Monday March 29, 1999
The following editorial was written by
Linux Today reader Paul
The problems caused the past few days by the Melissa
virus have served to punctuate another issue relating to software
monopolies. It centralizes around everyone owning exactly the same
software, and how that homogeny relates to network security. The
problem: There is weakness in a network built upon homogeneous
Witness the Melissa virus modus operandi: Infect one
computer with Word and Outlook express, and you can exploit the
security hole across a huge portion of the network, including the
Internet. Word executes a macro when the recipient opens their
email. The macro uses the names in the user's personal address book
to send more copies of the infected document. There is more to it
than this, but no need to go further to make the point.
Why? Because the whole virus would be a moot point,
if there were more diversity and competition in the mail client and
word processing marketplace. Outlook express is used in a lot of
corporate environments as a "standard". Never mind that we can't
look at the source code to Word and Outlook and find the holes that
were exploited - somebody found them there anyway.
This is another example of the security weaknesses of
proprietary software. With no peer review of its code, the system
is vulnerable to attack because of the limited understanding of the
authors who wrote the program. The patch is that much harder to
implement, because the people affected by the problem cannot get to
the very source of it.
The virus works with a another basic assumption: That
all of the people getting the infected mail will have Microsoft Word and Outlook.
Microsoft dominates many aspects of personal computing, and word
processing software is one of those areas. Possibly Word is a
superior product. Possibly, some might say more likely, Word
dominates the market due to the so-called "network effects" that
popular software titles experience in the current marketplace.
I'm familiar with these network effects. Often I'm at
a customer site that is replacing their word processing software
with Microsoft Word. The reasons rarely have to do with their old
technology not being good enough. The real reasons seem to revolve
around the fact that everyone is getting email sent to them in
Microsoft Word format, and they can't read it.
Is this a good reason to switch to a different
software program? Because its file format is so proprietary that
you cannot use the software you already have to view it?
Whether or not Word is purchased for these reasons is
not the point. If we all end up using any one particular program
for something as important and pervasive as word processing, our
overall network security can potentially sink to the level of that
program. In this case, it's two proprietary programs working in
Digital diversity is viewed by some as a disease. If
everyone uses the same API's, programs and operating systems, we
supposedly all benefit. This is a misunderstanding of the issues at
hand. What they are really saying is that it's a good thing that
Joe Public can go down to the local software shack and select a
software title like a child playing pin the tail on the donkey. He
can just grab it off the shelf with no regard as to whether or not
it will work with his system.
Since everybody is running Microsoft Windows, then
it's a good thing, right? Nobody needs to worry about Unix, Mac or
OS/2 software. The software companies can ditch support for those
platforms -- they were a headache to code for anyway. Regardless of
the development method, the owner of the standards, or whether or
not those standards are open, this benefits all, these people
But does it?
Doesn't it make us all open to exploitation by a huge
corporation? Doesn't it also make us all open to exploitation by
virus writers who count on everyone having the same operating
system and other "standard" programs installed?
It does if the software is full of holes that no one
but someone with bad intentions has a chance of finding. Buying and
using proprietary software is like riding in a boat where the
captain refuses to let you inspect the hull. The fix is not to find
a captain you can trust, the fix is to find a captain who will let
you inspect the hull. Patching this hole in Word and Outlook
express is not going to make the system that much more secure, it's
simply going to stop this particular virus.
What's needed is something else: Digital standards
that work with diversity, and not against it. Maybe pure XML as a
document standard for all Word processing software, and Java or
some other multi-platform standard for programs that are to execute
on a computer. If this is ever to happen, it will happen in the
Open Software community first. Huge corporations are too involved
in protecting their intellectual property turf to provide this
level and secure playing field. In the mean time, the source code
itself is providing this open standard.
Look at the proprietary "Open" Unix vendors and their
staunch habit of crossing the incomparability lines. It has taken
Linux to open their eyes to the new way to compete in the Internet
age. Possibly it is also the dawning comprehension that cooperation
will truly be needed in the face of proprietary standards like
But, Linux should not be the platform to rule as
well. The more diverse, the better, as long as there are open
standards for cross platform compatibility. Imagine a homogeneous
network evenly composed of Linux, FreeBSD, Beos, Mac, OS/2,some
other Unix, or yes, even Windows. It will surely be a strength
compared to today. But imagine the strength of that network if all
of those operating systems and programs were open source. Today,
it's un-imaginable. But there is hope for tomorrow. Linux, FreeBSD
and new emerging open source word processing software titles
provide that hope.
We can no longer afford to have our standards
"embraced and extended". It's simply too dangerous to network
security because people confuse true standards with de-facto ones.
If our community is a global one, open standards based upon open
software is a must. It's simply too dangerous to privacy, freedom
If you do have Microsoft Word installed, please don't
assume that everyone has it. Please compose your email attachments
using an open file format, like HTML for example.
If you are on the other side of the fence, you should
try and restrain yourself from purchasing Word next time you get a
document that you cannot view. Of course, here I'm speaking to a
small group of people. You people are among the few on the planet
Earth that don't have Word installed. I number among you. Possibly
you should consider another alternative. Why don't you email that
person and ask for the file in HTML, or some other open
That is, if they have Word and working email after
Melissa strikes this Monday....