
Joshua
10-29-2003, 12:47 PM
==== 1. Does Microsoft Market Domination Spell Doom? ====

by Mark Minasi, Senior Contributing Editor

In late September, a group called the Computer and Communications
Industry Association (CCIA) released a report taking Microsoft to task
for the company's dominance in the industry. (You can read the report
at http://www.ccianet.org/papers/cyberinsecurity.pdf .) Although this
report is old news, it provides a new spin. The CCIA claims that
Microsoft's monopoly threatens national security. But is the computing
world getting more insecure because of Microsoft market dominance? I
think the short answer is "yes," but the more complete answer is "yes,
but we can't do much about it."

The report's writers use a biodiversity metaphor to make their
argument. Let me use the following example to explain the CCIA's
position. Suppose Monsanto uses genetic engineering to design the
perfect tomato. It tastes good, grows under a wide variety of
conditions, is disease-resistant, and yields more tomatoes per acre
than any other competitor. In just a few years, virtually all tomato
growers will have switched to this super tomato. Then a nasty tomato
pith necrosis strikes our super tomato with particular ferocity; 99
percent of the tomato crop is unusable. The loss of ketchup and salsa
(the two most popular condiments in America, I'm told) decimates
hamburger sales, the lack of tomato sauce eviscerates the pizza market
and brings sad times to Italian food lovers, and before you know it,
chaos ensues. If only some farmers had planted some other tomato. Just
a few trainloads of The Second-Best Tomato might have saved us, but
there are none.

Seriously, this is a grave concern in the biological/ecological
world. Introducing a disease into an ecosystem (or agricultural
system) with a wide variety of organisms results in far less damage
than introducing a pathogen into a system with a small number of
different genomes. But is this an appropriate analogy for computing?
Again, probably yes.

Imagine a world in the near future that mostly runs Windows NT in
some variety; then imagine a hole like the one that MSBlaster crawled
through. What if the people who discovered the MSBlaster hole didn't
tell anyone, but instead, figured out how to exploit the hole with a
destructive worm that left so many back doors behind that the only
certain way to disinfect the system would be to use FDISK and rebuild?
Imagine that the worm spreads as quickly as Slammer--which hit about
90 percent of all the systems that it would ever hit in just 7
minutes--and you have the plot of a pretty scary disaster movie. So
yes, if most of the computing world settles on Microsoft OSs, and
if Microsoft OSs continue to be vulnerable to attacks of the magnitude
of MSBlaster or Slammer, then yes, one day this scenario could happen.

How can we avoid this possible scenario? Clearly, one answer is
more "cyberdiversity." Some percentage of us should use Macs, others
Windows, and others, Linux, Solaris, HP-UX, and so on. Or a better
answer would be for every organization to use a bit of each.

By now, you're probably shaking your head, saying "he can't be
serious," and I'm not. Having to deal with interoperability problems,
whether within an organization or across organizations, just makes
computers more difficult to use, and I can't imagine anyone willingly
taking on more interoperability responsibilities. To continue the
agricultural analogy, what tomato farmer would willingly grow a tomato
with worse market and profitability potential?

I'd argue that interoperability is so much of an annoyance that
under any scenario, a population of computing users would want to
standardize on something. For example, in the absence of Microsoft
Office's dominance, I doubt that 20 percent of the world would use TeX
for their documents, 25 percent would use some kind of PDF-like tool,
40 percent would use Corel WordPerfect, and 15 percent would use some
Lotus product. People would naturally gravitate to some set of
standards, whether de facto or de jure.

If Linux or Solaris were the OS of choice for 90 percent of the
servers and desktops in the world, then we'd be just as vulnerable to
a "killer bug," unless we believe that Linux or Solaris are inherently
more bug-free and secure than Windows Server 2003, Windows XP, and
Windows 2000, and I've never seen any numbers that support that
belief.

To date, we've standardized on alternating current (AC) in our
walls rather than a mix of direct current (DC) and AC. We've also
standardized on gasoline in most of our cars' fuel tanks instead of a
mix of kerosene, jet fuel, diesel, and gasoline. We didn't arrive at
these standards because they were necessarily the best answers but
because they were good enough answers and we didn't have to worry
about a lot of compatibility problems in power. In the same way, I
believe that we'll always have a dominant OS--whatever that OS might
be--and that we'll always be vulnerable as a result.

What's the answer? Yes, we've seen some pretty scary bugs in the
past few years in the Microsoft, Solaris, and Linux worlds, but the
strides that Microsoft has taken in automated patching tools are steps
in the right direction. The company has a long way to go--patching
feels as if it's in the DOS 2.1 days right now--but Microsoft knows
that it's in the security spotlight and it had better solve the
patching problem once and for all. If it doesn't solve the patching
problem, then the Solaris and Linux guys might.

DaFunkyUnit
10-29-2003, 12:56 PM
:boring:

Joshua
10-29-2003, 05:35 PM
Hmmm, I personally found it very interesting with many good points. ...But that's just me. :D