Web Informant #243, 2 April 2001:
Trust me, I'm from Microsoft (and I am here to help you)

http://strom.com/awards/243.html

I've lived long enough to have learned
The closer you get to the fire the more you get burned
It's hard when you're always afraid
You just recover when another belief is betrayed
After you've heard lie upon lie
There can hardly be a question of why
And some might have learned to adjust
But then it always was a matter of trust

Even though he was talking about love, Billy Joel said it best (excuse some editing license here). And when it comes to matters of consumer software trust, Microsoft is one lousy lover.

If we look at the past few years' worth of news stories, we can quickly find many Microsoft misdeeds: collecting information on individuals' use of their operating systems through the globally unique ID, security breaches du jour with various Outlook and Outlook Express viruses, patches to Internet Information Server to prevent malicious pieces of code from revealing files stored anywhere on the machine regardless of security settings, badly behaving ActiveX controls that can do just about any damage to a machine, its own badly configured corporate networks that were easily hacked, rogue security certificates issued by Verisign to people they thought were Microsoft employees but weren't, Hotmail problems that allowed anyone to open anyone else's email, Hotmail privacy abuses allowing spammers to harvest their email on Infospace, Hotmail passwords being stolen by various hackers exploiting security loopholes, and numerous other Hotmail service interruptions and privacy problems. And let's not even get into the blue screen of death and the frequent Windows crashes, or the default security settings for various Microsoft software.

All right, you say. Enough. It is a big company, and it is hard to keep track of everything going on with your products when you have to run a government-approved monopoly in so many areas of applications software, operating systems, and Internet tools. Give the company a break: after all, isn't the end user better served with the current crop of Microsoft applications and operating systems than those dark days of the past when we had to choose our IP protocol stack and dial-up program vendors, and install web browsers from scrappy Silicon Valley startups? Well, now that I put it that way...

Some of my colleagues in the press have argued that the corporate hubris allows -- or certainly inculcates -- these sorts of security breaches to happen. Gates' DOJ testimony is a good case in point about corporate hubris. Certainly, the way that Microsoft has responded to many of these issues in the past has been first to deny, then to reluctantly issue a patch -- although that could be changing, particularly with their behavior about the Verisign certificates. (Although you can't really blame Microsoft for that problem, can you?)

But hubris only goes so far as an explanation. Some of this certainly comes from integration of the browser into Windows, and having a seamless landscape that offers untold opportunities to hackers to try their craft (or whatever the heck you want to call their twisted business) on us unwitting users. Some of this comes from having more and more Windows computers directly connected to the Internet, thanks to those broadband companies still in business. (Guess which DSL provider Microsoft picked for a strategic relationship, and which same DSL provider just left all their customers in the dark last week? Okay, you can't blame Microsoft for a bankrupt Northpoint, but it all goes back to this level of trust thing.)

Perhaps that is more a function of the depth and breadth of its products than any one particular corporate attitude. Yeah, sure, and I have this bridge in Brooklyn cheap.

Trust came to the forefront recently with Microsoft's latest offering, code named Hailstorm. Announced last month, it is a huge leap of trust forward for the company, which is asking us to trust it with our most personal data, everything from credit card numbers to shopping and shipping preferences. You can read the decoded press release here, translated care of Tom von Alten.

At the core of Hailstorm is Microsoft's Passport, its authentication service for Hotmail, MSN, and a host of new services to come. When you sign up for a new Hotmail account, for example, you use Passport to establish your identity. Microsoft currently requires you to specify things like your location and birthday to set up a new account -- this is the information that is contained inside your Passport. You also have the option to include additional information, such as your credit cards, in your Passport, to speed purchases at web sites that recognize your Passport "wallet."

How many people with Hotmail accounts have these wallets? Not many, from what I can tell.

Given the number of security breaches with Hotmail alone, you don't have to be as crazy as Gary Sinise (or Kirk Douglas or Jack Nicholson, depending on your theatrical memories) to know that this is a bad idea. And while problems with Passport aren't usually responsible for all the security sinkholes surrounding Hotmail, it is a close enough kissing cousin that it is bothersome. Again, it gets back to a matter of trust. Until Microsoft can strengthen both services, Passport is more a ticket to trouble than a way to trust Microsoft with my personal tidbits.

Indeed, I think a good measure of consumer trust is the following metric: take the total number of active members (A) of a particular web site or service (you pick your own definition, but how about those members who have signed on within the last three months). Now take the total number of members (C) who have put their credit card numbers on file with your site or service. Take the ratio of C to A. What do you get? More than ten percent? You have a lotta trust. Less than 0.001 percent? Probably where Microsoft Passport is. Ten percent is a pretty miserable goal, dontcha think?

I gotta go. It's time for me to re-read a few grassy knoll books and watch Mel Gibson and Julia Roberts build their mutual trust. And maybe think about locking my refrigerator, or at least putting my credit cards in the crisper. Better than giving these numbers to Microsoft for now.


N.B.: Some interesting commentary on Passport's changing Terms of Use can be found here.

Self-promotions dep't

This week's edition of Network World carries a feature article I wrote about the networking innovations happening at the new Tokyo Disney Sea theme park: the park carries all data, as well as audio and video applications over a unified Gigabit Ethernet network.

Speaking of security sinkholes, I just finished a wonderful O'Reilly book, called Securing Windows NT/2000 Servers for the Internet. It is a must read for anyone who is serious about deploying applications on these platforms, and particularly good at providing solid tips on how to harden your Windows servers to prevent break-ins.

To subscribe, send a blank email to
informant-subscribe@pez.oreillynet.com

To be removed from this list, send a blank email to
informant-unsubscribe@pez.oreillynet.com

David Strom
david@strom.com
+1 (516) 944-3407
back issues
entire contents copyright 2001 by David Strom, Inc.
Web Informant is a registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with the U.S. Library of Congress.