[Oberon] Over-Reliance On Microsoft Endangers Business And National Security

[Douglas G. Danforth]

Oberon Folks,
Here is an interesting posting in the US press.
-Doug Danforth

Study: Over-Reliance On Microsoft Endangers Business And National 
Security   Sept. 24, 2003

A panel of security experts blasted Microsoft for vulnerabilities in its 
software and said the company's monopoly on operating systems is a 
security risk.

By Gregg Keizer, TechWeb News


A panel of leading security experts Wednesday blasted Microsoft for 
vulnerabilities in its software and warned that reliance on the 
company's software is a danger to both business and national security.

The group, which debuted its report at the first day of a two-day 
conference hosted by the Computer & Communications Industry Association 
(CCIA), was headed by Dan Geer, chief technology officer of @Stake, a 
security consulting firm.

"As fast as the world's computing infrastructure is growing, 
vulnerability to attack is growing faster still," Geer said. 
"Microsoft's attempts to tightly integrate myriad applications with its 
operating system have significantly contributed to excessive complexity 
and vulnerability. This deterioration of security compounds when nearly 
all computers rely on a single operating system subject to the same 
vulnerabilities the world over."

Ed Black, the CEO and president of CCIA, whose members include Microsoft 
competitors such as Sun and Oracle, was even more blunt. "Microsoft's 
monopoly threatens consumers in a number of ways," he said. "It's clear 
it is now also a threat to our security, our safety, and even our 
national security."

According to the report and its seven authors--security consultants and 
leaders of several security firms--the biggest problem is the 
over-reliance by businesses and governments worldwide on Microsoft's 
products.

"The problem is that of monoculture," said Bruce Schneier, one of the 
authors and a co-founder of security firm Counterpane. "As long as all 
computers are running the same operating system, they're all vulnerable."

Using several agricultural analogies of the danger of relying on a 
single crop-- from attacks of boll weevils on cotton to the Irish potato 
famine--the authors stressed that reliance on Microsoft dooms IT to a 
continued plague of vulnerabilities.

"We need operating-system diversity," said John Quarterman, another of 
the report's authors and the founder of InternetPerils, an Internet 
risk-management company. "If there's one thing to take away from this 
report, it's that a single attack can take out all the computers running 
a single operating system."

The monopoly that Microsoft enjoys--Windows is by far the world's most 
popular operating system--insures that attackers will focus their 
efforts on its software. More important, these attacks will have rapid 
and broad effects.

"Ironically, Microsoft's efforts to deny interoperability of Windows 
with legitimate non-Microsoft applications have created an environment 
in which Microsoft's program interoperate efficiently only with Internet 
viruses," Geer said.

The complexity of Microsoft's software--the report claims that 
integrating applications with Windows results in code 15 to 35 times 
more complex-- results in a similar increase in vulnerabilities. And 
simply patching the vulnerability, as Microsoft has increasingly had to 
do on the fly as vulnerabilities are disclosed, only exacerbates the 
problem.

"I don't think that Microsoft can ever fix this," said Geer.

Businesses, organizations, and government agencies must wake up to the 
fact that there are ramifications to their decisions to buy Microsoft, 
added Schneier. "Because everyone's buying it, there are security 
implications to your decision to buy what everyone else is buying," he 
said. "You need to take that into consideration."

Among its other recommendations, the report, "CyberInsecurity: The Cost 
Of Monopoly," urged the federal government to diversify the software it 
uses, demand that Microsoft design its products to work well with other 
companies' software, and require Microsoft to open its source code to 
other developers.

Some of its advice is sure to become controversial, because it hinges on 
government stepping in, perhaps on an antitrust basis, to make specific 
demands of Microsoft. Among these recommendations: Microsoft should not 
be allowed to release Office for any one platform, such as Windows, 
until it releases comparable Linux and Mac OS versions.

While the report's authors note the seriousness of their 
recommendations, they stood by them. "When the government uses a product 
whose monopoly position undermines its security," said Geer, "antitrust 
becomes a national security issue."