Mindcraft 2.0: Firefox Comes of Age


Not many people remember the Mindcraft saga, which took place just over ten years ago. That's a pity, because it was an important moment in the rise of GNU/Linux, and in the way Microsoft tried to fight it. Here's what I wrote in Rebel Code:

On 13 April [1999], a company called Mindcraft issued a press release headed “Mindcraft study shows Windows NT server outperforms Linux.” The summary read, “Microsoft Windows NT Server is 2.5 times faster than Linux as a file server, and 3.7 times faster as a Web server.”

Almost immediately after the press release appeared, an item posted to the Linux Today site by Dave Whitinger pointed out one extremely relevant fact from the benchmark report, not mentioned in the press release. Under the heading “Mindcraft Certification”, Whitinger noted, was the following phrase: “Mindcraft Inc. conducted the performance tests described in this report between March 10 and March 13, 1999. Microsoft Corporation sponsored the testing reported herein.”

This, of course, was a proverbial red rag to a bull. The free software community went ballistic, making every obvious accusation of bias, and demanding more details of how the benchmarks were conducted, as well as a re-run of the tests under more open conditions.

In the end, the whole affair gradually died down. It appeared that Windows NT Server *was* faster than GNU/Linux at that point – but that the tests had also been carried out on Microsoft's premises, with Microsoft technicians available for fine tuning, which gave NT undoubted advantages. Further investigation by top Samba hackers like Andrew Tridgell and Jeremy Allison revealed that the real problem lay in the Linux kernel: the old accusation that “Linux does not scale” turned out to be true – but fixable. So, in a way, Microsoft's decision to prove Windows NT's superiority actually led to the kernel being improved. Moreover:

The fueling of future improvements in Linux was one way the exercise backfired for Microsoft. The bigger blunder, however, was something more profound. By arranging for GNU/Linux, Apache and Samba to be benchmarked against Windows NT, Microsoft said in the most emphatic manner possible that these were rivals; after all, there is no point benchmarking things that are not in some sense comparable. This was a significant shift from Microsoft's previous stance that GNU/Linux was not up to enterprise-level tasks, and nobody was using it anyway.

The Mindcraft benchmarks gave the lie to this position more effectively than anything the open source community could have done. At a stroke, Microsoft had anointed GNU/Linux as an official rival. Moreover, through its inept initial handling of the resulting furor, it hammered home this message for over three months, just in case anybody missed the first announcement in April.

It seems that Microsoft has learned at least something from its past mistakes. With two new benchmarking studies, carried out by NSS Labs, the company has admitted from the start that it paid for the work (although this fact doesn't seem to be mentioned anywhere in the reports themselves, or on the Web site, that I can see – can anyone find anything?)

But in another important respect, the company has learned nothing. Unsurprisingly, the benchmarks show that Internet Explorer 8 is “better” than Firefox – Microsoft wouldn't have published them otherwise. But, as with the Mindcraft report ten years ago, the very existence of the report shows that Microsoft is now officially worried about Firefox's growing success.

When Firefox had only a few percent market share, it could be dismissed as a minority browser for a few enthusiasts. Now that it holds over 50% in some countries, particularly in Europe, it can't be written off so easily. The fact that Microsoft has paid for these reports shows that Firefox has come of age as a serious rival to Internet Explorer that might even wrench the browser crown from the latter's grasp in the not-too-distant future.

But there's another point that seems to have escaped the Microsofties as they drew up this plan. One of the reports covers “Socially Engineered Malware” [.pdf]:

Socially engineered malware attacks pose a significant risk to individuals and organizations alike by threatening to compromise, damage or acquire sensitive personal and corporate information. 2008 and 2009 statistics show an acceleration of the trend. Detecting and preventing these threats continues to be a challenge as criminals remain aggressive. Antivirus researchers report detecting between 15,000 and 50,000 new malicious programs per day, and even as high as “millions per month,” according to Kaspersky.

While not all of these malicious programs are used in social engineering attacks, this technique is increasingly being applied to the web to quickly distribute malware and evade traditional security programs. 53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively, of the global malware infection vectors, according to statistics from Trend Micro. And as many as 0.5% of the download requests made through Internet Explorer 8 are malicious according to Microsoft.

What this omits to point out, of course, is that nearly every single one of these 50,000 “new malicious programs per day” is exploiting weaknesses in Windows: this is not malware, but malware made possible by Microsoft. So what the social malware report reveals is how well browsers cope with the inherent flaws of Windows.

It would be instructive, for example, to compare Internet Explorer 8 running on Windows with Firefox running on GNU/Linux in terms of their relative success in fending off attacks. Although I don't have any hard figures to back it up, my hunch is that Firefox + GNU/Linux would be immune to practically all of those 50,000 malicious programs, whereas IE8 and Windows would presumably be susceptible to 19% of them, by NSS Labs' own figures.

As with the Mindcraft incident, the latest attempt by Microsoft to “prove” the superiority of a key product under threat backfires in ways the company clearly never imagined. I just can't wait to see what they come up with to “demonstrate” that Microsoft Office is “better” than OpenOffice.org – and what flaws of the former it inadvertently demonstrates.

