The Computer & Communications Industry Association (CCIA) has been a long-time Microsoft opponent. The lobbying group filed numerous friend of the court briefs during the antitrust trial in America, and is an active participant in the antitrust investigation being conducted by the European Commission. It is composed of a number of Microsoft's fiercest competitors, among them AOL, Sun Microsystems, Oracle, Intuit and Nokia.
Since the end of the American trial, however, the CCIA has pretty much fallen off the radar screen. Recently, though, it has managed to generate a bit of noise with "CyberInsecurity: The Cost of Monopoly," which is presented as "a wake up call that government and industry need to hear" regarding security issues in Microsoft's near-ubiquitous operating system. The report has garnered an unusual amount of attention, possibly because Bruce Schneier, author of Applied Cryptography and a generally recognised expert in the realm of cryptography, was included as one of the report's authors.
My respect for Mr Schneier's work, however, doesn't extend to ignoring flaws in reports to which he contributes. This is part one in a three-part series which rebuts the arguments made in the CyberInsecurity report. Today's instalment deals with the core issues, namely, the risks associated with software "monoculture" and complex systems. Part two is a collection of general criticisms relating to the report's content, and details its uncanny ability to put a negative spin on practically everything Microsoft does. Part three is my treatment of the proposed remedies, and closes with some parting thoughts. The columns will be published throughout this week.
Do note that you can read the entire report yourself by going to www.ccianet.org/papers/cyberinsecurity.pdf.
The risks of a software monoculture
"Protection from cascade failure is instead the province of risk diversification -- that is, using more than one kind of computer or device, more than one brand of operating system, which in turn assures that attacks will be limited in their effectiveness. This fundamental principle assures that, like farmers who grow more than one crop, those of us who depend on computers will not see them all fail when the next blight hits." (Page 11)
In other words, by having a diverse operating system environment, you prevent a virus that targets one platform from bringing down the entire infrastructure. The targeted platform might be laid low, but other platforms will live on to propagate the species...or just continue computing.
It's true that a monoculture has certain costs from the standpoint of shared risks which lead to a larger pool within which a computer virus might thrive. On the other hand, there are also real costs to the lack of a standardised computing architecture, which is the flip-side of the monoculture detailed in the report.
Talkback
Excellent column so far. I look forward to reading the rest of it.
You mention one point that I really wish Unix fans would get: Windows is integrated ONLY in that it all comes in one box. Windows is no more one monolithic thing than Unix is and in much the same way that any standard Unix distro comes with tons of little apps which get installed with the OS, Windows is a collection of objects (mostly COM) and apps delivered with the core OS.
Each object is independent as code, although they may talk to each other and expect other specific objects to exist to function - that's the core of why Microsoft said IE couldn't be removed from the OS. They were right in the sense that a lot of things in the OS expect to find the IE COM object to do their thing.
That's a dependency, but no more so than a Unix app expecting libc.a to exist. The IE COM object isn't the browser, it's the component that does browser stuff - and any app can use it to do browser stuff - which is really powerful and useful - and desirable.
For those who argue that Microsoft is still at fault for not letting other companies replace their IE COM object - let me ask - would you be happy about the idea of some application replacing libc.a with their own personal copy?
I didn't think so.
Why then does Microsoft change the name of its "security initiative" AKA Palladium and a dozen other names?
That is what most of us who have looked at the problem are scared of.
In the name of "fighting piracy", MS will determine what can be run on your computer!
Whilst I thoroughly agree with the statement on the issues and the problems that this causes (today or later) for the users, it is difficult to see what can be done about it in a practical sense.
As a real dinosaur, I remember the days when there was IBM, and a bunch of "others". I worked in an IBM shop on a 1440 and then a 360. My brother worked in an ICL shop on a 1905. Where I worked, we had a maintenance visit once a month from the CE; at my brother's place they had a more or less resident engineer.
I certainly would not have liked to see ICL artificially supported by court cases, legislation or other pressure, and I don't think it would have done any good anyway. In my opinion, artificial support makes people less inclined to support themselves, so the quality ultimately goes down and not up. The ultimate examples of this are, of course, the local councils and central government.
Unfortunately, I see no practical alternative to letting Bill Gates and his crew go down the same slippery road as IBM, and when they become arrogant and lazy enough, someone else, who may not even exist today, will leap into the gap and we shall be off again, singing the praises of this wonderful new company.
Does anyone else remember how great we all thought the early Windows stuff was, compared with DOS? Of course we also compared it with other systems that we saw, which had "drop down menus" (even our children's Atari had them, which Windows did not), and asked each other how Bill Gates could be so silly!