Linux in Government: Unseating Incumbents

by Tom Adelstein

Despite the riotous cheerleading occuring among Democrats in Boston this week and that soon to occur among Republicans in New York, it's the summer doldrums in a still flat technology market. At times like this, you can imagine tumbleweeds rolling by as the saloon doors flap and creek to stillness.

Can we imagine that GNU/Linux adoption patterns are analogous to the adoption model of other systems, biological or even political ones? No matter what kind of system you want to talk about, shoving out the dominant species takes some reckoning.

The public soon will see that the major party conventions in Boston and New York have less to do with love for their respective candidates than they do with dislike for the opponents. As much as each party wants to quiet the anti-opponent rhetoric, it won't work. A vocal and visual minority on each end of the political spectrum dislikes the other end's candidates. The media continuously reminds us of that fact.

Unfortunately for the election, passion doesn't unseat incumbent office-holders. So, each party is attempting to work the adoption model for the challengers. They are looking for acceptance for their candidates. They are discovering their inability to reach into the installed base of incumbents to get their candidates' message accepted. Sociologists and marketing people understand the adoption model: the incumbents do not have enough blemishes to make an alternative candidate attractive enough. Even the political vulnerabilities around Bill Clinton failed to unseat him as an incumbent.

Radical innovators make up about only 3% of the US population. That can't win you an election. The early adopters make up around 10% of the population, and this segment consists of young, conservative business types. They drive opinion leadership in this country. Even media bias doesn't move the opinion leaders enough to take an anti-incumbent stance.

To reach the early and late majority of Americans--those that make up to 70% of the US population--you need the opinion leaders on your side. Opinion leadership comes to the majority through younger, conservative, straight and narrow people in our population with an eye out for innovation. That eye sees innovation strictly as a business advantage. Although the early adopters can tolerate innovators, they don't share the same values. They don't demonstrate in the streets, carry signs, wear slogan tee shirts, seek visibility, nor do they have the same passion as innovators.

So, without a significant enough complaint, the 70% will go for the status quo. The majority of American people hold conservative values. When it comes time to vote, they won't go with unproven operators.

Another segment of adopters exists in the US. Known as laggards, they make up about 16% of the population. You can reach them with an anti-incumbent campaign, especially if you scare them with slogans about security. What's the problem with this segment? They don't vote, and they do not own computers.

So, most marketeers will say you won't unseat the majority of incumbents and you won't unseat Microsoft this year.

What Does This Have to Do with Microsoft?

In our analogy here, Microsoft is the incumbent. Although Microsoft has plenty of vulnerabilities, it hasn't created enough pain yet to make the Linux desktop the pollsters' choice. But, Microsoft's vulnerabilities have begun to multiply, and those young, conservative opinion leaders are beginning to hear the message. Once that occurs, you can fancy a case for unseating an incumbent.

Innovators exist in every population. Most sociologists put their number at 1-3% of a population. Innovators tend to criticize the status quo, resist norms, have broad social networks and tend to let their feelings be known. Passion also characterizes the innovator. An innovator's visibility tends to make people think the innovator reflects majority opinion.

Today's innovators dislike Microsoft. At a time when the personal computer represented innovation in itself, our young, conservative opinion leaders wanted to break away from IBM mainframe's repressive hold on the enterprise. Microsoft owned the operating system that helped shift the computer model. Writing programs for the text-based Microsoft DOS system attracted an innovative crowd. Although serious technologists preferred the UNIX operating system, the path of adoption did not pass through those doors. Instead, Microsoft teamed up with IBM's PC group and began to replace minicomputers and mainframes. With Microsoft, innovation began to flourish, and a robust market for applications developed around the personal computer.

By the end of the first decade of the personal computer, IBM owned 97% of the PC hardware market. Part of IBM's dominance resulted from using open standards when it came to hardware. Then, in a miscalculated move, IBM changed to a closed architecture called Microchannel. IBM wanted clone manufacturers, such as Tandy, to license IBM's Microchannel design and once again dominate competition.

The market rejected IBM's Microchannel architecture, and a group of computer manufacturers led by Compaq began to grab large market share away from IBM. Within a short period, IBM's 97% share of the PC hardware market shrunk to approximately 4%.

Microsoft escaped the disdain for Microchannel. Instead of breaking bread with IBM, Gates & Co. chose to embrace Compaq, Digital Equipment Corporation, Dell, Gateway, Packard Bell and HP. They also broke Apple Computer's hold on the market by releasing Windows and helping port desktop publishing products from the Mac to the PC.

By the time Intel's 386 processor began shipping, Microsoft Windows had become the dominate graphical-based operating system in the PC market. The election ended and a new leader took over from IBM and Apple. Some called the new administration Wintel; others called it by other names. By 1995, Intel became the corporate standard for hardware and Win32 became the corporate standard for software.

Once Installed in Office, Incumbents Are Hard to Unseat

Microsoft, the incumbent, attempted to become dictator, emperor and czar. In so doing, it negated the vote. In order to vote, you have to have an opposition party. Microsoft has eliminated the competition and has suffered numerous lawsuits as a result. Major anti-trust actions still exist in Europe and Japan, and Microsoft has paid out billions in settlements in the United States.

Of course, innovators in the form of Linux users see an alternative to Microsoft. On the desktop, they have expressed their vote. In studies like this one, Linux appears to have about a 3% desktop share. That would account for the innovators, not the early adopters. As stated above, that paltry group can't win an election and it can't unseat an incumbent.

