Originally posted by Q Cubed
Also: security through obscurity is NOT something you want to base your security on.

Software Publishers Association Agrees
The Software & Information Industry Association (formerly SPA, the Software Publishers Association) agrees with my conclusions. Pages 12 to 15 of the document Competition in the Network Market: The Microsoft Challenge, dated June 19, 1998, contain a section titled Hidden APIs. Here are two quotes that I find especially illustrative. The first quote illustrates the speed advantage that a programmer can derive from hidden API functions:

For example when Microsoft released Internet Information Server (IIS), it significantly outperformed Netscape Server on the NT Platform. Microsoft insisted that its developers had not had any additional acceess to information than had Netscape developers. Yet after careful review, Netscape developers were able to utilize previously undisclosed information about NT in their own products. Future releases of Netscape Server were competitive with IIS in subsequent testing.
If you write programs using a documented API, the programs run slower. The second quote illustrates that Microsoft uses the hidden APIs to make their applications the best in any particular market:
Microsoft can write application code that can run optimally on an operating system, has advance knowledge about future releases, knows which programming method to choose over another, and can tweak the OS code prior to final relase to advantage3 its own applications.
If you perform the costly task of reverse-engineering the hidden APIs in order to compete with Microsoft, they change those hidden APIs to favor their products.

The SPA document illustrates precisely the Hard Decision described above.

Secret API reverse-engineered and partially documented
Need more confirmation? Notorious Windows book publishers IDG put out a slim (335 pages) volume that "documents" a lot of NT internals, including the native API. Conservatively, 6 man-years of effort went into reverse-engineering all this material. This confirms the massive effort required to at least partially document NT's secret API.


Undocumented Windows NT
Prasad Dabak, Milind Borate and Sandeep Phadke
IDG Books, 1999
ISBN 0-7645-4569-8

Although Microsoft Windows NT is one of the most popular operating systems in the corporate world, no book has documented what actually goes on under the hood - until now. Undocumented Windows NT dissects the Win32 interface, deconstructs the underlying APIs, and deciphers the Memory Management architecture to help you understand operations, fix flaws, and enhance performance.
In this groundbreaking guide, three experts share what they've dug up on NT through years of hands-on research and programming experience. The authors' in-depth investigation uncovers both the strengths and the weaknesses - and reveals how you can make any Windows NT system more stable and secure.



I had a look at this book in a local bookstore on January 26, 2000. It possesses a lot of the flaws of a typical "Windows technical book": pitiful indexing, obvious lack of editing, and very little exposition on anything other than the syntax of the programming question at hand. The authors devote an entire appendix to prototyping and describing the NT native API functions' syntax. Material in that appendix apparently didn't make it into the book's index, nor are the function prototypes listed in alphabetical order. If you buy it, you will doubtless encounter a lot of frustration along with the information.

That said, the book contains a truckload of documentation on functionality only hinted at elsewhere.


--------------------------------------------------------------------------------

Another book covering the NT "native" API just came out:
Windows NT/2000 Native API Reference
Gary Nebbett
New Riders Publishing, February 2000
ISBN 1578701996

I had a quick thumb-through of a copy of this book. It looked pretty good, given that it listed the native API functions in alphabetical order, and covered the non-Win32 uses of some of the functions.


--------------------------------------------------------------------------------

[1] Several issues hide in that: whether programmers and designers best describe OS services in terms of C functions (or any function-like interface at all), or some elaborate assembly-language specification (like VMS) that allows almost any programming language to use the OS services.

[2] Inside Windows NT, 2nd Edition, by David A. Solomon, Microsoft Press, 1998, ISBN 1-57231-667-2.

[3] Verbing weirds language. "To advantage" reads poorly.

[4] According to a paper describing Linux on a Mach microkernel,

Early efforts to layer OS personality servers on top of the microkernel have had disappointing performance due to the extra message-based communication between the system components. Often, as much as a 40% performance cost has been reported.
[5] Inside Windows NT System Data by Sven B. Schreiber, Dr Dobb's Journal, Nov 1999, pp 40 - 49, for an account of how Schreiber reverse engineered the NtQuerySystemInformation() native system call.

[6] Analysis of the Security of Windows NT
by Hans Hedbom, Stefan Lindskog, Stefan Axelsson, and Erland Jonsson
From Section 8.2, "UNIX versus NT", page 65:

Even though Microsoft Inc. would like to have us believe otherwise, NT does not in fact contain many ideas that UNIX has not either pioneered or picked up during the seventies or early eighties. Both systems have from a research perspective a distinctive seventies feel to them. Especially from a security perspective one is struck by the similarities between the respective systems. There are in fact many more similarities than differences.

