I've begun to think maybe I should take down this page. I'm not as frothing-at-the-mouth against Microsoft as I used to be. Heck, I even started using Windows 2000 because I finally thought Microsoft had a stable, powerful enough operating system that I could have almost as much power as I had under Linux. Now Microsoft is even admitting their operating system has bugs and releasing frequent fixes, something they never did in the early days. That kind of honesty surprised me and I'm softening up to them. Maybe they don't suck after all. Maybe this page can be a snapshot of what Microsoft used to be like. Maybe. Just Maybe.

- Tue Sep 16, 2003

Why Microsoft Sucks

This is an informal hogde-podge of anecdotal information lending credence to the hypothesis that Microsoft is a disgraceful, unreliable, dishonest company. And sometimes just plain bone-headed, too. Most of the information is actually from the moderated USENET Newsgroup comp.risks, which is a reasonably reliable source of technical information.


The "Halloween" Documents, a collection of leaked internal Microsoft memos from late 1998 that are self-testimonials to the dishonest tactics that are normally used by this company, in response to their deep fear that Linux and other Open Source Software might blow Microsoft out of the water over the next few years.
First, some links to other people that agree with me.

Other "Microsoft Sucks" links

This is just a very small sampling of the pages around the world that already have the title Microsoft Sucks. A much more extensive and up-to-date list can by generated by going to Google and searching for the string "Microsoft sucks". I'm not sure why I was surprised at the number of pages that already exist on the topic...

Survey proves: Microsoft sucks 14.77 times as much as Apple sucks

My list of examples of why Microsoft sucks

[1] RISKS DIGEST 18.64
Date: Mon Dec 02 14:47:15 EST 1996

From: Tim Panton 
Subject: Web-based auto update of Microsoft's Java support

  [Here is a frightening snippet from Microsoft's website I'm not sure I
  understand the full implications of it, but I don't doubt that there are
  risks involved.]

http://www.microsoft.com/java/sdk/getstart/javac007.htm :

Updating the Java Support on a User's Machine

If you are placing an applet that uses COM on an HTML page accessible from
the Internet, you must ensure that any users who encounter that page have a
version of the Java Support for Internet Explorer that fully supports
Java/COM integration.

To do this, you must insert the following tag on the HTML page
containing your applet (or on the introductory page of your Web site): 

This tag causes the user's Internet Explorer to check the version of its
Java support. If the version installed on the user's machine is not
Internet Explorer downloads the latest version of Java support from
http://www.microsoft.com and updates the user's machine.

 - - - -

The potential risks are endless. Say I know of a security hole in a 
specific version of IE, I can automatically get visitors to 
my website to install it, then attack them through the hole.
Some questions:
Does it ask the user first ?
Can I force a  'down'grade, i.e., install an older version ?
What happens if the user uses two sites that require different versions?
Is the code signing strong? (i.e., stronger than MS's CD keys ?), can I
fake a CAB file?

Tim Panton, Westhawk Ltd, Frederik Hendriklaan 89, 2582BW Den Haag. The
Netherlands  tpanton@ibm.net   +31 6 5348 1795   http://www.westhawk.co.uk


[1] RISKS DIGEST 18.65

Date: Tue, 3 Dec 1996 13:25:24 -0500
From: Bob.Price@cwi.cablew.com
Subject: MS-Access Runtime trashes WFW

Unless especial pains are taken, 16-bit MS-Acess runtime disks made on a
Windows-95 machine with 16-bit Access will cause near-irreparable harm when
installed on a WFW or Windows 3.1 machine.  The reason is that some 32-bit
system .DLLs are copied to the distribution diskettes (or network
distribution set) along with the 16-bit files, and because the 32-bit files
have the same names as the 16-bit files, the 16-bit platform no longer works
properly.  I'm told the official Microsoft paper on the subject says to
format the hard drive and re-install everything.  I was able to "recover" by
upgrading to Windows-95; others have had success ferreting out the specific
files and replacing them.  Reinstalling WFW didn't fix anything.

Bob Price  Cable & Wireless Inc.  bobp0303@hotmail.com  (703)760-3071


[1] RISKS DIGEST 18.80
Date: Sat Feb 01 19:07:45 EST 1997

Date: Fri, 31 Jan 1997 12:51:38 -0800
From: Geoff Kuenning 
Subject: Spelling checkers and inconsistent interfaces

A posting on the Orchestra List once again highlights the RISKS of
inconsistent interfaces:

> From: Symph@uwyo.edu (Michael T. Griffith)
> To: orchestralist@hubcap.clemson.edu (ork)
> Subject: spellcheckers
> I know some of you have been amused (at best)  by my spellchecker episodes
> in the past few weeks (Hindemith came out as Hindmost was the worst). If
> you're interested, I've discovered the problem, and will share it with
> Microsoft Mail users out there.
> In MS Word, if the spellchecker highlights a word it doesn't know, like
> Hindemith, you can click on "add" and it puts Hindemith into its dictionary
> In MS Mail, if it highlights a word it doesn't know, and you click on "add,"
> it puts the highlighted correction it offered into the dictionary as a
> permanent correction. Since "Hindmost" was the first offered correction, it
> permanently noted that every time I type Hindemith, it would substitute
> Hindmost.

So in one interface, "add" means "add this word, as-is, to the dictionary."
In the other, "add" means "add this suggested replacement to the dictionary
and never ask me again."

Incidentally, ispell users have been asking for the latter feature for
years, but I have stubbornly refused because I think that automated
replacement is far too RISKy to trust a computer.

