Expert Appointed to Advise EU Commission on MS Compliance
Wednesday, October 05 2005 @ 01:46 AM EDT

The EU Commission has chosen a Professor Neil Barrett to act as the Trustee in the Microsoft antitrust matter. Barrett's assignment is to advise the Commission on how well Microsoft is complying, and he is an expert in the field of computer security and cyber crime. I note that the press release says he was chosen from a list provided by Microsoft:
In accordance with the terms of the Decision, Microsoft submitted several candidates for the position of Monitoring Trustee. The Commission carefully examined all candidates in terms of their expertise and impartiality, and determined that Professor Barrett was the most qualified to carry out the Monitoring Trustee function.

So, Microsoft got to suggest its own watchdog. Certainly, if Microsoft merely pretends to comply, he should be able to spot it. However, since the Commission already let Microsoft exempt FOSS as far as interoperability is concerned, pending its appeal, I find it hard to care too deeply and anticipate he'll report Microsoft is doing fine.

What does Microsoft care, as long as FOSS is not allowed to compete on a level playing field? That may be overstating it, but allowing Microsoft to open up to everyone but its chief competition sticks in my craw.

The EU Commission press release doesn't identify him except by name, but I think I've found the right Professor Neil Barrett. If you'd like to read something he's written, here you go. The blurb on the cover page describes him like this:

Academic, author and frequent computer expert witness for the prosecution, Neil Barrett brings an in-depth, 'big picture' perspective to the wild world of IT security and computer crime

He does have a sense of humor, as you can see in the opening paragraphs of an article on the need for better, clearer laws to deal with cyber crime. He begins by listing some ridiculous laws still on the books around the world:

Some of these laws are plainly silly; others simply haven't been repealed; and others... well, who can tell where and how they arose?

In Switzerland, for example, it is illegal for a man to relieve himself standing up after 22:00 local time - reasonable, I would assume, in a block of flats where the noise might disturb. In New York, the penalty for jumping off a building is death - a bit harsh, though I would suspect that with skyscrapers there's seldom a need for the courts to impose the sentence. In Scotland, it is illegal to be drunk in charge of a cow; in Iowa, one-armed pianists must perform for free; in Florida, having sexual relations with a porcupine is an offence; in Tampa Bay, it is illegal to eat cottage cheese after 18:00 local time; and in New Orleans, a woman can only drive a car if her husband waves a warning flag in front of it.

No wonder it was hard to evacuate New Orleans. Joke. Joke.

Maybe it's too soon to joke about that. I'll never forget those images. I've been haunted by one in particular. On Fox News, there was one young mother, whose adorable blond toddler hadn't had sufficient water and the distraught mom said he was becoming sluggish and it was getting hard to wake him up. I'll never forget her or her words. She said, "This isn't about rich people or poor people. This is about *people*." I burst into tears, seeing her distress. Does anyone know what happened to that mom and her son? Did they make it? If so, could you let me know? I can't stop thinking about them.

But getting back to Barrett, his suggestion regarding computer security laws is a bit frightening, when I think about my poor clueless mother, or all my nongeek friends and relatives.

He writes about a UK case, Rylands v. Fletcher, where Fletcher had built an inadequate reservoir on his land, and it flooded Rylands' mine next door. Fletcher was held responsible, the court ruling that "anyone who brings or collects and keeps on his [sic] land anything likely to do mischief if it escapes must keep it at his peril and if he does not do so is prima-facie strictly liable for all that damage which is the natural consequence of its escape". Barrett extrapolates that ruling to computers:

Rylands v Fletcher establishes the principle for responsibility in cases of negligence - and arguably, though it makes no reference to computers, can be applied in the world of networks. This computer is on my land and can be thought of as having 'escaped' if I were to lose control of it - that is, if it were controlled remotely by a hacker using a Trojan or similar. And if it does indeed 'escape', it can do 'mischief' in the sense of being a part of a zombie army used in a distributed denial of service attack or similar.

The ruling in Rylands v Fletcher says that I keep this computer 'at my peril'; it is my responsibility to take measures to ensure that it does not 'escape' - that is, it is my responsibility to secure my own computer against use by hackers, or suffer liability for any damage resulting in its escape.

Could such a ruling be applied in practice? I know of no situation in which Rylands v Fletcher has been applied in cases of supposed computer negligence but it would be nice to believe that those people operating unsecured computers used by hackers to attack third parties have at least some responsibility for the damage arising from their negligence.

And it would be nice to have at least some legal tool with which to encourage improved security.

I have a better idea. How about, if we are going to write new laws on computer security (not that I personally am encouraging it), as Professor Barrett gets to know Microsoft better, he thinks along the lines of holding Microsoft responsible for selling people like my mom software that she is totally unable to control? Really, Professor Barrett, is there any way known to man to actually secure a Windows 98 computer? Millions of people still use them, you know. Seriously. Add firewall and antivirus and antispyware, and you're still a sitting duck, in my experience, anyway.

Microsoft is the computer expert, after all, not my mom. Microsoft sold her software with so many flaws, built-in vulnerabilities, and easy ways for the bad guys to take control of her computer, the poor old thing doesn't have a chance. Wouldn't that be a more efficient method? She uses XP Home, by the way, just so you don't suggest we outlaw Windows 98 and think you've solved the problem. Or, she did use XP, until I bought her a PowerBook, so my life would get easier. I'm tech support.

And if you passed a law saying all computer owners are required to purchase and keep up-to-date antivirus software or whatever, could you first stop and think about the nonWindows world? We are here, you know. And we are not contributing to the problem, so why should we be forced to take steps that really apply to Windows users? Some of us stopped using Microsoft software in part because we got sick of all that aggravation. Remember when Darl McBride visited Harvard and he joked with a guy in the audience, suggesting that maybe his was one of the computers taken over by the MyDoom virus that was then blasting SCO's website? The audience member truthfully answered that his computer ran Linux, and MyDoom only ran on Windows, so he was sure his computer wasn't involved. When was the last time you heard about a virus incident involving Apple or GNU/Linux? Just something to consider, if our goal is writing better, clearer laws.

Barrett writes a regular column, Criminal IT, so you can read his articles to get the measure of the man. Here's an article he wrote on why computers are insecure by nature:

In the language of mathematics, a computer program is a Turing Machine and a computer - a device able to run any Turing Machine - is called a 'Universal Turing Machine', a mathematical model able to interpret any mathematical model. One feature of Turing's work, though, was to show that there are programs which cannot be run to completion - programs which are the analogues of 'this statement is false' and cannot therefore be decided.

What does this mean for information security? In essence, we want to know in advance whether a given sequence of changes to data - a program - is going to be 'harmful' or not. Unfortunately, in 1986, Fred Cohen managed to prove that the problem of determining whether a piece of program was a virus was indeed an un-decidable problem. A Turing Machine to run the analysis would never halt; the only way to determine the effect of the program was actually to run it and see.

This is an enormously important result. It means the task of the antivirus program is mathematically impossible. By extension, the task of determining in advance whether any program will have a harmful effect is equally impossible. The only way of establishing what a program will in fact do is to allow it to execute and then to look at the state of the computer's memory. If the task of information security is to predict whether a given program will have a harmful effect on the data state, then this is impossible.

The implication is that the mathematical model of computation has insecurity implicit within it because we know that we cannot know ahead of time whether something will or will not be damaging. To borrow a phrase from my colleague Stephen Castell, computers are "ontologically insecure" - whether they are built on the von Neumann or any other architectural model.
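
The reasoning in the passage quoted above can be made concrete. The Python sketch below is an added illustration, not taken from Barrett's article or from Cohen's paper: for any candidate detector it builds a program that asks the detector about itself and then does the opposite, so every detector that answers is wrong about that program, and one that runs the program to find out never finishes. All names are hypothetical, and "harm" is only an abstract label; nothing harmful is executed.

```python
# Added illustration of the diagonal argument; every name here is hypothetical.
HARM, SAFE = "harm", "safe"  # abstract behaviour labels only


def make_contrarian(detector):
    """Build a program that consults `detector` about itself, then does the opposite."""
    def contrarian():
        # Flagged by the detector -> behave safely; cleared -> show the flagged behaviour.
        return SAFE if detector(contrarian) else HARM
    return contrarian


def refute(detector):
    """Return (detector's verdict, actual behaviour) for the detector's own contrarian."""
    program = make_contrarian(detector)
    try:
        verdict = HARM if detector(program) else SAFE
    except RecursionError:
        # The detector tried to run the program, which called the detector, and so on.
        return "no verdict", None
    return verdict, program()


# Four candidate detectors (constructed for this example).
def flag_everything(program):
    return True


def flag_nothing(program):
    return False


def flag_by_signature(program):
    # Static check: flag any code object that references the HARM label.
    return "HARM" in program.__code__.co_names


def run_and_watch(program):
    # Dynamic check: "run it and see", which never terminates on the contrarian.
    return program() == HARM


def results():
    detectors = (flag_everything, flag_nothing, flag_by_signature, run_and_watch)
    return {d.__name__: refute(d) for d in detectors}


if __name__ == "__main__":
    for name, (verdict, actual) in results().items():
        print(f"{name:18} verdict={verdict!s:10} actual={actual}")
```

Each detector fails only on the program built against it; the argument shows that no single detector is right about every program, not that detectors are wrong about most programs.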

If insecurity is implicit, then writing laws, holding anyone responsible for unintended insecurity results, seems a bit Alice in Wonderland, but I'm not a professor and Barrett is, so I may have overlooked some piece of logic. You'll notice at the end of the article, there is a brief bio:

Neil Barrett is visiting professor in the Centre for Forensic Computing at the Royal Military College of Science, Cranfield University, and the author of several books, papers and articles covering computer crime. A frequent computer expert witness for the prosecution, he has given evidence in cases of hacking, paedophilia, fraud and even murder.

Fraud, eh? Hmm. My mind floods with thoughts of Get the Facts. Only kidding. Sorta. Barrett has written some books on computer security as well. Clearly he is qualified to advise the Commission on technical matters, and Microsoft will have to actually comply if he is, in fact, as impartial as the Commission hopes.

Perhaps the marketplace will accomplish what the regulators so far have been unable to do. Here's an article I came across looking for information about Barrett, which indicates Microsoft's recent changes to its Software Assurance program are causing some to look to FOSS as a remedy for their anger at Microsoft:

UK IT chiefs have slammed Microsoft over the cost of signing up to the Software Assurance (SA) licensing model, and accused the Redmond giant of wanting to "have its cake and eat it and charge customers to watch". In the biggest shake-up of the subscription-based SA in the four years it has been running, Microsoft has added technical support, training, desktop deployment planning services and other side benefits in an attempt to placate angry customers. . . .

One IT director who did not wish to be named simply said open source "looks more and more tempting" while Paul Broome, IT director at, said he plans to migrate off Windows server and SQL server as soon as he can. . . .

Microsoft's customer relations appear to have taken a severe knock from SA and John Odell, group IT director at the BBA Group, said: "Microsoft's business objectives are not aligned with its customers' and it will stay that way while Microsoft has a near monopoly in this market."

Here's the EU press release.


Competition: Commission appoints Trustee to advise on Microsoft’s compliance with 2004 Decision

Reference: IP/05/1215 Date: 05/10/2005


Brussels, 5th October 2005

The European Commission has appointed Professor Neil Barrett, a computer scientist, as the Trustee who will provide technical advice to the Commission on issues relating to Microsoft’s compliance with the Commission’s 2004 Decision (see IP/04/382). Professor Barrett will begin his mandate immediately.

The Commission decided in March 2004 that Microsoft Corporation broke the EC Treaty’s ban on abuse of monopoly power (Article 82) by leveraging its near monopoly in the market for PC operating systems onto the markets for work group server operating systems and for media players. The Commission’s Decision imposed a fine of €497 million on Microsoft and required the company to implement remedies as regards both work group server operating systems and media players.

The Decision foresees a Monitoring Trustee to assist the Commission in monitoring Microsoft’s compliance with the Decision. The Decision requires that the Monitoring Trustee must be independent of Microsoft, must possess the necessary qualifications to carry out his mandate, and have the possibility to hire expert advisors to assist him in carrying out tasks within his mandate.

The exclusive responsibility for ensuring that Microsoft complies in full with the 2004 Decision rests with the Commission. The Monitoring Trustee’s role is to provide impartial expert advice to the Commission on compliance issues. For example, as regards the interoperability remedy, where Microsoft is required to disclose complete and accurate interface documentation which would allow non-Microsoft work group servers to achieve full interoperability with Windows PCs and servers, his expertise might be used in assessing whether Microsoft’s protocol disclosures are complete and accurate, and whether the terms under which Microsoft makes the protocol specifications available are reasonable and non-discriminatory. On tying, the Trustee might be asked to examine whether Microsoft has properly implemented the requirement to offer to PC manufacturers a version of its Windows client PC operating system without Windows Media Player.

In accordance with the terms of the Decision, Microsoft submitted several candidates for the position of Monitoring Trustee. The Commission carefully examined all candidates in terms of their expertise and impartiality, and determined that Professor Barrett was the most qualified to carry out the Monitoring Trustee function.

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )