Critique of CyberInsecurity report

Eugen Leitl eugen at leitl.org
Fri Sep 26 13:10:55 PDT 2003


On Fri, Sep 26, 2003 at 12:47:38AM +0200, futureworlds wrote:

> Overall, this is a terrible analysis with a misguided solution which,
> if adopted, would only make things worse.  It is shocking to see the

Please describe how exactly it would be worse. We're kinda curious.

> well known figures who have allowed their names to be attached to this
> document.  Apparently hatred of Microsoft runs so deep that people are
> unable to think critically when presented with an analysis that attacks
> the company.  We saw the same thing with the absurd lies and exaggerations
> about Palladium last year.

It's a *tiny* *little* bit premature to conclude that, don't you think?
Now your rhetoric does strike me as pro-establishment, if not outright
as a Redmond mole. Kindly go insert your troll stick elsewhere.

> Let's look at these three portions.  The "problem in principle",
> according to the report, is the existence of a monoculture, which should
> be addressed by diversification.  There are nonsense figures in here

Nonsense, my ass. Go ask your nearest friendly biologist and
immunologist/epidemiologist about the value of diversity.

> that claim to quantify the "power" of the net, using absurd, handwavey
> formulations like Metcalfe's Law or Reed's Law.  (Reed's so-called Law is
> a joke, predicting that the Internet will be 228 quadrillion times more
> "powerful" in 10 years if the number of systems increases 50% per year!)
> This is not logic, this is not reason, it is just rhetoric.

If you don't see that the value of the network increases with its size
what exactly are you doing in that thar Innurnet here? Ah, you just
don't understand this nonlinear metric thing. I see. Just log it, if
it will make you more comfortable.

> But the fundamental problem with the analysis here, which is what
> makes the report's recommendation so misguided, is the claim that
> diversification will somehow solve the problem.  In fact, diversification
> will make it worse, as a moment's thought should make clear.

Don't put all your eggs in one basket. If it breaks, all will be lost.

Dilute susceptible systems with inert (immune) ones. That'll take
care of kinetics (local loop systems are tightly coupled, so there's
a distance even though there's a 95% global connectivity).

Hardly takes a five-sigma egghead to grok it, right?

> Let's suppose that the government stepped in, and the kind, wise
> government bureaucrats we all know and love so well decided to aid
> disadvantaged operating systems.  This affirmative action program is so

Disadvantaged? Sure, open source has eaten a few industry branches alive,
and now we've got a monopolist shitting their pants because they know
they can't compete on the middle run. Yawn. Governments are adopting it,
resulting in a fax effect? Good, that will accelerate the inevitable.

> effective that after many years, Microsoft has only a third of the market;

Half a decade sounds about right. You'll see a lot more players than
just *BSD derivatives in the dominating 2/3rds, though.

> Macs have another third; and Linux has most of the remaining third.
> Wow, the problem is solved, right?

Just three systems are not enough diversity by far. Ten would be better.
It'd be nice to have it run on diversified hardware as well, and offer
stack protection and several iterations of security-conscious redesign
steps.

However, worse is better, so we'll probably see only a slight improvement
over the status quo. It would sure be nice to see liability for commercial
software products, though.

> Wrong.  With the number of systems on the net growing rapidly, any
> realistic extrapolation leaves the number of Windows systems as being
> even larger than today.  Hence we face at least as much exposure as
> at present, which the evidence has shown is more than enough to cause
> tremendous economic damage.

Bullcrap once again. A fraction of all systems will be taken out, with
much slower kinetics due to the phlegmatizing aspect of dilution (look
up phlegmatization in the HE chain reaction context). Moreover, the mission
critical stuff *will* be running hardened systems after a few rounds of
the current worm roulette. Everybody else would be taken out of circulation.
Let's see how much pressure businesses need to start adapting rational
strategies instead of the current snakeoil jacuzzi. (Probably, a lot).

> And in fact, it is worse, because any flaws in the Mac or Linux OSs
> will now be just as dangerous as for Windows!  What we will face is a
> situation where the *weakest* of the widely used OS's will determine
> the risk factor for the system as a whole.

I'm distinctly underwhelmed with the logic of the remainder of the
diatribe, so I won't address it.
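Added below as an illustration of the "dilution slows the kinetics" argument made above; it is not part of either poster's text or of the report. It is a mean-field SI worm model in Python whose host count, scan rate, seed size and the assumption that a worm can only infect the single platform it targets are constructed parameters, not figures from the thread.

```python
"""Mean-field model of worm spread under platform diversity.

Constructed illustration (not from the thread or the report): N hosts, a
fraction `share` of which run the one platform the worm can exploit; the
rest are immune to it.  Each infected host probes `scan_rate` random
addresses per tick, infecting any still-susceptible host it reaches.
This is the textbook SI epidemic with the susceptible pool scaled by the
vulnerable platform's market share.
"""


def simulate(share, scan_rate=2.0, n_hosts=1_000_000, seed_infected=10,
             max_ticks=100_000):
    """Return (ticks until 90% of vulnerable hosts are infected,
    final infected fraction of *all* hosts)."""
    if not 0.0 < share <= 1.0:
        raise ValueError("share must be a market-share fraction in (0, 1]")
    susceptible = share * n_hosts - seed_infected
    infected = float(seed_infected)
    target = 0.9 * share * n_hosts
    ticks_to_target = None
    for tick in range(1, max_ticks + 1):
        # A random probe lands on a still-susceptible host with probability
        # susceptible / n_hosts; cap so we never infect more than remain.
        new = min(susceptible, infected * scan_rate * susceptible / n_hosts)
        infected += new
        susceptible -= new
        if ticks_to_target is None and infected >= target:
            ticks_to_target = tick
        if susceptible < 1.0:  # fewer than one host left to infect
            break
    return ticks_to_target, infected / n_hosts


def diversification_report(shares, **kw):
    """For each platform share, the spread speed and the ceiling on total
    damage a single-platform worm can do; the largest share is the
    'weakest link' case the quoted poster worries about."""
    return {s: simulate(s, **kw) for s in shares}


if __name__ == "__main__":
    # Monoculture (95% on one platform) vs. the thread's three-way split.
    for share, (ticks, hit) in diversification_report([0.95, 0.33]).items():
        print(f"share={share:.2f}: 90% of vulnerable hosts infected after "
              f"{ticks} ticks; {hit:.0%} of all hosts infected")
```

Lower share both slows the exponential phase (growth per tick is roughly scan_rate * share) and caps total damage at the vulnerable platform's share, which is the two effects the reply attributes to dilution.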
