In the January issue of Smart Access, I ranted about how awful hackers (in the pejorative sense) were and went on to suggest that Microsoft ends up carrying a lot ofthe blame for the actions of vandals. Andrew Benner wrote in with what I thought was a great response:
I certainly agree with you that each dirtbag who writes a virus/trojan and releases it into the wild is to blame for the havoc their software creates. By the same token, Microsoft is directly responsible for the software it creates.
Microsoft has been criticized by the security community for as long as I have been reading trade journals and magazines. Microsoft has been aware of problems with its OS since Windows 3.1. Microsoft has been aware of issues with Office since its first release. The company...has been putting features over security/stability. Many, such as you, are willing to give Microsoft a break and claim the current issues are “because of the Internet.” It isn’t. There are many reasons and almost all of them pre-date the Internet (as we all know).
I’m not willing to let Microsoft off the hook. The issues it is responsible for have been known for too long. The current morass it faces is arguably a direct result of its business plan.
It’s hard to argue with Andrew. There are really only two places where I disagree. The first is my fault—I didn’t mean to indicate that I thought the current issues were “because of the Internet.” I do feel that Microsoft’s attitude toward security issues reflected a “pre-Internet” mindset that wasn’t inappropriate when Windows 3.1 was created. The security problems we face don’t exist “because of the Internet.” What the Internet has allowed is for the existing security failures to be exploited to a far greater degree than anyone would have thought possible in the pre-Internet age.
The second issue that Andrew raises is that Microsoft put “features over security/stability.” You just can’t argue with that—Microsoft has. But the question that you have to ask is, “Why?” Was it because the people at Microsoft are stupid or evil? Both seem unlikely to me (you’re entitled to your opinion).
As Andrew points out, the answer relates to Microsoft’s business plan: Features sell products, while security and stability don’t (or didn’t). People wanted features in their software and were willing to pay for them but weren’t willing to buy competing products that were less feature-rich. Microsoft served its customers (or chased the dollar, depending on how you want to look at it).
You can complain that the people who made those decisions were stupid or were tricked. I’m always uncomfortable with those claims. I remember an article with Bill Gates in Fortune magazine back in the early 1990s. In that article, Bill advanced the idea that affordable “good enough” technology drives out expensive high-end technology every time.
I suspect he’s right. The VHS video recording system succeeded and the Beta video recording system didn’t, though Beta provided better picture quality. I suspect that most people preferred the cheaper costs (and longer recording times) of the VHS system and didn’t value the better Beta picture quality. Volvo made safety a primary feature of its cars and steadily lost ground to other car manufacturers with flashier sales pitches. Windows 3.1 drove out OS/2, though Windows 3.1 was less stable than OS/2. Windows 3.1 cost 80 percent less than OS/2 and provided backward compatibility to DOS programs (in the same article, Bill pointed out that customers put a high value on backward compatibility).
In addition to the business-related answer, I think there’s a more personal answer. I suspect that people inside Microsoft are a lot like me: It’s a lot more exciting to code features than it is to code security and stability. But that’s probably just me projecting my personal failures onto other people.
I suppose you could make a claim that Microsoft should have (a) been more farsighted, (b) taken the high road, and (c) acted in the best interests of its customers and provided better stability/security, even if that wouldn’t generate better sales. That behavior seems unlikely in a capitalist/consumer society.
Besides, why should any company do anything that its customers don’t want? If customers ask for something, companies should do that. However, customers are also allowed to change their minds. Customers can decide that, for instance, security and stability are more important than features. When that happens, companies that can’t switch to providing what the customer wants now are going to suffer. Business life in a capitalist/ consumer society is like that, too.