Andrew Plato wrote:

>Among many flaws, the report almost totally ignores the myriad of 3rd
>party technologies that can make Windows systems more secure.
>

The main thrust <http://dc.internet.com/news/article.php/3083121> of the report is that monoculture is devastatingly dangerous. Geer has said publicly <http://boston.internet.com/news/article.php/3084381> that a Linux monoculture of the same magnitude would be just as bad. However, the nature of Linux and Microsoft with respect to monoculture. Linux's open source allows and encourages forks, and so even a Linux monoculture would be running a lot of different versions. Microsoft, in contrast, works hard to lock customers into Microsoft products and protocols, and engages various semi-synthetic mechanisms to try to force as many users as possible to the current version. So the threat of a Microsoft monoculture is greater than Linux, both actual and potential.

> Hence,
>their models are fundamentally flawed. They are based on the assumption
>that NOBODY secures their Windows systems.
>

No, they are based on the assumption that *many* people don't secure their Windows systems, which is quite different. In fact, it is manifestly obvious that most people <http://www.usenix.org/events/sec03/tech/rescorla.html> don't secure their systems, regardless of what kind they are.

>This is a good example of one of the chief problems with information
>security research. Many of the theories about information security are
>only relevant in academic settings. In practice, these theories erode
>and have much less relevance.
>

Geer is not an academic. He was CTO of a large infosec consultancy company, essentially a much larger version of Anitian. In fact, all of the other report authors (except Gutmann) are similarly industrial leaders, not academics.

>In this report, the authors talk about the possibility of crafting an
>exploit that could wipe out or cause massive failure of Windows systems.
>

Like Code Red, Nimda, Sapphire, and Blaster, each of which was capable of wiping out most Windows systems, and did. Seems like a pretty credible claim.

>While it is theoretically possible that such a virus could bring the world
>to its knees, the practical reality is not as dire.
>

It may not have happened yet, but that's because Windows is right now on a steep tangent of moving into the embedded world. Most embedded systems right now are not running Windows, but there is big growth in embedded Windows systems. So it very well might be just around the corner.

When the August NE American blackout happened, there was a significant report of some of the power grid being controlled by a Windows RPC DCOM system, which is precisely the Windows component that Blaster exploited. This may not have been the proximate cause of the blackout, but there's essentially no reason why it could not have been.

> There are numerous
>independent mechanisms in operation that can prevent and stop the
>widespread distribution of this theoretical virus. Most of these
>independent mechanisms do not rely on Windows at all.
>

And the 5% or so of Windows users who deploy these tools will be safe, at least from direct attack. I'm running a Linux system that is entirely safe from the Swen virus, and still I am laboring under a 300% increase in mail traffic for the last week due entirely to that single virus.

>I know it sounds like it, but I am not defending Microsoft.
>

It sure does sound like it :)

> I'm the
>first to admit that Microsoft is a big part of the security problems out
>there. But security is a bigger issue than just Microsoft. Microsoft
>might be a 900 lb gorilla, but that doesn't mean there isn't plenty of
>800lb and 725lb gorillas out there that are equally as bug-riddled as
>Microsoft.
>

I disagree with the analogy. MS is the 900 lb gorilla, and the rest of the problems are spider monkeys.
MS has:

* a near monopoly on desktops
* a near monopoly on document systems (Word, PowerPoint, Excel)
* the #1 position in servers
* the absolute worst security of all popular systems, by a long, long way

I submit that security incidents & problems induced by Microsoft are greater than the sum of all other problems combined. An easy claim to back up, when you consider that most security incidents are cleaning up virus-infected desktops.

>The other problem with this report is how it fuels a lot of holy war
>reasoning. While it might be trendy to bash Microsoft, that trendiness
>does not translate into a server room full of systems.
>

It is only "trendy" if you think 15 years is a "trend" :)

>Technology holy wars are entertaining distractions for newsgroups and
>beer-fueled pub rants, but when it comes time to make a business work,
>holy wars can be destructive and counterproductive. Holy wars are about
>coercion and emotions, not rational analysis. Smart businesses approach
>technologies neutrally and analyze their benefits and weaknesses fairly
>and honestly. They weigh their needs, analyze the data, and make an
>informed decision.
>

Fair enough. Rational analysis says that the decision maker should weigh the cost of porting or managing interop for a given application run on a non-Windows platform against the very high vulnerability of hosting on Windows. If your threat level is low, and your porting costs are high, then Windows is justified. But if Windows is your default choice, you are being irresponsible.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
This archive was generated by hypermail 2b30 : Sat Sep 27 2003 - 17:46:01 PDT