COMMENT
What do the boll weevil, Irish potatoes and Microsoft have in common? Quite a lot, if you believe American Dan Geer - a backyard beekeeper with muttonchop sideburns and a doctorate in biostatistics.
The internet security guru created quite a flap with his white paper CyberInsecurity: The Cost of Monopoly, which argued that the dominance of Microsoft's software in the computer world threatens our electronic existence.
The fact that Geer was fired from his job at security company @Stake after publishing the paper late last year plucked the "monoculture" argument out of academic oblivion and into the mainstream. Microsoft, it seems, was a major client of @Stake's, leading to speculation that Geer was culled by an employer wanting to stay on the software behemoth's right side.
It was a juicy subplot and hundreds of newspapers around the world picked up Geer's story. Slashdot.org postings on Geer came very thick and fast.
A little-known fact is that Auckland University's very own Professor Peter Gutmann co-authored the CyberInsecurity paper, though he says Geer "wrote 99 per cent of it".
"[@Stake] might have been embarrassed because he criticised a client of theirs. But Dan had no end of job offers," he says of his colleague, who has moved to a security start-up.
Gutmann subscribes to the paper's premise - that the monoculture of the Windows-centric IT world is a dangerous thing. He's got nothing against Microsoft itself - but the lack of diversity it represents goes against the grain.
"If everyone was using Linux we'd have the same problem. It's very difficult to separate comments about security from attacks on Microsoft."
Nothing that has been thrown at Microsoft has yet been able to break its monopoly on the client operating system market, where surveys variously suggest it has a 90 per cent to 98 per cent share. On the server side, it still accounts for more than half of server software sales, despite the increasing popularity of Linux.
For Geer and others this is distressing. That's because the workings of society depend more on computers than ever before - from the card reader we swipe to get into our office to the systems that run the power and telecoms networks to the databases that make sense of our financial transactions.
The argument is that by letting Microsoft become so dominant, we've set ourselves up for "the blue screen of death" of all time - or what one security firm has dubbed the "$100 billion cyber catastrophe".
Geer argues that the dominance of Microsoft's operating systems across the networks of the world creates a "susceptible reservoir of platforms" from which attacks by malicious worms, viruses and Trojans can be launched. The result is "cascade failure" where the viral infection rapidly spreads via internet connections. Internet nasties Nimda and Slammer, SoBig, MSBlaster and most recently MyDoom are all examples of cascade failure, several of which have targeted Microsoft software.
Geer says the "tight integration" of Microsoft's products "violates the core teaching of software engineering" which is "loosely-coupled interfaces".
The integration locks in users, making it hard for them to jump to other platforms.
Microsoft's operating systems, adds Geer, are notable for their incredible complexity - and complexity is the first enemy of security.
"After a threshold of complexity is exceeded, fixing one flaw will tend to create new flaws: Microsoft has crossed that threshold."
The answer, he argues, is to make Microsoft's applications fully compatible with competing operating systems so that a range of systems are used by larger numbers of people.
"For many organisations the only thing keeping them with Microsoft in the front office is Office ... if Microsoft were forced to inter-operate, innovators and innovation could not be locked-out because users could not be locked in," wrote Geer, who believes Microsoft should publish interface specifications for major functional components of its code, both Windows and Office.
But he doesn't believe that breaking up Microsoft is the answer. Attempts at that have already been unsuccessful. He's arguing for Microsoft to unbundle its unified product suite.
Based on plain old biology of the Darwinian variety, the argument says that in the real world, monoculturalism is lethal. Take cotton farming, for example. Early last century, farmers in the southern states of the US were making a killing out of cotton. It grew like a weed and clothed the masses. The farmers got rich, the merchants grew fat, the economy flourished. Then the boll weevil made its appearance. It munched its way across the states, where in places whole fields were devoted solely to cotton.
The boll weevil attack led to a miserable Grapes of Wrath-type existence for millions of Americans as stretches of Texas, Oklahoma and Georgia became dustbowls. Afterwards, however, farmers diversified their crops by planting corn or peanuts alongside the cotton.
The same thing happened in Ireland where in the nineteenth century everyone grew one particular type of weather-resistant potato. They called it the "lumper" and it was so deliciously tasty and easy to grow that by 1840 it was the staple diet for three million Irish. But by 1845, most of the lumpers being dug out of the peaty Irish soil were covered in a horrible fungus which turned them to mush. A million Irish died during the two-year great potato famine. Many more fled to the US. Afterwards, the Irish made sure they planted several species of potato.
It may be that the worms and viruses we've seen in the past 18 months are merely the precursor to "the big one".
It's definitely something the insurance industry is fretting about, according to British security firm mi2g.
"The premium for such cover is ... likely to run into millions of dollars per quarter per corporation insuring against US$2 billion to US$5 billion of exposure, and have excess limits of US$100 million or more because the probability of incidence of cyber catastrophe is rising with every passing month," it said in a bulletin.
Certainly, security breaches such as the monumental stuff-up that allowed 600MB of source code for Windows 2000 and Windows NT to find its way on to the web, fail to inspire confidence.
But how real is the threat, really?
"At the moment these viruses are badly written," says Gutmann. "They've major bugs so their propagation is impeded."
But he tells me unprintable things that can be done to computers by single-minded hackers to reduce them to "paper weights". The best hackers are the most patient ones. They're willing to wait six months, a year, before their work takes effect. Most experts agree, we ain't seen nothing yet.
Which leads me to this conclusion. The Government has to take leadership on dismantling this dangerous monoculture.
Maybe Geer's idea of governments and critical infrastructure providers ensuring that no more than 50 per cent of their computer infrastructure is run on one flavour of operating system is a good one.
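As an added illustration (not from the column, and not from Geer's paper): a simple mean-field model of a randomly scanning worm, of the kind commonly used to analyse Slammer-class outbreaks, showing how the size of the single-platform "reservoir" sets both how many hosts a one-exploit worm can reach and how quickly it gets there, together with a check of a fleet's platform mix against the 50 per cent cap. The host counts, shares and scan rate are constructed, not measured.

```python
# Added example, not from the column: a deterministic random-scanning worm model
# used to compare a fleet where one platform holds 95% of hosts against one held
# to the 50% cap. Every number here is constructed for illustration.

ADDRESS_SPACE = 2 ** 32  # IPv4-sized space the worm probes at random

def simulate_worm(total_hosts, dominant_share, scans_per_tick=4000, max_ticks=100_000):
    """Mean-field model: each infected host sends scans_per_tick random probes
    per tick; a probe that lands on a still-clean vulnerable host infects it.
    Only hosts on the dominant platform are vulnerable. Returns the reservoir
    size, the hosts eventually infected and the ticks needed to reach 90%."""
    if not 0 < dominant_share <= 1:
        raise ValueError("dominant_share must be in (0, 1]")
    vulnerable = round(total_hosts * dominant_share)
    infected = 1.0  # patient zero
    ticks_to_90pct = None
    for tick in range(1, max_ticks + 1):
        # probes sent this tick, times the chance each hits a clean vulnerable host
        new_infections = scans_per_tick * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        if ticks_to_90pct is None and infected >= 0.9 * vulnerable:
            ticks_to_90pct = tick
        if infected >= vulnerable - 0.1:
            break  # reservoir exhausted: the worm can go no further
    return {"vulnerable": vulnerable, "infected": round(infected),
            "ticks_to_90pct": ticks_to_90pct}

def worst_case_exposure(platform_mix, cap=0.5):
    """platform_mix maps platform name -> fraction of the fleet. Returns the
    largest single-platform share (the most a one-platform worm can reach)
    and whether the fleet satisfies the diversity cap."""
    if abs(sum(platform_mix.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    share = max(platform_mix.values())
    return share, share <= cap

if __name__ == "__main__":
    fleets = ({"windows": 0.95, "linux": 0.05},
              {"windows": 0.5, "linux": 0.3, "bsd": 0.2})
    for mix in fleets:
        share, cap_met = worst_case_exposure(mix)
        run = simulate_worm(100_000, share)
        print(f"share={share:.2f} cap_met={cap_met} reservoir={run['vulnerable']} "
              f"infected={run['infected']} ticks_to_90pct={run['ticks_to_90pct']}")
```

Halving the reservoir both halves the hosts a single exploit can ever reach and roughly doubles the time the worm needs to saturate them, which is the window defenders have to react.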
On the operating side, if it comes down to paying a premium on my next (already free) Linux upgrade so I can run the selected Microsoft applications, I'll pay it.
Organisations such as the Department of Homeland Security and our own CCIP (Centre for Critical Infrastructure Protection) have been set up to protect us from terrorist threats. Cyber-terrorism needs close attention as well and policy over operating-system use could come from such organisations.
Maybe the partial mandating of open-source software use in government is the path we need to take. On the evidence presented, there's a good argument for it.
Peter Griffin: Microsoft's might means danger