In the January issue of Smart Access, I ranted abouthow awful hackers (in the pejorative sense) were and went on to suggest thatMicrosoft ends up carrying a lot ofthe blame for the actions of vandals. AndrewBenner wrote in with what I thought was a great response:
I certainlyagree with you that each dirtbag who writes a virus/trojan and releases it intothe wild is to blame for the havoc their software creates. By the same token,Microsoft is directly responsible for the software it creates.
Microsofthas been criticized by the security community for as long as I have beenreading trade journals and magazines. Microsoft has been aware of problems withits OS since Windows 3.1. Microsoft has been aware of issues with Office sinceits first release. The company…has been putting features oversecurity/stability. Many, such as you, are willing to give Microsoft a breakand claim the current issues are “because of the Internet.” It isn’t. There aremany reasons and almost all of them pre-date the Internet (as we all know).
I’m notwilling to let Microsoft off the hook. The issues it is responsible for havebeen known for too long. The current morass it faces is arguably a directresult of its business plan.
It’s hard to argue with Andrew. There are really only
two places where I disagree. The first is my fault—I didn’t mean to indicate
that I thought the current issues were “because of the Internet.” I do feel
that Microsoft’s attitude toward security issues reflected a “pre-Internet”
mindset that wasn’t inappropriate when Windows 3.1 was created. The security
problems we face don’t exist “because of the Internet.” What the Internet has
allowed is for the existing security failures to be exploited to a far greater
degree than anyone would have thought possible in the pre-Internet age.
The second issue that Andrew raises is that Microsoft
put “features over security/stability.” You just can’t argue with
that—Microsoft has. But the question that you have to ask is, “Why?” Was it
because the people at Microsoft are stupid or evil? Both seem unlikely to me
(you’re entitled to your opinion).
As Andrew points out, the answer relates to
Microsoft’s business plan: Features sell products, while security and stability
don’t (or didn’t). People wanted features in their software and were willing to
pay for them but weren’t willing to buy competing products that were less
feature-rich. Microsoft served its customers (or chased the dollar, depending
on how you want to look at it).
You can complain that the people who made those
decisions were stupid or were tricked. I’m always uncomfortable with those
claims. I remember an article with Bill Gates in Fortune magazine back in the
early 1990s. In that article, Bill advanced the idea that affordable “good
enough” technology drives out expensive high-end technology every time.
I suspect he’s right. The VHS video recording system
succeeded, and the Beta video recording system didn’t, though Beta provided
better picture quality. I suspect that most people preferred the cheaper costs
(and longer recording times) of the VHS system and didn’t value the better Beta
picture quality. Volvo made safety a primary feature of its cars and steadily
lost ground to other car manufacturers with flashier sales pitches. Windows 3.1
drove out OS/2, though Windows 3.1 was less stable than OS/2. Windows 3.1 cost
80 percent less than OS/2 and provided backward compatibility to DOS programs
(in the same article, Bill pointed out that customers put a high value on
backward compatibility).
In addition to the business-related answer, I think
there’s a more personal answer. I suspect that people inside Microsoft are a
lot like me: It’s a lot more exciting to code features than it is to code
security and stability. But that’s probably just me projecting my personal
failures onto other people.
I suppose you could make a claim that Microsoft should
have (a) been more farsighted, (b) taken the high road, and (c) acted in the
best interests of its customers and provided better stability/security, even if
that wouldn’t generate better sales. That behavior seems unlikely in a
capitalist/consumer society.
Besides, why should any company do anything that its
customers don’t want? If customers ask for something, companies should do that.
However, customers are also allowed to change their minds. Customers can decide
that, for instance, security and stability are more important than features.
When that happens, companies that can’t switch to providing what the customer
wants now are going to suffer. Business life in a capitalist/ consumer society
is like that, too.