Wikipedia:Mediation Cabal/Cases/2007-03-06 Microsoft Windows

Mediation Case: 2007-03-06 Microsoft Windows
Please observe Etiquette and Talk Page Etiquette in disputes. If you submit complaints or insults, your edits are likely to be removed by the mediator; any other refactoring of the mediation case by anybody but the mediator is likely to be reverted. If you are not satisfied with the mediation procedure, please submit your complaints to Wikipedia talk:Mediation Cabal.

Request Information

 * Request made by: emacsuser 12:00, 6 March 2007 (UTC)

 * Where is the issue taking place?

User_talk:Warrens Talk:Microsoft_Windows

 * Who's involved?

Warren

 * What's going on?

Security section: erroneous, inaccurate and not neutral point of view

 * What would you like to change about that?

Get it replaced with the historical facts

 * Would you prefer we work discreetly? If so, how can we reach you?

emacsuser@linuxmail.org

Mediator response
I agree to mediate this case.  Snowolf (talk) CON COI  -  14:30, 6 March 2007 (UTC)

Compromise offers
This section is for listing and discussing compromise offers.



Discussion


emacsuser 12:00, 6 March 2007 (UTC)

I do not understand this case, the problem, nor do I see any proposed alternative. I do not understand the relevance of the PDFs linked to on the talk page of the article when looked at from the subject of that section of the talk page. SchmuckyTheCat 19:17, 6 March 2007 (UTC)

As far as I can tell, emacsuser wants to insert statements like, "Bill Gates is quoted in an interview as saying it would make a great Server platform" into the security section of the article. That makes no sense, given the context. The statement, "Despite numerous iterations from NT4 to Vista it continues to be plagued by security lapses" is a somewhat egregious violation of WP:NPOV. This user also wants to remove the vitally important note that "Windows was originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset." This is correct from a historical perspective -- operating system security wasn't an issue on desktop PCs in 1985 when Windows 1.0 was released, because it was impossible to enforce on the platform due to a lack of hardware-level memory protection mechanisms.

I'm not really sure what else to say; this case is pretty light on details... -/- Warren 19:57, 6 March 2007 (UTC)

emacsuser, Warrens has made a good point. What do you say?  Snowolf (talk) CON COI  -  22:08, 9 March 2007 (UTC)


 * Emacsuser's last edit was on March 6, and it's this MedCab case. I hope I'll come back soon.  Snowolf (talk) CON COI  -  22:23, 9 March 2007 (UTC)

The case is simple. This section is inaccurate and not neutral point of view. It also does not contain any citations. The solution being to produce any citations that Windows security was not designed for the Internet or to remove that section.

''Windows was originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset[citation needed]. Windows NT and its successors are designed for security (including on a network) and multi-user PCs, but was not designed for Internet security in mind as much since, when it was first developed, the Internet was less important''

Define 'Less important' in this context and who was it less important to, Novell, Dec, IBM, Darpa? As I pointed out in Warrens page, security had been a problem at least since the 1970s and most certainly from 1980 when the entire Arpanet got shut down and after the Morris Worm of 1988. Now whether Microsoft only started to address security after the turn of the century is debatable, what is not a matter for debate is that Windows security was not designed for the Internet.

Here are MS internal emails discussing Internet strategy in 1995 and reference to Windows TCP/IP and service providers in 1994. In the first there are specifically references to security and billing. In 1997 there are references to winning the Internet platform battle. Does Warren seriously expect us to take 'not designed for Internet security' seriously?

http://edge-op.org/iowa/www.iowaconsumercase.org/122106/PLEX0_2281.pdf http://edge-op.org/iowa/www.iowaconsumercase.org/122106/PLEX0_4524.pdf http://edge-op.org/iowa/www.iowaconsumercase.org/122106/PLEX0_5705.pdf http://edge-op.org/iowa/www.iowaconsumercase.org/122106/PLEX0_2700.pdf

Virus infects Arpanet 1980 ..

http://www.secretguide.net/read/index.php?filename=internet emacsuser 15:49, 10 March 2007 (UTC)


 * You are right, it does not contain any citations. They should be added.  The basic statement that Windows was not designed for a hostile Internet is true, and removing it would be not only inaccurate, but misleading.  The PDF files that you reference do not support whatever claim you are trying to make.


