[IP] CCIA Microsoft report--what's the real issue?

To: ip@xxxxxxxxxxxxxx
Subject: [IP] CCIA Microsoft report--what's the real issue?
From: Dave Farber <dave@xxxxxxxxxx>
Date: Thu, 09 Oct 2003 12:27:34 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx

CCIA Microsoft report--what's the real issue?
By <mailto:letters-zdnn@xxxxxxxxx>John Carroll
Special to ZDNet
October 8, 2003, 4:53 AM PT

URL: <http://zdnet.com.com/http://zdnet.com.com/2100-1104-5087886.html>http://zdnet.com.com/2100-1104-5087886.html

c934ca.jpg

COMMENTARY--This is part two in a three part series detailing my objectionsto a recent Computer & Communications Industry Association (CCIA) report,titled <http://www.ccianet.org/papers/cyberinsecurity.pdf>CyberInsecurity:The Cost of Monopoly. In<http://zdnet.com.com/5/2100-1107_2-5086379.html>the last installment, Iexplained that cost savings related to a standardized computinginfrastructure can outweigh costs associated with software "monoculture"risks.

In this installment, I outline my objections to various aspects of thereport's content. In short, the authors' obscure the point of the articlethrough their obsession with the perceived unfairness of Microsoft's marketpower. Furthermore, though their ability to put a negative spin onMicrosoft's every action is impressive, it seems more opportunisticaggression than an attempt at dealing objectively with security flaws inMicrosoft operating systems.

What is the REAL point of the article?

If you skipped the table of contents, four pages of biographies, a two pageanti-Microsoft diatribe courtesy of the CCIA, and a two page executivesummary, you might be forgiven for believing that this was yet anotherattempt by the CCIA to undo the settlement reached between Microsoft andthe DOJ. The entire report is threaded with protestations about Microsoft'ssupposed monopoly power.

Granted, the report attempts to link monopoly power to the presence of amonoculture--which is presented as a Bad Thing that requires governmentintervention to remedy. Unfortunately, the authors' obsession with the"fundamental unfairness" of Microsoft's monopoly power causes them toforget the point of the article, which was, at least theoretically, aboutsecurity.

For instance, the report mentions that "today's locked-in Microsoft userswould no longer pay the prices that only a monopoly can extract."Pretending for the moment that Microsoft's prices are truly far above theindustry average for proprietary OSes, what on earth does this have to dowith the issue of security? Wouldn't higher prices result in FEWERcomputers, or even better, drive customers to other providers?

Later, they try to turn Microsoft's decision to slip release dates in orderto conduct more thorough security reviews into a negative, by claiming sucha move "...is also an admission that Microsoft holds monopoly power--theyand they alone no longer need to ship on time". Besides the obvious factthat most software companies slip schedules, this, again, has little to dowith the issue of security so much as a complaint over Microsoft's supposedmonopoly power as such.

This obsession with antitrust, sure fingerprints of the CCIA, poisons thearticle's ability to deal honestly with the issue of security in Microsoftsoftware. Consider their treatment of the issue of "trusted computing."Trusted computers are built according to specifications designed by theTrusted Computing Platform Association (Intel, IBM, Microsoft and HP arefounding members), and enable levels of Digital Rights Management (DRM) notpossible given current hardware architectures. Microsoft's proposedimplementation of these specifications is the Next Generation SecureComputing Base (NGSCB), formerly code-named Palladium.

"Given Microsoft's tendencies, however, one can foresee a Trusted Outlookthat will refuse to talk to anything but a Trusted Exchange Server, with(Palladium's) strong cryptographic mechanism for enforcement of thatlimitation. There can be no greater user-level lock-in than that, ..."

That's all well and good, and represents something that IS possible onplatforms which adhere to TCPA specs. However, again I must ask if thisreport is about security, or about the CCIA's ability to fire anothercream-filled antitrust Zinger at Microsoft? Presumably, if Trusted Exchangecan only communicate with Trusted Outlook, then untrusted crackers can'taccess Exchange AT ALL, thus avoiding potential security issues. In otherwords, Palladium SOLVES security issues, which is a GOOD thing unless youlive in a world where everything that Microsoft does must somehow be castas a bad thing.

This article is NOT supposed to be about how upset the authors are aboutMicrosoft's market power, but about Microsoft's security issues.Unfortunately, that issue gets entirely lost in the authors' enthusiasm forthrowing buckets of red paint towards Redmond.

Fearmongering

The authors note that "(y)ou should not have to wait until people die toaddress risks of the scale and scope discussed here." It's certainly hardto argue with this, which was probably the reason the statement was wordedin this way. Yet, if the feared event is unlikely to happen in the firstplace, then reacting as dramatically as the authors later suggest seems abit paranoid. It should be significant that there isn't a SINGLE instanceof terrorists targeting computer infrastructure.

The standard response is to question what might happen if Windows was usedin uniquely sensitive infrastructure, such as to control the coolingprocess of a nuclear power plant. But that's like saying Formula One racersshould be concerned that the tires used on a Volkswagen Jetta might explodeon a hard curve. Formula One racers don't use the same tires as aVolkswagen Jetta.

It's not impossible to use Windows, or even Linux, in sensitive computingenvironments, provided proper attention is given to risks associated withoperating systems with large installed bases (the same risks outlined inthe CyberInsecurity report). However, Windows servers are aimed at the massmarket, and are intended for use in MOST business situations. Managingnuclear power plants isn't a common usage of commodity operating systems.

