Does 'Trustworthy' Computing Matter?
About seven years ago, Bill Gates announced in a Trustworthy Computing memo emphasizing the importance of availability, security, privacy and trustworthiness in the software Microsoft develops.
Here's what he said about the last of these:
"Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving 'five-nines' availability."
Now I'd say that the rather dismissive "more than just fixing bugs" implies Microsoft will actually fix bugs and in a reasonable amount of time at that.
So the recent announcement that the company has finally gotten round to fixing a known flaw in its Server Message Block (SMB) protocol a full seven years after it was discovered simply beggars belief. The bug affects operating systems including Server 2003 and Server 2008, and could result in remote code execution by a hacker. Seven years seems an absurdly long time for a serious bug to remain unpatched.
So why did it take so long to fix? Because coming up with a fix would have been hard to do without breaking other Microsoft products, according to Christopher Budd, a security program manager in the Microsoft Security Response Center (MSRC).
"When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications. And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable," he explained in his blog last week.
This is disputed by Eric Schultze, a former Microsoft employee who claims to have brought the bug to the company's attention in the first place. "We probably could have solved it back then if we'd had a few months to noodle on it," he says.
Instead of coming up with a solution, the company suggested using SMB signing to mitigate the problem, although Budd admits that this was a bit of a half-baked idea. "... the reality was that there were similar constraints that made it infeasible for customers to implement SMB signing," he says in the blog.
So here's a message to Chairman Bill: Winning customers' trust involves fixing bugs in a timely manner. A few months noodling on them first is acceptable, if the problems are tough ones to crack. Seven years noodling is not.
The boys and gals in the enterprise Linux world may be swifter at releasing patches, and it's a sign of the growing maturity of that market that internecine warfare is beginning to break out. Here's the opening seconds of an ad campaign you might be seeing in the near future:
"Hello! I'm a SUSE Linux Enterprise Server."
"And I'm a Red Hat."
It's not quite as catchy as the PC/Mac "Get A Mac" switcher ads, but it looks like the folks at Novell have decided to take a page out of Steve Jobs' book and launch a switcher campaign of their own. In an act of breathtaking chutzpah, Novell announced last week a new subscription and support program "designed to aid customers making the transition from their existing third-party Linux distribution to SUSE Linux Enterprise Server."
The new program provides technical support for a customer's existing Linux deployments and for that read Red Hat (or possibly CentOS) for up to two years while transitioning to SUSE Linux Enterprise.
It's an aggressive move on Novell's part, and one that will almost certainly provoke a response. But it's also good news for enterprise customers if it gives them more options for switching, if they want to.
It's a big "if." How would you characterize the two Linux distributions to persuade potential customers to move from Red Hat to SUSE? Apple's commercials work because PCs and Macs each have their own very distinct characters: memorably described in The Guardian as "PCs are a bit rubbish yet ultimately lovable, whereas Macs are just smug, preening tossers."
In contrast, there's not much difference between Red Hat and SUSE servers really. If they were guys you'd have to describe them both as "secure, reliable, popular, with big ambitions." Novell may well find that getting people to switch from Red Hat to SUSE is much harder than it thinks.
Paul Rubens is an IT consultant and journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.