 * There was no internet strategy for Windows 95. Windows 95 included the Marvel client, MSN 1.0.  That client was a walled garden like AOL was.  Windows 95 didn't include Internet Explorer at release - OEMs paid to put it on machines because it was part of the Frosting package, a value-add that added to MSFT's per machine margins IF the OEM included it. MSRP for retail buyers was $50. The default network stack in Windows 95 was NetBEUI and IPX, for connecting to Microsoft LanMan/NT networks or Novell NetWare networks.  TCP/IP was included in Win95, but was not part of the default install.
 * Worms on the wider internet, which was largely Unix, weren't an environment Microsoft was paying attention to AT ALL, nor would those worms affect Microsoft machines. Note, this is largely the reverse of the current platitude that Windows machines are targeted because they are the majority of clients, this was not true in 1995.
 * Win95 was never considered a "secure" platform for BUSINESS computers in closed networks either - never mind the Internet. It could securely connect to servers, but it could not be secured.  The stock answer if an enterprise wanted secure client machines was "buy NT".
 * NT machines were secured to themselves and secure connections through rights permissions from the GUI through the API to the filesystem and onto the network, but they were not designed for a hostile environment. Security at that time was concerned with whether a local user could hack their way into granting themselves more rights, it did not mean putting a machine on a hostile network. NT was made "securable" via service packs and very careful configuration changes but designing a secure Internet machine (either host or client) out of NT4 was a careful undertaking. This paradigm did not change until Windows 2000 came out.
 * It was shortly after the release of Win95 that Microsoft, as a corporation, suddenly "got" the Internet and it took Bill Gates making a huge announcement and making demands of all product groups that they had to make fundamental changes in the way they were designing software. The reality was that the walled garden they had designed Win95 and MSN for was already obsolete.  The rug was swept away from them while it was still being designed.  It was in 1996 that Microsoft started making Internet Explorer a freebie and started rapid upgrades of IE/MSN and the Dial-up Networking architecture.
 * Yet, among all that development there was nothing that changed the Win9x security model - Win95 still, by default, bound File/Print Sharing to the Internet once TCP/IP was added. Win98 removed that glaring hole and didn't expose File/Print through DUN, but added nothing for "security".  Win98 SE (in 1999) added a NAT feature but this was not a security feature, it was a user convenience for multiple machines in one house. This was a rudimentary firewall for the machines behind the NAT. None of these features made Win9x a secure Internet client and nobody (at Microsoft) was addressing it which made a rich market for Internet protection suites from third parties.
 * SchmuckyTheCat 18:25, 10 March 2007 (UTC)


 * Yes, I do expect you to take the claim seriously, because Windows was released in 1985, not 1993 or 1995. The Microsoft Windows article covers the -entire- operating system from Windows 1.0 up until now.  You keep talking about later versions of the operating system like it somehow matters when we're talking about the first version.


 * But if you really feel the burning need to be convinced that the mid-1990s matters, how about that 1997 statement from a Microsoft product manager that told an audience that if they wanted security on the 'Net', unplug their computer: "We never made the claim up front that ActiveX is intrinsically secure." Then there's Iain Mcdonald, one of the top people in Windows (he had responsibility for shipping Windows 2000, XP, and Server 2003), who talked in 2005 about how they made a mistake in enabling all sorts of things by default in Windows 2000.  He talks about how security was a major issue for them over the prior couple of years.  He states "We're three years into a ten year job with security".  Three years... that's 2002.  Not Windows 95 in 1995, NT 3.1 in 1993, and certainly not Windows 1.0 in 1985.  The whole interview is worth watching, because it gives some important context for the security work that Microsoft was doing at the time.


 * There you go, two citations to get you started. We could probably dig up thousands of articles from newspapers discussing how Windows (especially 9x) hasn't been secure for Internet use since its outset, because it's so widely discussed, and it's been well-proven through years of egregious security vulnerabilities and design faults.  A multi-billion dollar industry has built up around it, too, so surely there's more to this.  -/- Warren 19:28, 10 March 2007 (UTC)



A more accurate version of the disputed section would be:

''Since at least 1994 Windows NT and its successors were designed for connection to the Internet either as clients or servers. At the time security wasn't a high priority at MS, that and certain design decisions contributed to the less than stellar reputation Windows subsequently acquired. Those decisions being integration and ease of use for the desktop user. Giving Windows its unique click and get infected feature.''