Geoff Kuenning  g.kuenning@ieee.org     geoff@ITcorp.com

  [Hindemith wrote "Mathis der Maler".  Hindmost wrote "MS der Mauler",
  seemingly applicable in English (one who mauls).  Although not quite
  echt deutsch, there are several potentially pertinent interpretations
  as well.  PGN]


[1] RISKS DIGEST 18.84
Date: Fri Feb 21 19:04:08 EST 1997

Date: Fri, 21 Feb 1997 11:46:11 -0800 (PST)
From: fc@ca.sandia.gov (Fred Cohen)
Subject: Re: MS on the CCC ActiveX virus (RISKS-18.83)

Re: SBN Wire: News Flash, Brad Silverberg

> You may have heard reports about a malicious software program created and
> demonstrated recently by the Chaos Computer Club (CCC) in Hamburg, Germany.
> I want to personally assure you that Microsoft(R) Internet Explorer 3.0 has
> the appropriate safeguards to protect against this type of threat.  By using
> its default security level (High) that comes pre-set, Internet Explorer 3.0
> will not download and run any "unsigned" control such as the one from the
> CCC.

I appreciate your insightful opinion on this matter, however...
        Anyone can get a signature key without authenticating their
        legitimacy.  It's relatively easy to break into a system and take a
        legitimate key.  The default may be changed by the user for one use
        and remain changed.  Other flaws in Explorer may be used to turn
        that feature on - then look out.

> The CCC demonstrated its malicious executable code running on Microsoft
> Internet Explorer 3.0, though they could just as easily have demonstrated a
> similar attack on any other browser.  While it is unfortunate that hackers
> have created this harmful program, it does point out the need for users to
> act cautiously and responsibly on the Internet, just as they do in the
> physical world.

I appreciate your insightful opinion on this matter, however...
        This is not accurate.  The very nature of ActiveX makes it
        impossible to operate it securely.  Unlike other vendors who
        make attempts at providing improved protection, ActiveX is a
        hole waiting to be exploited.

> Malicious code can be written and disguised in many ways - within
> application macros, Java(tm) applets, ActiveX(tm) controls, Navigator
> plug-ins, Macintosh(R) applications and more.  For that reason, with
> Internet Explorer 3.0, Microsoft has initiated efforts to protect users
> against these threats.  Microsoft Authenticode(tm) in Internet Explorer 3.0
> is the only commercial technology in use today that identifies who published
> executable code you might download from the Internet, and verifies that it
> hasn't been altered since publication.

I appreciate your insightful opinion on this matter, however...
        No disguise is needed for malicious ActiveX programs.  Any ActiveX
        program can potentially - either maliciously or by accident or even
        as a result of configuration differences, cause a system crash, the
        corruption or destruction of information and/or unlimited leakage
        and it doesn't depend on some hard-to-find hole in an otherwise
        secure application.  It is a direct result of the methods used by
        Microsoft, cannot be easily cured with any bug-fix.

> If users choose to change the default security level from High to Medium,
> they still have the opportunity to protect themselves from unsigned code.
> At a Medium setting, prior to downloading and running executable software on
> your computer, Microsoft Internet Explorer presents you with a dialog either
> displaying the publisher's certificate, or informing you that an "unsigned
> control" can be run on your machine.  At that point, in either case, you are
> in control and can decide how to proceed.

I appreciate your insightful opinion on this matter, however...
        Even if you choose wisely, ActiveX is a hole waiting to be exploited
        and provides essentially no protection.  As the folks at Microsoft
        know well, impediments are easily and commonly removed - and the
        use of the display box for popular applications is likely to result in
        the question being turned off in favor of easy access.

> As you know, Microsoft is committed to giving users a rich computing
> experience while providing appropriate safeguards.  Most useful and
> productive applications need a wide range of system services, and would be
> seriously limited in functionality without access to these services.  This
> means that many Java applications will have to go "outside the sandbox" to
> provide users with rich functionality.  By signing code, a developer can
> and integrity safeguards they need.  Other firms such as Sun and Netscape
> are following our lead, and have announced that they will also provide code
> signing for Java applets. Microsoft will also be providing an enhanced Java
> security model in the future, giving users and developers flexible levels of
> functionality and security.

I appreciate your insightful opinion on this matter, however...
        "...while providing appropriate safeguards" is just not true.
        Microsoft has a long history of providing systems with no
        protection, and only recently introduced the first system with
        even mild protection in it's NT product.  Java provides a lot of
        functionality within the "sandbox", but I am not an advocate of
        Java either. The syle of computing being pushed out to consumers
        is inherently risky and must be implemented with substantial controls

        There is nothing wrong with having signatures, but it is no
        guarantee either.

> Microsoft takes the threat of malicious code very seriously.  It is a
> problem that affects everyone in our industry.  This issue is not tied to
> any specific vendor or group of people.  All of us that use computers for
> work, education, or just plain fun need to be aware of potential risks and
> use the precautions that can insure we all get the most out of our
> computers. For this reason, we are committed to providing great safeguards
> against these types of threats in Internet Explorer.  We expect hackers and
> virus writers to get increasingly sophisticated but we pledge we'll continue
> to keep you and us one step ahead of them.

I appreciate your insightful opinion on this matter, however...  Microsoft
        still has not addressed Word Macro viruses, PC viruses, Windows
        viruses, etc.  The claim that "Microsoft takes the threat of
        malicious code very seriously" is ludicrous on its face.  This is
        the same company that has distributed viruses to its customers because
        it didn't do adequate checking of its distributions for known viruses.
        This is the company whose Windows installation deleted all of the
        README files on a system when the user upgraded.  This is the same
        company that continues to ship software with inadequate protection.
        All of this "perception management" doesn't change the fact, and it
        shouldn't sway the readers of this letter either.

FC  [Fred Cohen can be reached at tel:510-294-2087 fax:510-294-1225]


RISKS-LIST: Risks-Forum Digest  Saturday 31 May 1997  Volume 19 : Issue 20

Date: Thu, 29 May 1997 12:04:45 -0400
From: "Mich Kabay [NCSA]" 
Subject: Microsoft and Privacy

>From Computer Privacy Digest Wed, 28 May 97, Volume 10 : Issue: 026
Date: 27 May 1997 14:45:37 -0600
>From: cooler 
Subject: Microsoft and Privacy

Yesterday I became aware of an online privacy issue involving Microsoft, and
I hope to bring an awareness of this issue to anyone who can take that
awareness further.