NASA engineers use chips 10-15 years old for the simple reason that theyare well tested and understood, and that's just for stuff that gets blastedinto outer space. Utilities tend to be VERY conservative about the softwareand hardware they buy. I would suggest that they would be as reluctant toput their trust in commodity Linux servers as they are to put their trustin commodity Windows servers.

People don't bypass the cost savings of consumer-grade video camerasbecause movie studios don't use them to make movies. In the same vein, youdon't bypass the cost savings of a general purpose OS like Windows andLinux simply because it isn't likely to be used in a nuclear power plant.You figure out what your risk costs are, and if they are higher than thecost savings associated with commodity operating systems, you turn tosomething more specialized. Furthermore, I would suggest those bestqualified to make the required risk calculations are those closest to thesituation, not CEOs and consultants at security companies.

Correcting various errors

As noted in my introduction, the authors appeared to go to unusual lengthsto cast Microsoft in a bad light. Along the way, they make a number ofmisrepresentations, and fail to explain themselves on a number of logicalpoints.

For instance, on page 13, they claim that Microsoft is dropping support forIE on the Mac because of their recent decision to embed the IEbrowser...far into their operating system. Yet, remember that Opera, makerof a competitor to Internet Explorer,<http://zdnet.com.com//2100-1104-982314.html?tag=nl>has questioned whetherthey would release a new Mac version. The reason, of course, is that Appleis putting a lot of energy into its Safari browser, and Opera doesn't seemuch of a market competing with an Apple-sanctioned browser. Why wouldMicrosoft make any different a calculation?

The authors make clear the need for a diverse computing architecture as abarrier to cascade failure, yet note on page 7 that "(t)he growth in riskis chiefly amongst unsophisticated users." In other words, the greatestrisk is not among companies who pay specialists to secure their network,but among home users without the technical sophistication to protectthemselves. No suggestion is proposed as to how this situation is to beremedied. Are non-technical users supposed to buy multiple systems for thehome? Are governments to require stores to sell computers on a round-robinbasis, forcing home consumers to buy computers that they may have no ideahow to use? Are non-technical users more likely to understand how to use,much less update, a particular system in a world with a diverse operatingenvironment, given that for many, it's hard enough to learn ONE operatingsystem?

On page 12, the authors state that Microsoft has a high level of user-levellock-in; there are strong disincentives to switching operating systems.Yet, where is it NOT the case that customer's are "locked-in" to aparticular platform? Can a user's collection of Linux applications bemigrated to the Mac if they choose? Can Mac applications be run on Solaris,or for that matter, Windows? Can applications written against an Oracledatabase be ported automatically to SQL Server?

Likewise, how does the presence of an integrated IE constitute user-levellock-in? Is it a grievous sin for Microsoft to offer developers the OPTIONof reusing an integrated HTML renderer? Microsoft's "crime" in this casewas that they were sufficiently forward-thinking as to offer their HTMLrendering engine as a set of reusable components years before itscompetitors got around to it. It should surprise no one that developersfound IE appealing. Similarly, it is only a problem for Microsoft to makeIE available to end users as a default option if you buy into the notionthat government must bully consumers into usage modes it considers morefavorable.

Along those lines, consider the basis upon which they conclude Microsoft isguilty of "tight integration" of components: The "tight integration" isthis: inter-module interfaces so complex, undocumented , and inaccessibleas to (1) permit Microsoft to change them at will, and thus to (2) precludeothers from using them such as to compete (page 13).

I'm only left to conclude that the authors have NEVER programmed for aMicrosoft operating system. Microsoft is and always has been verydeveloper-friendly, and goes to great lengths to provide its developerswith loads of easy to use documentation. This is a fact noted by developerswho have <http://zdnet.com.com/http://daringfireball.net/2002/08/pepper_author_maarten_hekkelman.html>madethe transition to Windows from other platforms.

Furthermore, where are the examples of Microsoft changing APIs at will inorder to befuddle the competition? That would be surprising, given thatMicrosoft often tends to create its applications as a set of reusablecomponents so that its own developers might reuse them. In other words,changing an API would harm Microsoft's own developers as much as it harmsexternal developers.

Besides these facts, few companies go to the same lengths as Microsoft tomaintain backwards compatibility with old interfaces. Windows 9x code wasonly recently replaced with Windows XP, and even then, most applicationswritten for Windows 9x operating systems run on Windows XP. Compare this toApple, who has drastically changed its APIs several times over the pastdecade. This fact should be an "in" to insightful competitors, given thatthere is nothing stopping them from cloning the IE automation interfaces(as an example), thus making their browser interchangeable with use of IE.

Lastly, on what basis do they conclude that Microsoft makes its interfaces"complex...and inaccessible?" Microsoft for years has used COM as itsstandard reusability API, a binary interface standard on Windows whichenables multiple languages to reuse the same block of code (now supersededby .NET). COM was well understood, at least if you were a Windowsdeveloper, and hardly the "inaccessible API" that the CyberInsecurityauthors imply is the norm on Windows.

This is the second of three parts. Read Part I<http://zdnet.com.com//2100-1107-5086379.html?tag=nl>CCIA Microsoftreport--the core issues. Part III will appear on Friday.

biography John Carroll is a software engineer now living in Geneva,Switzerland. He specializes in the design and development of distributedsystems using Java and .Net. He is also the founder of<http://www.turtlenecksoftware.com/>Turtleneck Software.

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Media study reveals effect of spin on US public
Next by Date: [IP] The Impact of Academic Research on Industrial Performance
Previous by thread: [IP] more on Media study reveals effect of spin on US public
Next by thread: [IP] The Impact of Academic Research on Industrial Performance
Index(es):
- Date
- Thread