Path – Well, today we have proof that someone intentionally sent Anthrax to Microsoft. It would be a lie to say I am surprised. The terrorists are not trying to inflict maximum casualties at this point, but rather to attack the most visible symbols possible so that every American citizen is aware of the possibility that he or she could be next. And it was obvious that all of the energy diverted to such silliness as reinforced cockpit doors would naturally make non-aircraft targets much softer. As soon as we all start watching our mail more carefully, the terrorists will move on to other soft spots. No defensive measures we can take will make us safe; there are far too many soft spots in America’s infrastructure. Like all wars, the war that the terrorists declared on America is a war of attrition. They are betting that Americans will get worn down by each successive new thing that we are expected to worry about. And when we are finally worn down, we’ll pull out of the middle east and stop doing whatever it is that Osama righteously believes we shouldn’t be doing. Unfortunately, that would never work. A nation of 300 million people can’t be forced to negotiate with every single psychopath who figures out how to commit mass murder. If we appease Osama, we’ll just show that his is a profitable business and create a thousand more like him. There are more than 6 billion people on the planet; letting every one of us be a one-man government with capability of mass destruction is stupid (and an O(n^2) proplem). The idea that every single human being is good and will do the right thing if given the chance is not idealistic; it it stupid. Stanley Milgram proved that a good percentage of us would push the button if asked; and at least 2% of us would push the button on our own if given the chance. By my math, that’s about 120 million people who aren’t even close to qualifying as “innately good”.

Laws exist because that 2% exist, and because about 60% of us are willing to take orders from that 2%. Laws are not capable of preventing crimes. Laws exist simply to create a cost/benefit situation that makes the odds more favorable for the 2% guy to start a pizza parlor than to push the button. People like Osama have found that the costs and risks of terrorism are very low, and the payoff is very high. Unfortunately, the few tastes of success that the terrorists have had over the past 20 years will make them far more tolerant to failures for the next 50. Our war of attrition is to wear them down until all of the terrorist who remember that “the infidels used to respond to this” are gone, and the youngsters only remember terrorism as a fruitless and punishing waste of time undertaken by pathetically bitter and zealous old men.

We should expect incidents like the Anthrax to continue. And we should expect the terror to take new forms. The terrorists did not select their targets out of some stupid delusion that they could actually bring down the financial exchange system or halt the military by ruining a few buildings and killing a few thousand people. They know that they are not capable of inflicting damage of that scale on America. Their targets were chosen specifically because they are all highly-visible symbols of stability and security. All of these institutions are still just as stable and secure as before, but the terrorists have succeeded in getting Americans to consider the fact that none of us are completely safe. At this phase in the terrorist’s war, we are all supposed to be thinking “it could happen to me.” Of course, it’s not long before people wise up and start thinking “I’m not a highly-visible symbol of American stability and security, so I am safe.” By that point, the big megaphone of visibility provided by such institutions as DoD and NYSE will be no longer useful to the terrorists, and they will concentrate on driving home the point that even average Americans who never go near highly-visible targets are at risk. To use a marketing metaphor, the terrorists are using celebrity testimonials right now; the “neighbors next door” testimonials must follow.

It is worth mentioning that an outcome which sees America withdrawing from the middle east and appeasing the Islamists is not the only scenario that is a victory for them. Equally favorable to them would be the scenario where we provoke a West vs. Islam holy war. If every individual in America feels fear and tries to make it go away by withdrawing from the Middle East, the Islamists win. If the actions of the Western superpowers provoke riots and revolution in moderate Islamic states, and defensiveness from fundamentalist states; the Islamists win, too. It is like the game “heads I win, tails you lose.” The cost/benefit equation for Zawahiri and Bin Laden is extremely favorable. We have to balance the coin on its edge this time, and the only way to do that is by being patient.

The terrorists’ only hope of victory is to wear us down and provoke a panicked reaction, and fear is the only tool at their disposal. And so far, it’s been working for them. Until we do like Hammurabi and change the cost/benefit equation, we aren’t finished. And that’s going to take a long time. In the meantime, we have to assume they are going to keep pulling the lever.


