Simon Phipps's Blog

September 2003 Archives


Monoculture Considered Harmful

Posted by webmink on September 26, 2003 at 04:45 PM | Permalink | Comments (9)

I commented recently that, while we can each take steps to prevent virus and worm attacks on our computer systems, the biggest threat we actually face is the fact that we have a computer monoculture.

Most of the world’s computers run Microsoft’s operating systems, thus most of the world’s computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.
Actually, I didn't write that - it's from the executive summary in the report CCIA are promoting, 'Cyber InSecurity' [PDF, 880k]. The (brave) authors include Bruce Schneier, who I respect greatly, and Daniel Geer, who @Stake (a Microsoft contractor) have shockingly summarily dismissed despite the fact that the report simply states the self-evident and makes recommendations that are just common-sense:
While appropriate remedies require significant debate, these three alone would engender substantial, lasting improvement if Microsoft were vigorously forced to:
• Publish interface specifications to major functional components of its code, both Windows and Office.
• Foster development of alternative sources of functionality through an approach comparable to the highly successful "plug and play" technology for hardware components.
• Work with consortia of hardware and software vendors to define specifications and interfaces for future developments, in a way similar to the Internet Society's RFC process to define new protocols for the Internet.
These need some safeguards; the usual approach with which these things are addressed means each would probably be turned into a revenue and lock-in opportunity or a source of monopoly growth.

Before the usual and inevitable cries of 'Microsoft-hater' are raised, can I make a plea to people to look at the issue here (and read John Lettice's take too). It's actually not based on an instinctive hatred of Microsoft - as Geer himself says:

"If the monoculture was all Linux, it would be just as bad"
It's a fact [huge page] that they have a monopoly, that it's resulted in a monoculture and that this provides a big, squishy target for the black hats no matter how hard anyone tries to fix the bugs, and no amount of safe behaviour by customers is going to fix it. It's the facts that need addressing. Either every country has to become a police state or we need diversity.

[Also posted to Webmink]



An Open Spirit

Posted by webmink on September 14, 2003 at 09:36 AM | Permalink | Comments (1)

In the first posting in her new weblog, Anne Thomas Manes talks about the idea of porting Jakarta to Mono, the project to implement C# and the core of the CLI from .NET on Linux. She says:

But from the moment Miguel initiated the Mono project, I’ve been worried about its future potential. I’ve feared that it would go the way of DCOM on Unix. (DCOM is an Open Group standard – and Microsoft retains ownership of its intellectual property.) A number of vendors implemented DCOM on Unix, but almost no one ever used it, because DCOM is pretty worthless without a bunch of application-level class libraries, such as ODBC, OLE DB, ADO, and ASP to run on top of it. Microsoft never released these specifications to the public, so these technologies have never been available for Unix. Hence DCOM on Unix faded away into irrelevancy.
With DCOM back in our minds again because of its exploitation by the Blaster worm, the reminder of how DCOM is an 'open' technology because it was 'donated' to Open Group as a marketing stunt is a good reminder that the path Microsoft has taken with C#/CLI is not new. Another expression of 'openness' was the availability of NT on chipsets other than Intel, which withered because Microsoft was really only interested in NT on Intel and left the really active maintenance of the code to partners who couldn't keep up, so that NT/Intel was the only really viable platform.

What we learn from each of these forays into openness is that it doesn't matter how sound the vehicle being used to express the apparent 'openness' is (ECMA for C#, Open Group for DCOM, partner community for NT); what ultimately matters is the open spirit of the originator. If their intent and method is essentially open, the process bugs get fixed along the way and more and more becomes open.

In the case of the Java environment, things have gradually opened up to the point where Apache are able to implement the whole of J2EE (in their Geronimo project). The process bugs (there have been plenty over the years and as Anne hints there are still a few to fix) resulted in the most part from the design of the process by humans. Sometimes it took waaay too long to fix them, but the underlying spirit has remained an open spirit that's resulted in increasing openness. The result has been a rich and diverse marketplace with many strong players, and for J2EE there is wide choice at every stage for the developer.

So when Anne proposes

So the way I see it, in order for Mono to succeed, we need to develop a set of open frameworks, engines, utilities, tools, APIs, and class libraries that run on top of it.
I am left asking, why bother? Why not instead support Geronimo? What is the IP encumbrance that makes Geronimo unsuitable? The history of the Apache project is that it has acted as a gadfly to Java, causing the (mostly unintended) process bugs to get sorted. I anticipate Geronimo having the same effect, 'outing' the bugs and getting them addressed. Supporting it will strengthen the openness of Java and help ensure a future for choice. My instinct tells me that getting developers working on C#/CLI projects to re-invent the Java wheel will not have the same effect.

[Also posted to Webmink]


