Velocity Reviews > NZ Computing > Re: Microsoft security risk
(http://www.velocityreviews.com/forums/t567904-re-microsoft-security-risk.html)

Nathan Mercer 10-01-2003 12:29 AM

Re: Microsoft security risk
 

"Peter" <nospamjynyl@yahoo.co.nz> wrote in message
news:3f749fc0@news.maxnet.co.nz...
>
> Some security experts have concluded that the Microsoft monoculture is a
> major security risk to society, particularly with the less knowledgeable
> home users, who are now getting better computers and broadband
> connections.
> The solution is to avoid Microsoft software, especially with important
> data and functions, such as government and public utilities.


I liked reading this reply from the Security Watch email list
http://mcpmag.com/security/

http://ENTmag.com


Does Windows Endanger Society?
By Roberta Bragg

Last week, a number of high-profile security experts released a report
called "Cyberinsecurity: The Cost of Monopoly. How the Dominance of
Microsoft Products Poses a Risk to Security." Read coverage of the report
first, at http://mcpmag.com/news/article.asp?EditorialsID=613;
the report itself is at www.ccianet.org/papers/cyberinsecurity.pdf.

I discount the report for a number of reasons, and respond directly to the
authors.

1. I was made aware of the report's release through an invitation to a
conference call. The subject of the e-mail was "National Security
Compromised by Reliance on Microsoft Windows." To me, this sounded like the
national security of the United States had been compromised. To me, this
sounded like you were going to reveal the facts behind some successful
attack on my country. Because of the title and the unrecognized sender,
along with the fact that it had an attachment, I almost relegated the e-mail
to the spam bucket.

2. The conference call wasn't about national security being compromised. I
assumed it was and I was annoyed that you'd used such a tawdry attempt at
getting attention.

3. At the beginning of the call you seemed almost apologetic -- fumbling
around, emphasizing that this wasn't about bashing Microsoft.
I don't care if you want to bash Microsoft. This is a free country; you can
criticize anyone you want to. If it's not about bashing Microsoft, though,
why accuse the company of being behind the compromise of national security?
Why bash them in the actual report?

4. Your report, and the conference call, were sponsored by the Computer &
Communications Industry Association (CCIA). This group is an industry
association with a long history of anti-Microsoft rhetoric and action.
The CCIA is involved in antitrust action against Microsoft in the United
States and Europe. If you're going to tell me you're scientists who have all
come to the same conclusion about the 3 M's -- Microsoft, monopoly, and
monoculture -- then please find a more independent public forum. Your words
will have more weight.

5. While you stressed during the media conference call that your warnings
weren't about Microsoft, the report plainly is. And while you are experts in
information security, you clearly are *not* Microsoft Windows experts. One
of you seemed surprised to learn that automatic updates are a default
feature of current Windows releases. Another said they plugged in a Windows
computer and it was compromised before it could be updated. Was the computer
around when the patch was issued? If so, why wasn't it patched? Even the
latest worm was preceded by three weeks in which the patch was available.
Was it a new computer? I have to wonder about a security expert who waits
three weeks to patch his computer or plugs in a brand new computer to the
Internet before patching it or protecting it with a firewall. An ordinary
citizen might do that, and that is a real problem.

And that's the problem you need to be talking about. Not your experience;
you're the experts, after all. Don't get me wrong -- in the enterprise, you
don't need thousands of desktop computers phoning home to Microsoft and
downloading and installing service packs and security patches. Depending on
your size, there are products like the free Microsoft Software Update
Services and commercial software like Systems Management Server or
third-party product that allows you to choose which security patches will be
applied to which computers, and when.
But for the average consumer, the chance that a patch will cause harm is far
less risky than the risk of not enabling automatic updating. The average
consumer also needs to at least run a personal firewall. Many of the
exploits, worms and so on can be foiled by basic firewalls.

6. While they're correct that consumers shouldn't need to be security
experts in order to browse the Internet, you don't seem to understand that
the message consumers are getting is that they don't need to use any
security on the Internet.

My ISP, Southwestern Bell
(http://www01.sbc.com/DSL_new/content...tml#firewalls), has a lot to
say about security. The quote below is from a Web page I've just downloaded.
It tells consumers they should make their own decision about whether or not
they need a firewall:

"For example, a small business, or a customer who sends a lot of proprietary
information over the Internet, may want to install a firewall, whereas
customers who use the Internet for research or entertainment may find
changing their passwords regularly to be all the security they need."

Would you trouble yourself to install a firewall after that? Read the page.
It tells you how well Southwestern Bell keeps you secure by securing their
network. It also implies you should not open an email attachment that
contains a virus (how do you determine that, pray tell?) and install
anti-virus software (nothing here about keeping that updated). So why
aren't you attacking ISPs? A computer used without any
security is like a car driven by a drunk driver; an accident waiting to
happen.