Really? – Today, a CNN on-line poll shows that nearly a third of people asked believe that the Anthrax infections in Florida have nothing to do with terrorism. Even when offered “I don’t know” as a choice, they respond assuredly that this is not terrorist related. Watching the degree to which people are capable of denial when faced with unpleasant but obvious facts has been fascinating. Looking at the facts:

  • All of the victims lived and worked near the terrorists.
  • Inhalation Anthrax almost never occurs naturally.
  • The spores, when tested, were a strain of Anthrax that does not occur in nature.
  • In February, the government’s main turncoat witness from the embassy bombing trial, Jamal Ahmed Al-Fadl, testified that he had been involved in attempts to aquire chemical weapons and that members of Al Qaeda had been trained in placing objects in building ventilation systems.
  • Anthrax has a six day incubation period, and after incubation can take up to 30 days until critical symptoms like those seen in the first victim appear. Thus it is very likely that the spores were distributed before September 11.
  • The location of infection was probably in an office building, which is not a normal place to find sheep from Pakistan.

You don’t have to be William of Occam to apprehend the clear implications I pointed out earlier. Yet the news still tells us that “health officials emphasize that there is no clear evidence linking this with terrorism.” Of course, 16 of the hijackers were “completely new actors” and thus the government has no clear evidence linking them to terrorism. Thank Allah that we knew one of those guys to be a terrorist so that we can confirm that the destruction of the WTC was actually linked to terrorism!! Otherwise we would have no clear evidence linking that event to terrorism…

Th vaccine works, by the way. At least, it works against inhalation anthrax on monkeys, which is a good sign. It is interesting now to hear senators slamming BioPort, acting as if it is BioPort’s fault that there is no vaccine. “How dare BioPort not be able to meet all of our FDA regulations and paperwork!!” I haven’t heard any discussion at all that maybe the FDA regulations were stupid and onerous; and maybe our entire nation is unprotected because the bureaucrats meddled too much. The stupidest are the senators who blame the situation on lack of competing production facilities. It is necessary to have live Anthrax around to produce vaccine. Multiplying the number of places that have live anthrax sitting around is a very bad idea. Keeping the anthrax from making it out the manufacturers’ doors is something that does benefit from government regulation, and in this regard BioPort does a fine job of complying with government regulations. Multiplying the number of facilities will increase the risk that live bacteria control regulations will be violated, and will not make it any more likely that someone will be able to meet all of the frivolous FDA regulations anytime soon (BioPort has been working on it for years and is only now close to being compliant). Anthrax infection by inhalation is not very easy to diagnose, either. I am wondering how on earth the FBI are expecting nasal swabs to be conclusive, but they must know something I don’t.

Speaking of government meddling; it is interesting to note that shortly before these attacks there was controversy in the negotiations on chemical and biological warfare. Apparently there were certain countries who felt that all participating nations should be required to disclose the locations of all chemical/biological defense sites and medicine stockpiles. I must be stupid, because I can’t imagine how it makes the world safer for Sudan to know where all of the U.S. antibiotic stockpiles are. When your enemy knows that you do not have a way to defend against a nuclear weapon, the weapons can remain unused and still serve as a capable deterrent. Russia is concerned about U.S. missile defense plans, because such plans could neutralize the deterrent impact of the Russian nuclear arsenal. But are some countries actually imagining that their bio-chemical weapons will be a deterrent of the same type as nuclear weapons? Sorry to say, but the deterrent club is already full; and the current members don’t want any company.

We can understand if CNN and the pundits want us to feel safe against all reason. But I cannot understand why CNN and others are having such a difficult time figuring out who we are attacking. I am still seeing headlines about an “attack on Afghanistan”. This is inaccurate, misleading, and dangerous. The U.N. and U.S. have never recognized the Taliban as being Afghanistan, and there is a legitimate Afghan population and government who are not being attacked and are not having bombs dropped on them. It is quite shocking; the Taliban have been trying for years to be recognized as the legitimate government of Afghanistan. Finally, when they harbor Arab foreigners and terrorists and provoke an international war, the American media do exactly what the Taliban wanted all along and declare them to be “Afghanistan”. Can somebody please tell these so-called journalists to shut up and stop working against the carefully-laid foreign policy of every single government in the world (not one of which recognizes the Taliban as being “Afghanistan”)? This is, by any measure you choose, “an exercise to liberate some territory in Afghanistan that has been overtaken by a foreign-led opressive and autocratic regime of thugs.”

