[ISN] Security Report Puts Blame on Microsoft

From: InfoSec News (isn@private)
Date: Tue Sep 23 2003 - 22:33:11 PDT

    By Jonathan Krim
    Washington Post Staff Writer
    Wednesday, September 24, 2003
    Viruses, worms and other cyber-attacks that are crippling computers 
    with increasing frequency cannot be stopped as long as the software of 
    one company -- Microsoft Corp. -- dominates computing, according to a 
    paper prepared by corporate technology officers and researchers.
    "The security situation is deteriorating," says the report, which is 
    to be released today. With Microsoft operating systems used on more 
    than 90 percent of the world's personal computers, the authors write, 
    most computers are vulnerable to attack and networks are easily 
    The report, whose authors include prominent critics of Microsoft, 
    comes at a sensitive time for the company. It is under intense 
    criticism for security flaws in its software despite repeated pledges 
    from Chairman Bill Gates and chief executive Steven A. Ballmer to make 
    security the company's top priority.
    "No other company in the world is more committed to providing its 
    customers with more secure software than is Microsoft," said Sean 
    Sundwall, a company spokesman. He said he could not comment further 
    until the paper is released. 
    Since the recent spread of the Sobig, Blaster and Slammer worms, 
    federal and state officials have questioned cybersecurity more 
    critically. Many technology officers for companies and governments are 
    reconsidering whether they should diversify the types of products on 
    their networks.
    The paper argues that governments, through their power to decide what 
    software to buy for their systems, should force Microsoft to reveal 
    more of its software code to allow development of better security 
    tools, and to make its software work better with competing products.
    Policymakers must "confront the security effects of monopoly and 
    acknowledge that competition policy is entangled with security policy 
    from this point forward," the paper says.
    The technology industry generally opposes government regulation and 
    favors allowing the marketplace and technological innovation to create 
    solutions to problems. Under the free-market theory, if a company's 
    products are flawed, consumers will buy others that are superior.
    But Microsoft has virtually no competition for PC operating systems, 
    and people who break into computer systems or write worms and viruses 
    are more technologically adept than many software manufacturers.
    "I don't hold to the theory that technology always beats policy," said 
    Daniel E. Geer Jr., one of the paper's authors and chief technology 
    officer for AtStake Inc., a business-security firm in Massachusetts.
    The report is being released by the Computer and Communications 
    Industry Association, a trade group that is involved in antitrust 
    action against Microsoft in the United States and Europe. Other 
    authors include Charles P. Pfleeger of Exodus Communications Inc.; John 
    S. Quarterman, founder of Matrix NetSystems Inc.; Rebecca Bace, chief 
    executive of network security firm Infidel Inc., and Peter Gutmann, a 
    computer science researcher at the University of Auckland in New 
    Geer said the paper grew out of his ideas and discussions among 
    security executives and academics about the increase in security 
    threats and was not instigated by the association. 
    "Nature does not put up with monocultures" because they are too easy 
    to attack, Geer said. "If everything looks just alike . . . it will 
    promptly be punished."
    Another author of the paper, Bruce Schneier, chief technology officer 
    of Counterpane Internet Security Inc., is a longtime Microsoft 
    antagonist who has argued that the company should be held financially 
    liable for its security flaws.
    Computer users generally agree to terms that absolve software makers 
    of liability, which Microsoft's critics argue gives the company no 
    incentive to be more vigilant about security.
    Schneier said the problem with Microsoft is that it is so intent on 
    being dominant that it designs its systems primarily to keep out 
    competitors, not intruders. 
    "Their goal is to facilitate lock-in" of Microsoft products, he said.