News

Report: Microsoft Monopoly Puts Computing at Risk

Microsoft's virtual monopoly on the desktop puts networks and computing at large, at grave risk, according to authors of a paper on security.

• By Keith Ward
• 09/24/2003

The report is titled "Cyberinsecurity: The Cost of Monopoly", and its authors include some well-known names in the IT security field, such as Bruce Schneier of Counterpane Internet Security, and Daniel Geer of the security firm @stake.

The seven authors held a Wednesday morning conference call with reporters. Geer went so far as to state he was staking his professional reputation on the report. "There is a matter of competition policy and security policy that cannot be ignored any longer," he said. "It isn't any one factor, but a combination of factors that make this important. It's the nature of the platform that dominates every desktop everywhere. Its dominance, coupled with its insecurity, can't be ignored any further."

Another of the authors, security consultant Perry Metzger, said the problem is that there is "a gigantic susceptible population of machines. You can do awful things to vast numbers of machines. Whether or not the vendor is trying to protect the systems, with such a huge number of machines, any vulnerability can be spread to huge numbers" of computers.

The report was issued by the Computer and Communications Industry Association (CCIA), a long-time Microsoft nemesis which counts among its members America Online, Oracle and Sun. It's also been involved in the anti-trust lawsuits against Microsoft. The authors said they weren't influenced by CCIA's anti-Microsoft stance, but the report's introduction, written by CCIA, is a harshly-worded broadside against Redmond. "Microsoft's efforts to design its software in evermore complex ways so as to illegally shut out efforts by others to interoperate or compete with their products has succeeded…The presence of this single, dominant operating system in the hands of nearly all end users is inherently dangerous," it states.

The report's authors are equally scathing. "Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems…Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society," the report states.

A number of authors argued the problem isn't necessarily the security or insecurity of Microsoft products themselves, but rather their pervasiveness. As Metzger said, "If every machine on earth ran Mac OS X, it would be the same problem."

Schneier went even further. "I wouldn't put any of the blame on Microsoft…The problem won't be fixed based by the altruism of Microsoft, but by businesses saying this is a problem and we're going to fix it."

While the authors spent a great deal of time describing what they see as the problem, they offered little in the way of possible solutions. "We're speaking as scientists, not as policy people. We understand there are lots of political ramifications to this," Schneier said. Several authors suggested that government would have to have a leading role in any remedy of the problem, but again, no concrete solutions were offered.

The consensus, however, was that more OS diversity was needed. "Having diversity is necessary. It's not [all] sufficient by any means, but necessary," said one. One area the authors declined to discuss was the server/datacenter environment, which is diversity-rich, and where Microsoft doesn't even have a majority, let alone a monopoly, of the operating systems in use.

Microsoft wasn't immediately available to comment on the report or the conference call. The report can be found at www.ccianet.org/papers/cyberinsecurity.pdf.