A controversial report and the subsequent departure of @Stake’s CTO Daniel Geer, one of the report authors, has caused no shortage of speculation among security professionals. The report, CyberInsecurity, quickly delivers the first punch: “Microsoft’s efforts to design its software in evermore complex ways so as to illegally shut out efforts by others to interoperate or compete with their products has succeeded. The monopoly product we all now rely on is thus both used by nearly everyone and riddled with flaws. A special burden rests upon Microsoft because of this ubiquity of its product, and we all need to be aware of the dangers that result from reliance upon such a widely used and essential product.”
While the report falls short of directly calling Microsoft a monopoly, much is made of their alleged monopolistic practices and repeatedly warns of the aggregated risk created by so-called monocultures. The authors' argument seems to be that if you have a lot of something, it is more prone to attack, thus the best defense is not to have a lot of something. Through liberal interpretation of Sarnoff's Law, Metcalfe's Law, Moores Law, et al, the authors provide a mathematical model consuming several pages of the report, eventually predicting that new growth “is occurring mostly among ordinary consumers and non-technical personnel who are the most vulnerable to illegal intrusions, viruses, Trojan horse programs and the like.” Doesn't that fairly well someone up all new users? And wouldn't one expect new growth to come from, well, new users?
Their desire for provable figures obviously doesn’t extend to virus impact. In order tomake that case, the illustrious team turned to figures from London-based firm, mi2g Ltd., who, despite any marginally accepted criteria, estimated that “global damage from malicious software inflicted as much as $107 billion in global economic damage this year.” Indeed, mi2g credits the SoBig.F worm alone with nearly a third of that, or almost $30 billion dollars. Rob Rosenberger, editor of the highly popular Vmyths.com, has in past years taken the industry – and mi2g specifically – to task for proffering unverifiable and marketing-driven guesstimates as statistical fact.
To summarize thus far, the first eleven pages of the “provocative” CyberInsecurity report is spent proving ad nauseam the obvious fact that people new to computers are the largest single growth factor in the new computer user category, then blithely presenting unproven – and unprovable – figures of alleged virus damage costs as if they were fact.