At least one person writing in Peshawar’s newspaper is thinking the same thing that I’m thinking.


Records – I just made it 23 hours without turning on my computer; that’s got to be a record. Today is a good day for baseball. Our M’s tied the record set in 1906 for most wins in a season, and they still have a chance to beat it. Barry Bonds set the record for homers+=2 last night, and Cal Ripken retired, breaking his personal record for worst full-season batting average.

I am trying to figure out what Annan means when he says “solve the Kashmir problem” diplomatically. Kashmir is part of India last I knew, so who are the conflicting opponents in this “diplomacy”? India and India? Or India and terrorists? Annan makes no sense. Who exactly should India negotiate “diplomatically” with? Some terrorist group of thugs? Is it really diplomacy to negotiate with someone who is not representing anyone other than himself and fellow thugs? Who are the citizens who voted to make the Jaish-e-Mohammed their government? If nobody voted for them, they don’t speak on behalf of the people of Kashmir. And if they have no citizens, no state, and no diplomats, what the heck is Annan blathering about?

Even wackier is this news that some US Congressman claims that Sikhs are being repressed in India. They quote the congressman as having called for “Free Khalistan”. This is so outrageously ludicrous a quote that I have to assume it is a bald-faced lie and only meant to cater to the credulous pro-Taliban readers in Peshawar. The article claims further that there is American support for Nagaland separatists. So we are led to believe that Americans (and our congressmen, no less), support the idea of carving off three new countries based on religious lines — one for Muslims (Kashmir), one for Sikhs (Khalistan), and one for Christians (Nagaland).

Someone over there needs to be set straight. America is all about secularism and separation of church and state. So is India. This is the only way to guarantee freedom of religion (and freedom from having someone else’s priest write your laws). Things get incredibly ugly when nations are created on ethnic or religious divisions; this is exactly the problem in Afghanistan, and represents everything that democracies oppose.

intellectual property

Intellectual Property – Today our team got our first real code-signed builds and got the Windows Installer modules working with the proper versions of the .NET Frameworks. When everything else that we depend on is also releasing daily builds, it is quite tricky to get things all lined up. It feels great to see the light at the end of this particular underpass.

I celebrated by taking some time to see what’s happening on the various online communities. I was quite surprised to see a bunch of controversy about patents and the W3C. The discussion is about some proposed changes to W3C patent disclosure policy, but that is all I know. Unfortunately I do not even remotely understand what is being proposed, so I don’t really have an opinion about it. In fact, most of the messages boil down to either “patents are good” or “patents are bad”. If someone believes that all patents are evil, then they probably don’t need to even read or understand the W3C proposals to come up with an opinion. Don Park at least relates the issue directly to W3C, and makes an interesting point. I remember way back when SHTTP and SSL were the two dueling standards for web encryption. Netscape had patents on SSL and was intending to charge royalties. I was among the hordes of people who e-mailed Netscape asking them, “for the good of the Internet”, to let go of control of this particular thing. Netscape did, and I still think it was the right thing for them to do. Even though Netscape was clearly becoming a de-facto standard by that point (and SSL was easily superior to SHTTP), Netscape’s move avoided a wasteful standards battle that would have significantly slowed the adoption rate of the Web and Web Commerce. Removing barriers to adoption grew the market faster, and getting short-term revenue gains by restricting the growth of such a high-potential market would probably have been a bad financial decision in any case. But … there I go spouting commentary without even reading the W3C proposal. I hope people work things out…

sinking sand

Sinking Sand – First, Jaish-e-Mohammad terrorists connected to the Taliban killed 30 people in Kashmir in a suicide bomb attack. Next, gunmen murdered worshipers at a Shiite mosque in Pakistan. Taliban are Sunni (and hate Shiites), but who knows if there is a connection? Now, a Russian airliner full of civilians has been shot out of the sky, and we are assured that this, too, has nothing to do with terrorists. There is an unprecedented outbreak of a truly horrific virus at the Afghan border. And some guy who lived less than a mile away from where Mohammed Atta did his test flights is now infected with pulmonary Anthrax. Nevermind that the last case of pulmonary Anthrax was nearly 30 years ago and caused by long-term inhalation of dust from Pakistani wool – we are again told that this incident is not terrorist-related. I can’t wait to see what other non-terrorist events are in store. Maybe the hackers will protect us, and “open a can” on the Taliban’s high-tech. At least some people have figured out how to keep up with their neighbors’ patriotic displays, even though the stores have run out of flags.

