Linux Today: Linux News On Internet Time.

Digital Diversity

Mar 29, 1999, 08:41

The following editorial was written by Linux Today reader Paul Ferris

The problems caused the past few days by the Melissa virus have served to punctuate another issue relating to software monopolies. It centers on everyone owning exactly the same software, and how that homogeneity relates to network security. The problem: There is weakness in a network built upon homogeneous proprietary software.

Witness the Melissa virus modus operandi: Infect one computer with Word and Outlook Express, and you can exploit the security hole across a huge portion of the network, including the Internet. Word executes a macro when the recipient opens their email. The macro uses the names in the user's personal address book to send more copies of the infected document. There is more to it than this, but no need to go further to make the point.

Why? Because the whole virus would be a moot point if there were more diversity and competition in the mail client and word processing marketplace. Outlook Express is used in a lot of corporate environments as a "standard". Never mind that we can't look at the source code to Word and Outlook and find the holes that were exploited - somebody found them there anyway.

This is another example of the security weaknesses of proprietary software. With no peer review of its code, the system is vulnerable to attack because of the limited understanding of the authors who wrote the program. The patch is that much harder to implement, because the people affected by the problem cannot get to the very source of it.

The virus works with another basic assumption: That all of the people getting the infected mail will have Microsoft Word and Outlook. Microsoft dominates many aspects of personal computing, and word processing software is one of those areas. Possibly Word is a superior product. Possibly, some might say more likely, Word dominates the market due to the so-called "network effects" that popular software titles experience in the current marketplace.

I'm familiar with these network effects. Often I'm at a customer site that is replacing their word processing software with Microsoft Word. The reasons rarely have to do with their old technology not being good enough. The real reasons seem to revolve around the fact that everyone is getting email sent to them in Microsoft Word format, and they can't read it.

Is this a good reason to switch to a different software program? Because its file format is so proprietary that you cannot use the software you already have to view it?

Whether or not Word is purchased for these reasons is not the point. If we all end up using any one particular program for something as important and pervasive as word processing, our overall network security can potentially sink to the level of that program. In this case, it's two proprietary programs working in tandem.

Digital diversity is viewed by some as a disease. If everyone uses the same APIs, programs and operating systems, we supposedly all benefit. This is a misunderstanding of the issues at hand. What they are really saying is that it's a good thing that Joe Public can go down to the local software shack and select a software title like a child playing pin the tail on the donkey. He can just grab it off the shelf with no regard as to whether or not it will work with his system.

Since everybody is running Microsoft Windows, then it's a good thing, right? Nobody needs to worry about Unix, Mac or OS/2 software. The software companies can ditch support for those platforms -- they were a headache to code for anyway. Regardless of the development method, the owner of the standards, or whether or not those standards are open, this benefits all, these people say.

But does it?

Doesn't it make us all open to exploitation by a huge corporation? Doesn't it also make us all open to exploitation by virus writers who count on everyone having the same operating system and other "standard" programs installed?

It does if the software is full of holes that no one but someone with bad intentions has a chance of finding. Buying and using proprietary software is like riding in a boat where the captain refuses to let you inspect the hull. The fix is not to find a captain you can trust; the fix is to find a captain who will let you inspect the hull. Patching this hole in Word and Outlook Express is not going to make the system that much more secure; it's simply going to stop this particular virus.

What's needed is something else: Digital standards that work with diversity, and not against it. Maybe pure XML as a document standard for all word processing software, and Java or some other multi-platform standard for programs that are to execute on a computer. If this is ever to happen, it will happen in the Open Software community first. Huge corporations are too involved in protecting their intellectual property turf to provide this level and secure playing field. In the meantime, the source code itself is providing this open standard.

Look at the proprietary "Open" Unix vendors and their staunch habit of crossing the incomparability lines. It has taken Linux to open their eyes to the new way to compete in the Internet age. Possibly it is also the dawning comprehension that cooperation will truly be needed in the face of proprietary standards like Windows NT.

But Linux should not be the platform to rule as well. The more diverse, the better, as long as there are open standards for cross-platform compatibility. Imagine a heterogeneous network evenly composed of Linux, FreeBSD, BeOS, Mac, OS/2, some other Unix, or yes, even Windows. It will surely be a strength compared to today. But imagine the strength of that network if all of those operating systems and programs were open source. Today, it's unimaginable. But there is hope for tomorrow. Linux, FreeBSD and new emerging open source word processing software titles provide that hope.

We can no longer afford to have our standards "embraced and extended". It's simply too dangerous to network security because people confuse true standards with de facto ones. If our community is a global one, open standards based upon open software are a must. It's simply too dangerous to privacy, freedom and security.

If you do have Microsoft Word installed, please don't assume that everyone has it. Please compose your email attachments using an open file format, like HTML for example.

If you are on the other side of the fence, you should try and restrain yourself from purchasing Word next time you get a document that you cannot view. Of course, here I'm speaking to a small group of people. You people are among the few on the planet Earth that don't have Word installed. I number among you. Possibly you should consider another alternative. Why don't you email that person and ask for the file in HTML, or some other open standard?

That is, if they have Word and working email after Melissa strikes this Monday....