''Then there's Iain Mcdonald .. who talked in 2005 about how they made a mistake in enabling all sorts of things by default in Windows 2000''

''Windows NT and its successors .. was not designed for Internet security .. most versions of Windows NT were shipped with important security features disabled by default'', wikipedia

That's as may be Warren, but how does 'enabling features' equate to 'not designed for Internet security'? The 'burning' issue here is the patently false claims re Windows not designed for Internet security.

Warren: explicitly state which versions of Windows were not designed for Internet security and the timeline they were produced. Also please address 'the Internet was less important' issue and who was it less important to. Include citations please supporting these claims. For a supposed high quality Wikipedia article, such phraseology is downright careless not to mention just plain wrong.

NT supported Windows network protocols, inheriting the previous OS/2 LAN Manager networking, as well as Unix's TCP/IP networking (for which Microsoft would implement a TCP/IP stack derived from the BSD Unix stack), Wikipedia

Inside Windows NT - 1992

http://portal.acm.org/citation.cfm?id=138407

Windows NT TCP/IP Network Administration

http://www.oreilly.com/catalog/wintcp/ emacsuser 16:32, 11 March 2007 (UTC)


 * You're linking to books that exist, but not how they demonstrate anything you are saying above. SchmuckyTheCat 17:44, 11 March 2007 (UTC)


 * It's not a "patently false claim". The simple, absolutely undeniable truth of the matter is that the Internet was not that important when Windows NT was being developed.  To whom, you ask?  To the millions of people who used computers and were in Microsoft's target market at the time.  We're talking circa 1991 here, not 1999.  Home users were using AOL, GEnie and Compuserve in droves, and BBSs were popular.  The Internet at the time was still primarily an academic and nerd-friendly social environment, and was not widely-supported on home user platforms until 1994-1995 when Trumpet Winsock and Windows 95 came around.  There were virtually no corporations outside of the computer industry itself that were doing anything with the Internet as it existed at the time.


 * Let's look at some facts about Windows: NT 3.1 did not ship with SLIP or PPP capabilities... it had its own proprietary dial-up technology that could only connect to NT Server. PPP didn't come around until Windows 95 and NT4.  TCP/IP networks and Ethernet in general were pretty rare when NT 3.1 was released; Novell Netware on token-ring networks were far more common.  Yes, NT 3.1 shipped with a TCP/IP stack, but it didn't get preferential treatment -- it sat alongside IPX and NetBEUI (but not NetBIOS over TCP/IP, which came in NT 3.5) as networking options which could be installed, the latter forming the basis for Microsoft's networking technology.  That was the reality of the networking world at the time of NT 3.1's release.  As for Internet-facing TCP/IP services, Microsoft got their FTP and Gopher sites running in 1993 and the web site in 1994 using server software developed at EMWAC.  Microsoft didn't ship a DNS server until NT 4, though they had provided a beta version of one with the NT 3.5 resource kit.  It was also a flaming pile of poo before Windows 2000.


 * Oh, and let's not forget later incidents like MS03-010 where Microsoft came right out and said about a service made available by TCP/IP that, "The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability". Gosh, that sure doesn't sound like an operating system that was designed for Internet security, now, does it?


 * You want a timeline of versions of Windows that weren't designed for Internet security? How about I give you the much shorter list of versions of Windows that -are- designed for Internet security:  2004: Windows XP SP2, 2005: Windows Server 2003 SP1, 2006: Windows Vista.  Yes, that's it.  Windows XP shipped with a pile of remotely exploitable services enabled by default, and the firewall was disabled by default, so it doesn't count.  Windows Server 2003 was much the same.  Windows 2000?  Pffft, "Hacked by Chinese!", enough said about that.