old crufatin

Old Crufatin – The New York Times has been writing about Bill Ayers, one of the anarchist heroes of the sixties now turned professor. Ayers story proves how impressionable (and self-impressed) young minds are, and how some minds never grow up. But more than that, Ayers is a good antidote for the people who feel that we need to understand and thereby embrace terrorists. Ayers felt important when he was a part of destruction, and he doesn’t even lie about it. How hard is that to understand? Understanding someone isn’t the same as embracing them. The only thing difficult to understand about this old crufatin is why he still takes himself seriously. Sampling amateur anarchists from the sixties is good entertainment, but actually prop’ing these ideas in this day and age seems very naive. How does he explain his views to his captive audience of students in Chicago? “I used to make bombs to murder innocent people, but I don’t anymore. I still think it was a good idea, and if you do what I did then you might even get the same amazing results as me!” That’s really inspiring.

the iis plan

The IIS Plan – This interview with Brian Valentine sums up the main action plan for addressing IIS concerns. The quote that sums up his attitude best is “When we look back in a few years, we will see this as one of the critical inflection points in our company’s growth.”

Here are my notes, detailing the parts of the plan I found interesting:

Two initiatives for customers:
Get Secure:

  • All virus-related PSS calls for all customers (not just enterprise) are now free. 1-866-PC-SAFETY.
  • Premiere Support and Microsoft’s Consulting Service as of today are offering a Security Assessment Service for large enterprises; this service may be for fee (at discretion of local offices), but will not be profit-driven, and will eat significant costs where customer situation warrants).
  • Regularly updated Security Toolkit will be distributed. Each will include all known patches and tools, and a one-click “make my system secure.” First toolkit mailed and web-distributed on October 15. As of tomorrow, the tools should be available to MS Employees to hand out to customers. All of the tools are fully supported, and are made to run on NT4, Windows 2000, and Windows XP. This is not “resource kit” or loose collection of unsupported tools. Localized versions come later, since getting tools available quickly is top priority.
  • New set of additional security tools will RTM in December.
  • Toolkit will not be perfect starting Oct. 14; will make continual improvements based on feedback.

Stay Secure:

  • Mid 2002 availability of federated Windows Update for enterprises. This lets enterprises run their own windows update service under their own control.

  • Feb 2002, Provide version of windows update that can be configured to accept and install updates with zero user intervention.
  • Make security bulletins simpler and integrated with update technology so an IT administrator can simply approve a security patch and have it automatically be pushed to the whole enterprise.
  • Security patches will now contain absolute minimum fix; no QFE, etc. stuff lumped in.

Internal Efforts (Not Customer-Facing):

  • (Historically) Windows 2000: Hired a bunch of people to do penetration analysis and code analysis, and placed unprotected servers on the net to let hackers attempt cracking it. Built and used automated code analysis tools to detect some common security bugs.
  • Windows XP: Code analysis tools have been improved to detect many more types of security bugs, and continued increases in investment in security analysis.
  • Currently BrianV organizing a full pass review of how security is handled in all groups to look for deficiencies.


  • BrianV con-called with 1000+ CIOs and other IT people to get feedback and comment; has handed out his e-mail to everyone.
  • Any customer should be able to call that phone number above (or contact any Microsoft employee) and get the one-click “make my system secure” tool kit for no charge.
  • BrianV will be point-person working with competitors, government agencies, etc. on industry-wide solutions. “We think that some of these problems require industry-wide solutions, but we realize that it is incumbent upon us to drive solutions”. Brian will take a more visible role in driving these solutions.

So the way I see it, we will be successful to the degree that we:

  • Assure that no customer ever again finds it difficult, confusing, or time-consuming to keep their system secure.
  • Improve security going out the door so that fewer patches are required (IMO, this wouldn’t have made a difference in any of the recent worms, but is still a good goal for countering potential future threats). The goal here is to be the platform with fewest known vulnerabilities that need to be patched, using any metric you care to apply.
  • Be a lot more proactive in contacting, encouraging, and helping customers keep their systems secure.