The issue is this: Microsoft has begun to set up a series of "Sidewalk"
sites, ostensibly to provide local information for various cities.  One
example is at http://www.newyork.sidewalk.com/ .  If you visit that site,
you can see a link (toward the right) to "Terms and Conditions".  The link
is to a page explaining the "Terms of Use" of the Sidewalk site.  This is
rather unusual; I don't know any other site that has "Terms of Use".
Reading through six paragraphs of fine print you will see that they are
asserting that your usage of their site entitles them to sell your e-mail
address together with any demographic data they might gather about you.

I believe there is a serious online privacy issue because:
 1) Few visitors will be aware that they have implicitly consented to
    allow the sale of their personal data.
 2) Providing local information about cities increases the chance that
    your personal data will be tied to geodemographic data.
 3) Microsoft also makes a browser.  We have no way to know that they can't
    grab your e-mail address with it.  Indeed, their new browser integrates
    seamlessly with the information on your desktop, so the potential is
    there for them to grab much more data.

While the selling of personal data is nothing new, I believe that
Microsoft has an unusual advantage here.  Their willingness to gather
and sell this data, together with the intimacy of their browser,
presents a new and possibly dangerous threat to personal privacy.


alt.humor.best-of-usenet (moderated) #8191 (0 + 0 more)                    [1]
From: Toby Speight 
[1] [comp.emacs] Re: RMS is being a weenie
Followup-To: alt.humor.best-of-usenet.d
Date: Sun Oct 19 13:55:53 EDT 1997
Organization: best of usenet humor
Lines: 34
X-Disclaimer: The "Approved" header verifies header information for article
+             transmission and does not imply approval of content.  See .sig
+             below.
X-Submissions-To: ahbou-sub@acpub.duke.edu
X-Posting-Moderator: Peter Simons
X-FAQ-Is-At: ftp://rtfm.mit.edu/pub/faqs/best-of-usenet-humor
X-For-FAQ-Mailto: ahboufaq@eey.org
X-Moderator-Review: thumps-up

Subject: Re: RMS is being a weenie
From: David Kastrup 
Newsgroups: comp.emacs

Rich Pieri  writes:

>>>>> "JAB" == John Arley Burns  writes:

JAB> Grow up? Stop using windoze - that's maturity! ;)

> Yeah, right.  OS flames are really mature.
> Ever hear of the concept of using the right tool for the job?

Of course you're right.  Nothing like Windows for programmers into
heavy masochism (oh, yes, Master Gates, I have failed to adapt to your
latest secret API.  Punish me.  Give me the Global Protection Fault.
Give my hard disk freely to others via one of the many holes you
pierced in my ActiveX. Boot and reboot me, again and again.  Make me
say "industry standard", then whack me with unexpected changes just
when I'm feeling safe.  Come up with faster ways to use my inputs and
outputs (cd http://www.i2osig.org), but let never again let me know
freely about how to work with them).

Use the right tool for the right Job [sic].

Sorry, this was too hard to resist.  I promise to be a good boy from
now on (at least for a while).  Sob.


Date: Wed, 12 Nov 1997 13:46:29 -0500
From: Harvey Newstrom 
Subject: Re: Why Microsoft is a Threat to Freedom

Michael Lorrey wrote:
> there's a route to take for personal choice....Or you could buy a Mac,
> pay twice as much for the same performance you get in your PC. There's
> another choice.

Actually, price/performance ratios for Macs are the same or better than
Intel PCs.  Keep in mind that Macs come with built in ethernet, stereo
sound, video capability, music synthesizers, voice recognition, and
other items that aren't included in some PC prices.

It's also hard to compare prices on the fastest Motorola or Alpha chips
with Intel chips because Intel can't go that fast yet.  If you need the
fastest machines, the price of Intels become infinity (= not available).

At 21:23 3-11-97 Lee Daniel Crocker  wrote:
> > Anbody that tries to make a M$ competing product will be aquired by MS or
> > will be cut of with technical incompatibility tricks. That failing, the

This has been my experience with Microsoft products.  I am currently
trying to build web pages that are standard HTML and compatible with
every browser.  I downloaded Microsoft Internet Explorer to my Macintosh
and installed it.  In the "README.TXT" file it explained that it changed
the data format of my "Internet Config" control panel, which is used by
all TCP/IP programs on my Mac.  It them explained that other programs
may not be compatible with the "newer" version.  Basically, they
reformatted another product's data files in such a way to make it
MS-compatible only, and broke it for other products.

Another example just occurred at IBM where I work, also involving
Microsoft and Web Pages.  The Microsoft servers wouldn't feed graphics
correctly to Netscape browsers.  They claimed that the Netscape browser
can't view the file, but that Internet Explorer can.  Upon
investigation, it turns out that the files are readable by Netscape, but
that the Microsoft Server refuses to serve to Netscape clients.  When
one of our engineers tried to retaliate by making his webserver refuse
to serve to Microsoft Internet Explorer, we discovered that the
Microsoft browser will misrepresent itself to gain access.  It first
claims to be Microsoft Internet Explorer.  If access is denied, it then
claims to be Netscape Mozilla to gain access.

There also are many examples of Microsoft products opening back doors on
machines to allow their servers to gain access, or for their anti-piracy
software to check for stolen products on your machine.  Some of these I
have discovered will open listening sockets on the network, even when
networking appears to be disabled and all access permissions are denied.
This latter example occurred with a wordprocessor program on a
"non-networked" machine that was causing network problems for other
machines.  There was no way to open a document file without the machine
turning on the network and communicating data about the local machine to
other Microsoft products on the network.

