Does Windows Endanger Society?
Security study faulty at many levels; let me count the ways.
- By Roberta Bragg
- September 29, 2003
Last week, a number of high-profile security experts released a report called
"Cyberinsecurity: The Cost of Monopoly. How the Dominance of Microsoft
Products Poses a Risk to Security." Read coverage of the report first,
at
http://mcpmag.com/news/article.asp?EditorialsID=613;
the report itself is at
www.ccianet.org/papers/cyberinsecurity.pdf.
I discount the report for a number of reasons, and respond directly to
the authors.
- I was made aware of the report's release through an invitation to a conference
call. The subject of the e-mail was "National Security Compromised by
Reliance on Microsoft Windows." To me, this sounded like the national
security of the United States had been compromised. To me, this sounded like
you were going to reveal the facts behind some successful attack on my country.
Because of the title and the unrecognized sender, along with the fact that
it had an attachment, I almost relegated the e-mail to the spam bucket.
- The conference call wasn't about national security being compromised. I
assumed it was and I was annoyed that you'd used such a tawdry attempt at
getting attention.
- At the beginning of the call you seemed almost apologeticfumbling
around, emphasizing that this wasn't about bashing Microsoft. I don't care
if you want to bash Microsoft. This is a free country; you can criticize anyone
you want to. If it's not about bashing Microsoft, though, why accuse the company
of being behind the compromise of national security? Why bash them in the
actual report?
- Your report, and the conference call, were sponsored by the Computer &
Communications Industry Association (CCIA). This group is an industry association
with a long history of anti-Microsoft rhetoric and action. The CCIA is involved
in antitrust action against Microsoft in the United States and Europe. If
you're going to tell me you're scientists who have all come to the same conclusion
about the 3 M'sMicrosoft, monopoly, and monoculturethen please
find a more independent public forum. Your words will have more weight.
- While you stressed during the media conference call that your warnings
weren't about Microsoft, the report plainly is. And while you are experts
in information security, you clearly are not Microsoft Windows experts.
One of you seemed surprised to learn that automatic updates are a default
feature of current Windows releases. Another said they plugged in a Windows
computer and it was compromised before it could be updated. Was the computer
around when the patch was issued? If so, why wasn't it patched? Even the latest
worm was preceded by three weeks in which the patch was available. Was it
a new computer? I have to wonder about a security expert who waits three weeks
to patch his computer or plugs in a brand new computer to the Internet before
patching it or protecting it with a firewall. An ordinary citizen might do
that, and that is a real problem.
And that's the problem you need to be talking about. Not your experience; you're
the experts, after all. Don't get me wrongin the enterprise, you don't
need thousands of desktop computers phoning home to Microsoft and downloading
and installing service packs and security patches. Depending on your size, there
are products like the free Microsoft Software Update Services and commercial
software like Systems Management Server or third-party product that allows you
to choose which security patches will be applied to which computers, and when.
But for the average consumer, the chance that a patch will cause harm is far
less risky than the risk of not enabling automatic updating. The average consumer
also needs to at least run a personal firewall. Many of the exploits, worms
and so on can be foiled by basic firewalls.
- While they're correct that consumers shouldn't need to be security experts
in order to browse the Internet, you don't seem to understand that the message
consumers are getting is that they don't need to use any security on the Internet.
My ISP, Southwestern Bell (http://www01.sbc.com/DSL_new/content/0,,54,00.html#firewalls),
has a lot to say about security. The quote below is from a Web page I've just
downloaded. It tells consumers they should make their own decision about whether
or not they need a firewall:
For example, a small business, or a customer who sends a lot of proprietary
information over the Internet, may want to install a firewall, whereas customers
who use the Internet for research or entertainment may find changing their
passwords regularly to be all the security they need.
Would you trouble yourself to install a firewall after that? Read the
page. It tells you how well Southwestern Bell keeps you secure by
securing their network. It also implies you should not open an email
attachment that contains a virus (how do you determine that, pray
tell?) and install anti virus software (Nothing here about keeping that
updated.) So why aren't you attacking ISPs? A computer used without any
security is like a car driven by a drunk driver; an accident waiting to
happen.
