[LINK] OS diversity protects cell phones from virus outbreaks

Rick Welykochy rick at praxis.com.au
Sat Apr 4 13:26:12 AEDT 2009

Andy Farkas wrote:

> How's this for coincidence - I stumbled upon this file in my archives
> this evening:
> "CyberInsecurity: The Cost of Monopoly
> How the Dominance of Microsoft's Products Poses a Risk to Security
> 27 September 2003"
> A quick Google search says it can be found here:
> http://www.ccianet.org/papers/cyberinsecurity.pdf

An excellent paper written by industry experts who understand computer
software security fundamentals. Should be required reading for anyone
in a position to make decisions on critical computing infrastructure.

This passage sums up the situation for me quite well:

    "For governments and other critical infrastructures, the price
     of failure determines the size of the risk transfer.

     Where a software monoculture exists – in other words, a computing
     environment made up of Windows and almost nothing else – what remains
     operational in the event of wholesale failure of that monoculture
     determines the size of the risk transfer.

     Where that monoculture is maintained and enforced by lock-in, as it
     is with Windows today, responsibility for failure lies with the
     entity doing the locking-in – in other words, with Microsoft.

     It is important that this cost be made clear now, rather than waiting
     until after a catastrophe."

Many informed and reputable voices are joining in calls to make
Microsoft responsible for its monopoly. Especially in light of the net
effects out here on the "end-user periphery" of our computing universe,
where we see 94% lock-in, as discussed in the paper.

Remedies are presented for consideration to alleviate the dangers of
lock-in and computing monoculture currently nurtured by Microsoft, i.e.

  * force Microsoft to provide versions of its applications that
    run on all common operating system platforms, e.g. Linux and OS X

  * publish the interface specifications for its operating system and

  * do not allow further lock-in to be disguised as perceived security
    improvements with initiatives such as "Trusted Computing"

Although the paper is six years old, the points it raises are as relevant
today as when it was written. A catastrophic failure of the kind hinted at by
the authors could be on the horizon in the form of the Conficker infection.

Earlier massive failures, such as I Love You and NIMDA, were easily forgotten,
overlooked or even forgiven, despite costing the economy tens of billions of
dollars. The only apparent cost to Microsoft for these failures has been
delays in sales necessitated by the company being seen to "do something"
to address security issues, even when those somethings have been ineffective.


Rick Welykochy || Praxis Services

Few things are harder to put up with than the annoyance of a good example.
      --Mark Twain