7. You emphasized that people who use Macs laugh at worms. I know companies
who have 100 percent Windows on the desktop and laughed, too.
They weren't infected -- and not just because they patch, but because they
follow sound information security principles. I also know many average folks
who use Windows on their desktop. They use the onboard firewall. They use
automatic updates. They weren't infected, either.
Some of them were previous Mac users. Why did they switch? Because Windows
is easier to use, and easier to update and protect.

Here are my general responses to your report's conclusions.

- You complain that Microsoft has systematically done everything they could
to become the dominant player in computing. Isn't that what business is all
about -- becoming No. 1? Of course it was intentional.
Was it malicious? Was it illegal? That's for the courts to judge. Get off
it. Pointing fingers and calling someone the devil won't get me to support
your cause.

- You say that the result of the alleged monopoly is a monoculture. By that
you mean that since life at the end of each thread leading away from the
Internet and into someone's home or office is Windows, we're all at risk. A
single flaw can be our downfall. This is true; one way of doing anything
puts us at risk. It's why businesses build redundancy into their computing
infrastructure. It's why we ordinary citizens have a backup plan for getting
to work if the car won't start.

- You say that the problem is we're all so dependent on computers, and the
vast majority of us are so incapable of using them securely that the
government needs to step in. It's true that we're dependent on computers.
This scares me. Many users don't know how to use them securely. Many of us
who should know better don't always secure them properly. You might convince
me that we need some ground rules here.
Every citizen has a responsibility to protect others. We have laws about
smoking in public places, driving while intoxicated and other harmful
actions precisely because on their own, some people will do harmful things.
Making rules to protect the good of the masses against the actions of the
few and enforcing them is at least as old as Moses and the Ten Commandments.
But let's make sure the laws are about regulating everyone in the same way,
and not about punishing a single company.

- You say the complexity of Microsoft products and the tight integration of
the code in those products lock users in and violate a basic security
principle. You say that computer scientists agree that loose coupling and
modularity makes for better systems. You want, in short, to be able to mix
and match products. Use another word processor on Windows. Use Office on
Linux. I can do the former. I can't do the latter.

Do you remember the first version of Windows NT? The requirement for
modularity resulted in OS/2 and POSIX subsystems. What was the first
security suggestion? Remove those subsystems because they posed additional
risk. I agree with the subsystem removal bit. Few used those parts of the
product, and another security dictum says get rid of what you don't use,
because it poses a risk as well. It's true that complexity is the enemy of
security. The complexity of computing systems can be the result of using a
single complex product. But diversifying, a main solution proposed by the
report, also makes computing systems complex. How much harder will it be for
consumers to secure their systems when they have a greater variety of them?

- You also offer some suggestions for the alleged problem; here the message
gets muddied.

1. Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll
still be at risk since those that would attack us will just do it by
discovering and exploiting flaws in those products.

2. Government legislation is needed to control the situation. I'm not sure
if you're saying that Microsoft should be kicked in the pants or that we
just need better control over who can do what on the Internet.

3. Take the computers away from moms. Well, what else did you expect me to
draw as a conclusion, when they complain that the problem is stupid users
using unprotected computers on the Internet, and then point to their own
mothers as an example? A number of you did just that during the conference
call.

I'm glad we live in a society where we can express our opinion, and I'm
really glad you did. I want very much to join you in your crusade to make
the world safe from those that would take advantage of the lack of computer
security that lives on the edge of the Internet. I want to make people more
aware. I want them to secure their computers. I want the computing industry
to give us products that are secure by design, and that we can secure even
if we aren't experts. I want the craziness to stop. I don't want anyone hurt
because some clueless teenager or malevolent terrorist takes advantage of a
flaw in an operating system or application. I want it badly. So guys, come
on, stop with the M words. Join together instead. Let's get together --
users, experts, policy makers, moms, programmers, software and hardware
companies -- in some independent forum, and work toward that goal without
the rhetoric, without the animosity. After all, as one of you once said,
"Security is a process, not a product."



Peter 10-01-2003 07:58 AM

Re: Microsoft security risk
 
this quote is from Nathan Mercer of Wed, 01 Oct 2003 12:29 :
>
> I liked reading this reply from the Security Watch email list
> http://mcpmag.com/security/
> http://ENTmag.com


<snip>
> Here are my general responses to your report's conclusions.
>
> - You complain that Microsoft has systematically done everything they
> could to become the dominant player in computing. Isn't that what business
> is all about -- becoming No. 1? Of course it was intentional.
> Was it malicious? Was it illegal? That's for the courts to judge.


and the courts have decided; the actions were unlawful, Microsoft is guilty
http://cyber.law.harvard.edu/msdoj/

> - You say that the result of the alleged monopoly is a monoculture. By
> that you mean that since life at the end of each thread leading away from
> the Internet and into someone's home or office is Windows, we're all at
> risk. A single flaw can be our downfall. This is true; one way of doing
> anything puts us at risk. It's why businesses build redundancy into their
> computing infrastructure. It's why we ordinary citizens have a backup plan
> for getting to work if the car won't start.