- You emphasized that people who use Macs laugh at worms. I know companies
who have 100 percent Windows on the desktop and laughed, too. They weren't
infected -- and not just because they patch, but because they follow sound
information security principles. I also know many average folks who use Windows
on their desktop. They use the onboard firewall. They use automatic updates.
They weren't infected, either. Some of them were previous Mac users. Why did
they switch? Because Windows is easier to use, and easier to update and protect.
Here are my general responses to your report's conclusions.
- You complain that Microsoft has systematically done everything they could
to become the dominant player in computing. Isn't that what business is all
about -- becoming No. 1? Of course it was intentional. Was it malicious? Was
it illegal? That's for the courts to judge. Get off it. Pointing fingers and
calling someone the devil won't get me to support your cause.
- You say that the result of the alleged monopoly is a monoculture. By that
you mean that since life at the end of each thread leading away from the Internet
and into someone's home or office is Windows, we're all at risk. A single
flaw can be our downfall. This is true; one way of doing anything puts us
at risk. It's why businesses build redundancy into their computing infrastructure.
It's why we ordinary citizens have a backup plan for getting to work if the
car won't start.
- You say that the problem is we're all so dependent on computers, and the
vast majority of us are so incapable of using them securely that the government
needs to step in. It's true that we're dependent on computers. This scares
me. Many users don't know how to use them securely. Many of us who should
know better don't always secure them properly. You might convince me that
we need some ground rules here. Every citizen has a responsibility to protect
others. We have laws about smoking in public places, driving while intoxicated
and other harmful actions precisely because on their own, some people will
do harmful things. Making rules to protect the good of the masses against
the actions of the few and enforcing them is at least as old as Moses and
the Ten Commandments. But let's make sure the laws are about regulating everyone
in the same way, and not about punishing a single company.
- You say the complexity of Microsoft products and the tight integration of
the code in those products lock users in and violate a basic security principle.
You say that computer scientists agree that loose coupling and modularity
makes for better systems. You want, in short, to be able to mix and match
products. Use another word processor on Windows. Use Office on Linux. I can
do the former. I can't do the latter.
Do you remember the first version of Windows NT? The requirement for
modularity resulted in OS/2 and POSIX subsystems. What was the first
security suggestion? Remove those subsystems because they posed
additional risk. I agree with the subsystem removal bit. Few used those
parts of the product, and another security dictum says get rid of what
you don't use, because it poses a risk as well. It's true that
complexity is the enemy of security. The complexity of computing
systems can be the result of using a single complex product. But
diversifying, a main solution proposed by the report, also makes
computing systems complex. How much harder will it be for consumers to
secure their systems when they have a greater variety of them?
- You also offer some suggestions for the alleged problem; here the message
gets muddied.
- Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll
still be at risk since those that would attack us will just do it by discovering
and exploiting flaws in those products.
- Government legislation is needed to control the situation. I'm not sure
if you're saying that Microsoft should be kicked in the pants or that we just
need better control over who can do what on the Internet.
- Take the computers away from moms. Well, what else did you expect me to
draw as a conclusion, when they complain that the problem is stupid users
using unprotected computers on the Internet, and then point to their own mothers
as an example? A number of you did just that during the conference call.
I'm glad we live in a society where we can express our opinion, and I'm really
glad you did. I want very much to join you in your crusade to make the world
safe from those that would take advantage of the lack of computer security that
lives on the edge of the Internet. I want to make people more aware. I want
them to secure their computers. I want the computing industry to give us products
that are secure by design, and that we can secure even if we aren't experts.
I want the craziness to stop. I don't want anyone hurt because some clueless
teenager or malevolent terrorist takes advantage of a flaw in an operating system
or application. I want it badly.
So guys, come on, stop with the M words. Join together instead. Let's get togetherusers,
experts, policy makers, moms, programmers, software and hardware companiesin
some independent forum, and work toward that goal without the rhetoric, without
the animosity. After all, as one of you once said, "Security is a process,
not a product."