Debate Rages Over Microsoft Security Report

Industry players are hotly debating a controversial report released this week claiming that flaws in Microsoft Corp.'s software, combined with the company's grip on the market, are creating a national security risk.

And to add more flame to the fiery debate, one of the authors was dismissed from his job because of his involvement with the report.

''It is the combination of the two -- the flaws in the software and the company's monopoly -- that creates the magnitude of the problem described,'' says Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), a Washington, D.C.-based trade group often considered an "adversary" of Microsoft. ''There are several different pieces that come together that create a perfect storm of insecurity.''

The CCIA released and backed the study, while several players in the security industry authored the report, entitled 'CyberInsecurity: The Cost of Monopoly'.

Daniel Geer, a security consultant and, at the time, the chief technical officer of @Stake, a security consulting firm, was the principal author.

A spokesperson for @Stake confirmed that Geer is no longer with the company since the release of the report. The company released a statement saying that ''the values and opinions of the report are not in line with @stake's views'' and that Geer is no longer associated with the company. The spokesperson added that Microsoft did not push for or participate in Geer's dismissal.

''It shows that a raw nerve was hit,'' says Black. ''The emperor never likes being told that he has no clothes. Microsoft's web of relationships is the seat of its power.''

The report claims that the large number of flaws in Microsoft's popular software, combined with the fact that most companies around the world run that software, creates a dangerous security risk: a single exploitable flaw is shared by nearly every installed system.

''If you can penetrate one Windows system, you can penetrate millions of systems,'' says Black. ''We're saying that when an entire nation, the entire industrialized world, is 96 percent dependent on a product with these flaws, there's a serious problem... It's a cascading effect.''

And Black adds that the United States' dependence on Microsoft's software is directly putting the country at risk.

''The infrastructure of every major industry, of the government, of our power system, are all basically vulnerable,'' he says. ''When they rely a great deal on a flawed system, they are vulnerable.''

Chris Belthoff, a senior analyst with anti-virus company Sophos, Inc., says he agrees that there is a risk here. Belthoff spends much of his time battling worms and viruses, like Blaster and Sobig, that attack Microsoft Windows systems. He says virus writers target those systems for two simple reasons: the flaws in the code leave them vulnerable to attack, and Microsoft's huge share of the market gives attackers a wide and impressive target.

''Name another industry that is producing products as critical as this and there is only one player holding on to most of the market share,'' says Belthoff. ''And think about if those products aren't operating properly and so they could cripple the nation's IT infrastructure.

''Do these people have an axe to grind?'' Belthoff asks. ''Sure. Is that a legitimate axe to be grinding? I'd say, yes it is.''

But not everyone agrees.

Dan Woolley, a long-time security player and now a vice president at Computer Associates, which works closely with Microsoft, called the report and its charges ''bull.''

''I know what the guys are saying but it's a little hard to swallow given that some of these folks are into security products and are direct competitors with Microsoft,'' says Woolley. ''Do they have a point? Yah. But the problem I see is if I'm a bad guy, I'm going to pick the highest probability target I can get. That's Microsoft. If you hit the right thing, you can take down a lot of machines fast.''

Woolley says to claim that Microsoft is causing a national security risk is stretching things.

''I don't think the stuff is poorly built,'' he adds. ''My contention, in general, is that I don't see another software manufacturer out there jumping through the hoops to try to fix their products like Microsoft is.''

Ken Dunham of security company iDefense says he believes Microsoft is working hard on securing its software but there's a lot of flawed code to fix.

''Microsoft has increased usability of its software to become a software giant,'' says Dunham. ''The downside is that with all these features and functionalities added in, you get more problems... Microsoft made this code and they need to make security a focal point. They need to fix the code.''