As a Network Security consultant, I recommend that my clients do not use
products that deliberately sabotage other products, lie to security
filters to gain access to other machines, or open back doors to the
network that are neither documented or part of the product's normal
- -- 
Harvey Newstrom  (harv@gate.net)


Date: Thu, 13 Nov 1997 11:46:16 -0500
From: Harvey Newstrom 
Subject: Re: Why Microsoft is a Threat to Freedom

Michael Lorrey wrote:
> Haven't been shopping for PCs lately huh?

Of course I have.  I wouldn't have made a statement about price
comparisons if I hadn't actually compared prices.  I have recently
purchased six PC's, 3 Macs, and 2 Unix Workstations for my home lab.

> What do you mean "another products data files"? Do you mean that it made
> IE the default browser for .html files for that computer? Duh, thats
> merely a matter of file format association.

No, I mean the installer opened up private preferences files for other
non-Microsoft products that were previously installed on the computer
and changed the data in those files such that the original applications
couldn't use their own files any more.  Internet Config is a seperate
product for configuring IP on the Mac.  No other product is supposed to
write to those files, although the product will feed information from
those files to other applications.  By changing the data formats in this
file, Microsoft caused competing products to start failing with
corrupted data while Microsoft products continue to work with the new
format.  Restoring the Internet Config file from backup reenables the
other products to their original functionality.

> Here's an idea. Netscape could, GASP, do the same thing, impersonate an
> Explorer browser to gain access to a MS webserver.... Gee why didn't I
> think of that... I dunno, it must be because I don't work for
> microsoft.....

Sure they could do the same thing.  But as a Network Security
consultant, I take a dim view of software deliberately providing false
information to queries in an attempt to access server areas that the
server administrator is clearly trying to withhold from that software.
Just as any hacker caught trying to get in under false pretenses could
be banned from the site, any software that lies to try to bypass
security under false pretenses could also be banned.

Of course my preferred solution is that my clients beef up their own
security the way they want, and then they don't have to worry about what
client do to try to break in.

>> There also are many examples of Microsoft products opening back doors on
>> machines to allow their servers to gain access, or for their anti-piracy
>> software to check for stolen products on your machine.

> I'd like to see more about this. Any system administrator would find
> this a useful tool, and this data must be how many of the network
> oversight applications operate. A good way to make sure your coders and
> data entry weenies are working and not playing solitaire or sending each
> other joke email....I'm sure my boss would like to have that capability
> over me... he he...

Yes, it would be a wonderful tool if it were documented and if the
Network Administrators had access to this data.  Instead, it is
undocumented, and only Microsoft software uses this information to
gather data about someone else's network without their knowledge.

Any knowledgeable network engineer can analyze these interactions with a
sniffer and write their own code to access the same listening ports
(backdoors) to gather information about PCs.  For each PC, you could
tell what time an application started and what time it ended.  You could
even choose to deny any specific (Microsoft) application by telling it
that its copy is illegal.  The Microsoft product will override the local
user's desire with the directives received over the network.

> As a network consultant, I recommend that others in the field find out
> more about how PCs work in background operations to expand their
> horizons past their Mac blindered knowledge...

I have discovered this stuff using packet sniffer tools to detect
anomolous behaviors occurring in the background of most software vendors
products.  Much of my research has been part of top secret DoD projects,
for which I was specifically brought in because of my investigations
into backdoors deliberately created by software vendors.  None of my
research is second-hand or unsubstantiated.  (Long-time readers of this
list will remember when I left the Government arena to found my own
company in 1994.)  Besides consulting for DoD security projects, I also
pull six figures per year from IBM for researching their PC networking
difficulties.  I assure you that my knowledge of PC networking is not
slight or biased.

But why argue with me?  Anybody can buy the products, and then reverse
engineer them to see what they are really doing in the background.  If
you are a network consultant, you should probably have the tools to do
this already.  Did you actually investigate any of these items before
you decided to disagreed with them, or do you merely have the "faith"
that Microsoft would never do anything underhanded with their software?
- --
Harvey Newstrom  (harv@gate.net)


[1] RISKS DIGEST 19.53

Date: Fri, 12 Dec 1997 19:16:15 -0000
From: Ken Tindell 
Subject: Re: What really happened on Mars Rover Pathfinder (Jones, R-19.49)

>This scenario is a classic case of priority inversion.

So classic that it has happened before many times in many projects.  And I
fear will continue to happen. Today, people are building critical real-time
systems based on Windows NT. But NT doesn't implement priority inheritance.
Instead it contains a "priority randomizer" which randomly selects tasks and
alters their priorities in the hope that eventually the priority inversion
goes away. Whilst this may be adequate for a general-purpose computer in a
workstation environment, this is unlikely to be adequate for a critical
real-time system.

>For the record, the paper was:
>L. Sha, R. Rajkumar, and J. P. Lehoczky. Priority Inheritance Protocols: An
>Approach to Real-Time Synchronization. In IEEE Transactions on Computers,
>vol. 39, pp. 1175-1185, Sep. 1990.

I must point out that their work appeared much earlier in technical reports
and conference proceedings and was widely cited before the 1990 paper
appeared.  Interested readers might like to read the following paper, which
gives an historical perspective on when major results were made available:

  "Fixed Priority Scheduling: An Historical Perspective", Audsley, Burns,
  Davis, Tindell, Wellings, Real-Time Systems journal, March 1995, Volume 8,
  No. 2/3, pp. 173-198.

I find it outrageous that engineers in 1997 are building critical systems
that contain serious defects that were detectable and correctable ten years
ago. I do wonder at what point failure to be aware of these risks
constitutes negligence.


From: Matt Robinson 
Date: Tue, 24 Feb 1998 15:49:26 -0500
Subject: Internet Explorer 4.0 for Solaris is out (long)

Microsoft has released Internet Explorer 4.0 for Solaris.
Note that this is the "final" release and not a "beta"
or "preview" release.
I've played with it a bit and can offer the following insights.

