Sunday, October 05, 2003

"CyberInsecurity" on the wrong track

[Note - this is an archived version of the original posting from 05:01 PM EDT, Oct 05 2003]

The article below was submitted to the Cryptography mailing list, cryptography@metzdowd.com, archived at http://www.mail-archive.com/cryptography%40metzdowd.com/maillist.html. As with a series of articles posted anonymously, the moderator, Perry Metzger, refused to publish it. He is hiding this information from the subscribers to his list, apparently out of spite.

Now, in this case, Perry was one of the co-authors of the report which I criticize, so his emotional reaction may be understandable. Nevertheless on an important policy issue such as this one, it is important to allow all sides an opportunity to air their views.

I request my readers to write to Perry Metzger, perry@piermont.com, and ask him to allow anonymous messages to appear on the cryptography mailing list.

===

The CyberInsecurity essay is available at http://www.ccianet.org/papers/cyberinsecurity.pdf. A few comments:

Overall, this is a terrible analysis with a misguided solution which, if adopted, would only make things worse. It is shocking to see the well known figures who have allowed their names to be attached to this document. Apparently hatred of Microsoft runs so deep that people are unable to think critically when presented with an analysis that attacks the company. We saw the same thing with the absurd lies and exaggerations about Palladium last year.

> The threats to international security posed by Windows are significant,
> and must be addressed quickly. We discuss here in turn the problem in
> principle, Microsoft and its actions in relation to those principles, and
> the social and economic implications for risk management and policy. The
> points to be made are enumerated at the outset of each section, and
> then discussed.

Let's look at these three portions. The "problem in principle", according to the report, is the existence of a monoculture, which should be addressed by diversification. There are nonsense figures in here that claim to quantify the "power" of the net, using absurd, hand-wavy formulations like Metcalfe's Law or Reed's Law. (Reed's so-called Law is a joke, predicting that the Internet will be 228 quadrillion times more "powerful" in 10 years if the number of systems increases 50% per year!) This is not logic, this is not reason, it is just rhetoric.

But the fundamental problem with the analysis here, which is what makes the report's recommendation so misguided, is the claim that diversification will somehow solve the problem. In fact, diversification will make it worse, as a moment's thought should make clear.

Let's suppose that the government stepped in, and the kind, wise government bureaucrats we all know and love so well decided to aid disadvantaged operating systems. This affirmative action program is so effective that after many years, Microsoft has only a third of the market; Macs have another third; and Linux has most of the remaining third. Wow, the problem is solved, right?

Wrong. With the number of systems on the net growing rapidly, any realistic extrapolation leaves the number of Windows systems as being even larger than today. Hence we face at least as much exposure as at present, which the evidence has shown is more than enough to cause tremendous economic damage.

And in fact, it is worse, because any flaws in the Mac or Linux OSs will now be just as dangerous as for Windows! What we will face is a situation where the *weakest* of the widely used OS's will determine the risk factor for the system as a whole.

This is not the kind of redundancy which reduces risk. There is no effective way that the presence of other architectures is going to prevent a virus or worm from being able to spread just as rapidly as today.

That error is the most fundamental in the report, but let's turn to their analysis of Microsoft's dominance, where again they have utterly missed the obvious truth.

The report claims that Microsoft's dominance in operating systems is due to what it calls application lock-in, which is a nasty way of saying that people prefer Windows because they want to use applications that are only available on that architecture. This part is obviously true. But the report tries to link this to the claim that this is all due to Microsoft's strategy to tightly integrate applications and the operating system, which is absurd.

In the first place, many of the most popular applications which drive people to choose Windows aren't even from Microsoft. Games, business software, web utilities, there are thousands of popular programs which are only available on the Windows architecture. These programs aren't built into the OS, but instead the companies making this software have chosen Windows because it is popular, has good development tools, and in the early days was easier to write for (remember that up until a few years ago, the Mac lacked preemptive multitasking, and Linux wasn't even a blip on the radar).

In the second place, Microsoft does in fact make some of its most popular applications available on the Mac. Office (and its predecessors) and IE have been available for many years on that platform. These apps are not locked to the OS as the report claims.

And in the third place, the real reason why Microsoft preferentially supports Windows is not due to technical integration with the OS, but for the obvious economic reason that the Windows OS is made by the same company as Windows apps, so it makes sense for the latter to support the former. This fact is so utterly obvious that it is astonishing that the report manages to miss it.