Originally posted by shawnmmcc
FYI, the search took all of two minutes.

Originally posted by MrFun


You should demand some kind of compensation -- you will never regain those two minutes of your life ever again.

...The problem is the allegation that MS has some kind of super-functions hidden that only they can use is so mind-numbingly stupid that it really does frustrate me. No one has ever actually pointed out anything remotely like this, yet the Slashdot and anti-MS crowd continue to circulate this bull**** as if it were fact....

Independent software vendors and competing platform developers will get little relief from Microsoft's continual practice of hiding and manipulating interfaces. Microsoft has the unreviewable ability under the proposed settlement to define Windows itself. It therefore controls whether and how independent software developers will be able to write programs that run on top of the operating system. The definitions of software products and functionalities and the decisions about how to configure applications programming interfaces (APIs) are left in the hands of Microsoft to an extreme extent. As a consequence, the company will be encouraged to embed critical technical specifications deeply into the operating system and thereby prevent independent software developers from seeing them. To the extent that Microsoft would actually be required to reveal anything, it would be so late in the product development cycle that independent software developers would never be able to catch up to Microsoft's favored developers...

...Microsoft's prevented Intel from developing software by using its key leverage over computer manufacturers. In an oft-repeated pattern, Microsoft "pressured the major OEMs to not install NSP software on their PCs until the software ceased to expose APIs."[Footnote 40: Fact, at 101] ...

...Microsoft launched a year long campaign in which it "tried to persuade Apple to stop producing a Windows 95 version of its multimedia playback software, which presented developers of multimedia content with an alternative to Microsoft's multimedia APIs."[Footnote 54: Fact, at 105.]

Microsoft backed its effort to drive Apple out of developing applications for the Windows environment with threats that it "would enter the authoring business to ensure that those writing multimedia content for Windows 95 concentrated on Microsoft's APIs instead of Apple's."[Footnote 55: Fact, at 106.]

Microsoft went on to suggest that incompatibilities would occur since "the technologies provided in those tools might very well be inconsistent with those provided by Apple's tools."[Footnote 56: Fact, at 106.]

The threat was backed up with the cross-subsidies available when the "Microsoft executives warned, Microsoft would invest whatever resources were necessary to ensure that developer used its tools; its investment would not be constrained by the fact that authoring software generated only modest revenue."[Footnote 57: Fact, at 107.]...

THE ANTICOMPETITIVE BUSINESS MODEL
Using the operating system as the core of its market power, Microsoft erects barriers to entry. It freezes out competitors with incompatibilities,[Footnote 63: The practice was deeply embedded in the business strategy, although it was refined over time. Wallace and Erickson offer the following example from 1982-83 (p. 233). Still, for a very brief time in early 1983, Multiplan did enjoy an advantage over 1-2-3. Microsoft released its upgrade for he IBM PC/XT, causing problems for 1-2-3 on the updated operating system. According to one Microsoft programmer, the problems encountered by Lotus were not unexpected. A few of the key people working on DOS 2.0, he claimed, had a saying at the time, DOS isn't done until Lotus won't run." They managed to code a few hidden bugs into DOS 2.0 that caused Lotus to break down when it loaded. "There were as few as three or four people who knew what was being done," he said. He felt the highly competitive Gates was the ringleader. The art had apparently been refined by the early 1990s (Wallace, p. 38-39). "He denied there was a Chinese Wall at Microsoft," Schmidt wrote in his notebook, "and clearly stated that the software groups throughout all of Microsoft's Corporation talked to all others. He claimed that the use of hidden APIs was an error by the team" The hidden APIs referred to by Schmidt are applications programming interfaces, or "calls," programming codes integrated into an operating system such as Windows to allow it to respond to commands from an application program. If competitors don't know about these hidden or undocumented calls, their applications will not work as well as Microsoft's Microsoft had long denied that it deliberately designed hidden calls into its operating systems, but in the summer of 1992, Andrew Schulman, a programming expert living in Cambridge, Massachusetts, published a book Undocumented Windows, which confirmed that Microsoft had lied. Microsoft later acknowledged that Excel and Word used at least 16 APIs that had been hidden in Windows. (boldface added by me)

Originally posted by Fve Crathva
Because they were being used? Because they worked when used by people who knew precisely how to use them, but were too dangerous when used publicly?

