About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

The Rise and Fall of Windows

Week of January 3, 2005

Windows isn't an operating system. It has no design. It has no security. There are over 100,000 Windows viruses in the wild. There are none for either Linux or Apple's OS X - none. But both those latter systems are real operating systems; Windows is layer after layer of ad hoc code slapped onto existing products. It has no overall philosophy or design, and in today's world that means everything.

Windows rose with the advent of full 32-bit memory addressing in the IBM PC; it fell with the bad karma of putting something so slipshod into an environment - the Internet - where security means everything and a lack of it spells corporate ruin.

People will more and more refuse to run Windows or buy computer systems with Windows because they don't want the hassles and the threats. And they don't need to be rocket scientists to see the difference either: real operating systems are not threatened online as is Windows; they're not threatened at all. It's simple and people will see it and are already beginning to see it.

It was only a bit more than twenty years ago IBM sent a team down to a defunct factory in Boca Raton to design a personal computer with off the shelf components. The reason they decided to not make the computer with their own components was that the process would take too long: an earlier internal study showed that IBM bureaucracy had grown so debilitating that the corporation on an average needed nine months to ship an empty cardboard box out the door. IBM didn't have the time.

The processor of the day was the Z80 from Zilog, but as its founders were former Intel engineers and as the Z80 architecture was directly based on the Intel 8080, IBM decided to go with Intel instead and began buying up Intel stock like there was no end in sight.

IBM picked all the other components of their computer but lacked an operating system. They knew literally nothing about the hobby computer business but they'd heard of a small software company in the Northwest specialising in programming languages and set up a meeting. That company was of course MicroSoft [sic].

MicroSoft agreed to supply BASIC for the coming IBM computer but did not feel operating systems were their forte, and so recommended IBM contact Gary Kildall, creator of the ubiquitous CP/M operating system used on all the Z80 machines.

But neither Gary, nor his wife, nor their legal adviser were particularly interested in IBM's proposition. The IBM reps returned to Seattle empty handed. Bill Gates promised them he'd see if he could find an operating system for them, and he did.

What he found was something called QADOS ('quick and dirty operating system') written by Tim Paterson of a company also in Seattle. QADOS was written on an Intel 8080 machine and cross-assembled to run on Intel's new 8086 processor. Intel also had a less powerful processor in the same class called the 8088 - IBM decided to go with this one instead for reasons of backward compatibility with legacy CP/M ISV products.

Bill Gates made Tim's company a deal: he said he had a small-time buyer and could offer the company $50,000. It was only later Tim's company found out Bill's client was none other than IBM. They subsequently sued MicroSoft and settled out of court for a facile $400,000. Already here in his first major business deal in the mainstream computer industry Bill Gates proved he was a liar and a cheat.

[For that matter, take a moment and ask yourself if any other major IT corporate leader - Opel, McNealy, Watson, et al - has ever been accused and found guilty so often of lying and cheating as Bill Gates. Think about it. And this is the guy who's always accusing others of wrong-doing.]

QADOS was little more than a lacklustre update to Gary Kildall's Z80-based CP/M. The interrupt vector table was deliberately backward compatible. And so forth. Microsoft had no one in-house who had been involved in the development of the product, and the product itself was a mere four month moonlight job for Paterson who wrote it in his evening hours away from work.

When Bill Gates bought his source code licence to Unix (which he turned over to Santa Cruz Operation) PC-DOS/MS-DOS was updated to reflect a modicum of compatibility with Unix for purposes of application development, got its hierarchical file system, its backward slash where Unix had the ordinary forward slash - but that was it. Nothing else happened for years on end.

Tim Paterson never considered his product finished. When showing it to Bill Gates he thought it more important to explain what he planned to add, not what he'd already done. But Bill Gates wasn't interested.

Tim planned to add multiuser and multithreading capabilities. Bill wanted none of it. PC manufacturers later would petition Gates to have these features added, but they were ignored. None of that for Bill Gates.

Prototypes of the Mac were made available to Microsoft before the official 1984 release. Microsoft promised Apple a suite of 'office applications' including Multiplan. VisiCorp had a GUI for the PC almost ready for market by Comdex 1983. Gates panicked, scrambled, and got his hysterical Harvard buddy Steve Ballmer to 'hype' the Windows vaporware project for the next two years.

Windows saw the light of day (the dark of night) in December 1985. It was a direct total outright fiasco.

Windows was nothing more than a shell plastered on MS-DOS. Its sole purpose was to pre-empt the market before the competition could get a foothold. It went absolutely nowhere, but nothing else went anywhere either, so things from Microsoft's perspective were cool.

When IBM began their PS/2 OS/2 project Microsoft were on board. PS/2 represented fast hardware at a fraction of the price of earlier PCs but OS/2, a cooperative effort with Microsoft, was wobbly. (OS/2 in fact didn't pick up and 'get with it' until Microsoft dropped out of the project - go figure.)

IBM still held rights to Windows through version 3.1 which could be co-branded with the Big Blue logo. But it wasn't until the XMS memory standard developed by IBM, Microsoft, and Lotus that things started to take off. Yet Windows was still not an operating system, slapped on top of the QADOS MicroSoft bought years earlier.