It's why society would be better off with a diversity of computer operating
systems and applications.

> - You say that the problem is we're all so dependent on computers, and the
> vast majority of us are so incapable of using them securely that the
> government needs to step in. It's true that we're dependent on computers.
> This scares me. Many users don't know how to use them securely. Many of us
> who should know better don't always secure them properly. You might
> convince me that we need some ground rules here.
> Every citizen has a responsibility to protect others. We have laws about
> smoking in public places, driving while intoxicated and other harmful
> actions precisely because on their own, some people will do harmful
> things. Making rules to protect the good of the masses against the actions
> of the few and enforcing them is at least as old as Moses and the Ten
> Commandments. But let's make sure the laws are about regulating everyone
> in the same way, and not about punishing a single company.


Yes the laws should be about regulating everyone in the same way. And if
one company or individual is doing damage and acting unlawfully, that
single particular entity should be punished (or at least stopped).

> - You say the complexity of Microsoft products and the tight integration
> of the code in those products lock users in and violate a basic security
> principle. You say that computer scientists agree that loose coupling and
> modularity makes for better systems. You want, in short, to be able to mix
> and match products. Use another word processor on Windows. Use Office on
> Linux. I can do the former. I can't do the latter.


That you can't do the latter is simply a function of the unfair monopoly
situation. (I note that you don't argue that modularity is undesirable.)
It is not technically difficult (see Crossover Office).

> How much harder will it be for consumers to secure their systems when
> they have a greater variety of them?


Not much at all, really.

> - You also offer some suggestions for the alleged problem; here the
> message gets muddied.
>
> 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
> we'll still be at risk since those that would attack us will just do it by
> discovering and exploiting flaws in those products.


Obviously, going from one monoculture to another isn't going to solve the
problem. Diversity of OS and freedom of choice are the answer.

> 2. Government legislation is needed to control the situation. I'm not sure
> if you're saying that Microsoft should be kicked in the pants or that we
> just need better control over who can do what on the Internet.


Somehow, we need to get to a situation where there is freedom of choice.


Peter


Lennier 10-01-2003 11:28 AM

Re: Microsoft security risk
 
On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:

> Obviously, going from one monoculture to another isn't going to solve the
> problem.


Agreed...

> Diversity of OS and freedom of choice are the answer.


Agreed.

RedHat, Suse, Mandrake, Solaris, Slackware, Debian, SCO-Unix, AIX, HPUX.

Nice diversity, to name but a few of the main non-Micro$oft players...

Lennier


Uncle StoatWarbler 10-01-2003 12:29 PM

Re: Microsoft security risk
 
On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:

>> 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
>> we'll still be at risk since those that would attack us will just do it by
>> discovering and exploiting flaws in those products.
>
> Obviously, going from one monoculture to another isn't going to solve the
> problem. Diversity of OS and freedom of choice are the answer.


Macs are a hell of a lot harder to infect. I think there are something like
50 viruses known, total, plus some scripting fun with MS office for
Macintosh.


More importantly, most users are idiots and Macs are well suited to
idiots. They're the Kodak cameras of the computing world ("Just take the
picture, we'll do the rest" - the slogan which made Kodak one of the
world's largest companies(*)...)



(*) Unfortunately they forgot the slogan and concentrated on being a film
company. It's going to be interesting to see if they can survive the
digital shift or if they'll go bust like Polaroid.



Mainlander 10-02-2003 05:40 AM

Re: Microsoft security risk
 
In article <pan.2003.10.01.12.29.10.158467@digistar.com>,
alanb+google4@digistar.com says...
> On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:
>
> >> 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
> >> we'll still be at risk since those that would attack us will just do it by
> >> discovering and exploiting flaws in those products.
> >
> > Obviously, going from one monoculture to another isn't going to solve the
> > problem. Diversity of OS and freedom of choice are the answer.
>
> Macs are a hell of a lot harder to infect. I think there are something like
> 50 viruses known, total, plus some scripting fun with MS office for
> Macintosh.
>
> More importantly, most users are idiots and Macs are well suited to
> idiots. They're the Kodak cameras of the computing world ("Just take the
> picture, we'll do the rest" - the slogan which made Kodak one of the
> world's largest companies(*)...)
>
> (*) Unfortunately they forgot the slogan and concentrated on being a film
> company. It's going to be interesting to see if they can survive the
> digital shift or if they'll go bust like Polaroid.


Kodak make a range of digital including some very high end pro gear.