One Line Summary:  of course it's free - you have to be nuts to pay for it!

Suspicious Release Schedule:  currently available for Solaris and
nothing else.  HP-UX expected by the "end of the year".  Now I know it
is popular in the PC world to play-up the incompatibilities between 
various implementations of Unix, but this just reeks of incompetence.
Most major implementations and many minor ones are largely POSIX-1003.1
compatible or they're close enough that porting work is minimal to nil.
At least Netscape, despite other deficiencies, seems to understand this -
when they release one Unix version of their browser, they release it for
a large number of versions (at a quick glance:  AIX 4, Digital Unix,
HP-UX 9 and 10, Irix 5.3 and 6.2, Linux 1.2 and 2.0, SunOS 4.1.3,
Solaris 2.4 and 2.5.1 and Solaris x86 2.4 for Communicator 4.04).
This is either a ploy (to make Unix systems look worse than PCs),
incompetence (in not understanding how to make something remotely portable)
or both.

How Not To Do Things On A Unix System:
- Create a font cache the first time you run on a particular combination of
  X server and font path.  This is only done once but takes a heck of a
  long time as it forces the X server to load every single font in its 
  font path, sometimes multiple times if the font has more than one name.
  Microsoft claims that this is to be able to quickly find font matches
  on the fly.  While the font rendering does seem to be a little better
  than Netscape (perhaps just a better choice of fonts) it is not clear
  that this is particularly useful or necessary.  Microsoft obviously
  got some complaints about this since the preview release since they
  have included a number of pre-fabricated caches for common configurations.
- Replicate large chunks of the Win32 API.
  Installed package is about 43Mb, Communicator 4.04 is about 16Mb.
- Store configuration data in a human-unreadable binary file.  IE actually
  keeps a couple of registries, apparently in the Win32 format.  While this
  was almost certainly done to avoid changing parts of the IE code, it does
  mean that you cannot edit the configuration outside of the IE program.
  Thus some of the tricks we could do with Ariel accounts and Netscape setup
  (i.e. installing a preferences file) cannot be done here.  Mind you,
  Microsoft does sell an Internet Explorer for Unix Administration Kit for
  over $70CDN.  Most other programs do not provide such a package for any
  price, since there are free third party configuration programs available,
  called (depending upon your preferences) ed, vi or emacs.
- Determine the maximum size of your disk cache based upon a percentage
  of the partition size.  Now who came up with this?  I mean, you have
  to really make an effort to make a bonehead decision like this.  I hope
  for the so-called "engineer"'s sake that they were blindingly drunk or
  had accidentally mixed medications when they put this in.  I would hate to
  believe that somebody had deliberately set up the controls this way.
  (Aside:  according to the readme.txt file, this feature doesn't even 
   work and the limit is hard-coded to 1% of the partition size.)
- Scrolling seems to be slower in many cases than Netscape, but has less
  flicker.  The middle button is used in a misguided attempt to emulate
  the IntelliMouse wheel.  I can just see this causing great confusion;
  when you click the middle button once, the mouse goes into "scrolling"
  mode where moving the mouse scrolls the page rather than moving the
  cursor.  Clicking the mouse again exits the mode.
- Java support is just broken.  It crashes very easily - just scrolling
  back and forth quickly over an applet kills the browser.
- Busy wait.  When running Java applets, the browser would suck up at
  least 6-7% of the CPU on tiger, even if you weren't doing anything
  and nothing was actually running.  The browser (according to truss)
  seems to keep trying to wait on a condition variable with a ridiculously
  short timeout.  At other times, the browser still sits and spins (albeit
  less gratuitously) while it poll()s some file descriptors (often in multiple
  chunks) and also ioctl(FIONREAD)s others - all with short timeouts.
- Memory usage is obscene.  Opening a few pages (but only one window) and
  running a Java applet, ended up with an image of 33Mb (26Mb resident).
  Navigator 4 under similar conditions had 21Mb (16Mb resident).   It also
  produces nice large core files, usually upwards of 11Mb.
- Read local files, but not local directories.  Trying to read a local
  file (e.g. file:/cs/home/tech1/matt/www/index.html) works, but trying
  to read a local directory (e.g. file:/cs/home/tech1/matt/www/) fails
  with a "File System Navigation Not Implemented" response.  Mind you,
  FTP directories work fine (ftp://matt@localhost/cs/home/tech1/matt/www/)
  and we all know that the output from a "dir" command under FTP is 
  radically different from an ls command on a local filesystem (sarcasm).
- Dumps about 600k or so of junk in ~/.microsoft including a 400k registry
- Microsoft's requirements:  32Mb of memory (64Mb recommended).
- multiple instances (same user, same host, different display) work but seem
  to be related in some weird way as a crash in one crashes the other.

Not As Bad Things:
- although the exec memory usage is poor, it seems as though X resource 
  usage is significantly better than Netscape 4.0.


[1] Risks Digest 19.94
Date: Fri Sep 04 15:54:13 EDT 1998

Date: Thu, 27 Aug 1998 14:08:15 -0600 (MDT)
From: Bear Giles 
Subject: MS databases lose data; MS loses source code to DOS

It's bad enough that Microsoft databases lose data, but now Microsoft
claims, in court, that it has lost the crucial source code necessary to
prove Caldera's allegation that Microsoft did in fact, as implied by an
internal 30 September 1991 that which Microsoft does not dispute, actively
sabotage Windows 3.1 if it is launched from any competitive product to

Caldera is involved as the current legal owner of DR DOS, an increasingly
popular alternative to MS-DOS which was knocked out of the market after the
introduction of Windows 3.1 due to the flakiness of the DR DOS/Windows 3.1
combination.  (Not to imply that MS DOS/Windows 3.1 was particularly

Since it lost the source code, Microsoft appears to be claiming that there's
no contempt of court in failure to provide the documentation (since it no
longer exists) and the judge should dismiss the case as without merit.

