ACT responds to security study

– by Joe Barr –
Association for Competitive Technology (ACT) president Jonathan Zuck has responded to the security study authored by well-known security experts and published by arch-rival group CCIA this morning. The ACT is funded primarily by Microsoft and two other firms: Orbitz and Ebay. Zuck often travels to testify against any legislation which might disrupt the status quo; they are perfectly comfortable with Microsoft’s monopoly. This past summer, for example, he flew to Austin, Texas, in order to speak against state Senate Bill 1579, which mandated a study on the use of open source software in state government. His statement, which was entitled “The Myth of the Monoculture: Why the CCIA Security Study is Just Another Thinly Veiled Attempt to Get the Government to Punish Microsoft and Give AOL and Sun a Leg Up” follows.

On the back of his CCIA-funded security study, Ed Black is riding in with his own Marxist Government-mandated Software Security plan. Not surprisingly, the plan benefits CCIA’s own members like Sun Microsystems at the expense of Microsoft.

The study’s premise of an existing monoculture in computer security is inherently false. Of 660 million Windows users worldwide, less than one-tenth of one percent were impacted by the notorious MSBlast worm last month. Why? In reality, each Windows user has different configurations of hardware, routers, virus software, and security habits. The diversity that comes from the security stack of hardware, software and user habits leads to an extremely heterogeneous security environment even on a single operating system like Windows. The evidence clearly shows that the monoculture feared by the authors exists only in theory and not in reality.

On the operating system level, the authors do little to show why mandating a heterogeneous environment would create any greater security. With viruses and hacker attacks proportional to market share, the evidence suggests that a multicultural computing environment wouldn’t lead to fewer security threats. At the same time, the study ignores the benefits of homogenous networks, such as ease of security management and lower security training costs which offset the potential dangers.

CCIA proposes solving this problem with a set of government-mandates for Microsoft that has already been rejected by the courts. If the government continues to reject CCIA’s proposals, what would Ed Black suggest then? To mandate that each American be assigned a different operating system based on their social security number? The only answer here is the market. If a computing monoculture emerges as a legitimate security problem, the market will react and do a far better job than any government mandate.

Security is the number one issue for the software industry. Instead of this mercenary rhetoric, our industry needs to be focused on working together to improve security across the board and ensuring good security practices inside large organizations.”

It is appalling that Ed Black and CCIA would exploit our nation’s security for politics and greed. CCIA’s concerns are not based on good security or public policy, but business opportunities for the horde of Microsoft competitors it represents. To benefit its member companies like Oracle and Sun, CCIA repeatedly has attempted to hobble Microsoft using political process here and abroad. This is just more of the same.

Joe Barr has been writing about personal computing for 10 years, and about Linux for five. His work has appeared in IBM Personal Systems Journal, LinuxGazette, LinuxWorld, Newsforge, phrack, SecurityFocus, LinuxJournal.com, and VARLinux.org. He is the founder of The Dweebspeak Primer, home of the official newsletter of the Linux Liberation Army, an organization in which he holds the honorary rank of Corporal-for-life.