Defining Deviancy Down, Microsoft Style

In a seminal 1993 paper in American Scholar, “Defining Deviancy Down,” Daniel Patrick Moynihan reexamined an observation of Emile Durkheim, who helped establish sociology as a discipline, that crime was a “normal” function. By that he meant that the concept of crime helped define and reinforce social standards (“a punishment ceremony creates social solidarity”) and provided an outlet for malcontents. In 1965, Kai Erikson’s book Wayward Puritans looked at criminal activity in the Massachusetts Bay Colony “to test [Durkheim’s] notion that the number of deviant offenders a community can afford to recognize is likely to remain stable over time.” Moynihan quotes Erikson:

…the amount of deviation a community encounters is apt to remain fairly constant over time. To start at the beginning, it is a simple logistic fact that the number of deviancies which come to a community’s attention are limited by the kinds of equipment it uses to detect and handle them, and to that extent the rate of deviation found in a community is at least in part a function of the size and complexity of its social control apparatus. A community’s capacity for handling deviance, let us say, can be roughly estimated by counting its prison cells and hospital beds, its policemen and psychiatrists, its courts and clinics. Most communities, it would seem, operate with the expectation that a relatively constant number of control agents is necessary to cope with a relatively constant number of offenders. The amount of men, money, and material assigned by society to “do something” about deviant behavior does not vary appreciably over time, and the implicit logic which governs the community’s efforts to man a police force or maintain suitable facilities for the mentally ill seems to be that there is a fairly stable quota of trouble which should be anticipated.

In this sense, the agencies of control often seem to define their job as that of keeping deviance within bounds rather than that of obliterating it altogether.

Durkheim apparently never considered that there might be an excess of bad behavior, but Erikson did:

In both authors, Durkheim and Erikson, there is an undertone that suggests that, with deviancy, as with most social goods, there is the continuing problem of demand exceeding supply…. Erikson, writing much later in the twentieth century, contemplates both possibilities. “Deviant persons can be said to supply needed services to society.” There is no doubt a tendency for the supply of any needed thing to run short. But he is consistent. There can, he believes, be too much of a good thing. Hence “the number of deviant offenders a community can afford to recognize is likely to remain stable over time.”

Here, in a nutshell, is Moynihan’s construct:

…the amount of deviant behavior in American society has increased beyond the levels the community can “afford to recognize” and that, accordingly, we have been re-defining deviancy so as to exempt much conduct previously stigmatized, and also quietly raising the “normal” level in categories where behavior is now abnormal by any earlier standard. This redefining has evoked fierce resistance from defenders of “old” standards, and accounts for much of the present “cultural war” such as proclaimed by many at the 1992 Republican National Convention.

Now what can this possibly have to do with Microsoft?

An item today on Slashdot, “Word 2007 Flaws are Features, Not Bugs,” discusses Microsoft’s efforts to redraw the boundaries of acceptable behavior, in this case regarding the performance of its products:

Mati Aharoni’s discovery of three flaws in Word using a fuzzer (screenshots) has been discounted by Microsoft, which claims that the crashes and malformed Word documents are a feature of Word, not a bug.

Microsoft’s Security Response Center is also refusing to classify the flaws as security problems. According to Microsoft developer David LeBlanc, crashes aren’t necessarily DoS situations: ‘You may rightfully say that crashing is always bad, and having a server-class app background, I agree. Crashing means you made a mistake, bad programmer, no biscuit. However, crashing may be the lesser of the evils in many places. In the event that our apps crash, we have recovery mechanisms, ways to report the crash so we know what function had the problem, and so on. I really take issue with those who would characterize a client-side crash as a denial of service.’

Let’s go to the ComputerWorld article that describes these bugs, um, features in some detail:

Two of the three bugs result in a denial-of-service-like situation, with the PC’s processor maxed out at 100%, making the machine unusable until it’s rebooted. The third, Aharoni suggested, could be used to introduce remote attack code after an exploit causes an overflow of “wwlib.dll,” a crucial Word library. But “code execution is not trivial,” he added.

I am no expert, but a bug that forces a reboot is pretty bad. And another ComputerWorld writer, Frank Hayes, agrees:

In the words of an unnamed Microsoft spokesmushroom: “In fact, the behavior observed in Microsoft Word 2007 in this instance is a by-design behavior that improves security and stability by exiting Microsoft Word when it has run out of options to try and reliably display a malformed Word document….The sample code in [Aharoni’s] postings cause Microsoft Word to crash, and users can restart the application to resume normal operations.”

So can we expect to see that approach in other products that use Windows Embedded?

Like maybe…a TV that, when the cable service goes pixellated, shorts out all the circuitry in your house? (“Users can reset circuit breakers to resume normal operations.”)

A car CD player that, when it’s fed a scratched disc, disconnects the steering and brakes and disengages the clutch? (“Users who survive can restart the car to resume normal operations.”)…

David LeBlanc — quoted in the news story as a Microsoft secure-code guru — says “it is better to crash, at least with client apps, than it is to be running the bad guy’s shell code.” Hooey….This suicide-before-capture approach isn’t “by-design” behavior. It’s lack-of-design behavior.

And a “code guru” of any kind who thinks that’s not a security and stability problem that needs fixing doesn’t belong in this business.

What’s going on here? Microsoft’s core programs – the OS, Word, and Excel – have gotten so big and unwieldy that upgrading them is a Herculean task. And upgrading doesn’t entail streamlining them, but merely bolting new features on to existing code and hoping that doesn’t make other things break. But as the number of lines of code grows, the number of bugs rises disproportionately (or so it seems). Yet Microsoft has only a certain level of policing infrastructure (quality control and debuggers) in its little society. So, as Moynihan surely would have predicted, it has defined down what a bug is.

The problem is that, while this all may seem logical and appropriate within the Redmond campus, Microsoft lives in a larger world where the level of “criminality,” meaning software problems, isn’t on the increase, so no one else is lowering standards. Microsoft’s efforts to pretend these bugs are features, which would mean both intentional and desirable, make the company seem either dishonest or incompetent. While that general pattern of behavior isn’t new for Microsoft, the lack of sophistication in how they go about it is.