Originally posted by Fve Crathva
Because they were a temporary kludge, necessary for some OS operation, but slated to be removed when a proper implementation was written (or when it was no longer necessary)?

Originally posted by Fve Crathva
It's easy to to be an armchair engineer and say that Microsoft should release their products only when they're completely finished, but that's idiotic and naive.

Originally posted by Fve Crathva
I'm sure as a Linux fanboy, you'll agree that Microsoft's programmers aren't perfect.

Originally posted by Q Cubed

*cough*Firefox*cough*

Lesser marketshare with vulnerabilities, and yet Firefox isn't targeted as often as IE.

Um, isn't that what documentation is for? Telling others how to use them precisely, and give warnings for dread things that could happen if they aren't used in exactly the right way?

You mean the OS was held together by duct tape, but they released it to the public?

There is no reason to not believe a finished product, e.g. something MS deemed ready to be sold to the public, is not finished to a very large degree, i.e. no kludges, no hidden surprises, etc? Maybe your own expections lowered over the years by using Microsoft software, but not mine.

I have never seen a motherboard that came with jump wires. I have never seen a car that was only 70% built or a chair with one fewer legs than it is necessary for it to stand on its own. Why should software be different?

Originally posted by Agathon
God knows why.

You keep saying this but you have no real evidence. Nobody really knows why OS X has zero viruses. I know that you don't know. So stop talking out of your ass.

Originally posted by shawnmmcc
pwnd - and unless you can provide similiar evidence, from the legal system or from academic presses, you will remain that way. I am going to save that little quote for every time you claim how Microsoft is not the rat bastard company it is. Note, I am not passing judgement on the quality of their products, Asher.

In fact you'll note I gave Che the thumbs up - and he was not paticularly nice to anybody.

Asher, I posted a link clearly showing what has been claimed, going into details. You refutation also contradicts itself - the Netscape Server worked well on other platforms, not Windows - and I linked to the article where by using the undocumented Windows API's Netscape Server worked faster on MS products. I am trying hard not to be insulting, but doesn't the logic of that bother you even for a second?

Originally posted by Agathon
God knows why.

You keep saying this but you have no real evidence. Nobody really knows why OS X has zero viruses. I know that you don't know. So stop talking out of your ass.

Apple plugs 'critical' holes in OS X
Published: September 23, 2005, 1:48 PM PDT
By Alorie Gilbert
Staff Writer, CNET News.com

Apple Computer released 10 security fixes to address Mac OS X flaws that security experts described as "critical."

Apple issued the patches, available through its Web site, Thursday. The flaws affect versions 10.3.9 and 10.4.2 of the Mac OS X operating system, as well as related server software.

Symantec and the French Security Incident Response Team both said the vulnerabilities are serious and that the need to patch them is urgent. However, no exploits for them have been reported, Symantec noted in an alert sent to members of its DeepSight service Friday.
Big plans for the small screen

The flaws expose affected machines to remote attack using arbitrary commands and e-mail interception, according to Apple's bulletin. Certain vulnerabilities could also be exploited for a denial-of-service attack, FrSirt said in an online advisory.

Apple declined to comment on the security patches Friday.

The company has previously released patches for these Mac OS X versions. In one of its bigger security updates, the company last month unloaded fixes for 44 flaws. Last May, it released an update for 20 vulnerabilities, and in March, it distributed an update for a dozen security bugs.

Again -- why don't you look into what those APIs are. They are not super-functions that let MS do what other people can't.

… Because they were a temporary kludge, necessary for some OS operation, but slated to be removed when a proper implementation was written (or when it was no longer necessary)?

Microsoft released its upgrade for he IBM PC/XT, causing problems for 1-2-3 on the updated operating system. According to one Microsoft programmer, the problems encountered by Lotus were not unexpected. A few of the key people working on DOS 2.0, he claimed, had a saying at the time, DOS isn't done until Lotus won't run." They managed to code a few hidden bugs into DOS 2.0 that caused Lotus to break down when it loaded. "There were as few as three or four people who knew what was being done," he said. He felt the highly competitive Gates was the ringleader.

If competitors don't know about these hidden or undocumented calls, their applications will not work as well as Microsoft's Microsoft had long denied that it deliberately designed hidden calls into its operating systems, but in the summer of 1992, Andrew Schulman, a programming expert living in Cambridge, Massachusetts, published a book Undocumented Windows, which confirmed that Microsoft had lied.