No word on whether Microsoft's next defense will be that it stored the
source code for Windows 3.1 in an Access database.

As an historical footnote, it's my understanding that the smoking gun memo
was discovered in the 1995 DoJ investigation of Microsoft's business
practices.  That raises some obvious questions about what the current round
will uncover.

References:  Wall Street Journal (27 Aug 1998?)

Bear Giles 


From: risko@csl.sri.com (RISKS List Owner)
[1] Risks Digest 20.01
Date: Thu Oct 01 20:21:52 EDT 1998

Date: Fri, 25 Sep 1998 23:48:27 -0400
From: Joe Thompson 
Subject: Re: "Windows NT security"

There was a forum on InfoWorld Electric (http://www.infoworld.com/) about
this about a month or so ago.  The actuality of NT's C2 certification is
dependent on the following:

* One of two or three (I seem to remember two Compaqs and one Digital
system) very specifically detailed hardware configurations must be used.
These do not include any kind of external connectivity (network card,

* The version of NT that was certified was NT 3.5 with Service Pack 3
applied, and no networking or comm drivers installed.  3.51 is not
certified, nor is 3.5 without SP3.  4.0 has not, to anyone's knowledge,
begun the process of certification, and Microsoft declined to comment.

The forum was started by InfoWorld columnist Nicholas Petreley, who spoke
with a fellow named Ed... I can't recall his last name, but he headed up
Lone Star Systems, the company which developed the testing software that
Microsoft used to gain the seal of approval.  He alleges that Microsoft has
both actively and passively misrepresented the security of NT to, among
others, government agencies, and that Microsoft reneged on promises to
distribute his compliance-testing software.

It was a very interesting forum.  Petreley sent a comprehensive list of
questions to Microsoft and their answer was a blanket "no comment."  Most
of the questions were not even speculative in nature, but were seeking
comment on facts that could easily be verified independently (e.g., details
about Microsoft displays at various trade shows).

Nicholas will be happy to comment I'm sure, and the forum discussion should
still be archived (I'd provide direct addresses and URLs, but my copy of
Netscape is flaky today). -- Joe


[1] Risks Digest 20.03

Date: Fri, 9 Oct 1998 09:55:45 -0400 (EDT)
From: "Daniel P. B. Smith" 
Subject: Unreliable reception of e-mailed WP documents

Some unpleasantness occurred in a meeting recently. Person A said that the
reasons he hadn't performed a task was because he was still waiting for
Person B to supply some needed information. Person B said he'd supplied it a
week ago in a specific memo which he'd distributed via e-mail.  Person C
said, "I got it and I'm almost sure I saw A on the distribution list."
Person A said "I got the earlier version where all of those numbers were
blank, but I've never gotten anything that had the numbers." Person B said
"What version where the numbers were blank?" Person E said "You know, the
one you sent out about a week ago.  I never got the one with the numbers
filled in, either."

On comparing notes, it turned out that a single version of the memo had been
e-mailed, and when opened by about half the participants a critical table was
complete and had information visible in all columns, and about half of them
had a column in which all cells were blank.  All recipients of the damaged
version had simply assumed that the blank cells were intentional.

Incidentally, this was a 100%-pure-Microsoft situation, involving no version
of Word more than a year old (no version skew of more than one version) and
involved RTF format which is the format Microsoft specifically designates
for document transfer.  There was no obvious pattern to the problem; the
originator used Word 97 on a PC, and some receivers using Word 98 on a Mac
received it correctly while some receivers using Word 97 on a PC got blank
columns.  We don't know the full story but it is suspected that the set of
fonts installed, the OS version, the screen dimensions and resolution, and
the kind of printer the user is connected to may all play some part in this
crazy equation.

The RISK here is the same as with any other kind of unreliable communication
that is falsely _assumed_ to be reliable.  Notice that, in general, when you
send a word-processing document to someone else, _the sender has no reliable
way to confirm what the receiver will ultimately see and print.  Unless the
user guesses there is something wrong and complains, the problem is likely
to go undetected.  Even when the problem is detected, it is usually hard to
resolve, because nothing in the system logs all the configuration
information that would be needed to resolve it.  Unless the recipient is a
colleague in an adjacent cubicle and is willing to experiment with you in
real time, problems of this kind are likely to remain unsolved.

Daniel P. B. Smith  


RISKS-LIST: Risks-Forum Digest  Friday 29 January 1999  Volume 20 : Issue 18

>From: "Daniel P. Stasinski" 
Subject: Microsoft Hotmail

I contacted Microsoft/Hotmail asking them to close the account that was
listed in the backdoored tcp wrapper source code.  I also forwarded the
offending code.

The word back from them is that they will not close it.  Theft
of passwords and hacking does not violate their terms of service.

Daniel P. Stasinski, Software Engineer, Karemor International, Inc.
2406 South 24th Street, Phoenix, AZ 85034  dannys@karemor.com


RISKS-LIST: Risks-Forum Digest  Monday 2 August 1999  Volume 20 : Issue 51
Date: Fri, 23 Jul 1999 15:32:18 -0700
From: Thomas_Gilg@ex.cv.hp.com
Subject: 2nd-class invitation in Outlook

One of our engineers has decided to leave and go back to school to complete
her Ph.D. and enter teaching, a career move we all wish her the best in.
Before a going-away party could be scheduled however, she ended up in an
unusually contentious software design meeting with four other
momentarily-combative engineers, including myself.  It was ugly!

As I pondered whether or not I was out of line during the meeting, and how
we could reconcile our differences so she could leave on a high note, our
administrative assistant used Microsoft's Outlook/Exchange "meeting request"
feature to schedule a lab-wide going away party.  Unlike most engineers in
the lab, I and one of the other combative engineers quickly hit the "accept"
button which converts the e-mail based meeting request into a calendar item
and sends a RSVP back to the meeting organizer.

