Security Expert Dan Geer's Letter to MA Senator Pacheco Re ODF

Friday, December 09 2005 @ 03:52 AM EST

Here is a letter that security professional Dan Geer has just sent to Massachusetts Senator Marc Pacheco, and he tells me he sent similar letters to Secretary of the Commonwealth Francis Galvin and Senate President Robert Travaglini. He warns them that the Commonwealth needs to mitigate its risk by avoiding a computing monoculture. If a private company received such a letter, I assure you that their lawyers would take it very seriously, as it would put them on notice, actual notice. Dr. Geer strongly supports OpenDocument Format, as you will see, and his reasons include concern about security issues.

Here's a paper he has written on the subject of the dangers of a software monoculture, Monoculture on the back of the envelope [PDF], in which he provides some alarming statistics on infection rates in Microsoft PCs and the odds of a cascading failure in an enterprise, and summarizes like this:

"Which gets you an estimate that perhaps 15% of all desktops are to some degree owned as I write this. This feels high, but as a personal data point, some colleagues recently found 70% of the desktops inside a defense contractor handling classified data to have spyware of one or another sort, and two keyloggers on the section head’s desk.... None of this is particularly good news but then again none of it is news at all. We knew this before, we just don’t like hearing it, we shoot messengers, we try to patch things up. Everyone within the sound of my voice knows this. My 87-year-old cost accountant father knows this (his estimate is that over half of the productivity gains computers should have brought the domestic economy were lost due to standardization on the Redmond platform). They know this in Redmond, too, where I do not envy the task they have in front of them, as it is like nothing so much as plugging shell holes below the waterline while under cannonade. In the meantime, Ballmer has one foot on the boat and one foot on the dock. The boat is labeled “Fix the security problem, but lose backward compatibility.” The dock is the converse, “Preserve backward compatibility, but never fix the problem.” If he pulls his foot back onto the dock, he preserves backward compatibility but he never fixes the problem. This is betting that Microsoft is never tagged with liability for the security failures that only a monoculture can exhibit. Liability lawyers of the world are watching, and Steve is one nasty virus away from le deluge, not to mention the so-called progressive legislatures.

If he puts both feet in the boat and sails away from backward compatibility, then he absolutely puts into play the desktop in every single global corporation; those corporations are only sticking with Windows to amortize their existing investment in it. If they have to start over and write off that capitalization, they are not starting over with another round of “I won’t hit you again, Honey, I promise.”"

When I read that, I couldn't help but remember that Microsoft's Ray Ozzie said that Microsoft's Office Open XML will provide backward compatibility with pre-existing Office formats. I also wondered if someone should do a security audit on the Commonwealth's government computers to determine what malware the state's employees have on their computers. That might prove educational indeed.

**********************************
Hon. Marc R. Pacheco
Massachusetts Senate
State House, Room 312-B
Boston, Mass. 02133

re: OpenDocument Standards

Dear Sen. Pacheco,

My name is Dan Geer. I am one of the half dozen ranking world experts in matters of computer security. By virtue of a long career both in academia (MIT and Harvard) and the private sector (six times an entrepreneur), there is absolutely no one in the State House who is not using software that I had a hand in producing, including yourself. I am a trusted advisor to the Federal Trade Commission, the Departments of Justice and Treasury, the National Academy of Sciences, the National Science Foundation, the US Secret Service, and the Department of Homeland Security. I am a Board member for a number of promising startups and their funding sources, have forty-two refereed publications, books and book chapters, four patents, over two hundred fifty invited presentations twenty percent of which were keynotes, and have been five times before the US Congress -- twice as lead witness. I have taught ten thousand students in the aggregate.

As an Officer of the Commonwealth, you understand the monopoly power of Microsoft quite well as the Commonwealth was the last man standing in the most recent round of antitrust litigation. What perhaps you did not grasp is the degree to which a computing monoculture is a security risk of the highest sort. It is, and I and others in the security research community are on record in unassailable ways that a computing monoculture is a hazard, but that it is an avoidable hazard if you want it to be. Microsoft maintains its power through user-level lock-in, as the Commonwealth noted and which it so adequately opposed. So long as that lock-in persists, there will be no solution to the monoculture risk. That lock-in is centered on and wholly confabulated with the use of proprietary formats for all documents produced by the Office Suite. Therefore, as a matter of logic and logic alone, if you care about the security of the Commonwealth then you must care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you must care about barriers to computing diversification. If you care about barriers to computing diversification, then you must care about user-level lock-in. If you care about user-level lock-in, then you must apply yourself to the task of breaking the proprietary format stranglehold on the Commonwealth.

Fortunately, that has already begun. The Enterprise Technical Reference Model and its call for Open Document standards is precisely what is needed and it is not a moment too soon. As a ranking security professional with a doctorate in statistics, I can provide any amount of technical, quantitative proof that Open Documents are the point of maximum leverage and that the risk of remaining as we are exceeds any non-specialist's understanding including, with respect, yours. Warning times before attacks take place have fallen to zero. There is a new Windows virus every four hours. Perhaps 15% of all desktop Windows computers are running malware of some sort and I'll bet you $100 that includes your office. There is a direct and demonstrable correlation between increasing complexity of the Windows system and the effectiveness of attacks. Jurisdictional boundaries are meaningless if not undetectable in an always-on, fully-networked world. And as you almost surely know, your opponents are no longer misanthropic isolates but are instead professionals. So long as the Commonwealth voluntarily allows itself to be locked-in by the proprietary document formats of a proven monopoly, the Commonwealth cannot diversify and therefore the Commonwealth cannot mitigate its risk in any but the most marginal and palliative ways.

I am ready to vigorously debate these points with any and all comers both privately and in any venue. This is, in other words, a matter on which I actually do stake my professional reputation, my fortune, and my sacred honor. How may I be of assistance?

Very truly yours,

Daniel E. Geer, Jr., Sc.D.

P.S. I have blind relatives and if genetics is any guide may have that in my future. My comments still stand.

Authored by: brooker on Friday, December 09 2005 @ 04:04 AM EST
This is my first time :o)
---
I have never made but one prayer to God, a very short one:
O Lord, make my enemies ridiculous. And God granted it.
~ Voltaire

Authored by: brooker on Friday, December 09 2005 @ 04:09 AM EST
Making links clickable is a helpful thing to do.
---
I have never made but one prayer to God, a very short one:
O Lord, make my enemies ridiculous. And God granted it.
~ Voltaire

Authored by: PM on Friday, December 09 2005 @ 04:10 AM EST
Organisations seem to take peculiar views of risk. For example, an IT employee in a major oil company says the company does not favor open source software as there is no one to sue if things go wrong. They seem to forget that they are unlikely to successfully sue anyone for the greatest risk - business disruption, fraud and theft of confidential information through viruses and worms.

The biggest scream of the lot IMO was a draft contract drawn up by a lawyer to cover a cable company installing cable on a power company's poles. The contract required the cable company to indemnify the power company if the power company was sued because cable content breached copyright. The contract was silent on what would happen if power poles fell down under the extra weight of the cable. Of course no one asks the engineers until it is too late.

It just shows how organisations take a lop-sided view of risk management.

Authored by: Anonymous on Friday, December 09 2005 @ 05:01 AM EST
Dan Geer has in the past been associated with the Computer & Communications Industry Association (CCIA), who were mentioned in a post on Wednesday urging ECMA to not support Microsoft's Document format.

In 2003 CCIA published a scathing report by Dan Geer on the perils of a Microsoft monoculture (PDF). This report led to Dan Geer being sacked by his then employer, who numbered Microsoft among their customers.

So CCIA seems firmly in the anti-Microsoft camp, yet interestingly enough CCIA lists Microsoft among its members. I wonder if this is a case of Microsoft keeping close to its enemies?

delboy711 - Anonymous because login is not working at the moment

Authored by: Anonymous on Friday, December 09 2005 @ 05:23 AM EST
So they've received notice that a monoculture is potentially a security risk. I don't see why it's *particularly* relevant to lawyers, even in a private company - because it's not obvious to me that them choosing to favor a monoculture (even if undesirable) is itself a crime, or a tort, or particularly legally significant in any way.

Lots of public and private organizations receive all kinds of mail requesting them to favor one or another purchasing or policy decision over another, for all kinds of reasons. These may also contain "actual notice". So what?

In-house counsel is only going to sit up and take notice if it's actual notice of a crime, or a tort, or legally significant facts.

Authored by: Anni on Friday, December 09 2005 @ 06:08 AM EST
"Perhaps 15% of all desktop Windows computers are running malware of some sort and I'll bet you $100 that includes your office."

Together with the expertise detailed in the first paragraph, this should make the recipients rather nervous. But then, they are professional politicians, so who knows.
---
Sometimes it is better to light a flamethrower than curse the darkness.

Authored by: grouch on Friday, December 09 2005 @ 06:29 AM EST
Absolutely stunning! Dr. Geer's letter is overwhelming.
---
-- grouch
http://edge-op.org/links1.html

Authored by: Anonymous on Friday, December 09 2005 @ 07:16 AM EST
I remember reading where he is the chair of THE JOINT COMMITTEE ON ECONOMIC DEVELOPMENT AND EMERGING TECHNOLOGIES, and I remember reading where he was one of the 3 that was chosen to be advised on tech matters as they developed in the state (might relate to ODF as well)!

STATE SENATOR
JACK HART
State House
Room 109-C
Boston, MA 02133
Telephone: (617) 722-1150
Party Affiliation - DEMOCRAT
E-Mail Address: JHart@Senate.State.MA.US
Committees on which the legislator serves:
Economic Development & Emerging Technologies (Chair)
Tourism, Arts & Cultural Development (Chair)
Bonding, Capital Expenditures & State Assets
Mental Health & Substance Abuse
Public Service
Veterans & Federal Affairs

Authored by: DaveJakeman on Friday, December 09 2005 @ 07:19 AM EST
...except that what Microsoft is actually doing is intentionally sabotaging backwards compatibility, whilst perpetuating the security problem.
---
Should one hear an accusation, first look to see how it might be levelled at the accuser.

Authored by: Anonymous on Friday, December 09 2005 @ 07:44 AM EST
I am amazed at the power that comes out of these words. I think this is one of the most intense official documents I have ever read. Have to say: I love it! Congratulations for such a piece!

Sincerely,
Filippo Rusconi, PhD
polyxmass.org

Authored by: tz on Friday, December 09 2005 @ 08:21 AM EST
The problem isn't merely monoculture. It is a monoculture of badly flawed systems. Anyone remember what MS was saying about putting security first a few years ago?

Apache has a large share, but fewer attacks than IIS. But Apache isn't part of the OS.

If every linux system ran as root and had the browser and any media player as installable kernel modules, it would be hit too.

Or Apple's Mac OS. But they isolate things. You really need to type a security password before something really bad can happen. And generally you know what and why you are doing it.

Instead, we get Windows with either no security or where everyone runs with administrator privileges. I'll give them that in XPSP2 they are finally turning some security on by default and services off by default, but it isn't perfect and was late in coming. Still, you have ActiveX instead of Java, so everything runs as an executable on your system. IE still has bugs and is so deeply integrated that an IE flaw is an OS flaw.

If you have a mix of flawed OSes, it is unlikely that many will get infected. If you have basically secure OSes, same thing (I find it hard to imagine a block of ubuntu linux boxen or a Mac OS X lab getting hit - it is possible but would require a much higher level of hacking - Sony audio CDs won't put rootkits on either).

The problem is one of a monoculture of horrible fundamental design that makes security nearly impossible. If Windows was as secure as Linux (not run as root - and Linux is not designed to be truly secure, it simply isn't silly or stupid), the monoculture would not likely be a problem.

For a simple example, the Sony CDs should not be able to automatically install anything on any properly designed OS. Do they put rootkits on Windows 2003 as well? Will they on Vista?

To put it in more accessible terms, it is easier to install Linux on a box with bizarre hardware than it is to secure Windows on the most vanilla hardware.

Authored by: gbl on Friday, December 09 2005 @ 09:06 AM EST
I believe that when (if?) Longhorn/Vista ships, it will be the last operating system from MS that is based on the MSDOS/Win design.

Stretching the Windows design to cover multi-core/multi-cpu systems with a terribly slow thread/process creation model will be impossible.

Apple took the plunge and brought in an OS kernel that worked, will Microsoft do the same?
---
If you love some code, set it free.

Authored by: jeattimo on Friday, December 09 2005 @ 09:24 AM EST
Friends

It's a small thing. But Boston Metro was kind enough to publish my letter on OpenDocument. You can see it here http://tinyurl.com/8ktrp on 12/06/2005 letters to the editor. (My letter was edited slightly by the Metro editor.)

Open document format, explained

The article “Microsoft move eases format criticism” (Dec. 1) was misleading. The whole controversy is not about open-source vs. Microsoft, it’s about open standards vs. proprietary formats. The state of Massachusetts will require that by 2007, all documents produced by the state’s executive branch must be stored in a new universal format (OpenDocument format) so that the documents are access ible to everybody for generations to come. There is nothing to stop Microsoft from adopting this format except they lose control over your personal information. Unfortunately, not all officials — elected or not — are happy about it. Secretary of State William F. Galvin’s office, state Sen. Marc Pacheco, and other proprietary vendors say they are opposed to the state’s plan to store documents in an open format without providing any further explanation about the reasons for their objections.

The OASIS Open Document Format for Office Applications is the only standard format for editable office documents that 1) has been vetted by an independent recognized standards body; 2) has been implemented by multiple vendors; and 3) can be implemented by any software developer (including both proprietary software vendors and developers of open software).

Authored by: ijramirez on Friday, December 09 2005 @ 09:54 AM EST
I find this letter to be ineffective. I was impressed by the author stating his qualifications in order for the reader (Mr. Pacheco) to have a feel of the level of the writer's expertise. But as I continued reading it my mood changed in a negative way. Pedantic is the word that came to my mind. As a genetic expert who has advised elected officials on a multitude of health issues, I know letters to elected officials must be brief and to the point. I also must be careful not to insult the reader by implying that the other person is incapable of understanding the issue at hand because I am an expert and he is not. If that was not enough, follow with a $100 bet?

I don't think that is the way to influence elected officials.

Authored by: DMF on Friday, December 09 2005 @ 11:12 AM EST
So long as we're forewarned that giving Microsoft the benefit of the doubt is like giving a car thief the keys to your Ferrari, let me pose this possibility.

The ECMA submission talks about custom schema. There are two ways to achieve backward compatibility in Office: write the old schemae into code, or write them into MSXML. The latter is much cleaner to develop and maintain. As I understand it such schemae could be obfuscated, but in any case they are protected IP. Further, since MS' long-term strategy is to move away from the fat client (fat clients being relatively immune to DRM and subscription fees), fat code is not desirable. While the old formats would not be part of any standard going forward, they could be implemented as custom schema within the standard, and that approach could be justified technically. That it also leaves the door open for proprietary control of the standard could be an unintended side effect.

Microsoft *could* be serious about standardizing MSXML going forward ("standardizing" as per our understanding of it). The covenant for IP, flawed as it is, would seem to support that. Understood that way, Microsoft's conversion to open standards could be real for most within Microsoft. Retaining the old formats as closed would continue lock-in for the near future. (That old documents could be converted to new format does not imply that any significant percentage would be.) Lock-in gives MS time to exert its technical muscles to beat open source on quality and features. (Surely there's no one within MS that doesn't believe they could do a better job than the disorganized rabble of FOSS.) To MS, in an open standards world the only real FOSS advantage is the head start.

But the implementation feels more like the compromise decision of a divided committee. Perhaps Mr. Gates is trying to hedge his bets by planting these escape hatches. It looks like he's making an honest effort, and if he wins on merit he's a hero. If he doesn't, he can always play the trump card.

(Aside: I've seen what custom schema can do to a "standard" format. If you're interested in an example, ask any traffic engineer about the NTCIP standard and its effect on interoperability. Pray that the Custom Schema Flu doesn't become a pandemic.)

Authored by: Anonymous on Friday, December 09 2005 @ 11:24 AM EST
I had the pleasure of working with Dr. Geer back when I was a co-op and later an employee of OpenVision Technologies. He was an amazing person to work with who understood the future of the internet and the security risks well ahead of the industry as a whole. Back in 1995 he was talking about self healing networks and routers which could detect the progression of not only trojans and worms, but malicious intrusion. The products we were working on were for security compliance, intrusion detection, kerberos single-signon (bought and killed by MicroSoft), and whole network surveillance. The products were years ahead of their time in their scope. Unfortunately at the time people were more interested in dealing with problems after the fact. This is still the status quo today.

Dr. Geer not only knows the problems but he proactively tries to be part of the solution not only with his voice as in this letter, but with his own money, funding many start-ups and one open source project that I know of. When he speaks, he speaks as someone who has worked with these computer systems, written the code, worked with banks and the government to help secure their networks. He is not speaking as someone from on high. He speaks as someone who has been fighting in the trenches for years.

I still run SecureMax on my linux machines at home (and hence my posting anonymously as that software is lying forgotten in some company's purchased IP). I get sad when I think of what could have been accomplished in the past 10 years if we had the ability to continue developing those technologies.

Authored by: Slice on Friday, December 09 2005 @ 11:55 AM EST
Mr. Geer is making excellent points, but he is making them in the most high-handed, arrogant manner possible. The TONE of his letter completely undercuts the FACTUAL content of his arguments. The sneer on his face is almost audible.

The congressional staffer who opens this letter would have a tough time justifying bringing it to the Senator's attention.

Authored by: philc on Friday, December 09 2005 @ 12:12 PM EST
But you are writing to politicians in Massachusetts. These people are well briefed by all sides. There are formal rules on bringing a Judge up to speed with issues of a case. That is not needed in politics. We-the-people keep the politicians well briefed. When they speak it is because that is what they want to say, because they have made up their (influenced) minds.

Anyone that does not understand the monoculture threat just plain doesn't want to face the issue. Everyone that uses Microsoft for a while becomes very aware of the down side of their products. Further, anyone that is involved with IT matters is well versed.

So, when people start to do things that are unexpected it's time to follow the money trail.

Authored by: Anonymous on Friday, December 09 2005 @ 12:54 PM EST
Let me preface by saying that I am truly impressed by Geer's credentials. However, I think that the letter skirts around issues and doesn't get to the point. He confuses operating system security with document security. Does he really think that if you use OpenDocument instead of MS Office on a MS Windows computer, then your overall security is significantly improved? No, he talks about such things as keyloggers instead, which have nothing to do with document formats. This argument is disingenuous at best.

Further, he does not explain why MS Office formats are less secure than OpenDocument. He seems to dwell on the dangers of a monopoly, instead. Both MS Office and OpenDocument support macros, so both are at risk. However, he does not explain why OpenDoc macros are less risky than MS Office macros (if indeed they are).

It would have been a much more effective letter had he stuck to the issue at hand - that of document formats and document security.

Authored by: Totosplatz on Friday, December 09 2005 @ 02:34 PM EST
Bruce Schneier's blog has a comment on security claims and counterclaims about Office XML and ODF. I do not know how to reference his comment directly, but on the blog page the comment is entitled "OpenDocument Format and the State of Massachusetts"; the gist of it is to counter Microsoft's argument that ODF is less secure than Office XML:

"So far, nothing here is relevant to this blog. Except that Microsoft, with its proprietary Office document format, is spreading rumors that ODF is somehow less secure."

This, from the company that allows Office documents to embed arbitrary Visual Basic programs?

Yes, there is a way to embed scripts in ODF; this seems to be what Microsoft is pointing to. But at least ODF has a clean and open XML format, which allows layered security and the ability to remove scripts as needed. This is much more difficult in the binary Microsoft formats that effectively hide embedded programs.
---
All the best to one and all.
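The point in that last paragraph, that ODF's open ZIP-of-XML layout lets a recipient remove embedded scripts, and the macro concern raised in the earlier anonymous comment (both formats support macros) can be made concrete. The Python below is an added example, not code from this thread, from Schneier's post or from any ODF implementation: it drops the Basic/ and Scripts/ package directories that OpenOffice.org/LibreOffice use for macro code, the manifest entries that reference them, and the <office:scripts> and <office:event-listeners> bindings in content.xml and styles.xml, then re-inspects the result. The sample document it builds is constructed inline; the function names and the report layout are my own.

```python
"""Strip macro code and event bindings from an ODF package: macro libraries live under Basic/ or
Scripts/ and in META-INF/manifest.xml; <office:scripts>/<office:event-listeners> bind them to events."""
import io, zipfile
import xml.etree.ElementTree as ET

OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
for p, u in (("office", OFFICE_NS), ("script", SCRIPT_NS), ("text", TEXT_NS), ("manifest", MANIFEST_NS)):
    ET.register_namespace(p, u)            # keep conventional prefixes when re-serialising
SCRIPT_DIRS = ("Basic/", "Scripts/")       # package directories that hold macro code
XML_PARTS = ("content.xml", "styles.xml")  # parts that may carry event bindings


def strip_script_elements(xml_bytes: bytes) -> tuple[bytes, int]:
    """Remove <office:scripts> and every <office:event-listeners>; return (xml, count)."""
    root = ET.fromstring(xml_bytes)
    drop = {f"{{{OFFICE_NS}}}scripts", f"{{{OFFICE_NS}}}event-listeners"}
    removed = 0
    for parent in list(root.iter()):       # snapshot first: the tree is mutated below
        for i, child in reversed(list(enumerate(parent))):
            if child.tag in drop:
                tail = child.tail or ""    # ET hangs the text that follows an element on it: keep it
                if i:
                    parent[i - 1].tail = (parent[i - 1].tail or "") + tail
                else:
                    parent.text = (parent.text or "") + tail
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def sanitize_odf(data: bytes) -> tuple[bytes, dict]:
    """Return a macro-free copy of the package plus a report of what was removed."""
    report = {"dropped_entries": [], "removed_elements": 0}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():        # keep the original entry order
            name = info.filename
            if name.startswith(SCRIPT_DIRS):
                report["dropped_entries"].append(name)
                continue
            payload = src.read(name)
            if name == "mimetype":         # ODF rule: first entry, stored uncompressed
                dst.writestr(name, payload, compress_type=zipfile.ZIP_STORED)
                continue
            if name in XML_PARTS:
                payload, n = strip_script_elements(payload)
                report["removed_elements"] += n
            elif name == "META-INF/manifest.xml":   # drop references to the macro libraries
                root = ET.fromstring(payload)
                for entry in list(root):
                    if entry.get(f"{{{MANIFEST_NS}}}full-path", "").startswith(SCRIPT_DIRS):
                        root.remove(entry)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, payload, compress_type=zipfile.ZIP_DEFLATED)
        report["entries"] = dst.namelist()
    return out.getvalue(), report


def inspect_odf(data: bytes) -> dict:
    """Detection side: count macro entries, manifest references, bindings and surviving words."""
    found = {"macro_entries": 0, "manifest_refs": 0, "script_elements": 0, "words": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(SCRIPT_DIRS):
                found["macro_entries"] += 1
            elif name == "META-INF/manifest.xml":
                found["manifest_refs"] += sum(1 for e in ET.fromstring(z.read(name))
                                              if e.get(f"{{{MANIFEST_NS}}}full-path", "").startswith(SCRIPT_DIRS))
            elif name in XML_PARTS:
                root = ET.fromstring(z.read(name))
                for t in ("scripts", "event-listeners"):
                    found["script_elements"] += len(root.findall(f".//{{{OFFICE_NS}}}{t}"))
                found["words"] += len("".join(root.itertext()).split())   # document text must survive
    return found


def build_sample_odt() -> bytes:
    """Constructed input (not a real document): a paragraph, a Basic library, and two bindings."""
    href = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"
    content = f"""<office:document-content xmlns:office="{OFFICE_NS}" xmlns:script="{SCRIPT_NS}"
  xmlns:text="{TEXT_NS}" xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">
 <office:scripts><office:script script:language="ooo:Basic"/><office:event-listeners>
  <script:event-listener script:event-name="dom:load" script:language="ooo:script" xlink:href="{href}"/>
 </office:event-listeners></office:scripts>
 <office:body><office:text><text:p>Budget figures for FY2006.</text:p>
  <text:p><text:a xlink:href="https://example.invalid/"><office:event-listeners>
   <script:event-listener script:event-name="dom:click" script:language="ooo:script" xlink:href="{href}"/>
  </office:event-listeners>details</text:a></text:p></office:text></office:body>
</office:document-content>"""
    manifest = f"""<manifest:manifest xmlns:manifest="{MANIFEST_NS}" manifest:version="1.2">
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
 <manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" manifest:media-type="text/xml"/>
</manifest:manifest>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content)
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("Basic/Standard/Module1.xml", '<script:module xmlns:script="http://openoffice.org/2000/script" script:name="Module1">Sub Main\nEnd Sub</script:module>')
    return buf.getvalue()
```

A document gateway would run sanitize_odf over each attachment and log the report; inspect_odf alone is enough for detection without modifying the file.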

Authored by: SpaceLifeForm on Friday, December 09 2005 @ 04:51 PM EST
Mandamus Complaint (PDF)

Trying to ignore the law is not going to work.

Authored by: hbo on Friday, December 09 2005 @ 05:32 PM EST
Anyone who has had anything to do with the Usenix association knows Dan Geer's name. And it's not just because he's a past president. He has one of the clearest visions of anyone I know that observes technology and business. The referenced article was published in ;login, the magazine of Usenix and SAGE, this month. In it, the "15% owned" number is derived from Symantec's estimate that 30,000 systems are added to "botnets" every day. There is also this coda to the article, left out of PJ's quote, but appearing right after it. Dan is a perceptive observer, and I think this statement gives insight into Microsoft's future direction with respect to security:

"And that, my friends, explains why Ballmer bought Connectix: the only way to introduce a new platform that arguably cures the security problem without kicking in the teeth of those who count on backward compatibility is to take the old insecure stuff and encapsulate it in some sort of virtual machine. It breaks the monoculture without breaking the monopoly, one part evil and one part brilliant."

Never, ever forget that these guys are really, really smart, in addition to being whatever else they are.
---
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers