[Oberon] Over-Reliance On Microsoft Endangers Business And National
Security
Douglas G. Danforth
danforth at greenwoodfarm.com
Wed Sep 24 22:02:33 CEST 2003
Oberon Folks,
Here is an interesting posting in the US press.
-Doug Danforth
Study: Over-Reliance On Microsoft Endangers Business And National Security
Sept. 24, 2003
A panel of security experts blasted Microsoft for vulnerabilities in its
software and said the company's monopoly on operating systems is a
security risk.
By Gregg Keizer, TechWeb News
A panel of leading security experts Wednesday blasted Microsoft for
vulnerabilities in its software and warned that reliance on the
company's software is a danger to both business and national security.
The group, which debuted its report at the first day of a two-day
conference hosted by the Computer & Communications Industry Association
(CCIA), was headed by Dan Geer, chief technology officer of @Stake, a
security consulting firm.
"As fast as the world's computing infrastructure is growing,
vulnerability to attack is growing faster still," Geer said.
"Microsoft's attempts to tightly integrate myriad applications with its
operating system have significantly contributed to excessive complexity
and vulnerability. This deterioration of security compounds when nearly
all computers rely on a single operating system subject to the same
vulnerabilities the world over."
Ed Black, the CEO and president of CCIA, whose members include Microsoft
competitors such as Sun and Oracle, was even more blunt. "Microsoft's
monopoly threatens consumers in a number of ways," he said. "It's clear
it is now also a threat to our security, our safety, and even our
national security."
According to the report and its seven authors--security consultants and
leaders of several security firms--the biggest problem is the
over-reliance by businesses and governments worldwide on Microsoft's
products.
"The problem is that of monoculture," said Bruce Schneier, one of the
authors and a co-founder of security firm Counterpane. "As long as all
computers are running the same operating system, they're all vulnerable."
Using several agricultural analogies of the danger of relying on a
single crop--from attacks of boll weevils on cotton to the Irish potato
famine--the authors stressed that reliance on Microsoft dooms IT to a
continued plague of vulnerabilities.
"We need operating-system diversity," said John Quarterman, another of
the report's authors and the founder of InternetPerils, an Internet
risk-management company. "If there's one thing to take away from this
report, it's that a single attack can take out all the computers running
a single operating system."
The monopoly that Microsoft enjoys--Windows is by far the world's most
popular operating system--ensures that attackers will focus their
efforts on its software. More important, these attacks will have rapid
and broad effects.
"Ironically, Microsoft's efforts to deny interoperability of Windows
with legitimate non-Microsoft applications have created an environment
in which Microsoft's programs interoperate efficiently only with Internet
viruses," Geer said.
The complexity of Microsoft's software--the report claims that
integrating applications with Windows results in code 15 to 35 times
more complex--results in a similar increase in vulnerabilities. And
simply patching the vulnerability, as Microsoft has increasingly had to
do on the fly as vulnerabilities are disclosed, only exacerbates the
problem.
"I don't think that Microsoft can ever fix this," said Geer.
Businesses, organizations, and government agencies must wake up to the
fact that there are ramifications to their decisions to buy Microsoft,
added Schneier. "Because everyone's buying it, there are security
implications to your decision to buy what everyone else is buying," he
said. "You need to take that into consideration."
Among its other recommendations, the report, "CyberInsecurity: The Cost
Of Monopoly," urged the federal government to diversify the software it
uses, demand that Microsoft design its products to work well with other
companies' software, and require Microsoft to open its source code to
other developers.
Some of its advice is sure to become controversial, because it hinges on
government stepping in, perhaps on an antitrust basis, to make specific
demands of Microsoft. Among these recommendations: Microsoft should not
be allowed to release Office for any one platform, such as Windows,
until it releases comparable Linux and Mac OS versions.
While the report's authors note the seriousness of their
recommendations, they stood by them. "When the government uses a product
whose monopoly position undermines its security," said Geer, "antitrust
becomes a national security issue."