[ISN] Commentary: The Threat Of Microsofts .Net

From: InfoSec News (isnat_private)
Date: Fri Oct 26 2001 - 02:26:24 PDT

  • Next message: InfoSec News: "[ISN] White House asks industry to develop secure federal network"

    For more than two centuries Americans have prided themselves on
    protecting their freedom by limiting the concentration of power. With
    its famous balance of power, the U.S. Constitution divides federal
    power among the three branches of government, while the Bill of Rights
    provides other checks all of which have served the country well.
    With new threats have come new protections. In the nineteenth century,
    corporations grew and multiplied, and some amassed the kind of power
    we had always sought to limit in our own government. Anti-trust laws
    were passed to guarantee that commercial power would be distributed
    among competing companies in every sector of business.
    These protections have also served us well.
    But now a new threat has arisen that may be less obvious but more
    While computer and communication technology have enhanced our lives in
    many ways, they have also caused fundamental changes that make
    protecting ourselves from the concentration of power more
    difficult--in part because these technologies have made it feasible to
    build organizations that are larger and more globally-distributed than
    ever before. The result: we need to be more alert to potential abuses
    of power.
    The fact that everything is interconnected makes it possible to
    concentrate power in a new way. A business that holds a monopoly in
    one area may be able to use its influence to extend its monopoly in
    entirely new ways. This is what is happening as Microsoft attempts to
    extend its monopoly over personal computer operating systems into the
    Internet world.
    Microsoft .NET (pronounced dot net') is a far-reaching project to
    channel the personal information of all customers who browse, shop,
    and congregate on the Internet into Microsoft or Microsoft-controlled
    companies. It is made up of components: Passport establishes an
    individual's identity on the Internet .NET My Services collects
    various pieces of private information--including .NET Contacts, .NET
    Location, .NET Inbox, .NET Documents, .NET Devices, and .NET Wallet.
    The control over computer software that Microsoft has achieved through
    its dominance of operating systems has limited competition and
    innovation throughout the computer field.  Through .NET, it is
    attempting to exert the same control over all Internet commerce. Just
    as kings got to grant or deny royal charters to businesses, the
    Redmond giant, if successful, may be able to say who can do business
    on the Net and who can't.
    But there is another and more immediate problem with .NET--something
    that could evolve from a problem to a national crisis even if
    Microsoft is well behaved or well regulated in the use of its new
    powers.  That is the problem of security, as opposed to privacy.
    What is the difference? If Microsoft knows everything about
    everyone--and the information being collected by Passport and My
    Services make that look quite likely--the company could still be
    constrained in how it uses that information by laws or corporate
    privacy policies. That presupposes, however, that Microsoft is
    actually in control of the information it has collected.
    Microsofts security record is nothing to brag about. Windows is the
    most widely used yet one of the least secure operating systems around.
    Microsoft programs have shown themselves vulnerable to worms, viruses,
    and break-ins, on Microsoft's own computers and on everybody else's.
    The Melissa virus spread through Microsoft's word processing and
    e-mail programs, sending itself to the first 50 people in each of the
    infected machine's address lists. A year later the ILOVEYOU virus
    infected the Web through a different part of Microsofts e-mail
    package. More recently Microsoft's own internal systems were hacked,
    and the intruders spent over a month accessing system source code,
    likened to Microsoft's crown jewels, before their unlawful entry was
    Why should Passport be any different? Early security analyses show
    that compromises made for the sake of universal availability make
    Passport less secure than it might have been, less secure than it
    should be, and perhaps just plain insecure. The My Services databases
    will be a particularly ripe target for hackers. (Since all users of
    Microsoft's free Hotmail service have Passports, many unknowingly,
    there are already 160 million Passport users.)
    Remember, Willie Sutton used to rob banks because that's where the
    money is.
    Suppose that in a year or two Microsoft has succeeded in funneling the
    lion's share of information about people's identities, preferences,
    financial assets, and shopping habits to itself and putting them all
    in one big database. If Microsoft can't protect its own systems: what
    hope is there for Microsoft databases that will contain the credit,
    locations, and private files of millions upon millions of users?
    Suppose somebody breaks in. Everyone's personal and financial
    information would suddenly be in the hands of the intruders. Or
    worse--they could be scattered about in a series of resulting
    malfunctions. The extent of the financial, social, and political
    disaster that could result is hard to imagine.
    If history has shown us anything, it's that the best protection lies
    in decentralizing power and promoting competition. We need to take the
    same approach to our digital identities and make sure that who and
    what we are is not held captive by a single entity.
    Whitfield Diffie and Susan Landau are respectively distinguished
    engineer and senior staff engineer at Sun Microsystems and co-authors
    of Privacy on the Line: The Politics of Wiretapping and Encryption,
    MIT Press, 1998. Diffie is also the co-inventor of public-key
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 04:25:02 PDT