|
|
ONLINE FEATURES
Book Reviews
BW Video
Columnists
Interactive Gallery
Newsletters
Past Covers
Philanthropy
Podcasts
Special Reports
BLOGS
The Auto Beat
Byte of the Apple
Europe Insight
Eye on Asia
Getting In
Investing Insights
The New Entrepreneur
NEXT: Innovation Tools & Trends
On Media
Technology at Work
The Tech Beat
Traveler's Check
TECHNOLOGY
Product Reviews
Tech Stats
Hands On
AUTOS
Home Page
Auto Reviews
Car Care & Safety
INNOVATION
& DESIGN Home Page Architecture Brand Equity Auto Design Game Room SMALLBIZ Smart Answers Success Stories Today's Tip FINANCE Investing: Europe Annual Reports Bloomberg BW50 SCOREBOARDS Hot Growth Companies: 2008 Mutual Funds Info Tech 100 B-SCHOOLS Undergrad Programs Rankings & Profiles | |
APRIL 29, 2003
By Alex Salkever For Windows, Less Fat Means Fewer Bugs With Windows Server 2003, Microsoft is promising greater security. However, its 50 million lines of code mean it'll never be secure enough
This time around, the Colossus of Redmond is promoting the new version's stability, ease-of-use, and most important, improved security. At the official corporate unveiling of Win 2003 in San Francisco, Microsoft CEO Steve Ballmer urged customers to trust the security in the new operating system software. If this sounds familiar, well, that's because Microsoft has said some of this before. Windows 2000 supposedly packed many of the same benefits, including better security. Alas, Win2K and the subsequent WinXP have been dogged by a series of nasty security flaws that has enraged info-tech professionals and drawn smug flames from the Linux/Unix community. Hardly a month has gone by without Gates & Co. fessing up to at least several security flaws. Tech news site Slashdot.org recently posted a notice about one under the tongue-in-cheek headline "Weekly Microsoft Critical Security Issue." Ouch. FOLLOW THE WIZARD. For the 2003 version, Microsoft threw even more resources into making the code safe. It halted all programming work for 10 weeks during the winter of 2002 to teach its engineers more about how to build secure software. It used in-house hackers to try to tear apart Win 2003. And it built innovative automated software to check for common types of security flaws. Most important, Microsoft decided to ship Win 2003 with some key components turned off by default, especially the much maligned Internet Information Service (IIS) Web server. And for the first time, Microsoft has included a handy "Security Wizard" that walks a systems administrator through securing his Windows server. Clearly, no one should accuse Microsoft and security chief Mike Nash of ignoring security. Still, I fear that for all Microsoft's efforts, its software will continue to face wave after wave of security flaws. The root of the problem isn't necessarily lack of effort but the basic laws of mathematics. The central one is this: Roughly speaking, a system's complexity increases dramatically for each new piece of information introduced. So, when it comes to software, each line of code added to a program results in a leap of complexity. The more complex a system becomes, the harder it is to accurately predict how it'll behave. By the same token, the trickier it becomes to safeguard the system's security. FUTILE APPROACH. This lesson is seemingly lost on Microsoft. Each subsequent release of Windows software contains more and more lines of code. By definition, each release will have more and more vulnerabilities because the laws of large numbers trump even the best efforts of Bill Gates's armies of sophisticated programmers. In reality, the most massive fight to shore up code will prove akin to holding back the sands of the desert. Much of Microsoft software's gargantuan size results from it trying to build in backward compatibility with older systems. (Not surprisingly, a high percentage of software holes are attached to mechanisms designed to do just that.) In its defense, Redmond's ability to continue to engineer backward compatibility and ensure continuity has contributed plenty to the success of its products. However, in Win 2003, Microsoft finally concedes to the critics on this point by refusing to guarantee backward compatibility for a large swath of software and systems designed for the now-decrepit Windows NT 4 server software. That will likely elicit squeals of protest from folks who like NT just fine and want to run mixed-server networks. But Microsoft is well within its rights to stop promising that Win 2003 will work with applications that were written for NT. A NEW INITIATIVE. Regardless of this decision, the code bloat in the House that Gates Built continues. The latest version of Windows sucks up even more hard-drive space than its predecessors, thanks to more than 50 million lines of code, vs. 35 million for Win2K and 40 million for Win XP. Microsoft is recommending that system administrators run Win 2003 on machines with at least 256 megabytes of RAM (random access memory). That's four times the recommended RAM for Win 2000 and twice the recommended RAM for Win XP, a slightly more advanced version of the software. That highlights the inherent contradiction between higher security and simpler software, not to mention Microsoft's very public comments about its ballyhooed Trusted Computing Initiative, a project that aims to build computers that are inherently more secure from the ground up. I would propose a new kind of Trusted Computing Initiative for Microsoft. It will take a cultural change, for sure, but I think Gates has enough talented people who can make it happen. That initiative would mandate that each subsequent version of Windows carries less code than the prior one. This would require some rethinking of the way Microsoft software works and a new focus on elegant coding to remove any fat. Fat hides bugs. Lean code reveals all. Better yet, slimmer programs run faster and crash less. None of this is to say Win 2003 represents a major step backward. It doesn't crash as much as its predecessors. It does use better, more elegant code. But it's still 50 million lines, and I'm more than certain that Microsoft could figure out ways to keep delivering more features with less code under the hood. That's what I would call a Trusted Computing Initiative.  Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column Get BusinessWeek directly on your desktop with our RSS feeds.  Add BusinessWeek news to your Web site with our headline feed. Click to buy an e-print or reprint of a BusinessWeek or BusinessWeek Online story or video. To subscribe online to BusinessWeek magazine, please click here. Learn more, go to the BusinessWeekOnline home page  | | |
 Copyright 2003, Bloomberg L.P.Terms of Use | Privacy Policy |
Printer-Friendly Version
