Security Advisor

Does Windows Endanger Society?

Security study faulty at many levels; let me count the ways.

Last week, a number of high-profile security experts released a report called "Cyberinsecurity: The Cost of Monopoly. How the Dominance of Microsoft Products Poses a Risk to Security." Read coverage of the report first, at http://mcpmag.com/news/article.asp?EditorialsID=613; the report itself is at www.ccianet.org/papers/cyberinsecurity.pdf.

I discount the report for a number of reasons, and respond directly to the authors.

  1. I was made aware of the report's release through an invitation to a conference call. The subject of the e-mail was "National Security Compromised by Reliance on Microsoft Windows." To me, this sounded like the national security of the United States had been compromised. To me, this sounded like you were going to reveal the facts behind some successful attack on my country. Because of the title and the unrecognized sender, along with the fact that it had an attachment, I almost relegated the e-mail to the spam bucket.

  2. The conference call wasn't about national security being compromised. I assumed it was and I was annoyed that you'd used such a tawdry attempt at getting attention.

  3. At the beginning of the call you seemed almost apologetic—fumbling around, emphasizing that this wasn't about bashing Microsoft. I don't care if you want to bash Microsoft. This is a free country; you can criticize anyone you want to. If it's not about bashing Microsoft, though, why accuse the company of being behind the compromise of national security? Why bash them in the actual report?

  4. Your report, and the conference call, were sponsored by the Computer & Communications Industry Association (CCIA). This group is an industry association with a long history of anti-Microsoft rhetoric and action. The CCIA is involved in antitrust action against Microsoft in the United States and Europe. If you're going to tell me you're scientists who have all come to the same conclusion about the 3 M's—Microsoft, monopoly, and monoculture—then please find a more independent public forum. Your words will have more weight.

  5. While you stressed during the media conference call that your warnings weren't about Microsoft, the report plainly is. And while you are experts in information security, you clearly are not Microsoft Windows experts. One of you seemed surprised to learn that automatic updates are a default feature of current Windows releases. Another said they plugged in a Windows computer and it was compromised before it could be updated. Was the computer around when the patch was issued? If so, why wasn't it patched? Even the latest worm was preceded by three weeks in which the patch was available. Was it a new computer? I have to wonder about a security expert who waits three weeks to patch his computer or plugs in a brand new computer to the Internet before patching it or protecting it with a firewall. An ordinary citizen might do that, and that is a real problem.

And that's the problem you need to be talking about. Not your experience; you're the experts, after all. Don't get me wrong—in the enterprise, you don't need thousands of desktop computers phoning home to Microsoft and downloading and installing service packs and security patches. Depending on your size, there are products like the free Microsoft Software Update Services and commercial software like Systems Management Server or third-party products that allow you to choose which security patches will be applied to which computers, and when. But for the average consumer, the chance that a patch will cause harm is far smaller than the risk of not enabling automatic updating. The average consumer also needs to at least run a personal firewall. Many of the exploits, worms and so on can be foiled by basic firewalls.

  6. While you're correct that consumers shouldn't need to be security experts in order to browse the Internet, you don't seem to understand that the message consumers are getting is that they don't need to use any security on the Internet.

My ISP, Southwestern Bell (http://www01.sbc.com/DSL_new/content/0,,54,00.html#firewalls), has a lot to say about security. The quote below is from a Web page I've just downloaded. It tells consumers they should make their own decision about whether or not they need a firewall:

For example, a small business, or a customer who sends a lot of proprietary information over the Internet, may want to install a firewall, whereas customers who use the Internet for research or entertainment may find changing their passwords regularly to be all the security they need.

Would you trouble yourself to install a firewall after that? Read the page. It tells you how well Southwestern Bell keeps you secure by securing their network. It also implies you should not open an e-mail attachment that contains a virus (how do you determine that, pray tell?) and should install antivirus software (nothing here about keeping that updated). So why aren't you attacking ISPs? A computer used without any security is like a car driven by a drunk driver: an accident waiting to happen.