A day later, an update was issued on the same meeting request, and I scanned
the request for the change.  While the lab-wide mail list alias "Lab.All"
was still on the "Required Attendance" line, I and one other combative
engineer were now explicitly listed, by name, on the "Optional Attendance"
line.  My heart sunk at the thought that some of us were no longer welcome
at her going away party.  Good friends for so long, how could one lousy
meeting drive us apart?

After some tactful asking around though, it became clear that there were no
hard feelings and no one had tagged anyone as optional.  Ah, enter another
Microsoft Outlook/Exchange feature.

If a meeting request is sent to a mail list alias, and then individuals
accept the request *and* use the option to e-mail back a yes/no response to
the meeting organizer, Outlook/Exchange does not recognize that the
individual(s) are part of the original mail list alias.  If an update is
then issued on the same meeting request, Outlook/Exchange treats the
unrecognized names as optional attendees.

Depending on the issue at hand, being explicitly listed as "optional" can
take on a whole lot of extra meaning.  Who needs enemies when you have
Outlook/Exchange ;-)

Thomas Gilg, R&D Software Engineer, Hewlett-Packard  tomg@cv.hp.com


RISKS-LIST: Risks-Forum Digest  Weds 1 December 1999  Volume 20 : Issue 66

Date: Tue, 30 Nov 1999 17:59:03 +0000
From: main@radsoft.net
Subject: Expanding, Embracing, Devouring: IE 5.0 Task Scheduler Elevates


What this article will demonstrate is that installing a web browser from
Microsoft changes the topology of the underlying operating system - even
on Windows NT.

Ken Thompson used to say, "keep your hands off the drivers." With all
the ridiculous crashes IE4 and IE5 have been guilty of, it's obvious
Microsoft has never heeded that good advice.

Instead, they now muck about with the innards of your operating system
when all they're really supposed to do is install a user mode

The mind boggles.

RA Downes, Radsoft Laboratories  http://www.radsoft.net


Date: Thu, 25 Nov 1999 14:08:50 +0000
From: main@radsoft.net
Subject: No bounds checking in Microsoft RTF controls

I am speechless. Totally speechless. And for reasons which might become
clearer later, I have a lump in my throat. This is not funny anymore.
Dammit, it is not. I am mad.

The morning mailbox contained a newsletter on NT security, and this
newsletter had an article about an attack on the Microsoft Rich Edit
(RTF) controls. The URL given is:


As there are a few discrepancies in the RTF code reproduced there, I
made the mistake of assuming that this was a limited problem. But after
disconnecting and thinking about the matter a bit (thinking still does
have its advantages, even in this age when, thanks to Microsoft,
information is at your fingertips) I realized it was "easy peasy" to
crash any of Microsoft's Rich Edit (RTF) controls any time I wanted, and
set about doing so.

But let's make sure everyone is up to speed before we continue.

RTF is a Microsoft invention (or so they claim) for formatting text. RTF
stands for "Rich Text Format", thereof the description "Rich Edit" often
used to describe this "technology". Microsoft encapsulates this
"technology" all over the place, in their Office suite, in FrontPage,
and in two resident system DLLs, RICHED32.DLL and RICHED20.DLL. Again,
the attack works on _any_ version of the DLL, and not just one or the
other as the article at the above URL implies.

RTF consists of a number of "tokens" all introduced with the (you
guessed it) backslash. An RTF file is always enclosed in braces (what
good this does no one knows, next question please) and after the initial
opening brace the token "\rtf1" should follow immediately. (The article
online at the URL above incorrectly gives this token as "\rtf" - the '1'
on the end, to the best of my knowledge, is necessary.)

As the article states, the buffer used for interpreting RTF tokens seems
to be 36 bytes. This is such a ridiculous magic number it's not funny. I
can't get past this one at all. The backslash is regarded as part of the
token in this context: thus any character sequence beginning with a
backslash and continuing with at least 35 characters before the next
token will send the control south.

Also, RTF tokens are considered to conform to the American alphabet: any
non American alphabetic character in a token will in effect break the
token and avoid the attack.

Another tidbit that might prove beneficial to readers: the initial MS
Rich Edit control, Riched32.DLL, was written in C, the follow up,
Riched20.DLL (sic) is written in C++, and Microsoft probably regards
this latter DLL as a vast improvement, which it is not. But as this
attack works on all generations of the control it can be concluded that
the same brain dead code snippet is in effect here in all cases.

The buffer for parsing an RTF token is 36 bytes (including backslash
character)  - and no checks are used in the code to make sure the buffer
does not overflow.

There is evidence in the disassembly of a character pointer being
incremented with the postfix ++ operator - that the loop not check that
this pointer is within bounds really and truly boggles the mind.

I can think of hundreds, thousands, hundreds of thousands of loops I
have written and seen over the years, everyone of course having a bounds
check built in. I mean, this is very _basic_ programming, isn't it?

  for (cp = buf; cp < buf + BUFSIZE; cp++)
    /* * */

I mean, this is all really very _elementary_, isn't it? Tell me I'm
wrong! Please, someone, _anyone_, tell me I'm wrong!!!!

I used to think so. But now that "Redmond RuleZ", who knows what goes
anymore? The real pity is that in a week, as everyone becomes aware of
this issue and what is behind it, that people will just end up
_accepting_ it. Crimenee!!!!

This RTF control in all its generations is one of the most used controls
from the Microsoft arsenal. That this control be subject to the
kindergarten programming practices of Redmond is more than at least this
author can stomach.

This is absolutely horrendous. I feel literally physically sick. This is
not funny any more.

