Information Security News mailing list archives

Security Report Puts Blame on Microsoft


From: InfoSec News <isn () c4i org>
Date: Wed, 24 Sep 2003 00:33:11 -0500 (CDT)

http://www.washingtonpost.com/wp-dyn/articles/A54872-2003Sep23.html

By Jonathan Krim
Washington Post Staff Writer
Wednesday, September 24, 2003

Viruses, worms and other cyber-attacks that are crippling computers 
with increasing frequency cannot be stopped as long as the software of 
one company -- Microsoft Corp. -- dominates computing, according to a 
paper prepared by corporate technology officers and researchers.

"The security situation is deteriorating," says the report, which is 
to be released today. With Microsoft operating systems used on more 
than 90 percent of the world's personal computers, the authors write, 
most computers are vulnerable to attack and networks are easily 
compromised. 

The report, whose authors include prominent critics of Microsoft, 
comes at a sensitive time for the company. It is under intense 
criticism for security flaws in its software despite repeated pledges 
from Chairman Bill Gates and chief executive Steven A. Ballmer to make 
security the company's top priority.

"No other company in the world is more committed to providing its 
customers with more secure software than is Microsoft," said Sean 
Sundwall, a company spokesman. He said he could not comment further 
until the paper is released. 

Since the recent spread of the Sobig, Blaster and Slammer worms, 
federal and state officials have questioned cybersecurity more 
critically. Many technology officers for companies and governments are 
reconsidering whether they should diversify the types of products on 
their networks.

The paper argues that governments, through their power to decide what 
software to buy for their systems, should force Microsoft to reveal 
more of its software code to allow development of better security 
tools, and to make its software work better with competing products.

Policymakers must "confront the security effects of monopoly and 
acknowledge that competition policy is entangled with security policy 
from this point forward," the paper says.

The technology industry generally opposes government regulation and 
favors allowing the marketplace and technological innovation to create 
solutions to problems. Under the free-market theory, if a company's 
products are flawed, consumers will buy others that are superior.

But Microsoft has virtually no competition for PC operating systems, 
and people who break into computer systems or write worms and viruses 
are more technologically adept than many software manufacturers.

"I don't hold to the theory that technology always beats policy," said 
Daniel E. Geer Jr., one of the paper's authors and chief technology 
officer for AtStake Inc., a business-security firm in Massachusetts.

The report is being released by the Computer and Communications 
Industry Association, a trade group that is involved in antitrust 
action against Microsoft in the United States and Europe. Other 
authors include Charles P. Pfleeger of Exodus Communications Inc.; John 
S. Quarterman, founder of Matrix NetSystems Inc.; Rebecca Bace, chief 
executive of network security firm Infidel Inc., and Peter Gutmann, a 
computer science researcher at the University of Auckland in New 
Zealand.

Geer said the paper grew out of his ideas and discussions among 
security executives and academics about the increase in security 
threats and was not instigated by the association. 

"Nature does not put up with monocultures" because they are too easy 
to attack, Geer said. "If everything looks just alike . . . it will 
promptly be punished."

Another author of the paper, Bruce Schneier, chief technology officer 
of Counterpane Internet Security Inc., is a longtime Microsoft 
antagonist who has argued that the company should be held financially 
liable for its security flaws.

Computer users generally agree to terms that absolve software makers 
of liability, which Microsoft's critics argue gives the company no 
incentive to be more vigilant about security.

Schneier said the problem with Microsoft is that it is so intent on 
being dominant that it designs its systems primarily to keep out 
competitors, not intruders. 

"Their goal is to facilitate lock-in" of Microsoft products, he said.



-
ISN is currently hosted by Attrition.org