And of course, huge progress in fighting worms could be made by getting the router vendors, OS vendors, and other infrastructure vendors to all work together, and hopefully that happens too.

another day

Another Day – Today we had the first “bug bash” for the program I’m working on. A bug bash is where everyone on the team sets aside their normal activities and starts hammering away on the code trying to be the person to file the most bugs. It was fun; the first bug I filed was already fixed before 5PM, but there are still plenty of other bugs to keep the devs busy for a few days.

Today, Brian Valentine called a meeting about our response to Gartner’s negative comments on IIS security. Many people think that Microsoft is an ivory tower where we ignore our customers. These people might be surprised to know that literally thousands of e-mails have been flying around on internal mailing lists about what we can do about the problem. Of course, there was already a lot of soul-searching starting around the time of Melissa and SirCam, but the Gartner report was a major wake-up-call (in my opinion). BrianV is the guy who made Windows 2000 ship, and if anyone can make a major impact on IIS security situation, he’s the guy. He gave lots of details about the things we will be announcing (and delivering) soon. He points out that, while we are not the worst in terms of security, we are not the best either. He is dead-set on changing things here until we are the undisputed best. He’s also going to start working with competitors and others to set up cooperative solutions where it makes sense.

Responding to yesterday’s theme on Journalistic conflicts of interest, Ramaswamy pointed me to an amusing jab at CNN journalists in a Pakistan weekly: “Top Ten Ways to Look Like a CNN Journalist”.

respect mahh authori-tay!!!

Respect Mahh Authori-tay!!! – Andrew Orlowski is obviously pretty smart, judging from his past articles for The Register. But he seems to have jumped too soon into the clever rhetoric regarding IIS security and didn’t take the time to get educated about the facts. He started out tentatively enough, but when a bunch of rational people educated him, he made the bizarre and paranoid jump to proclaiming that he was being astro-turfed. If someone disagrees with the vaunted knowledge of a journalist, it must be a conspiracy, right? Rather than try to (gasp!) educate himself about the issues, today he posts another defiant non-news item as if to say, “how dare any of you disagree with my obvious expertise!” This late breaking news has someone named “Richard Brain” (I’m not kidding) providing an “expert” viewpoint. This “Richard Brain” says that Apache CGI is the same as IIS ASP, forgetting to mention that IIS implements the exact same CGI that Apache does, and it has nothing to do with ASP. “Rick Brain” continues like this, and to close the article, Andrew quotes another so-called expert making a silly car analogy that doesn’t seem to have any relation to the topic. Many people have noticed that Scott McNealy constantly uses car analogies, but I am sure there is no relationship here. Scott McNealy is from the Detroit area, like Steve Ballmer, so one wonders why Steve doesn’t see everything as a car manufacturing problem; but that also is off-topic.

When covering incidents like the current “War on Terrorism”, journalists are torn between conflicting motives.