RA Downes

PS. As this affects almost everyone using any kind of PC program
anywhere, I guess I'll just have to devote the rest of this day to
writing a wrapper to protect us. The idea is simple: send all references
to RTF editors to the wrapper instead, which will first parse the file
for evidence of malignant tokens, and then pass the file on to the
target editor if all is in order - or otherwise issue a warning and drop
the matter entirely. Drop me a line if you have any ideas. As Microsoft
will probably handle this "issue" as so many others - i.e. ignore it -
and as I rather trust my own code at this point far more than I trust
Microsoft's (nil trust there to be honest) I think we have to take
matters into our own hands.

RA Downes, Radsoft Laboratories  http://www.radsoft.net


RISKS-LIST: Risks-Forum Digest  Monday 29 May 2000  Volume 20 : Issue 89

Date: Fri, 19 May 2000 11:41:41 -0700
From: "Gary Cattarin" 
Subject: Junk-mail filters

  [NOTE: Entire item in RISKS-20.89x.  See below.  PGN]

This I'm sure has been covered before, but here's an interesting example of
filters gone awry.

I recently upgraded (?) to MS Office 2000, which, among other things, lets
you have more than 8 e-mail filters active at once.  In my glee I started
turning things on, including junk mail filtering.  Surprise!  I found 8-10
important messages -- all replies to a query I sent out to a personal mailing
list -- all dumped into the Junk Mail folder.

What was it?  I'm riding in a charity bicycle ride, and I needed to tell my
pledge-ees that I needed their money now.  So I sent them an e-mail updating
my training status and asking them to send their checks.  Obviously, this
message had at least one dollar sign "$" in it -- and because I'm an
excitable guy it had at least one multiple exclamation mark "!!", and since,
at the end, I chided my manager to make good on my exaggerated version of
his pledge:

        >> Mark, didn't you promise $5,000 or something like that?

...we also hit the magic phrase ",000".

Now, the fine folks in Redmond have determined that if these three elements
converge, you have received Spam.  The actual rule (from their web site) is:

    Body contains ",000" AND Body contains "!!" AND Body contains "$"

Who'd have guessed?  In fact, even looking at their filter list, it took me
a long time to figure out which rule I'd hit.  (OK, I'm slow sometimes.)

I guess the rule is (a) don't get too excited ! -- one "!" at a time!  (b)
specify your currency as "USD", and (c) use European periods ("5.000")
instead of North American commas in large numbers.  OK, that's silly.  But
just as silly is the fact that any spammer can read the list of rules and
tailor their e-mail to avoid them.

Of course, you might never read this, because if you have junk e-mail
filtering turned on, Outlook will catch THIS message and do with it as
you've requested for junk mail.

Two other interesting points:

(1) In the adult filters you'll find these two:
(1) In the adult filters you'll find these two:
    Subject contains " sex"
    Subject contains "free" AND Subject contains "sex"
The first is set up with a leading space to only accept the *word* "sex", so
those of us who live here in Middlesex county don't lose any local-related
mail.  But the writer of the second wasn't so careful -- what if the
Middlesex News offers free subscriptions?  That's Spam, yes, but not porn (I
guess that's why that newspaper changed its name...).

(2) Don't address your dear friend as such -- note the rule:
    Body contains "Dear friend"
My golly!  I can't send some good old-fashioned heartfelt feelings to my
dear friends!!  (oops, double "!!" -- I got excited!)

This stuff can be very dangerous...

The entire list is at
I included it here, but the moderator may choose to cut it from the journal
in the interest of space.


Personal example: Wed Jun 28 17:36:27 EDT 2000
From: Wayne Hayes

Tried using Microsoft Word for the first time in many years.  Tried
printing to an HP postscript printer.  Didn't work.  Tried printing
postscript to a file.  That's when I noticed that Word isn't generating
standard postscript.  It's some other sort of screwed up postscript of
their own.  Just what the hell is wrong with these people?  Postscript
is a STANDARD.  That means it's supposed to be, well, STANDARD --- DUH,
which means the same for everybody.  I have crappy free software that
can generate correct postscript.  Why the hell can't Word do it?
The programmers of Word are either incompetent, or intentionally
fucking with the standard for some reason.


Wed Jul  4 20:56:59 EDT 2001
From: Wayne Hayes

Microsoft Excel from Office 2000 (and presumably all earlier versions,
and I'll bet any more recent version as well) contains a numerical
limitation: if you try to take the geometric mean of a bunch of numbers
greater than 1, you can get Infinity as the answer even if the *actual*
geometric mean is perfectly representable.  After some experimentation,
it appears that they're computing the geometric mean using the
mathematically correct but numerically naive algorithm:

    multiply the N numbers together, then take then Nth root.

If the multiplies result in an overflow, then the Nth root is still an
overflow.  A similar problem arises if all the numbers are less than 1;
an underflow results, and you get 0 as the result.

This makes Excel useless for any data reduction where you want to take
the geometric mean of a modest list of numbers.  In my case, it was
only about 300 numbers, each less than 100, and the actual geometric
mean was about 80.

The solution to this problem is utterly trivial, has been understood
since the advent of numerical computing (let's be generous and say
the mid 1960's), and should be well-known to anybody who's taken an
undergraduate introductory numerical analysis course.  You note that
the logarithm of the product of a bunch of numbers is equal to the sum
of their individual logarithms, and replace the above algorithm with
the following:

    add the logarithms of the N numbers together, divide by N, then

I sent this bug report and suggested fix by e-mail to Microsoft
technical support, and received back an informationless form letter;
apparently the tech support person reading it had no understanding of
mathematics.  I re-sent it, saying that if they didn't understand what
I was saying, that they should simply forward it to a supervisor, or
directly to the Excel developers responsible for the mathematical
computations of Excel.  I received the same form letter back.  I gave

It is distressing to realize that, with all the nice glitter and
ease-of-use of Excel (I'll admit that it has quite a nice and intuitive
interface, at least for simple tasks), the basic numerical algorithms
underpinning it all are at the level of a mediocre high-school student.


Access count (updated once a day) since 1 Jan 1997: 129010