Re: Microsoft security risk

Discussion in 'NZ Computing' started by Nathan Mercer, Oct 1, 2003.

  1. "Peter" <> wrote in message
    news:...
    >
    > Some security experts have concluded that the Microsoft monoculture is a
    > major security risk to society, particularly with the less knowledgeable
    > home users, who are now getting better computers and broadband
    > connections.
    > The solution is to avoid Microsoft software, especially with important
    > data and functions, such as government and public utilities.


    I liked reading this reply from the Security Watch email list
    http://mcpmag.com/security/

    http://ENTmag.com


    Does Windows Endanger Society?
    By Roberta Bragg

    Last week, a number of high-profile security experts released a report
    called "Cyberinsecurity: The Cost of Monopoly. How the Dominance of
    Microsoft Products Poses a Risk to Security." Read coverage of the report
    first, at http://mcpmag.com/news/article.asp?EditorialsID=613;
    the report itself is at www.ccianet.org/papers/cyberinsecurity.pdf.

    I discount the report for a number of reasons, and respond directly to the
    authors.

    1. I was made aware of the report's release through an invitation to a
    conference call. The subject of the e-mail was "National Security
    Compromised by Reliance on Microsoft Windows." To me, this sounded like the
    national security of the United States had been compromised. To me, this
    sounded like you were going to reveal the facts behind some successful
    attack on my country. Because of the title and the unrecognized sender,
    along with the fact that it had an attachment, I almost relegated the e-mail
    to the spam bucket.

    2. The conference call wasn't about national security being compromised. I
    assumed it was and I was annoyed that you'd used such a tawdry attempt at
    getting attention.

    3. At the beginning of the call you seemed almost apologetic -- fumbling
    around, emphasizing that this wasn't about bashing Microsoft.
    I don't care if you want to bash Microsoft. This is a free country; you can
    criticize anyone you want to. If it's not about bashing Microsoft, though,
    why accuse the company of being behind the compromise of national security?
    Why bash them in the actual report?

    4. Your report, and the conference call, were sponsored by the Computer &
    Communications Industry Association (CCIA). This group is an industry
    association with a long history of anti-Microsoft rhetoric and action.
    The CCIA is involved in antitrust action against Microsoft in the United
    States and Europe. If you're going to tell me you're scientists who have all
    come to the same conclusion about the 3 M's -- Microsoft, monopoly, and
    monoculture -- then please find a more independent public forum. Your words
    will have more weight.

    5. While you stressed during the media conference call that your warnings
    weren't about Microsoft, the report plainly is. And while you are experts in
    information security, you clearly are *not* Microsoft Windows experts. One
    of you seemed surprised to learn that automatic updates are a default
    feature of current Windows releases. Another said they plugged in a Windows
    computer and it was compromised before it could be updated. Was the computer
    around when the patch was issued? If so, why wasn't it patched? Even the
    latest worm was preceded by three weeks in which the patch was available.
    Was it a new computer? I have to wonder about a security expert who waits
    three weeks to patch his computer or plugs in a brand new computer to the
    Internet before patching it or protecting it with a firewall. An ordinary
    citizen might do that, and that is a real problem.

    And that's the problem you need to be talking about. Not your experience;
    you're the experts, after all. Don't get me wrong -- in the enterprise, you
    don't need thousands of desktop computers phoning home to Microsoft and
    downloading and installing service packs and security patches. Depending on
    your size, there are products like the free Microsoft Software Update
    Services and commercial software like Systems Management Server or
    third-party products that allow you to choose which security patches will be
    applied to which computers, and when.
    But for the average consumer, the chance that a patch will cause harm is far
    less risky than the risk of not enabling automatic updating. The average
    consumer also needs to at least run a personal firewall. Many of the
    exploits, worms and so on can be foiled by basic firewalls.

    6. While they're correct that consumers shouldn't need to be security
    experts in order to browse the Internet, you don't seem to understand that
    the message consumers are getting is that they don't need to use any
    security on the Internet.

    My ISP, Southwestern Bell
    (http://www01.sbc.com/DSL_new/content/0,,54,00.html#firewalls), has a lot to
    say about security. The quote below is from a Web page I've just downloaded.
    It tells consumers they should make their own decision about whether or not
    they need a firewall:

    "For example, a small business, or a customer who sends a lot of proprietary
    information over the Internet, may want to install a firewall, whereas
    customers who use the Internet for research or entertainment may find
    changing their passwords regularly to be all the security they need."

    Would you trouble yourself to install a firewall after that? Read the page.
    It tells you how well Southwestern Bell keeps you secure by securing their
    network. It also implies you should not open an email attachment that
    contains a virus (how do you determine that, pray
    tell?) and install anti virus software (Nothing here about keeping that
    updated.) So why aren't you attacking ISPs? A computer used without any
    security is like a car driven by a drunk driver; an accident waiting to
    happen.

    7. You emphasized that people who use Macs laugh at worms. I know companies
    who have 100 percent Windows on the desktop and laughed, too.
    They weren't infected -- and not just because they patch, but because they
    follow sound information security principles. I also know many average folks
    who use Windows on their desktop. They use the onboard firewall. They use
    automatic updates. They weren't infected, either.
    Some of them were previous Mac users. Why did they switch? Because Windows
    is easier to use, and easier to update and protect.

    Here are my general responses to your report's conclusions.

    - You complain that Microsoft has systematically done everything they could
    to become the dominant player in computing. Isn't that what business is all
    about -- becoming No. 1? Of course it was intentional.
    Was it malicious? Was it illegal? That's for the courts to judge. Get off
    it. Pointing fingers and calling someone the devil won't get me to support
    your cause.

    - You say that the result of the alleged monopoly is a monoculture. By that
    you mean that since life at the end of each thread leading away from the
    Internet and into someone's home or office is Windows, we're all at risk. A
    single flaw can be our downfall. This is true; one way of doing anything
    puts us at risk. It's why businesses build redundancy into their computing
    infrastructure. It's why we ordinary citizens have a backup plan for getting
    to work if the car won't start.

    - You say that the problem is we're all so dependent on computers, and the
    vast majority of us are so incapable of using them securely that the
    government needs to step in. It's true that we're dependent on computers.
    This scares me. Many users don't know how to use them securely. Many of us
    who should know better don't always secure them properly. You might convince
    me that we need some ground rules here.
    Every citizen has a responsibility to protect others. We have laws about
    smoking in public places, driving while intoxicated and other harmful
    actions precisely because on their own, some people will do harmful things.
    Making rules to protect the good of the masses against the actions of the
    few and enforcing them is at least as old as Moses and the Ten Commandments.
    But let's make sure the laws are about regulating everyone in the same way,
    and not about punishing a single company.

    - You say the complexity of Microsoft products and the tight integration of
    the code in those products lock users in and violate a basic security
    principle. You say that computer scientists agree that loose coupling and
    modularity makes for better systems. You want, in short, to be able to mix
    and match products. Use another word processor on Windows. Use Office on
    Linux. I can do the former. I can't do the latter.

    Do you remember the first version of Windows NT? The requirement for
    modularity resulted in OS/2 and POSIX subsystems. What was the first
    security suggestion? Remove those subsystems because they posed additional
    risk. I agree with the subsystem removal bit. Few used those parts of the
    product, and another security dictum says get rid of what you don't use,
    because it poses a risk as well. It's true that complexity is the enemy of
    security. The complexity of computing systems can be the result of using a
    single complex product. But diversifying, a main solution proposed by the
    report, also makes computing systems complex. How much harder will it be for
    consumers to secure their systems when they have a greater variety of them?

    - You also offer some suggestions for the alleged problem; here the message
    gets muddied.

    1. Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll
    still be at risk since those that would attack us will just do it by
    discovering and exploiting flaws in those products.

    2. Government legislation is needed to control the situation. I'm not sure
    if you're saying that Microsoft should be kicked in the pants or that we
    just need better control over who can do what on the Internet.

    3. Take the computers away from moms. Well, what else did you expect me to
    draw as a conclusion, when they complain that the problem is stupid users
    using unprotected computers on the Internet, and then point to their own
    mothers as an example? A number of you did just that during the conference
    call.

    I'm glad we live in a society where we can express our opinion, and I'm
    really glad you did. I want very much to join you in your crusade to make
    the world safe from those that would take advantage of the lack of computer
    security that lives on the edge of the Internet. I want to make people more
    aware. I want them to secure their computers. I want the computing industry
    to give us products that are secure by design, and that we can secure even
    if we aren't experts. I want the craziness to stop. I don't want anyone hurt
    because some clueless teenager or malevolent terrorist takes advantage of a
    flaw in an operating system or application. I want it badly. So guys, come
    on, stop with the M words. Join together instead. Let's get together --
    users, experts, policy makers, moms, programmers, software and hardware
    companies -- in some independent forum, and work toward that goal without
    the rhetoric, without the animosity. After all, as one of you once said,
    "Security is a process, not a product."
    Nathan Mercer, Oct 1, 2003
    #1
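    The column above tells home users to do two things: leave automatic
    updating on and run the onboard firewall. The script below is an added
    example, not part of the thread or of any Microsoft tool it mentions, that
    audits exactly those two settings plus the list of applicable-but-missing
    updates on a current Windows machine. It assumes Windows 8 / Server 2012 or
    later (for Get-NetFirewallProfile) and the Windows Update Agent COM objects
    (Microsoft.Update.AutoUpdate and Microsoft.Update.Session); the update
    search needs reachability to Microsoft Update or a WSUS server, and the
    whole thing should run from an elevated PowerShell session.

```powershell
# Added example (not from the thread): audit the two consumer controls the
# column recommends, automatic updating and the host firewall, and list the
# updates the Windows Update Agent says are still missing.
# Assumes Windows 8+/Server 2012+ and an elevated session.

function Get-FirewallState {
    # One row per profile. A profile with Enabled=False leaves that network
    # type (Domain/Private/Public) unfiltered; inbound default should be Block.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = [bool]$_.Enabled
            InboundDefault = $_.DefaultInboundAction
        }
    }
}

function Get-AutoUpdateState {
    # IAutomaticUpdatesSettings.NotificationLevel:
    #   0 = not configured, 1 = disabled, 2 = notify before download,
    #   3 = notify before install, 4 = scheduled automatic install
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel
    [pscustomobject]@{
        NotificationLevel = $level
        Automatic         = ($level -eq 4)
        ServiceEnabled    = [bool]$au.ServiceEnabled
    }
}

function Get-MissingUpdates {
    # Ask the Windows Update Agent for applicable software updates that are
    # not installed and not hidden. Returns an empty array if the search
    # cannot reach its update source (offline box, blocked WSUS, etc.).
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        foreach ($u in $result.Updates) {
            [pscustomobject]@{
                Title    = $u.Title
                Severity = $u.MsrcSeverity      # Critical/Important/...; empty if unrated
                KBs      = (@($u.KBArticleIDs | ForEach-Object { $_ }) -join ',')
            }
        }
    } catch {
        Write-Warning "Update search failed: $($_.Exception.Message)"
        @()
    }
}

$fw      = @(Get-FirewallState)
$au      = Get-AutoUpdateState
$missing = @(Get-MissingUpdates)

$fw | Format-Table -AutoSize
$au | Format-List

# Turn the raw state into the handful of findings a home user should act on.
$problems = @()
foreach ($p in $fw) {
    if (-not $p.Enabled) {
        $problems += "Firewall disabled for profile $($p.Profile)"
    } elseif ($p.InboundDefault -ne 'Block') {
        $problems += "Inbound default is $($p.InboundDefault) for profile $($p.Profile)"
    }
}
if (-not $au.Automatic) {
    $problems += "Automatic updates not set to install automatically (level $($au.NotificationLevel))"
}
$critical = @($missing | Where-Object { $_.Severity -eq 'Critical' })
if ($critical.Count -gt 0) {
    $problems += "$($critical.Count) critical update(s) missing: $(($critical | ForEach-Object { $_.Title }) -join '; ')"
}

if ($problems.Count -eq 0) {
    "OK: firewall on for every profile, automatic updates on, no critical updates missing"
} else {
    $problems | ForEach-Object { "WARN: $_" }
}
```

    On a domain-joined machine fed by WSUS the search only sees what the WSUS
    administrator has approved, which is the enterprise control the column
    describes; on a standalone box it sees Microsoft Update directly. A
    NotificationLevel of 2 or 3 means a human has to click before anything is
    installed, which for the "average consumer" case in the column is the
    setting that leaves a machine unpatched for weeks.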

  2. Nathan Mercer

    Peter Guest

    this quote is from Nathan Mercer of Wed, 01 Oct 2003 12:29 :
    >
    > I liked reading this reply from the Security Watch email list
    > http://mcpmag.com/security/
    > http://ENTmag.com


    <snip>
    > Here are my general responses to your report's conclusions.
    >
    > - You complain that Microsoft has systematically done everything they
    > could to become the dominant player in computing. Isn't that what business
    > is all about -- becoming No. 1? Of course it was intentional.
    > Was it malicious? Was it illegal? That's for the courts to judge.


    and the courts have decided; the actions were unlawful, Microsoft is guilty
    http://cyber.law.harvard.edu/msdoj/

    > - You say that the result of the alleged monopoly is a monoculture. By
    > that you mean that since life at the end of each thread leading away from
    > the Internet and into someone's home or office is Windows, we're all at
    > risk. A single flaw can be our downfall. This is true; one way of doing
    > anything puts us at risk. It's why businesses build redundancy into their
    > computing infrastructure. It's why we ordinary citizens have a backup plan
    > for getting to work if the car won't start.


    It's why society would be better off with a diversity of computer operating
    systems and applications.

    > - You say that the problem is we're all so dependent on computers, and the
    > vast majority of us are so incapable of using them securely that the
    > government needs to step in. It's true that we're dependent on computers.
    > This scares me. Many users don't know how to use them securely. Many of us
    > who should know better don't always secure them properly. You might
    > convince me that we need some ground rules here.
    > Every citizen has a responsibility to protect others. We have laws about
    > smoking in public places, driving while intoxicated and other harmful
    > actions precisely because on their own, some people will do harmful
    > things. Making rules to protect the good of the masses against the actions
    > of the few and enforcing them is at least as old as Moses and the Ten
    > Commandments. But let's make sure the laws are about regulating everyone
    > in the same way, and not about punishing a single company.


    Yes the laws should be about regulating everyone in the same way. And if
    one company or individual is doing damage and acting unlawfully, that
    single particular entity should be punished (or at least stopped).

    > - You say the complexity of Microsoft products and the tight integration
    > of the code in those products lock users in and violate a basic security
    > principle. You say that computer scientists agree that loose coupling and
    > modularity makes for better systems. You want, in short, to be able to mix
    > and match products. Use another word processor on Windows. Use Office on
    > Linux. I can do the former. I can't do the latter.


    That you can't do the latter is simply a function of the unfair monopoly
    situation. (I note that you don't argue that modularity is undesirable.)
    It is not technically difficult (see Crossover Office).

    > How much harder will it be for consumers to secure their systems when
    > they have a greater variety of them?


    Not much at all, really.

    > - You also offer some suggestions for the alleged problem; here the
    > message gets muddied.
    >
    > 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
    > we'll still be at risk since those that would attack us will just do it by
    > discovering and exploiting flaws in those products.


    Obviously, going from one monoculture to another isn't going to solve the
    problem. Diversity of OS and freedom of choice are the answer.

    > 2. Government legislation is needed to control the situation. I'm not sure
    > if you're saying that Microsoft should be kicked in the pants or that we
    > just need better control over who can do what on the Internet.


    Somehow, we need to get to a situation where there is freedom of choice.


    Peter
    Peter, Oct 1, 2003
    #2

  3. Nathan Mercer

    Lennier Guest

    On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:

    > Obviously, going from one monoculture to another isn't going to solve the
    > problem.


    Agreed...

    > Diversity of OS and freedom of choice are the answer.


    Agreed.

    RedHat, Suse, Mandrake, Solaris, Slackware, Debian, SCO-Unix, AIX, HPUX.

    Nice diversity, to name but a few of the main non-Micro$oft players...

    Lennier
    Lennier, Oct 1, 2003
    #3
  4. On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:

    >> 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
    >> we'll still be at risk since those that would attack us will just do it by
    >> discovering and exploiting flaws in those products.

    >
    > Obviously, going from one monoculture to another isn't going to solve the
    > problem. Diversity of OS and freedom of choice are the answer.


    Macs are a hell of a lot harder to infect. I think there are something like
    50 viruses known, total, plus some scripting fun with MS office for
    Macintosh.


    More importantly, most users are idiots and Macs are well suited to
    idiots. They're the Kodak cameras of the computing world ("Just take the
    picture, we'll do the rest" - the slogan which made Kodak one of the
    world's largest companies(*)...)



    (*) Unfortunately they forgot the slogan and concentrated on being a film
    company. It's going to be interesting to see if they can survive the
    digital shift or if they'll go bust like Polaroid.
    Uncle StoatWarbler, Oct 1, 2003
    #4
  5. Nathan Mercer

    Mainlander Guest

    In article <>, alanb+google4@digistar.com says...
    > On Wed, 01 Oct 2003 19:58:44 +1200, Peter wrote:
    >
    > >> 1. Use a Macintosh or Linux. But oh, by the way, if all of us do that,
    > >> we'll still be at risk since those that would attack us will just do it by
    > >> discovering and exploiting flaws in those products.

    > >
    > > Obviously, going from one monoculture to another isn't going to solve the
    > > problem. Diversity of OS and freedom of choice are the answer.

    >
    > Macs are a hell of a lot harder to infect. I think there are something like
    > 50 viruses known, total, plus some scripting fun with MS office for
    > Macintosh.
    >
    >
    > More importantly, most users are idiots and Macs are well suited to
    > idiots. They're the Kodak cameras of the computing world ("Just take the
    > picture, we'll do the rest" - the slogan which made Kodak one of the
    > world's largest companies(*)...)
    >
    >
    >
    > (*) Unfortunately they forgot the slogan and concentrated on being a film
    > company. It's going to be interesting to see if they can survive the
    > digital shift or if they'll go bust like Polaroid.


    Kodak make a range of digital including some very high end pro gear.
    Mainlander, Oct 2, 2003
    #5