Critique of CyberInsecurity report
The CyberInsecurity essay is available at http://www.ccianet.org/papers/cyberinsecurity.pdf. A few comments: Overall, this is a terrible analysis with a misguided solution which, if adopted, would only make things worse. It is shocking to see the well known figures who have allowed their names to be attached to this document. Apparently hatred of Microsoft runs so deep that people are unable to think critically when presented with an analysis that attacks the company. We saw the same thing with the absurd lies and exaggerations about Palladium last year.
The threats to international security posed by Windows are significant, and must be addressed quickly. We discuss here in turn the problem in principle, Microsoft and its actions in relation to those principles, and the social and economic implications for risk management and policy. The points to be made are enumerated at the outset of each section, and then discussed.
Let's look at these three portions. The "problem in principle", according to the report, is the existence of a monoculture, which should be addressed by diversification. There are nonsense figures in here that claim to quantify the "power" of the net, using absurd, handwavey formulations like Metcalfe's Law or Reed's Law. (Reed's so-called Law is a joke, predicting that the Internet will be 228 quadrillion times more "powerful" in 10 years if the number of systems increases 50% per year!) This is not logic, this is not reason, it is just rhetoric. But the fundamental problem with the analysis here, which is what makes the report's recommendation so misguided, is the claim that diversification will somehow solve the problem. In fact, diversification will make it worse, as a moment's thought should make clear. Let's suppose that the government stepped in, and the kind, wise government bureaucrats we all know and love so well decided to aid disadvantaged operating systems. This affirmative action program is so effective that after many years, Microsoft has only a third of the market; Macs have another third; and Linux has most of the remaining third. Wow, the problem is solved, right? Wrong. With the number of systems on the net growing rapidly, any realistic extrapolation leaves the number of Windows systems as being even larger than today. Hence we face at least as much exposure as at present, which the evidence has shown is more than enough to cause tremendous economic damage. And in fact, it is worse, because any flaws in the Mac or Linux OSs will now be just as dangerous as for Windows! What we will face is a situation where the *weakest* of the widely used OS's will determine the risk factor for the system as a whole. This is not the kind of redundancy which reduces risk. There is no effective way that the presence of other architectures is going to prevent a virus or worm from being able to spread just as rapidly as today.
That error is the most fundamental in the report, but let's turn to their analysis of Microsoft's dominance, where again they have utterly missed the obvious truth. The report claims that the reason for Microsoft's dominance in OS is due to what it calls application lock-in, which is a nasty way of saying that people prefer Windows because they want to use applications that are only available on that architecture. This part is obviously true. But the report tries to link this to the claim that this is all due to Microsoft's strategy to tightly integrate applications and the operating system, which is absurd. In the first place, many of the most popular applications which drive people to choose Windows aren't even from Microsoft. Games, business software, web utilities: there are thousands of popular programs which are only available on the Windows architecture. These programs aren't built into the OS, but instead the companies making this software have chosen Windows because it is popular, has good development tools, and in the early days was easier to write for (remember that up until a few years ago, the Mac lacked preemptive multitasking, and Linux wasn't even a blip on the radar). In the second place, Microsoft does in fact make some of its most popular applications available on the Mac. Office and its predecessors, and IE, have been available for many years on that platform. These apps are not locked to the OS as the report claims. And in the third place, the real reason why Microsoft preferentially supports Windows is not due to technical integration with the OS, but for the obvious economic reason that the Windows OS is made by the same company as Windows apps, so it makes sense for the latter to support the former. This fact is so utterly obvious that it is astonishing that the report manages to miss it.
The natural strategy for a monopoly is user-level lock-in and Microsoft has adopted this strategy. Even if convenience and automaticity for the low-skill/no-skill user were formally evaluated to be a praiseworthy social benefit, there is no denying the latent costs of that social benefit: lock-in, complexity, and inherent risk.
Here the report manages to touch upon a particularly important point, but as usual to miss its significance. The point is that Microsoft's security vulnerabilities are due to the fact that it is making its software easy to use. But that is one of the main reasons it is so successful! Believe it or not, people like software that is usable and has features they need. Doing so is difficult and makes software more complex. By adopting this strategy, Microsoft has inevitably acquired security vulnerabilities over the years. What the report misses, then, is that any other OS or company which adopts the same strategy is going to face the same problem. But companies are going to be forced to make their software easier to use and more complex in order to compete with Microsoft, even if the report's recommendations were adopted. This is going to add to the problem noted above, that the other OS's are going to have security vulnerabilities as well, once they are widely used. What the authors appear to really want is to somehow change software development methodology so that security takes precedence over features. As a security professional who has worked for many years on consumer products, I am well aware of the tension that exists within corporations between these two competing goals. It is perhaps understandable that others in our field are trying to win this argument by government fiat. The authors are in effect saying that they know better than the end users what is important; that if customers prefer that their word processors are functional, their wishes would be overridden in order to make the programs more secure. Even if we accept this argument (the morality of which is highly questionable), forcing Microsoft to port Office to Linux isn't going to do a single thing to accomplish it! As noted above, the only effect is going to be more pressure on the newly enfranchised OS's to become more like Microsoft in order to compete, that is, to add features and complexity. 
Ultimately, those are the preferences of the people buying the computers, and no amount of pontificating by the authors of this report is going to change those economic incentives. Turning to the third section of the report, the authors contradict themselves by claiming that Microsoft will not change its habits, while at the end of the second section they just listed several important changes. Microsoft's trustworthy computing initiative, its introduction of delays in product release in order to address security goals, and its work towards a secure computing base are all changes that indicate that Microsoft is taking a much more serious attitude towards security. But rather than give the company a chance to see what it can do in terms of making its products more secure, the report proposes to force Microsoft to reorient its development efforts towards making Mac and Linux versions of all its software, as if that will solve anything:
Microsoft should be required to support a long list of applications (Microsoft Office, Internet Explorer, plus their server applications and development tools) on a long list of platforms. Microsoft should either be forbidden to release Office for any one platform, like Windows, until it releases Linux and Mac OS X versions of the same tools that are widely considered to have feature parity, compatibility, and so forth.
The arrogance of this proposal is beyond belief. One of the most successful companies in the world, one which even the report admits has specialized in making software easy to use and meeting the needs and requirements of end users, is expected to reorient its development efforts and port its massive software base to a "long list" of platforms. No consideration is given to the costs of this government-imposed mandate. No concern is expressed about the impact on end users who have come to appreciate Microsoft's increasingly functional applications. Ironically, no one even seems to realize that resources spent doing these ports may well detract from Microsoft's current efforts to refocus on security improvements! Forcing the company to change direction like this is likely to weaken security, not improve it. The lack of any strong evidence that these drastic measures will improve the security of the net as a whole demonstrates that this is an ideological report rather than a technical one. Hand-waving about diversification does not answer the point. Realistically, even if the net does become more diversified (which will probably happen, gradually and naturally, without Draconian government regulation), we are still going to have a relatively limited number of architectures that are popular. That's just the way markets work; there is only a limited amount of public attention to go around, and in most markets there are only a few companies which claim the majority of the market share. The result is that we will have a system where, as pointed out above, not one but several architectures are each widespread enough to bring the net to its knees when an exploit is discovered. This network will only be as strong as its weakest link. Diversity, in this context, is a risk factor, not a risk mediator. In summary, this report is misguided and mistaken on so many levels that it is astonishing that such well respected figures were willing to put their names to it. 
The analysis is flawed or missing. The recommendations are harsh, extreme and premature. And ultimately their proposals will only serve to make the problem worse, not better.
On Fri, Sep 26, 2003 at 12:47:38AM +0200, futureworlds wrote:
> Overall, this is a terrible analysis with a misguided solution which, if adopted, would only make things worse. It is shocking to see the
Please describe, how exactly it would be worse. We're kinda curious.
> well known figures who have allowed their names to be attached to this document. Apparently hatred of Microsoft runs so deep that people are unable to think critically when presented with an analysis that attacks the company. We saw the same thing with the absurd lies and exaggerations about Palladium last year.
It's a *tiny* *little* bit premature to conclude that, don't you think? Now your rhetoric does strike me as pro-establishment, if not outright as a Redmond mole. Kindly go insert your troll stick elsewhere.
> Let's look at these three portions. The "problem in principle", according to the report, is the existence of a monoculture, which should be addressed by diversification. There are nonsense figures in here
Nonsense, my ass. Go ask your nearest friendly biologist and immunologist/epidemiologist about the value of diversity.
> that claim to quantify the "power" of the net, using absurd, handwavey formulations like Metcalfe's Law or Reed's Law. (Reed's so-called Law is a joke, predicting that the Internet will be 228 quadrillion times more "powerful" in 10 years if the number of systems increases 50% per year!) This is not logic, this is not reason, it is just rhetoric.
If you don't see that the value of the network increases with its size what exactly are you doing in that thar Innurnet here? Ah, you just don't understand this nonlinear metric thing. I see. Just log it, if it will make you more comfortable.
> But the fundamental problem with the analysis here, which is what makes the report's recommendation so misguided, is that claim that diversification will somehow solve the problem. In fact, diversification will make it worse, as a moment's thought should make clear.
Don't put all your eggs in one basket. If it breaks, all will be lost. Dilute susceptible systems with inert (immune) ones. That'll take care of kinetics (local loop systems are tightly coupled, so there's a distance even though there's a 95% global connectivity). Hardly takes a five-sigma egghead to grok it, right?
> Let's suppose that the government stepped in, and the kind, wise government bureaucrats we all know and love so well decided to aid disadvantaged operating systems. This affirmative action program is so
Disadvantaged? Sure, open source has eaten a few industry branches alive, and now we've got a monopolist shitting their pants because they know they can't compete on the middle run. Yawn. Governments are adopting it, resulting in fax effect? Good, that will accelerate the inevitable.
> effective that after many years, Microsoft has only a third of the market;
Half a decade sounds about right. You'll see a lot more players than just *BSD derivatives in the dominating 2/3rds, though.
> Macs have another third; and Linux has most of the remaining third. Wow, the problem is solved, right?
Just three systems are not enough diversity by far. Ten would be better. It'd be nice to have it run on diversified hardware as well, and offer stack protection and several iterations of security-conscious redesign steps. However, worse is better, so we'll probably see only a slight improvement over the status quo. It would sure be nice to see liability for commercial software products, though.
> Wrong. With the number of systems on the net growing rapidly, any realistic extrapolation leaves the number of Windows systems as being even larger than today. Hence we face at least as much exposure as at present, which the evidence has shown is more than enough to cause tremendous economic damage.
Bullcrap once again. A fraction of all systems will be taken out, with a much slower kinetics due to the phlegmatizing aspect of dilution (look up phlegmatization in HE chain reaction context). Moreover, the mission critical stuff *will* be running hardened systems after a few rounds of the current worm roulette. Everybody else would be taken out of circulation. Let's see how much pressure businesses need to start adapting rational strategies instead of the current snakeoil jacuzzi. (Probably, a lot).
> And in fact, it is worse, because any flaws in the Mac or Linux OSs will now be just as dangerous as for Windows! What we will face is a situation where the *weakest* of the widely used OS's will determine the risk factor for the system as a whole.
I'm distinctly underwhelmed with the logic of the remainder of the diatribe, so I won't address it.
Look, the answers are excruciatingly simple:

1. your email should not execute.
2. your web browser should not be able to run script that can access anything other than content that came from that server - or in the least that domain -- especially not your hard drive. Things like ActiveX are a security nightmare.
3. your machine should not serve any services to the outside world that it doesn't need to.

It doesn't matter what OS you run, the above are all still true. Do that, and 90% of insecurity goes away. Add buffer overflow protections, and another 5% goes away. Add parameter checking to libraries, good security permissions on file systems and other objects, and things like per process capabilities limitations, and another 4% goes away.

If you run a network of unhardened Macs, Linux boxes, FreeBSD or even OpenBSD boxes, you may as well hang up a sign that says "break in please." All of this has been previously dealt with elsewhere, and it isn't that hard to grok. The only reason to criticize the redmond beast that should not be is points 1-3. The paragraph following it hasn't been implemented anywhere that's widely in use. Things like SE Linux and OBSD have attempted some of them and succeeded, but they're not as widely used as they should be.

Worrying about what percentage of machines are hetero vs. homogeneous is a waste of time. Do you run Linux or MacOS X? Did you bother to upgrade OpenSSH last week? No? Is ssh open for anyone on the internet to access? Well then, you're fucked, and you're not even running Windows! If someone breaks into a windows 95 machine on your network whose owner has access to files vital to your company's existence, the potential to break into the server is already there. Don't just harden SOME machines and your firewall, harden them all.

A simple activeX component off some rogue web page is enough to take over a lame little win9x machine. Example: Ever seen WebX? - it's like PCAnywhere, or VNC or TimbukTu, only it works over the web. A user just goes to a web page, and a user at the other end can take over their machine because IE allows such software to run! Ok, at least WebX is a commercial product designed to provide tech support, and asks if it's ok to allow it, but if it's technically possible to do it for legitimate reasons, it's technically feasible to do it for rogue reasons too. Worms aren't the only problems out there.

----------------------Kaos-Keraunos-Kybernetos---------------------------
+ ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless!
--------_sunder_@_sunder_._net_------- http://www.sunder.net ------------
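Of Sunder's three points, the third (don't serve anything to the outside world you don't need to) is the one that turns most directly into a check you can run on every box, not just "SOME machines". The script below is an added example for this thread, not code from any of the participants or from the CyberInsecurity report. It assumes the column layout of Linux `ss -ltnu` output (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); the sample output embedded in it is constructed, and the allowlist of services the host is meant to offer (SSH only) is an assumption for the example. The same logic applies to `netstat -ano` on Windows once the address column is parsed; only the column positions differ.

```python
"""Audit a host's listening sockets for services exposed beyond loopback.

Added example: parses `ss -ltnu`-style output (Linux column layout assumed)
and flags every listener bound to a wildcard or non-loopback address that is
not on an explicit allowlist of (protocol, port) pairs the host should serve.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the column layout of `ss -ltnu`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128    [::]:445             [::]:*
tcp   LISTEN 0      64     192.168.1.10:5900    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111          0.0.0.0:*
udp   UNCONN 0      0      [::1]:323            [::]:*
"""

# Local address column: "[v6]:port" or "v4:port" (older ss prints "*:port").
_LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


@dataclass(frozen=True)
class Listener:
    proto: str  # "tcp" or "udp"
    addr: str   # bind address as printed by ss ("*" for the old wildcard form)
    port: int

    @property
    def externally_reachable(self) -> bool:
        """True unless the socket is bound to a loopback address only.

        Wildcards ("*", 0.0.0.0, ::) and any concrete non-loopback address
        accept connections from other hosts.
        """
        if self.addr == "*":
            return True
        try:
            return not ipaddress.ip_address(self.addr).is_loopback
        except ValueError:
            # Unrecognised address form: report it rather than assume it is safe.
            return True


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract listening sockets; skips the header and non-LISTEN TCP rows."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue
        m = _LOCAL_RE.match(local)
        if m is None:
            continue  # e.g. "*:*" placeholders
        addr = m.group("v6") or m.group("v4")
        listeners.append(Listener(proto, addr, int(m.group("port"))))
    return listeners


def audit(ss_output: str, allowed: set[tuple[str, int]]) -> list[Listener]:
    """Listeners reachable from other hosts that are not on the allowlist."""
    return [
        l for l in parse_listeners(ss_output)
        if l.externally_reachable and (l.proto, l.port) not in allowed
    ]


def live_ss_output() -> Optional[str]:
    """Run ss on a Linux host; None if unavailable so the sample is used instead."""
    try:
        return subprocess.run(
            ["ss", "-ltnu"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Assumed allowlist for the example: this host is meant to offer SSH only.
    ALLOWED = {("tcp", 22)}
    output = live_ss_output() or SAMPLE_SS_OUTPUT
    for l in audit(output, ALLOWED):
        print(f"EXPOSED {l.proto}/{l.port} bound to {l.addr}")
```

On the constructed sample the audit reports three exposures: SMB on [::]:445 and VNC on 192.168.1.10:5900 (both reachable by any host that can route to the box) and portmapper on UDP 111; CUPS on 127.0.0.1:631 and chrony on [::1]:323 are loopback-only and pass. A concrete bind address such as 192.168.1.10 is deliberately treated as exposed, since Sunder's point is that an internal LAN address is no protection once a single win9x box on the same network is owned.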
Participants (3): Eugen Leitl, futureworlds, Sunder