Bill Gates testified in the
anti-trust case, and was perceived by many to be lying. Internal
Microsoft documents such as those called The Halloween Documents
[opensource.org] discuss the impossibility of using FUD to compete
with Open Source software. FUD stands for "Fear, Uncertainty, Doubt";
it is deliberate lying to take advantage of people who have less
technical knowledge. See the section labeled "Key Quotes" in the
Halloween Document I [opensource.org].
There have often been stories of Microsoft using its operating system
monopoly to cause trouble for other software companies. An example is
the August 1, 2000 WinInfo article Microsoft knew about, ignored SP1
[Service Pack 1] personal firewall issues [wininformant.com]. Here's a
quote from the article: "Microsoft refused to fix the problem despite
numerous complaints during the lengthy SP1 beta". Microsoft's behavior
caused a huge amount of lost time. Merely documenting the problem
would have saved many people many hours.
It is difficult to evaluate what this strong negative sentiment toward
Microsoft might mean to a company with 10,000 employees. Will it make
Microsoft less able to hire good programmers, and therefore less able
to fix security vulnerabilities? If an alternative to a Microsoft
product appears, will the negative sentiment result in rapid movement
away from the Microsoft product, making it less economically viable?
Windows XP Service Pack 1
On September 9, 2002, Microsoft released
Windows XP Service Pack 1 (SP1). This included, according to
Microsoft, 311 kinds of fixes, involving more than 1,600 files.
However, apparently none of the problems mentioned in this article
Although Microsoft says that there are 311 kinds of fixes in Windows
XP SP1, industry writers have claimed that there are fixes that
Microsoft has not documented.
The Microsoft article, Release Notes for Windows XP Service Pack 1
[microsoft.com], lists the defects that have been found in SP1 since
it was released. Bruce Kratofil, an industry writer, said about
Microsoft's automatic updating process: "There could be a whole lot of
grief if this stuff gets automatically updated without you knowing
about the issues ahead of time." Automatic updating makes changes to
the user's computer without the user's knowledge.
Some people report major problems after installing SP1. For example,
see the September 20, 2002 PC World article: Win XP Update Crashes
Some PCs [pcworld.com]. (To put this issue in perspective, most users
are not having problems.) Those who decide not to install SP1 must fix
a very serious security defect immediately. See the September 28, 2002
Gibson Research article, Without XPdite, or XP's Service Pack 1,
clicking on a simple, but malicious, URL can delete the entire
contents of your directories. [grc.com]
On one computer in which the author of this article installed SP1, the
operating system power options were changed so that the system was
allowed to go into Standby mode. The computer, which has an Intel
motherboard of a type that is currently being sold by Intel, locks up
when it goes into standby. All work is lost. Only someone quite
knowledgeable would guess why the computer was ceasing to function.
Microsoft has a history of allowing defect fixes to change the
operating system settings without notice. Also, often installing new
hardware, or a contact failure that looks to the system as if hardware
has been removed, or repairing the operating system by reloading,
changes the system settings without notice. For example, in Windows 98
Second Edition, changing networking driver software resets the network
to the least secure setting. There is no warning.
Where is Microsoft taking us? There are many other indications of
where Microsoft is taking its customers. People who buy Microsoft mice
don't get the full functionality until they let the mouse software (!)
connect to Microsoft's computers.
Microsoft makes it quite difficult to upgrade a computer to fix
defects if it isn't connected to the Internet. Sometimes the
downloadable updates lag behind those available with Windows Update,
which requires that the computer be connected to the internet. The
downloadable updates are not in an order that makes it easy to decide
what you need.
Windows Media Player reports your music choices to Microsoft. The EULA
(End User License Agreement) for a security defect fix [bsdvault.net]
to Windows Media Player gives Microsoft complete control over your
computer: They own it, not you. That shows that Microsoft can and will
be sneaky. (The EULA says that it is limited to Digital Rights
Management, but Microsoft is trying, with Palladium, to extend Digital
Rights Management to everything you do on your computer.) This gives
an idea of the moral limits felt by Microsoft. See also the 12th
paragraph of a comment about the settlement of the Microsoft
anti-trust case [usdoj.gov], on the DOJ web site.
Another indication of the direction Microsoft is going is that, in
Windows XP, menus are sometimes 7 levels deep. This seems to show a
lack of ability to manage the development of useable software.
Unhealthy control leads to more unhealthy control. Managers at
Microsoft seem to be trying to create a situation in which Microsoft
operating systems are not independent software, but are dependent on
Microsoft computers. They apparently feel that there is no limit to
the control they should have, and are strongly determined to extend
The attempt to take more control, and to take more control without
adequate explanation, is a huge gamble with investors' money. If it
strongly alienates people from Microsoft, there may be a time when the
company has difficulty selling even good products.
Wanting more control, and a desire for control that cannot be
controlled, is a common psychological problem. For example, dictators
of governments often test the limits until they destroy themselves.
Design effective resistance to abuse. Human society in general is
not effective at stopping abuse. People have a difficult time being
clear about abusiveness, and therefore about protesting it and
stopping it. It is especially difficult for the average person to feel
clear about something technical like software. People tend to blame
themselves rather than the software that should serve their needs.
Instead of efficiently moving to limit the destructiveness of the
abuser, the abused people often begin to attack each other. Often
technically knowledgeable people have the presumption that, if they
know something another person doesn't know, that gives them a license
to attack the other person, or to feel superior. The fighting among
themselves of people knowledgeable about computers is part of the
reason there has been very little effective resistance to Microsoft's
Microsoft's self-destructiveness does not mean that the user should be
self-destructive. There is no need to apologize for using Microsoft
software, as many people do who know a lot about computers. The
correct solution to abuse is persuading the abuser to stop being
abusive. Rather than feel embarrassed because Microsoft is abusive,
action needs to be taken to prevent the abuse. If you protest
effectively against Microsoft abuse, you are not against Microsoft;
you are more pro-Microsoft than Bill Gates.
P.O. Box 14491
Portland, OR 97293-0491
E-Mail: ms-article AT myrealbox DOT com
(Take out the spaces, change AT to @, and change DOT to a period to
e-mail the author. The coded e-mail address helps discourage misuse of
the address by computer robots that harvest email addresses for sale
to those who send unwanted e-mail.)
This version was made available on February 16, 2003. It is revision
#1 of that day. (file micro08h.htm)
The latest version of this article can be found at
An equivalent address is http://www.futurepower.net/microsoft.htm.
(Always select View/Reload on your browser, so you read the version on
the web site, and not the version you read before, that was stored in
If you want other people who have an Internet connection to read this
article, please send them this link, rather than sending the article
by e-mail. That way they will read the latest version.
This article may be sent to anyone by e-mail without permission from
the author, provided that no changes are made, and provided you have
some knowledge of the person to whom you are sending the e-mail.
If you print this article with no changes, you may give it to anyone
you know. Other use requires permission.
Copyright 2002-2003. Futurepower ® is a trademark in the U.S. and
Please mention errors and shortcomings to the author so that he can
Microsoft and Windows XP are trademarks of Microsoft Corporation.