BOSTON -- The audience was equally tough on both men. But if a show of hands before and after the event was any...
indication, most shared noted security researcher Dan Geer's concern that a Microsoft-dominated world is one in peril.
"The bigger the prey, the juicier it is" for the predator, Geer said during yesterday's debate with Microsoft Chief Trustworthy Computing Strategist Scott Charney at the USENIX technical conference in Boston. The debate focused on a paper Geer and six others authored last year warning that Microsoft's market dominance with faulty software threatens national security and puts critical infrastructure at risk to hackers, malware and cyberterrorists. An operating system monoculture, Geer warned, "is a threat to security; a danger in principle and practice. All monocultures live on borrowed time."
Geer said a monoculture allows for more amateur attacks, compared to a more diverse environment that produces intruders of a much higher ability.
Charney argued the monoculture theory is overly simplistic; that it would require an incredible amount of diversity and create a new security nightmare.
"True impactful diversity would require hundreds, if not thousands, of different operating systems, which would make security even more difficult," Charney said. "Solutions need to be actionable to work. We need to deal with the problems we face today instead of forcing the world to spend time, money and resources to diversify with primitive products."
Charney acknowledged Microsoft products aren't perfect, but noted the computer revolution is only a couple decades old and the focus must be on solutions where companies can get a reasonable return on investment.
The paper's release last fall generated controversy and Geer lost his job with network security vendor @stake over it. The paper cited the biological principle that species with little genetic variation are most vulnerable to catastrophic epidemics. Genetic diversity increases the chances some may survive an attack and the same principle can be applied to global computer security, according to the report, co-authored by Bruce Schneier, CTO at MSSP Counterpane Internet Security; Becky Bace, CEO of consultancy Infidel; Peter Gutmann, a computer science researcher at the University of Auckland; Charles Pfleeger; master security architect at Exodus Communications; John Quarterman, founder of InternetPerils; and Perry Metzger, managing partner at Metzger, Dowdeswell & Co.
Schneier and Metzger were among those who packed the Marriott hotel conference room for the exchange.
At one point, Metzger approached the microphone and challenged Charney's claim that the paper advocated total diversity as the solution to every problem.
"We're well aware diversity won't solve everything," Metzger said. He then asked Charney, "Are you really going to say that if I have all Windows I'll be better off against Windows attacks without a second system?"
Charney said he sees diversity as a factor in solving some security problems, but repeated his view that it isn't a solution in and of itself.
To that, Metzger said, "No one said it would fix everything, just that it could address certain problems."
Dr. Aviel Rubin, technical director of the Johns Hopkins Information Security Institute and moderator of the debate, asked Geer to respond.
"On a world basis the percentage of pirated Windows platforms is high," Geer said. "It's quite possible to harden the environment in a way that makes things brittle as well as hard."
One questioner challenged Geer, saying the problem with diversity is that other systems don't help when the big one is getting pounded.
"You're right," Geer said, but added that it's better than having the big system under attack with nothing else to fall back on.
Before the debate, Rubin asked the audience for a show of hands on whose argument they agree with. Before the debate, a vast majority raised their hands in Geer's favor. When it was over, the vast majority still sided with him.