 * Anyways, you've made it abundantly clear from your so-called "more accurate" version that you're really not interested in contributing encyclopedia-quality prose to Wikipedia's article on Microsoft Windows. I'm done with this discussion.  It's been eleven days since you opened this and you haven't proposed anything that would improve the article other than snide remarks and poor grammar.  -/- Warren 18:47, 17 March 2007 (UTC)

Yet more discussion
I'm asking the other fella to provide citations for opinions expressed in the article. By most conventional rules of debate, when expressing an opinion it is on you to support the claims with evidence, not up to the other fella to prove the negative. Now would you or anyone else please provide supporting evidence for the following:

''Windows NT and its successors .. was not designed for Internet security''

emacsuser 18:06, 11 March 2007 (UTC)

Anyone here care to explain how you can design a TCP/IP interface not designed to work on the Internet?

Microsoft TCP/IP VxD Interface Specification Oct 24 1994

http://ftp.hs-niederrhein.de/~ftp/pub/oldstuff/win31/winsock/ms-ext/VXDTDI.DOC

emacsuser 16:56, 16 March 2007 (UTC)


 * In 1994, the majority of TCP/IP based PCs were connected to corporate LANs not the Internet. You needed TCP/IP as a generic transport protocol, or to connect terminal emulators. Those corporate LANs may have had an Internet interface somewhere, but it was not something any desktop user knew or cared about, if they had access to go through it at all. SchmuckyTheCat 20:37, 16 March 2007 (UTC)

While that may or may not be true, how does corporate LAN policy or lack of knowledge by the desktop user equate to 'Windows NT and its successors .. was not designed for Internet security'? emacsuser 16:15, 17 March 2007 (UTC)


 * The point isn't corporate policies, it was that Microsoft was designing for locked down corporate networks. Microsoft makes design goals for a product based on the market that will buy the product. NT was designed to obsolete LanManager and supplant NetWare (and to a lesser extent, Lantastic and Banyan Vines), not the Internet. The Internet wasn't even on the radar for Microsoft, and neither was Internet security. Capable of being on the Internet and designed for security doesn't mean it adds up to "designed for Internet security". SchmuckyTheCat 18:14, 17 March 2007 (UTC)

Produce any citation that MS was designing for locked down corporate networks. In 1995 there are references in an email, to moving Blackbird objects across TCP/IP networks and security and billing. It's addressed as from Nathan Myhrvold, CTO at Microsoft. The subject title of the email is 'Internet Strategy'. How does this get translated in your mind into 'wasn't even on the radar'? What's your interpretation of the following extract:


 * the Blackbird MSN/Internet/CorporateNet issue has been widely discussed


 * We will move to using TCP/IP, and thus will benefit from the ever cheaper connectivity which is a central part of the internet April 24 1995

http://edge-op.org/iowa/www.iowaconsumercase.org/122106/PLEX0_2281.pdf

Still waiting for citations in support of the following:


 * Windows NT and its successors .. was not designed for Internet security

emacsuser 12:26, 18 March 2007 (UTC)


 * ''Produce any citation that MS was designing for locked down corporate networks.'' The Windows Resource Kits.


 * Nice citation for 1995. That means of course, that the earliest products anything talked about in 1995 would have been Windows 98 and Windows 2000.


 * As Warren said, there isn't anything else to add to this for you. You want the article to say something that is obviously untrue.  ''Windows NT and its successors .. was not designed for Internet security'' does need a citation, but it's a difficult thing to cite.  It's the same logic as proving a negative.  I don't consider it a problem, this is a historical section. When writing on history topics, it may be necessary to include a sentence pointing out to contemporary readers some obvious fact of the time being discussed.


 * Also, as Warren said, I'm done. I'm not responding to this mediation anymore. SchmuckyTheCat 15:28, 18 March 2007 (UTC)

''You want the article to say something that is obviously untrue''

For whatever reason, you have willfully and disingenuously misrepresented the issue. No, I want the author of that section to produce a citation. That you cannot is because that statement isn't true. You and Warren are entitled to your opinions. But they don't belong in a neutral point of view article.

''Windows NT and its successors .. was not designed for Internet security .. does need a citation, but it's a difficult thing to cite''

Because it isn't even true, Schmucky.

''It's the same logic as proving a negative.''

No, producing a citation for a given statement, is called proving a positive.

''it may be necessary to include a sentence pointing out to contemporary readers some obvious fact of the time being discussed''

So produce some citation from the time showing that NT and its successors was not designed for the Internet.

''I'm not responding to this mediation anymore''

Guess I'll take it to formal arbitration then emacsuser 16:00, 20 March 2007 (UTC)