Modernizing Authentication — What It Takes to Transform Secure Access
And to add more flame to the fiery debate, one of the authors was dismissed from his job because of his involvement with the report.
''It is the combination of the two -- the flaws in the software and the company's monopoly -- that creates the magnitude of the problem described,'' says Ed Black, president and CEO of the Computer and Communication Industry Association, (CCIA) a Washington, D.C.-based trade group often considered an "adversary" of Microsoft. ''There are several different pieces that come together that create a perfect storm of insecurity.''
The CCIA released and backed the study, while several players in the security industry authored the report, entitled 'CyberInsecurity: The Cost of Monopoly'.
A spokesperson for @Stake confirmed that Geer is no longer with the company since the release of the report. The company released a statement saying that ''the values and opinions of the report are not in line with @stake's views'' and that Geer is no longer associated with the company. The spokesperson added that Microsoft did not push for or participate in Geer's dismissal.
''It shows that a raw nerve was hit,'' says Black. ''The emperor never likes being told that he has no clothes. Microsoft's web of relationships is the seat of its power.''
What the report claims is that the large number of flaws in Microsoft's popular software combined with the fact that most companies around the world run that software is creating a dangerous security risk.
''If you can penetrate one Windows system, you can penetrate millions of systems,'' says Black. ''We're saying that when an entire nation, the entire industrialized world, is 96 percent dependent on a product with these flaws, there's a serious problem... It's a cascading effect.''
And Black adds that the United States' dependence on Microsoft's software is directly putting the country at risk.
''The infrastructure of every major industry, of the government, of our power system, are all basically vulnerable,'' he says. ''When they rely a great deal on a flawed system, they are vulnerable.''
Chris Belthoff, a senior analyst with anti-virus company Sophos, Inc., says he agrees that there is a risk here. Belthoff spends much of his time battling worms and viruses, like Blaster and Sobig, that attack Microsoft Windows systems. And he says virus writers attack those systems for two simple reasons -- the flaws in the coding leave them vulnerable to attack and Microsoft's huge bite of market share gives them a wide and impressive target to attack.
''Name another industry that is producing products as critical as this and there is only one player holding on to most of the marketshare,'' says Belthoff. ''And think about if those products aren't operating properly and so they could cripple the nation's IT infrastructure.
''Do these people have an axe to grind?'' Belthoff asks. ''Sure. Is that a legitimate axe to be grinding? I'd say, yes it is.''
But not everyone agrees.
Dan Woolley, a long-time security player and now a vice president at Computer Associates, which works closely with Microsoft, called the report and its charges ''bull.''
''I know what the guys are saying but it's a little hard to swallow given that some of these folks are into security products and are direct competitors with Microsoft,'' says Woolley. ''Do they have a point? Yah. But the problem I see is if I'm a bad guy, I'm going to pick the highest probability target I can get. That's Microsoft. If you hit the right thing, you can take down a lot of machines fast.''
Woolley says to claim that Microsoft is causing a national security risk is stretching things.
''I don't think the stuff is poorly built,'' he adds. ''My contention, in general, is that I don't see another software manufacturer out there jumping through the hoops to try to fix their products like Microsoft is.''
Ken Dunham of security company iDefense says he believes Microsoft is working hard on securing its software but there's a lot of flawed code to fix.
''Microsoft has increased usability of its software to become a software giant,'' says Dunham. ''The downside is that with all these features and functionalities added in, you get more problems... Microsoft made this code and they need to make security a focal point. They need to fix the code.''