Posted on 09/25/2003 8:26:03 AM PDT by ShadowAce
A panel of leading security experts Wednesday blasted Microsoft for vulnerabilities in its software, and warned that reliance on the Redmond, Wash.-based developer's software is a danger to both enterprises and national security.
The group, which debuted its report at the first day of a two-day conference hosted by the Computer & Communications Industry Association (CCIA), was headed by Dan Geer, the chief technology officer of @Stake, a security consulting firm.
"As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still," said Geer.
"Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over," Geer added.
Ed Black, the CEO and president of CCIA, whose members include Microsoft competitors such as Sun and Oracle, was even more blunt.
"Microsoft's monopoly threatens consumers in a number of ways, and it's clear it is now also a threat to our security, our safety, and even our national security."
According to the report and its seven authors--security consultants and leaders of several security firms--the biggest problem is the over-reliance by corporations and governments worldwide on Microsoft's products.
"The problem is that of monoculture," said Bruce Schneier, one of the paper's authors and a co-founder of security firm Counterpane. "As long as all computers are running the same OS, they're all vulnerable."
In response to the report, Microsoft spokesman Sean Sundwall said, "There's nothing inherently wrong with having a prime vendor [of operating system and other software], but being the leader, we have the responsibility of providing as secure an environment as possible.
"We always consider security to be our absolute top priority," he said.
In fact, Sundwall agreed with the first sentence of the report, which reads: "No software is perfect."
"We recognize that. Our job is to make our software as close as possible to perfect to eliminate threats for our customers," he said. "We've made some strides, and admittedly, we have a lot of work ahead to do."
Using several agricultural analogies of the danger of relying on a single crop--from attacks of boll weevils on cotton to the Irish potato famine--the authors stressed that reliance on Microsoft dooms IT to a continued plague of vulnerabilities.
"We need operating system diversity," said John Quarterman, another of the report's authors and the founder of InternetPerils, an Internet risk-management company. "If there's one thing to take away from this report, it's that a single attack can take out all the computers running a single operating system."
The monopoly that Microsoft enjoys--its Windows is, by far, the world's most popular operating system--ensures that attackers will focus their efforts on its software. More importantly, these attacks will have rapid and broad effects.
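The "single attack takes out everything" point is a statement about correlated risk rather than about how often attacks happen, and it is easiest to see with a small model. The following Python script is an added illustration, not part of the TechWeb story or of the CCIA report; its model (a fleet split across platforms, each platform independently hit by a fleet-wide exploit in a given period with some probability, every host on a hit platform lost) and the 0.2 exploit probability are constructed assumptions chosen only to make the arithmetic visible.

```python
from itertools import product
from typing import Dict, Sequence


def loss_distribution(shares: Sequence[float],
                      exploit_probs: Sequence[float]) -> Dict[float, float]:
    """Distribution of the fraction of a fleet compromised in one period.

    Model (an assumption made for this example, not a claim from the report):
    the fleet is split across platforms with the given shares; each platform
    independently suffers a fleet-wide exploit with its own probability; every
    host on an exploited platform is lost.  Returns {fraction_lost: probability}.
    """
    if len(shares) != len(exploit_probs):
        raise ValueError("shares and exploit_probs must have the same length")
    if abs(sum(shares) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    dist: Dict[float, float] = {}
    # Enumerate every combination of exploited / not-exploited platforms.
    for outcome in product((False, True), repeat=len(shares)):
        prob, lost = 1.0, 0.0
        for hit, share, p in zip(outcome, shares, exploit_probs):
            prob *= p if hit else 1.0 - p
            lost += share if hit else 0.0
        key = round(lost, 9)  # collapse float noise so equal losses share a key
        dist[key] = dist.get(key, 0.0) + prob
    return dist


def expected_loss(dist: Dict[float, float]) -> float:
    """Mean fraction of the fleet lost per period."""
    return sum(lost * prob for lost, prob in dist.items())


def prob_loss_at_least(dist: Dict[float, float], threshold: float) -> float:
    """Tail risk: probability that at least `threshold` of the fleet is lost."""
    return sum(prob for lost, prob in dist.items() if lost >= threshold - 1e-12)


def monoculture(p: float) -> Dict[float, float]:
    """Every host on one platform that is exploited with probability p."""
    return loss_distribution([1.0], [p])


def diversified(k: int, p: float) -> Dict[float, float]:
    """k platforms with equal share, each exploited with the same probability p."""
    return loss_distribution([1.0 / k] * k, [p] * k)


if __name__ == "__main__":
    p = 0.2  # constructed per-period probability that a platform gets a wormable bug
    cases = (("one platform", monoculture(p)),
             ("four platforms", diversified(4, p)),
             ("90/10 split", loss_distribution([0.9, 0.1], [p, p])))
    for label, dist in cases:
        print(f"{label:15s} expected loss {expected_loss(dist):.3f}  "
              f"P(lose >= 50%) {prob_loss_at_least(dist, 0.5):.4f}  "
              f"P(lose all) {prob_loss_at_least(dist, 1.0):.4f}")
```

Under these assumptions the expected loss is the same in every case (0.2 of the fleet), so diversity does not change the average; what changes is the tail. One platform loses everything with probability 0.2, four equal platforms lose everything with probability 0.2 to the fourth power (0.0016), and a 90/10 split still loses at least half the fleet with probability 0.2, which is why a token minority platform buys little. That tail difference is the risk the report's authors are describing.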
"Ironically, Microsoft's efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft's programs interoperate efficiently only with Internet viruses," said Geer.
The complexity of Microsoft's software--the report claims that integrating applications with Windows results in code 15 to 35 times more complex--results in a similar increase in vulnerabilities. And simply patching the vulnerability--as Microsoft has increasingly had to do on the fly as vulnerabilities are disclosed--only exacerbates the problem.
"I don't think that Microsoft can ever fix this," said Geer.
Enterprises, organizations, and government agencies must wake up to the fact that there are ramifications to their decisions to buy Microsoft, added Schneier. "Because everyone's buying it, there are security implications to your decision to buy what everyone else is buying. You need to take that into consideration."
Among its other recommendations, the report, "CyberInsecurity: The Cost of Monopoly," urged the federal government to diversify the software it uses, demand that Microsoft design its wares to work well with other companies' software, and require Microsoft to open its source code to other developers.
Some of its advice is likely to become controversial, for it hinges on government stepping in, perhaps on an anti-trust basis, to make specific demands of Microsoft. Among these recommendations: Microsoft should not be allowed to release Office for any one platform, such as Windows, until it releases comparable Linux and Mac OS versions.
While the report's authors note the seriousness of their recommendations, they stood by them. "When the government uses a product whose monopoly position undermines its security, anti-trust becomes a national security issue," said Geer.
This story courtesy of TechWeb.
The study's premise of an existing monoculture in computer security is inherently false. Of 660 million Windows users worldwide, less than one-tenth of one percent were impacted by the notorious MSBlast worm last month. Why? In reality, each Windows user has different configurations of hardware, routers, virus software, and security habits. The diversity that comes from the security stack of hardware, software and user habits leads to an extremely heterogeneous security environment even on a single operating system like Windows. The evidence clearly shows that the monoculture feared by the authors exists only in theory and not in reality. On the operating system level, the authors do little to show why mandating a heterogeneous environment would create any greater security. With viruses and hacker attacks proportional to market share, the evidence suggests that a multicultural computing environment wouldn't lead to fewer security threats. At the same time, the study ignores the benefits of homogenous networks, such as ease of security management and lower security training costs which offset the potential dangers. CCIA proposes solving this problem with a set of government-mandates for Microsoft that has already been rejected by the courts. If the government continues to reject CCIA's proposals, what would Ed Black suggest then? To mandate that each American be assigned a different operating system based on their social security number? The only answer here is the market. If a computing monoculture emerges as a legitimate security problem, the market will react and do a far better job than any government mandate.
Security is the number one issue for the software industry. Instead of this mercenary rhetoric, our industry needs to be focused on working together to improve security across the board and ensuring good security practices inside large organizations. It is appalling that Ed Black and CCIA would exploit our nation's security for politics and greed. CCIA's concerns are not based on good security or public policy, but business opportunities for the horde of Microsoft competitors it represents. To benefit its member companies like Oracle and Sun, CCIA repeatedly has attempted to hobble Microsoft using political process here and abroad. This is just more of the same. On the back of his CCIA-funded security study, Ed Black is riding in with his own Marxist Government-mandated Software Security plan. Not surprisingly, the plan benefits CCIA's own members like Sun Microsystems at the expense of Microsoft.
Joe Barr has been writing about personal computing for 10 years, and about Linux for five. His work has appeared in IBM Personal Systems Journal, LinuxGazette, LinuxWorld, Newsforge, phrack, SecurityFocus, LinuxJournal.com, and VARLinux.org. He is the founder of The Dweebspeak Primer, home of the official newsletter of the Linux Liberation Army, an organization in which he holds the honorary rank of Corporal-for-life.
True in all times and places. The rather brief span of the last fifty years is littered with the corpses of IBM, WordStar, VisiCalc, Lotus, WordPerfect, Novell, and other giants that dominated their niche for a while. The mere fact that Linux and Macintosh exist ensures that a major Microsoft stumble will leave consumers with alternatives.
Which in turn reduces system reliability (in addition to being vulnerable to outside attack). The ONLY application which has ever consistently locked my machine up "tighter than a bull's ass in fly season" (i.e. the "three finger dance" CTL-ALT-DEL won't force a reboot--you have to actually power down and back up)--is INTERNET EXPLORER. The problem remains through several iterations of IE.