Ever since Microsoft CEO Steve Ballmer identified Linux as the biggest threat to Windows back in January, Redmond's marketing and PR offensive against the open-source software (OSS) development model has gone into overdrive. By now, few in the industry are unaware of Microsoft's more outrageous attacks, such as Windows Platform Group VP Jim Allchin's sly implication that the open-source General Public License (GPL) is somehow “anti-American,” or Ballmer's characterization of Linux as a “cancer.” Amid all of the hyperbole, however, much less attention has been paid to their low-key but persistent claims of inherent insecurities in the open-source model.
While there is certainly room to disagree on these issues, the security community has largely rejected Microsoft's assertions of superiority. Experts question whether open-source software is more secure than its proprietary counterparts, but almost none would argue that it is less so. Nonetheless, Microsoft apparently has decided that it doesn't need to argue its point and can simply state it as established fact. In his now-famous May 3 anti-GPL address at NYU, Microsoft senior VP Craig Mundie devoted five words to the issue: “[OSS] has inherent security risks.”
In theory, this low-key approach might have allowed Redmond to convince the general public that OSS presents a security risk while avoiding a concerted response from the security community, but the fates were not on Microsoft's side. As luck would have it, Mundie's speech coincided with the discovery of a devastating security bug in Windows 2000.
More important, however, was the announcement several weeks later by Lloyds of London underwriter J.S. Wurzler Underwriting Managers. Wurzler said its customers who use Windows NT were seeing much more downtime due to security problems than those using Linux and other operating systems. As a result, Wurzler decided to raise premiums on NT users.
Rest assured, Wurzler's move comes with a host of caveats. First of all, the announcement only applies to Windows NT, not Windows 2000. Moreover, a correlation between NT use and security problems does not necessarily indicate causation; other factors, such as differences in IT training and experience, are likely to have caused some or all of the correlation. In any case, OS usage is only one of a host of factors insurance firms use in assessing security risks and assigning premiums. Finally, as of yet, Wurzler is the first and only underwriter to have taken this step.
That said, Wurzler's actions speak a lot louder than Microsoft's words. John Wurzler is no slouch; he has as much experience in network security as anyone in the insurance industry. And as far as I know, he has no stake in the open-source debate; on the contrary, his business rises or falls on the accuracy of his risk assessments. No, I'm not running to unplug my Windows machines, but neither am I about to give Redmond the benefit of the doubt.