> The natural strategy for a monopoly is user-level lock-in and Microsoft
> has adopted this strategy. Even if convenience and automaticity for the
> low-skill/no-skill user were formally evaluated to be a praiseworthy
> social benefit, there is no denying the latent costs of that social
> benefit: lock-in, complexity, and inherent risk.

Here the report manages to touch upon a particularly important point, but as usual to miss its significance. The point is that Microsoft's security vulnerabilities are due to the fact that it is making its software easy to use. But that is one of the main reasons it is so successful! Believe it or not, people like software that is usable and has features they need. Doing so is difficult and makes software more complex. By adopting this strategy, Microsoft has inevitably acquired security vulnerabilities over the years.

What the report misses, then, is that any other OS or company which adopts the same strategy is going to face the same problem. But companies are going to be forced to make their software easier to use and more complex in order to compete with Microsoft, even if the report's recommendations were adopted. This is going to add to the problem noted above, that the other OS's are going to have security vulnerabilities as well, once they are widely used.

What the authors appear to really want is to somehow change software development methodology so that security takes precedence over features. As a security professional who has worked for many years on consumer products, I am well aware of the tension that exists within corporations between these two competing goals. It is perhaps understandable that others in our field are trying to win this argument by government fiat. The authors are in effect saying that they know better than the end users what is important; that if customers prefer that their word processors are functional, their wishes would be overridden in order to make the programs more secure.

Even if we accept this argument (the morality of which is highly questionable), forcing Microsoft to port Office to Linux isn't going to do a single thing to accomplish it! As noted above, the only effect is going to be more pressure on the newly enfranchised OS's to become more like Microsoft in order to compete, that is, to add features and complexity. Ultimately, those are the preferences of the people buying the computers, and no amount of pontificating by the authors of this report is going to change those economic incentives.

Turning to the third section of the report, the authors contradict themselves by claiming that Microsoft will not change its habits, while at the end of the second section they just listed several important changes. Microsoft's trustworthy computing initiative, its introduction of delays in product release in order to address security goals, and its work towards a secure computing base are all changes that indicate that Microsoft is taking a much more serious attitude towards security.

But rather than give the company a chance to see what it can do in terms of making its products more secure, the report proposes to force Microsoft to reorient its development efforts towards making Mac and Linux versions of all its software, as if that will solve anything:

> Microsoft should be required to support a long list of applications
> (Microsoft Office, Internet Explorer, plus their server applications and
> development tools) on a long list of platforms. Microsoft should either
> be forbidden to release Office for any one platform, like Windows,
> until it releases Linux and Mac OS X versions of the same tools that
> are widely considered to have feature parity, compatibility, and so forth.

The arrogance of this proposal is beyond belief. One of the most successful companies in the world, one which even the report admits has specialized in making software easy to use and meeting the needs and requirements of end users, is expected to reorient its development efforts and port its massive software base to a "long list" of platforms.

No consideration is given to the costs of this government-imposed mandate. No concern is expressed about the impact on end users who have come to appreciate Microsoft's increasingly functional applications. Ironically, no one even seems to realize that resources spent doing these ports may well detract from Microsoft's current efforts to refocus on security improvements! Forcing the company to change direction like this is likely to weaken security, not improve it.

The lack of any strong evidence that these drastic measures will improve the security of the net as a whole demonstrates that this is an ideological report rather than a technical one. Hand-waving about diversification does not answer the point.

Realistically, even if the net does become more diversified (which will probably happen, gradually and naturally, without Draconian government regulation), we are still going to have a relatively limited number of architectures that are popular. That's just the way markets work; there is only a limited amount of public attention to go around, and in most markets there are only a few companies which claim the majority of the market share.

The result is that we will have a system where, as pointed out above, not one but several architectures are each widespread enough to bring the net to its knees when an exploit is discovered. This network will only be as strong as its weakest link. Diversity, in this context, is a risk factor, not a risk mediator.

In summary, this report is misguided and mistaken on so many levels that it is astonishing that such well respected figures were willing to put their names to it. The analysis is flawed or missing. The recommendations are harsh, extreme and premature. And ultimately their proposals will only serve to make the problem worse, not better.