  7. You emphasized that people who use Macs laugh at worms. I know companies who have 100 percent Windows on the desktop and laughed, too. They weren't infected -- and not just because they patch, but because they follow sound information security principles. I also know many average folks who use Windows on their desktop. They use the onboard firewall. They use automatic updates. They weren't infected, either. Some of them were previous Mac users. Why did they switch? Because Windows is easier to use, and easier to update and protect.

Here are my general responses to your report's conclusions.

  • You complain that Microsoft has systematically done everything they could to become the dominant player in computing. Isn't that what business is all about -- becoming No. 1? Of course it was intentional. Was it malicious? Was it illegal? That's for the courts to judge. Get off it. Pointing fingers and calling someone the devil won't get me to support your cause.
  • You say that the result of the alleged monopoly is a monoculture. By that you mean that since life at the end of each thread leading away from the Internet and into someone's home or office is Windows, we're all at risk. A single flaw can be our downfall. This is true; one way of doing anything puts us at risk. It's why businesses build redundancy into their computing infrastructure. It's why we ordinary citizens have a backup plan for getting to work if the car won't start.
  • You say that the problem is we're all so dependent on computers, and the vast majority of us are so incapable of using them securely that the government needs to step in. It's true that we're dependent on computers. This scares me. Many users don't know how to use them securely. Many of us who should know better don't always secure them properly. You might convince me that we need some ground rules here. Every citizen has a responsibility to protect others. We have laws about smoking in public places, driving while intoxicated and other harmful actions precisely because on their own, some people will do harmful things. Making rules to protect the good of the masses against the actions of the few and enforcing them is at least as old as Moses and the Ten Commandments. But let's make sure the laws are about regulating everyone in the same way, and not about punishing a single company.
  • You say the complexity of Microsoft products and the tight integration of the code in those products lock users in and violate a basic security principle. You say that computer scientists agree that loose coupling and modularity make for better systems. You want, in short, to be able to mix and match products. Use another word processor on Windows. Use Office on Linux. I can do the former. I can't do the latter.

Do you remember the first version of Windows NT? The requirement for modularity resulted in OS/2 and POSIX subsystems. What was the first security suggestion? Remove those subsystems because they posed additional risk. I agree with the subsystem removal bit. Few used those parts of the product, and another security dictum says get rid of what you don't use, because it poses a risk as well. It's true that complexity is the enemy of security. The complexity of computing systems can be the result of using a single complex product. But diversifying, a main solution proposed by the report, also makes computing systems complex. How much harder will it be for consumers to secure their systems when they have a greater variety of them?

  • You also offer some suggestions for the alleged problem; here the message gets muddied.
  1. Use a Macintosh or Linux. But oh, by the way, if all of us do that, we'll still be at risk since those that would attack us will just do it by discovering and exploiting flaws in those products.
  2. Government legislation is needed to control the situation. I'm not sure if you're saying that Microsoft should be kicked in the pants or that we just need better control over who can do what on the Internet.
  3. Take the computers away from moms. Well, what else did you expect me to draw as a conclusion, when you complain that the problem is stupid users using unprotected computers on the Internet, and then point to your own mothers as an example? A number of you did just that during the conference call.

I'm glad we live in a society where we can express our opinion, and I'm really glad you did. I want very much to join you in your crusade to make the world safe from those that would take advantage of the lack of computer security that lives on the edge of the Internet. I want to make people more aware. I want them to secure their computers. I want the computing industry to give us products that are secure by design, and that we can secure even if we aren't experts. I want the craziness to stop. I don't want anyone hurt because some clueless teenager or malevolent terrorist takes advantage of a flaw in an operating system or application. I want it badly.

So guys, come on, stop with the M words. Join together instead. Let's get together—users, experts, policy makers, moms, programmers, software and hardware companies—in some independent forum, and work toward that goal without the rhetoric, without the animosity. After all, as one of you once said, "Security is a process, not a product."

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.
