Remember when Microsoft promised that Windows NT would solve our computer security problems? This was back in the early 1990s, when most of the PC world was using Windows 3.1. Computer viruses were rampant. And as near as anybody could tell, things were only going to get worse.But the word on the street back then was that we shouldn’t worry-Microsoft was developing a new operating system that would make everything better. Unlike previous Microsoft systems, NT would employ the most sophisticated security measures available to stop viruses dead in their tracks.
Alas, things didn’t work out that way. It’s true that Windows NT had advanced features like memory protection and separation of privileges-features designed to prevent one program from modifying other programs or the operating system itself. But those mechanisms only protected the operating system against unprivileged users, not against system administrators. And because of the way that Windows NT was built, many programs required that users log in as an “administrator” in order to get any work done at all. So in the end, the Windows NT security mechanisms, even though they alleviated some problems, didn’t address the operating system’s underlying susceptibility to viruses.
Indeed, by the mid 1990s, the virus problem had gone from bad to worse. The problem was no longer the operating system-it was application programs. In 1996 the very first Word macro virus appeared. “Concept,” as it was called, was a new kind of virus. Instead of infecting the operating system or programs, Concept infected Microsoft Word documents. This was a threat that Windows NT’s security model was utterly unprepared to handle. Concept spread like wildfire. We hadn’t solved the virus problem-we had just moved it somewhere else.
This experience with Windows NT is an example of a phenomenon that comes up again and again in the computer industry. I call it the “Frontier Syndrome.” Researchers, engineers, or whole companies get excited about a new technology-a computational or architectural “frontier” where no one has gone before. These visionaries make up lots of stories about how the frontier is a better, cleaner, simpler place, with none of the problems that we face today. And then they set off, usually with millions of dollars in capital, to turn their vision into a reality.
These cycles become pretty easy to recognize once you’ve lived through a few of them. One reason is that they almost always end up the same way. The frontier is exciting as long as it’s mostly filled with pioneers-people who are willing to live with the rustic leading edge of technology. But as soon as new people move into town-when the roads get paved and the housing projects get put up-we discover that the problems on the now-conquered frontier aren’t all that different than the problems that we thought we left behind.
The Java gold rush was an example of the Frontier Syndrome in the extreme. Java, a fundamentally new computer language, burst onto the scene in 1995. Billed as a language that was designed for the Internet, Java was going to simultaneously wipe away the security problems of C++ and make the Macintosh a viable platform in Apple’s competition against Microsoft. What’s more, Java showed up just in time to help solve the Y2K crisis: Instead of trying to upgrade millions of lines of COBOL code, businesses could instead rewrite their systems using sweet and simple “Enterprise Java Beans.”