SEATTLE—The dominance of Windows in the marketplace continues to represent a threat to the safety and security of the Internet and is a problem that must be addressed at the highest levels of government, a noted security researcher said in his keynote speech at the Black Hat Windows conference here Thursday.
Dan Geer, one of the authors of last year’s controversial paper on the subject of the Windows monoculture on the Internet, said that the assertions in the paper and his speech are not new and are beginning to draw the attention of legislators and government officials in the United States and abroad.
“This wasn’t a shot out of the dark. It’s not a new idea, even though in some sense I got fired publicly because I said this,” said Geer, who was fired as the chief technology officer of security consultancy @stake Inc. following the paper’s publication. “This is a problem that demands attention on the national government scale and maybe the world scale. It is an idea whose time has come.”
Geer, who is now heading his own risk management firm and is also chief scientist at security vendor Verdasys Inc., said that Windows’ dominance is only part of a complex equation that has led to this state of affairs. Also contributing to the problem is the relative lack of skill of most PC users and the number of current vulnerabilities in Windows.
To combat the combination of these issues, Geer endorsed the idea of a central authority that would collect data on virus outbreaks and other problems, analyze the malware, look for protective measures, and look for new infection vectors and ways to defend against those attacks.
The idea for a kind of Centers for Disease Control and Prevention for the Internet is not new, nor is it Geer’s. It was first proposed in a paper called “How to Own the Internet in Your Spare Time,” which was presented at the 2002 Usenix Security Symposium.
“The idea of a CDC-type organization for the Internet is a very intriguing one,” Geer said.
Given the magnitude of the MyDoom virus outbreak this week, it is an idea that may begin to get some traction.
Geer also raised the possibility that the government would be forced to develop some regulations regarding security and liability if the industry doesn’t address the problem on its own.
“Let me be clear. I loathe regulation. Loathe it,” he said. “But we are going to get some regulation. I just want to make sure that we get the right kind.”