  • Credibility – Journalists and their news organizations are incredibly dependent on credibility and reputation. People want news that they can depend on, and are quick to seek out more “authentic” news sources when they percieve that credibility is lacking. This fact, the reader would assume, can act to keep the media focused on high-integrity journalism. Unfortunately, it tempts journalists in highly-competetive environments to make some unethical trade-offs:
    • Fabricated Expertise – Journalists and their companies can end up spending significant effort on making themselves appear credible, rather than actually putting in the groundwork to get credible facts. Presenting opposing views, no matter how inane, helps show how “balanced” they are. Even if the reporter cannot find anyone who can credibly articulate the positions of the Taliban, Al Qaeda, or the Pakistani people, the reporter can still claim to be “balanced” by interviewing someone who says the opposite of whatever President Bush says. Another method of fabricating credibility is to interview people with credible titles like “market watcher”, “middle-east expert”, “adjunct professor of asian affairs”, and so on. Who needs to know about actual facts on the ground when we can hear it all ‘splained to us by a “former deputy chief for diplomatic relations”? The science of appearing credible has become a fine art in modern media, and it’s not a good thing.
    • Defensive Behavior – The scientific method is all about trying to prove yourself wrong, and using objectively repeatable observations to do so. This passion for using facts to correct one’s viewpoint is not something that is widely shared in an industry that thrives on having readers think that you are always right. If a journalist says “whoops, I was wrong!” too many times, readers start to think “maybe he’s wrong this time, too.” Of course, good journalists educate themselves and check all of their facts before writing the story, but people still make mistakes. When a news organization puts perceived credibility ahead of factual integrity, you see journalists playing “payback” with their critics (who are often themselves journalists). Journalists would like to think that this is some sort of glorified checks-and-balances system within their own profession, but mostly it is just people with big egos trying to obscure the facts to avoid having their mistakes exposed. Of course, strategically admitting to a harmless mistake every now and then is equally necessary to prop us credibility and bank up a defense of examples for a rainy day.
    • Self-Importance – Eventually, some of these experts start to believe their own credibility. “If all of these people consider me to be an expert, then I must really be an expert!” Eventually, these people write “op-eds”, which now seem to be an accepted form of “news”. How it can be news that “someone had an opinion” is a mystery, especially when Clint Eastwood clued us in so many years ago. But this is what happens when people cultivate reputation and take themselves too seriously. This gets even worse when journalists start to see themselves as some sort of powerful corrective force that must be respected, and are willing to back that up with retaliatory behavior. For example, journalists hounding Condit about the Chandra Levy affair, when asked what they expected to gain replied “we won’t leave until he resigns”. By claiming that “everyone has biases, so it is fine for a journalist to be biased”, they justify crossing the line between “humble fact-gathering servant of the public” to “vengeful dispenser of enlightened activist justice.”
    • Fact Avoidance – If loss of credibility is a disaster for a journalist, then common sense would dictate that the journalist avoid as much as possible things that could test his credibility (facts, to be specific). This is another reason that “op-ed” is so popular. The journalist can start with a simple, boring, news-fact and use it like a stem-cell to craft whatever opinion or editorial they wish to write. The cleverest of journalists don’t even need to start with verifiable facts; they can use as a stem-cell something like “Experts agree that there is a possibility that Condit could be tried for petty larceny”. From there, they can write about anything they wish, even reviving old english class essays from college. Since the article contains no facts that can be verified, it also contains no facts that can be discredited. Fantastic!
  • Eyeballs – Newspapers today depend on advertising, which is why we saw the intensely absurd situation after Sept. 11 where papers like the New York Times warned that they would lose money by being forced to carry news instead of advertisements. To get maximum revenue, they have to attract maximum readership. And if they don’t, they will get gobbled up and “reformed” by one of the remaining five media conglomerates that own most of the newspapers in the United States. This can have journalists making hard choices:
    • Fashion beats Fact – Things like fashion, relationships, lifestyles, celebrities, and electronics are proven draws. These are the things that people like to talk about, and give people a sense of community (and an endless source of idea stem-cells for their own discussions). Unfortunately, fashion is fickle and volatile, which is why we have “fashion rags” to cover fashion. When major news organizations like CNN and New York Times sunk their budgets disproportionately into fashion, they were caught sleeping by the terrorist attacks. These and other news organizations have announced they are going to start spending more money on international reporting again, since (surprise) that is what readers want now. Fashion is not news; it is fashion.
    • Controversy gets Attention – David and Goliath stories, probes into Senators’ personal lives, personality pieces about how mouthy some executive is – these are the things that get people’s attentions. If a journalist makes a broad and shocking claim, people pay attention. Again, “op-ed” is best for this. If a journalist claims that 4,000 Jews were warned to stay away from the trade center, he is quickly exposed as a fraud. But a clever journalist can report hearsay (a bunch of Palestinians said it) and build enough of an article to get people’s passions fired up.
    • Pessimism and Buying Don’t Mix – Many studies have shown that people exposed to violent and unsettling scenes are not favorably disposed towards buying things that they subsequently see advertised. Does this slant the way that the news (or “op-ed”) gets presented?

Continuing my investigation of the money-laundering and shadow economies that sustain terrorism (CNN today reports on “Hunda”, another name for “Hawala”, which is really another name for “draft”), I was not surprised to find that NATO is still
ambivalent about smuggling and black market activities.