Microsoft's Means Danger
by Peter Griffin,
What do the boll weevil, Irish potatoes and Microsoft have in common?
Quite a lot, if you believe American Dan Geer - a backyard beekeeper with muttonchop sideburns and a doctorate in biostatistics.
The internet security guru created quite a flap with his white paper CyberInsecurity: The Cost of Monopoly, which argued that the dominance of Microsoft's software in the computer world threatens our electronic existence.
The fact Geer got fired from his job at security company @Stake following his publishing the paper late last year plucked the "monoculture" argument out of academic oblivion and into the mainstream. Microsoft, it seems, was a major client of @Stake's, leading to speculation that Geer was culled by an employer wanting to stay on the software behemoth's right side.
It was a juicy subplot and hundreds of newspapers around the world picked up Geer's story. Slashdot.org postings on Geer came very thick and fast.
A little-known fact is that Auckland University's very own Professor Peter Gutmann co-authored the CyberInsecurity paper, though he says Geer "wrote 99 per cent of it".
"[@Stake] might have been embarrassed because he criticised a client of theirs. But Dan had no end of job offers," he says of his colleague, who has moved to a security start-up.
Gutmann subscribes to the paper's premise - that the monoculture of the Windows-centric IT world is a dangerous thing. He's got nothing against Microsoft itself - but the lack of diversity it represents goes against the grain.
"If everyone was using Linux we'd have the same problem. It's very difficult to separate comments about security from attacks on Microsoft."
Nothing that has been thrown at Microsoft has yet been able to break its monopoly on the client operating system market, where surveys variously suggest it has a 90 per cent to 98 per cent share. On the server side, it still accounts for more than half of server software sales, despite the increasing popularity of Linux.
For Geer and others this is distressing. That's because the workings of society depend more on computers than ever before - from the card reader we swipe to get into our office to the systems that run the power and telecoms networks to the databases that make sense of our financial transactions.
The argument is that by letting Microsoft become so dominant, we've set ourselves up for "the blue screen of death" of all time - or what one security firm has dubbed the "$100 billion cyber catastrophe".
Geer argues that the dominance of Microsoft's operating systems across the networks of the world creates a "susceptible reservoir of platforms" from which attacks by malicious worms, viruses and Trojans can be launched. The result is "cascade failure" where the viral infection rapidly spreads via internet connections. Internet nasties Nimda and Slammer, SoBig, MSBlaster and most recently MyDoom are all examples of cascade failure, several of which have targeted Microsoft software.
Geer says the "tight integration" of Microsoft's products "violates the core teaching of software engineering" which is "loosely-coupled interfaces".
The integration locks in users, making it hard for them to jump to other platforms.
Microsoft's operating systems, adds Geer, are notable for their incredible complexity - and complexity is the first enemy of security.
"After a threshold of complexity is exceeded, fixing one flaw will tend to create new flaws: Microsoft has crossed that threshold."
The answer, he argues, is to make Microsoft's applications fully compatible with competing operating systems so that a range of systems are used by larger numbers of people.
"For many organisations the only thing keeping them with Microsoft in the front office is Office ... if Microsoft were forced to inter-operate, innovators and innovation could not be locked-out because users could not be locked in," wrote Geer, who believes Microsoft should publish interface specifications for major functional components of its code, both Windows and Office.
But he doesn't believe that breaking up Microsoft is the answer. Attempts at that have already been unsuccessful. He's arguing for Microsoft to unbundle its unified product suite.
Based on plain old biology of the Darwinian variety, the argument says that in the real world, monoculturalism is lethal. Take cotton farming, for example. Early last century, farmers in the southern states of the US were making a killing out of cotton. It grew like weed and clothed the masses. The farmers got rich, the merchants grew fat, the economy flourished. Then the boll weevil made its appearance. It munched its way across the states, where fields in parts were solely devoted to cotton.
The boll weevil attack led to a miserable Grapes of Wrath-type existence for millions of Americans as stretches of Texas, Oklahoma and Georgia became dustbowls. Afterwards, however, farmers diversified their crops by planting corn or peanuts alongside the cotton.
The same thing happened in Ireland where in the nineteenth century everyone grew one particular type of weather-resistant potato. They called it the "lumper" and it was so deliciously tasty and easy to grow that by 1840 it was the staple diet for three million Irish. But by 1845, most of the lumpers being dug out of the peaty Irish soil were covered in a horrible fungus which turned them to mush. A million Irish died during the two-year great potato famine. Many more fled to the US. Afterwards, the Irish made sure they planted several species of potato.
It may be that the worms and viruses we've seen in the past 18 months are merely the precursor to "the big one".
It's definitely something the insurance industry is fretting about, according to British security firm mi2g.
"The premium for such cover is ... likely to run into millions of dollars per quarter per corporation insuring against US$2 billion to US$5 billion of exposure, and have excess limits of US$100 million or more because the probability of incidence of cyber catastrophe is rising with every passing month," it said in a bulletin.
Certainly, security breaches such as the monumental stuff-up that allowed 600MB of source code for Windows 2000 and Windows NT to find its way on to the web, fail to inspire confidence.
But how real is the threat, really?
"At the moment these viruses are badly written," says Gutmann. "They've major bugs so their propagation is impeded."
But he tells me unprintable things that can be done to computers by single-minded hackers to reduce them to "paper weights". The best hackers are the most patient ones. They're willing to wait six months, a year, before their work takes effect. Most experts agree, we ain't seen nothing yet.
Which leads me to this conclusion. The Government has to take leadership on dismantling this dangerous monoculture.
Maybe Geer's idea of governments and critical infrastructure providers ensuring that no more than 50 per cent of their computer infrastructure is run on one flavour of operating system is a good one.
On the operating side, if it comes down to paying a premium on my next (already free) Linux upgrade so I can run the selected Microsoft applications, I'll pay it.
Organisations such as the Department of Homeland Security and our own CCIP (Centre for Critical Infrastructure Protection) have been set up to protect us from terrorist threats. Cyber-terrorism needs close attention as well and policy over operating-system use could come from such organisations.
Maybe the partial mandating of open-source software use in government is the path we need to take. On the evidence presented, there's a good argument for it.