Security issues were hidden for many years as networks were only in-house, often coupled with Novell NetWare. A new multitasking multiuser version of MS-DOS which was written on contract with major PC OEMs, which could have made a difference, was pushed out of the market by 'scare tactics' implemented at the personal behest of Bill Gates. When Windows 95 finally came out (a year late), it had hidden code to detect the presence of the alien product and scare users to get them to stop using it.

By the end of the 1980s Microsoft knew secure 32-bit computing was coming and that they needed such a system of their own, but they had no in-house capability or experience for such a task, so they contacted Dave Cutler, legendary author of VMS, and paid him to take his proprietary DEC research project across town to the Redmond campus.

DEC would later sue Microsoft for stealing their operating system, and again Bill Gates would settle out of court - 'the cost of doing business'.

But while VMS was a bulletproof system, this new system, force-fitted onto Windows, was be anything but. The catch is that Cutler didn't know what Microsoft were up to, Microsoft knew he didn't know, and Microsoft weren't about to tell him until he was up to his neck in it. Dave really believed he was designing and writing a 'LAN manager' - which is of course not at all the same thing.

For all the improvements it represented, Dave Cutler's 'Windows NT' was still a few good ideas slapped on top of a lot of bad ones, and such cannot an operating system make.

When designing an operating system your top priority must always be security. No matter what you decide to use your system for, security has to be in your thoughts at all times.

Security must be in the core philosophy. Security is not only making files 'read-only': it's about user and privileged mode execution, authentication to create threads of execution and synchronisation objects, run programs, and so forth.

Access to each and every resource, from RAM and virtual memory addresses to folders and files on disk, must be strictly controlled. Running programs must be authenticated. Logging in must be as well. Entering folders and being able to list their contents too.

Renaming files, adding files, moving files, copying files, deleting files - everything but everything must be strictly controlled, strictly secured, and the logic for this security must be found at the core of the operating system.

You don't have to see these controls all the time, but they have to be there. If not, you'll be toast by yesterday.

Everything in a Windows machine is wide open. There are no controls. None whatsoever.

Just as important as control of resources is the concept of ownership of them. The idea that there is one anonymous user on a system - whoever touches the power-on button - simply won't do it. No matter you paid cold hard cash for that box, you either accept the fact that you still have to prove who you are to use it or you have to accept the inevitability that anyone will be able to. Security is not there to hassle you and keep you out, but to keep everyone else out and let only you in.

Organisation and ownership on a Windows disk is somewhere between non-existent and chaotic.

A Windows PC is owned by everybody. It doesn't have a single very exclusive 'system' user. It has administrators and precious little else. These administrators have 100% virtual control to the entire system. And what little they can't by default get at they can easily assume total ownership of so it can be accessed anyway.

If a Windows box has more than one physical human user, where do their home areas go? Where are their files placed, and in a way that other users can't get at them?

What is 'Documents and Settings'? Do you see documents and settings for other users in there? Can you get at those documents and settings? Can you read them, write to them, move or copy them, delete them?

Is your default 'documents' folder different than those for other users? Is yours protected? Can you prevent other users from peeking in there?

Can you go into your Windows directory? Can you delete files there? Can you go into your 'system' directory and do the same?

Now think very slowly about this: if you can do almost anything feasible on your system and without further authentication and controls, what's to stop someone else from doing the same?

List your Windows directory in Windows Explorer. Go to the 'column' view so you see all possible columns of data. Does the program tell you who owns each file? Do you see any indication of what user group owns each file?

Do you see any indication of what each user and group may and may not do with each file?

Can you find any controls on the directory itself? Can you see who owns it? What group it belongs to? What the user and group rights are? What may and may not be done?

Can you find text files in your Windows and 'system' directories? Are you able to open them with Notepad? Are you able to save them back to disk again?

Who owned those files? To which user group did that owner belong? What could the group do with those files?

Who would you have to be to change any of the above security controls?

If you can't think up a decent or reasonable answer to any of the above questions, don't worry: there are no answers to them. Although they're all valid questions for any 'real' operating system, they don't, have never, and will never apply to Windows. Windows isn't an operating system.

The world is starting to understand. People have been predicting the downfall of Windows for ten years now, but now it's inevitable: as security has become so important, and as Windows has no defences against threats, it cannot survive: the malware out there will destroy it and scare everyone out of using it.

Academia have already ended their brief affair with Windows. Unix seemed to have stagnated a while there; Microsoft came out with their 'el cheapo' ODBC; but now it's security that matters, everyone realises this, and people simply don't have time with the Microsoft nonsense any longer and research is back in the Unix camp where it belongs. As commercial markets follow academic research, it's obvious the best years of Microsoft - and the worst years for everyone else - are already long behind.

Do the research: ask yourself the hard questions. Do you really think surfing with Windows is fun? Do you really think your firewall and anti-virus software and anti-spyware software are going to protect you? Do you want to go around feeling so tense, uptight, and scared all the time?

Computing isn't meant to be like that. Real operating systems don't leave you open like that. They don't need firewalls and anti-virus software and anti-spyware software to survive.

Maybe now you'll understand why.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.