acm - an acm publication

Articles

Monty Python's flying circus
Microsoft and the aircraft carriers

Ubiquity, Volume 2000 Issue August, August 1 - August 31, 2000 | BY M. E. Kabay 

|

Full citation in the ACM Digital Library


Maybe the military can convince Microsoft to invest in quality assurance.


In an article by Dan Verton for Federal Computer Week ('Son of Windows' to control carrier, http://www.fcw.com/fcw/articles/2000/0807/news-navy-08-07-00.asp , we are told that first in the next generation of aircraft carriers, the CVN-77, will be controlled by software from Microsoft Federal Systems.

The operating system will be based on Windows 2000, which is itself the latest version of what was called Windows NT. According to Brian Roach, an official of Microsoft Federal Systems, the new software will be used for most of the command-and-control systems of the ship.

According to the latest output from the ever-enjoyable POLITECH list run by Declan McCullagh (see http://www.y2kculture.com/politech/ to subscribe and http://www.politechbot.com/ for archives), this news has elicited disbelief and ridicule among observers familiar with Microsoft's record on quality assurance.

[set rant = on]

My immediate reaction was that someone was playing a joke -- surely this article was a spoof.

It doesn't look like it.

It looks like Microsoft has signed a binding contract with the government of the United States for mission-critical software. Is this a Good Thing?

Depends on your point of view.

From one angle, this could be the biggest single step towards functional disarmament that we've ever seen. I wonder what the resistance to external penetration of the security perimeter will be like? And what does rebooting an aircraft carrier involve?

Just think of the possibilities: based on the company's previous history, we can count on refusal to integrate security considerations into the fundamental architecture of the operating system, resistance to advice from aliens (i.e., from experts outside Microsoft) and rollout into production of a final version that any serious quality assurance team would call a beta-test version.

You think I'm overreacting? You think I'm an anti-Microsoft religious nut? Nah. I've been a programmer since 1965; I helped write a compiler in 1979; I did quality assurance duty; I ran a production shop with 24x7 shifts and 1000 live terminals in the 1980s. I'm not biased, it's just that I have a frame of reference that goes beyond the normal expectations now applied to PCs. After I wrote a diatribe inveighing against bad operating systems some months ago, some poor soul wrote to me to say that he didn't understand why I was so critical of Windows; after all, he wrote, he only had to reboot his Windows 98 system twice a day now -- once in the morning and once in the afternoon when his resource utilization got too high.

While I was writing this document in the late afternoon, my Microsoft Windows 98 system climbed over 90% resource utilization and my (non-Microsoft) alarm system went into warning mode (loud pinging noises once a second). Now, with only a live connection to the Net, my word processor (Corel WordPerfect 9) and my browser (Opera 4.01) open (plus some terminate-stay-resident programs in background) my resource utilization is back down to 81%. The system behaves erratically with more than around 90% utilization, but there is no way that I know of from Microsoft to reorganize those resources or to provide more of them.

You call this a production version of an operating system?

On the other hand, this may be the best break we Microsoft users have ever received. Think of the implications of having a contract that includes service level agreements or terms of performance -- something that ordinary users can only dream of with respect to any commercial software. It would be wonderful to see the engineers who write bloated, poorly-designed and inadequately-tested code hauled in to court to explain exactly why they used, say, 10 Mb of source where 500 Kb of good source would have done better; why the Windows Update feature has no user-tunable parameters in Windows 98; and why the Service Release 1 does what the original release was supposed to accomplish. I suspect their answers will point unerringly to business decisions made by managers. As Bruce Schneier has written so effectively http://www.counterpane.com/crypto-gram-0005.html , "Microsoft knows that reliable software is not cost effective. According to studies, 90% to 95% of all bugs are harmless. They're never discovered by users, and they don't affect performance. It's much cheaper to release buggy software and fix the 5% to 10% of bugs people find and complain about."

The problem is that on a military vessel, gambling on a 5% bug rate won't work -- or at least, not for long.

The irony is that everything we know about system development teaches us that catching errors early saves money: there's roughly a ten-fold increase in cost of recovery for every stage of the classical system development life cycle through which an error slips. With a contract in hand, maybe the military will be able to convince Microsoft managers that it's worth their while to invest in quality assurance before their software goes live.

Let's hope that the obligation to perform to specification will have significant spinoffs for everyone else who uses Microsoft products.




M. E. Kabay is a security leader in the INFOSEC Group at AtomicTangerine, Inc., an Internet e-business consulting firm. He can be reached by e-mail at mkabay@atomictangerine.com. Copyright © 2000 M. E. Kabay. All rights reserved.

COMMENTS

POST A COMMENT
Leave this field empty