The PivX Enigma

How does one refuse an offer from Vito Corleone?

A very enigmatic letter was posted openly to Amit Yoran, head of the department at the US DHS which advised people to abandon Internet Explorer for Windows.

The letter was posted on the PivX website and signed by their two dignitaries Rob Shively and Thor Larholm. What's most puzzling about the letter is that it is rather unique: no one else is criticising the move by Yoran.

Also puzzling is the fact that Shively and Larholm do not seem to offer an alternative other than their own commercially available HIPS (host-based intrusion prevention system) product.

Was this then just a cheap publicity stunt, or could there be something deeper and darker lurking behind?

'We all know that IE has some design flaws that are periodically exploited,' write PivX in what must be the understatement of the year. 'However, there are ubiquitous implementation flaws that most software applications suffer from...'

Shively and Larholm continue.

'Email clients like Outlook and Eudora, Windows Explorer, the Windows Help system, popular antivirus software such as Norton and McAfee, and other applications depend on IE and will have to be rewritten and re-distributed to satisfy a broad move away from IE.'

To which any knowledgeable conscientious IT guru would have to concur (and it's nice to see someone enumerate exactly where all the system flaws are located, and point out that the guardians themselves, such as Norton and McAfee, are also eminently vulnerable to attack).

The dynamic duo then continue with an all-time mouthful.

'The industry needs to think more creatively about what options exist to solve the IE security design problem.'

Where else but in the world of politics would one otherwise meet such garbage?

'IE suffers from a basic design flaw in its security zone implementation.'

OK, so what? Our friends should have more to offer than that...

'We applaud the Department of Homeland Security and US-CERT's passion, vision and recommendations to help users have a more secure computing experience. We felt it was important, however, to offer an opposing view to your recommendation that users switch browsers to address their security problems.'

Ahem. Time for a pause that won't refresh.

The PivX site itself is a curious mongrel.

HTTP/1.1 200 OK
Server: Apache/1.3.27 (Unix) Chili!Soft-ASP/3.6.2 PHP/4.2.3

Chili!Soft is a Sun product:

http://sun.com/software/chilisoft

In the blurb at the above URL one can read:

'The new version 4.0, adds support for Microsoft ASP 3.0, VBScript/JScript 5.5, and XML, and includes enhancements to its COM-to-Java technology bridge and integration with popular Web authoring tools, such as Macromedia's Dreamweaver MX and Microsoft FrontPage.'

So we're basically looking at a compromise web server solution here with enough sense to not run IIS but still not enough sense to not lame onto Microsoft 'technology' where it isn't needed (which is anywhere basically).

OK, back to the article.

What's really apparent - and enigmatic - about the article is that the so-called 'opposing view' of PivX is not really apparent. Views are not important here, and PivX have hardly missed that. Solutions are what are important, and PivX offer no alternative to the dictum already decreed by the DHS.

If PivX had a better idea, then yes people would listen. But the PivX article, as confused as it is - and deliberately so [sic] - does not offer a better idea: it offers no idea at all.

Leading one to wonder: why did PivX publish this article? Why did they write this 'open letter' to Amit Yoran? Was it only to garner attention, to promote their own products?

Was this just a cheap - and tactless - publicity stunt?

If so, it would be a blunder of monstrous proportions. People are tired of being kicked silly online with their Microsoft products, and this latest insult from the HangUp team has them angry - and for a private company to try to tout their snake oil in this situation is tantamount to corporate suicide.

Why so dumb then, PivX?

It's a true enigma - until one remembers, back in the fogs of time, not so long ago actually, that PivX used to be the numero uno thorn in the side of Microsoft. PivX had the greatest and biggest and most visited list of unfixed Microsoft vulnerabilities in the world. PivX were a major embarrassment to Microsoft.

And then one rainy ominous morning the list disappeared. And people started to wonder. And finally PivX responded, in the type of inimical gobbledegook so prevalent in this latest letter quoted here, trying to save face while at the same time not admitting directly that a certain company in Redmond Washington in the US might be behind the list's sudden removal.

It's a much more accessible tactic for the likes of Bill Gates to crush the voices of opposition rather than get one's own house in order. Founding his company on the principle that experienced software engineers are never to be let near the front door because they're not 'malleable' and can't be controlled by Steve Ballmer, Gates is today the victim of the world's worst lock-in, having only strong-arm tactics to resort to when things go bad.

Time and again the brainwashed zombies of the Pacific Northwest screw up - and all Gates can do is the Vito Corleone bit and give the critics 'an offer they can't refuse'.

That Microsoft only hire idiots is well-documented, even at the Microsoft site; and yet despite valiant efforts qualified engineers have crept in with other assignments and with Microsoft management unaware they were so qualified, and their stories of horror about what they saw are well known. In one well publicised case, a lady with only the most sincere intentions wrote to Gates to tell him of the serious situation and got not even a polite reply in return - she got a court order forbidding her to write to Gates again.

Such is the awareness of Gates to what the world is experiencing now: he's bet his fortune and his wobbly company on the premise that you can build a software empire with eminently poor - not to say dangerous - products and a ruthless and unethical marketing strategy. But odds are even Gates didn't see the ramifications of this policy at the time, and Gates does have personal weaknesses despite his wealth, and one of those is that in regard to the quality of his products and his attention to that quality, nothing will ever change.

PivX were a major pain for Microsoft and were well-known as such. They had become a 'work of reference' for all wanting to know more about significant Microsoft vulnerabilities. They were the web reference in this regard. And then over a single night all that changed, and PivX made their quiet retreat back into the woodwork.

Given the puzzling nature of PivX's latest missive, it is hard to not see a connection between the one event and the other.