Back Email GreenRiver
Computer Sciences at Purdue University
This note originally appeared on Dave Farber's Interesting People email list. It's reposted here with permission.
Date: Sat, 20 May 2000
From: Gene Spafford <firstname.lastname@example.org>
Several of you have taken me to task for my comments about Microsoft software quality. I don't say these things to bash MS -- I say them based on over a dozen years of experience and research in infosec issues. Quite simply, Microsoft is the vendor that is putting arbitrary scripting commands into their email clients and servers, Microsoft products are ones that continue to exhibit security flaws and problems known to researchers for decades, and it is Microsoft's design decisions and products that result in problems such as Melissa, the "love bug," and a myriad of computer viruses. Couple this with the nearly total Windows population in some environments, and we have an extremely volatile situation.
Ask any biologist, doctor, historian, or agricultural specialist: what happens when you introduce a severe contagion into a monoculture population with little natural resistance? You get pandemic -- widespread infection and damage. Whether it is measles and smallpox killing something like 90% of the Aztecs, Dutch Elm disease destroying a mainstay of the American forest, or ILOVEYOU in Outlook damaging files on machines worldwide, the result is a massive and quick-spreading epidemic.
Analyze statistics from anti-virus researchers, companies, and on-line documents. You will find that there are currently about 60,000 recognized computer viruses (not worms, such as Melissa or ILOVEYOU, but traditional viruses). Of these (as of this week):
So, over 85% of all the known viruses are for Microsoft platforms (nearly all the self-propagating worms are as well). The rate of new reports -- especially for macro viruses -- means that pattern-based virus detectors can never be up-to-date and provide 100% protection. (Note: I'm not trying to draw grand conclusions here about the reasons for this skew, but simply point out where the overwhelming threat is.) Fast-spreading, self-propagating worms using Outlook move so quickly that they are likely to be upon us before an anti-virus vendor can even get a copy to analyze.
The situation is made worse by Microsoft trying to minimize the scope of the problem and claim that they aren't responsible in any way. The MS spin doctors are even attempting to blame the users! (One MS executive even claimed that we should beat our users to prevent problems such as the "love bug": http://www.digitalmass.com/columns/software/0508.html (NOTE: this URL is no longer valid as of 05/23/2001). Microsoft employees and apologists are attempting to claim that these are problems that every software platform has, as if this somehow makes the gaping vulnerabilities less of a problem. This is simply not true -- you can't construct a "Melissa" or "love bug" worm without Outlook and MS Windows scripting host.
So, we need to do what we can ourselves to help our situation. What should you, as Purdue system and security administrators, consider doing?
The key here is to think about total cost of operation and the needed core functionality. When you put a machine in service there may be the up-front cost of the box and the software, and in this regard a Wintel box seems the best choice. But add in the time spent applying security patches, strengthening the default installation, responding to (and cleaning up after) break-ins and malware incidents, and the time spent staring at blue screens -- time for you and your staff is valuable, as is the loss of productive work time by your users. Yes, Windows runs thousands more programs than does Unix or a Mac -- but do you ever need those in a work or lab environment? Most are games, or are versions of software you don't need or already have in another form. Consider carefully what you want: buying a system because it runs programs you will never use and that may cost more over its lifetime to operate is not a bargain.
This is not intended to suggest that Microsoft is the source of all evil, or that you
should run out and replace all your Windows boxes with something else. There are good
people working for MS -- and several of them are former students and colleagues. The
university (and the world around us) would come to a very abrupt halt if we didn't have MS
products for everyday use. Furthermore, other vendor products are hardly bug-free -- we
continue to see security advisories for Solaris, HP-UX, Linux, and others. But the number
of security problems for MS products and the near ubiquity of MS platforms in many
environments means that we need to be especially concerned about this as a potential
problem area. (See
Several security experts, myself included, are convinced that we have seen only the tip of the iceberg as far as new worm/virus code is concerned. Being aware of alternatives and threats is the first step in protecting ourselves. Trying to reduce the "monoculture" environment and replace the most vulnerable members of the population is simply one step towards protecting our environment against future threats.
You do have choices, and if only enough people exercised their choices we might find all the vendors paying a little more attention to security.
Eugene H. Spafford is a professor of Computer Sciences at Purdue University, the university's Information Systems Security Officer, and is Director of the Center for Education Research Information Assurance and Security. CERIAS is a campus-wide multi-disciplinary Center, with a broadly-focused mission to explore issues related to protecting information and information resources. Spaf has written extensively about information security, software engineering, and professional ethics. He has published over 100 articles and reports on his research, has written or contributed to over a dozen books, and he serves on the editorial boards of most major infosec-related journals.
Dr. Spafford is a Fellow of the ACM, Fellow of the AAAS, senior member of the IEEE, and is a charter recipient of the Computer Society's Golden Core award. Among other activities, he is chair of the ACM's U.S. Public Policy Committee, a member of the Board of Directors of the Computing Research Association, and is a member of the US Air Force Scientific Advisory Board. He regularly serves as a consultant on information security and computer crime to law firms, major corporations, U.S. government agencies, and state and national law enforcement agencies around the world.
More information may be found at http://www.cerias.purdue.edu/homes/spaf.
In his spare time, Spaf wonders why he has no spare time.