Security blame games

With the Sobig.F worm on the wane and its successor presumed to be waiting in the wings, fingers are pointing angrily at Redmond.

"People sometimes ask me why I loathe and detest Microsoft with such a visceral passion," wrote packet-radio pioneer and security expert Phil Karn on his Web site. "A major reason is the never-ending stream of viruses and worms infesting [Microsoft's] abysmally insecure software."

For users of Linux and Mac OS X, the recent outbreak was a bittersweet validation. These systems were immune to the worm but -- because we are all e-mail users -- not to its effects.

Open source software partisans never seem to follow their argument to its logical conclusion, however. If more people used Linux and/or Mac OS X, more attackers would exploit the vulnerabilities of these systems. Hardly anybody argues that those systems are invulnerable to attack. What most serious advocates claim, rather, is that the open source process includes a more thorough review of code, resulting in more effective means for discovering and repairing flaws. That's a credible claim, especially when you compare today's open source methodology to what Microsoft, by its own admission, has been doing until recently. But times change.

Critics used to delight in saying that Microsoft would never "get" the Internet. Now that Microsoft is a leading contributor to Internet standards, you don't hear that complaint so much. In fact, the Microsoft that didn't "get" security has largely been reinvented. The effects of Microsoft’s heightened awareness and newfound commitment to rigorous code review, however, won't be felt for a long time, especially because Windows 9x isn't going away anytime soon. According to Microsoft Senior Developer Chris Brumme, who was diverted from stress-testing the CLR (Common Language Run time) to reviewing the DCOM (Distributed Component Object Model) stack in the wake of MSBlast, "Some of those source files contain comments from the ’80s."

You can't turn Windows’ installed base on a dime, but you can turn it eventually. In four or five years, the true nature of the struggle between the methodologies of Microsoft and the open source community may finally begin to emerge. My hunch is that both strategies will produce reliable and secure software, and that competition between them will benefit everyone. Neither strategy will deliver perfect security, of course, because no such thing exists. We'll always be assessing risks and making trade-offs.

In his new book, Beyond Fear, Bruce Schneier -- one of the world's leading authorities on security trade-offs -- completes the metamorphosis from cryptographer to pragmatist that began with Secrets and Lies, published in 2000. The new book dissects a range of security solutions in terms of the agendas of the players (attackers and defenders) and touches -- too briefly -- on ways of modifying those agendas. I particularly like the idea that insurance, the standard tool used in business to control risk and convert variable costs to fixed costs, can help make developers accountable for insecure software. Product-liability laws aren't likely to change anytime soon. But if actuaries measured the risk associated with use of competing software products and priced insurance policies accordingly, maybe we could close the feedback loop in a positive way.

The mess we're in is largely Microsoft's fault, to be sure, but any dominant software player would have created a similar mess. Ideology, of any flavor, won't help. We need rational ways to quantify risk and to value its mitigation.