Truth About Computer Security Hysteria
Gates lost — because I didn't file an amicus curiae
Rob Rosenberger, Vmyths co-founder
Wednesday, 17 November 1999
I FINALLY DIGESTED judge Jackson's Microsoft Trial Findings of Fact. Three excerpts stand out from a computer security perspective, so let's tackle them in order. First up:
[para #174] Microsoft has unjustifiably jeopardized the stability and security of the operating system... [They] made it easier for malicious viruses that penetrate the system via Internet Explorer to infect non-browsing parts of the system.
I fail to see His Honor's logic. I assert the Internet itself is the true "common" threat, not the browser. It simply doesn't matter what OS you run or what email/web client you prefer. Their commonality comes in second with respect to Internet security. Remember: we designed the Internet to link diverse network architectures so they could communicate with each other after a nuclear war.
Java or Linux or whatever comes next will give us even more homogeneity, which in turn will foreshadow greater common threats. What difference does it make if Microsoft paved the way a little bit? You can't blame an individual element for a common threat, folks — it's like blaming one cloud for the threat of a hurricane.
Let's move on. Judge Jackson chimed in with an interesting "fact" about consumer-driven security desires:
[para #197] Consumers recognize that the Web contains ... viruses that are capable of causing devastating and irreversible harm to their security and privacy interests. Accordingly, consumers prefer, and benefit from, innovations in Web browser technology that help them identify and avoid harmful Web resources.
Consumers want innovative security in non-security products? His Honor overlooks reality. GartnerGroup, for example, recommends clients avoid innovation even in genuine security products. A PC Magazine reviewer said basically the same thing earlier this year. I could bore judge Jackson to tears with anecdotes like this. When it comes to security, users react like those sheep in the movie "Babe." Fear drives sales, not innovation.
Symantec, Network Associates, and other antivirus firms know what consumers want in a product. They want to see great-looking boxes on store shelves! Software marketing teams (I didn't say "antivirus marketing teams") do everything they can to attract your eye as you walk through the aisles. Judge Jackson should go to Best Buy, pick up a useless cardboard container of antivirus software, and study it.
If & when consumers want innovative security, they will dump ActiveX, stop using Word as their email editor, switch to Linux, and demand profile-based virus detection. Users can talk all they want, but actions speak louder than words.
(Yeah, like I should talk about innovation. I still run DOS & Win31 on my personal systems. In my defense, I don't lose sleep about computer security — and I've used "innovative" products from Command Software, Stiller Research, FoundationWare, and some other firms you never heard of.)
Okay, let's continue:
[para #198] Far from demonstrating that Internet Explorer is currently a "best of breed" Web browser, the evidence reveals Microsoft's awareness of the need for continuous improvement of its products. For example, Microsoft frequently releases "patches" to address security and privacy vulnerabilities in Internet Explorer as they are discovered. In sum, there is no indication that Microsoft is destined to provide a "best of breed" Web browser that makes continuing, competitively driven innovations unproductive.
Again, I fail to see how judge Jackson's argument leads to this conclusion. His Honor implies a best-of-breed product needs little improvement, and he further implies a best-of-breed product needs little security tweaking. Bah! All major products undergo constant improvement, folks. All major products contain security flaws.
Look no farther than the "ping-o-death" discovery in 1996 — most (if not all) Internet-aware OSs required security patches. Netscape suffered their own security woes the same year. The first true Java applet virus made its debut last year. Want something more recent? I identified a widespread (and easily exploitable) flaw in antivirus software this summer.
By His Honor's logic, no security product can call itself a "best of breed." They constantly undergo improvement, they require numerous updates, and they need security patches.
Man, I hope Gates didn't lose this round because I failed to submit an amicus curiae. Did Microsoft's lawyers present these counter-arguments to the court?