You can get an incumbent impeached, however, if you have one overwhelming piece of evidence showing incompetence that could lead to a national security crisis. Overwhelming security failures affect market share, while moral transgressions--copyright infringement, restraint of trade and anti-competitive practices--do not. According to this model, Microsoft has perpetrated the latter and survived.

Now, to Have a Regime Changed

To effect a regime change, you first need to determine whether an incumbent has committed a violation of trust and if the incumbent has serious vulnerabilities. What does that do to a candidate, even a dictator? It creates the motivation for and a platform on which a change of leadership can occur. It provides the means to put the change into action. You can accomplish this, however, only if a viable alternative exists. You cannot change it if the incumbent shows no weakness in public. If the incumbent controls the media, then few will understand the violations or the vulnerabilities.

Microsoft remains in a position of leadership, so we must not feel yet the violation of trust keenly enough to do something about it. Given the ongoing security situation, one wonders why people don't recognize the company's indifference for their safety.

We need to feel it personally in order to gather the will to make the change. Below, we illustrate important ways Microsoft might be violating our trust and at the same time determine if this office-holder has enough vulnerabilities to affect its ability to complete its duties.

The Incumbent Has No Clothes

For those who use Microsoft, to understand the security risk you face, we're going to explain why Microsoft must issue XP Service Pack2 while the remaining installed base continues to be unprotected.

To give you an idea of the kinds of vulnerabilities you may not have focused on, let's look at a seemingly non-correctable problem exposed by Graymagic Software in 2002, the DSO vulnerability (GreyMagic Security Advisory GM#001-IE). The Security Advisory titled "Executing arbitrary commands without Active Scripting or ActiveX" illuminates a hole in the security model used by Microsoft.

Windows clients generally use anti-virus software, but rarely do they use anti-spyware checks, even though a free package for it exists on the Web: Spybot-Search & Destroy.

Spybot - Search & Destroy can detect and remove spyware of different kinds from your computer. Spyware is a relatively new kind of threat that common anti-virus applications do not yet cover. If you see new toolbars in your Internet Explorer that you didn't intentionally install, if your browser crashes, or if you browser start page has changed without your knowing, you most probably have spyware. But even if you don't see anything, you may be infected, because more and more spyware is emerging that is silently tracking your surfing behavior to create a marketing profile of you that will be sold to advertisement companies. Note: As of this writing, over 15,000 Spyware exploits exist.

Using Spybot, we did a fresh install of Windows and added every security patch available. We ran Spybot S & D and discovered 16 major problems. We cleaned them off, immunized the system and made one more trip to Microsoft's Web site to look for updates. After the visit we ran Spybot S & D again and discovered that two of the exploits continued to exist. You can see that information in Figure 1.

Linux in Government: Unseating Incumbents

Figure 1. Exploits Remain

In the previous first run of Spybot S & D, we selected "Fix selected problems". DSO responded as fixed, as demonstrated in Figure 2.

Linux in Government: Unseating Incumbents

Figure 2. DSO Responded as Fixed

Next, we installed and launched Mozilla Firefox for Windows and applied the recommend patch for possible vulnerabilities. We surfed the Web, shutdown the browser and ran Spybot S & D again. We captured the screenshot, see Figure 3, after we discovered the DSO vulnerability once again.

Linux in Government: Unseating Incumbents

Figure 3. DSO Vulnerability Once Again

Understanding the Vulnerability

The problems associated with spyware relate to executing arbitrary command on your computer. The way Microsoft explains it like this: "Vulnerability in Windows Shell Could Allow Remote Code Execution".

On July 14, 2004, the US Computer Emergency Readiness Team (CERT) issued TA04-196 A, "Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express". In each segment, the vulnerability relates to executing code on your computer to gain access. CERT states, "a remote, unauthenticated attacker may exploit VU#717748 to execute arbitrary code on an IIS 4.0 system". The CERT warning continues:

Exploitation of VU#106324, VU#187196, VU#920060 and VU#228028 would permit a remote attacker to execute arbitrary code with the privileges of the current user. The attacker would have to convince a victim to view an HTML document (web page, HTML email) or click on a crafted URI link.

Vulnerabilities described in VU#647436 and VU#868580 permit a local user to gain elevated privileges on the local system. Exploitation of VU#869640 can lead to a denial-of-service condition against Outlook Express.

On July 14, 2004, we received another warning from CERT (Vulnerability Note VU#713878) that simply advises people to "use a different web browser":

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing un-trusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML).

What Conclusions Can We Reach

People who use computers need to understand that no competitive advantage exists today simply in using a computer. In the past, a competitive advantage existed between those who owned computers and those that did not. Today, though, the advantage one can gain by deploying one system over another makes little difference.

However, if you do not use computers, you lose your competitive equivalency. By having an unstable operating system you may not be able to keep pace. By allowing others to read your database of information--your network--you stand the chance of giving away information critical to maintaining your pace.

The question you may wish to ask yourself is this: Do I stay with the incumbent simply because I'd rather not deal with this problem or have I finally had enough? If the answer is the latter, enterprise Linux is waiting for you.

Tom Adelstein lives in Dallas, Texas, with his wife, Yvonne, and works as a Linux and open-source software consultant locally and nationally. He's the co-author of the upcoming book Exploring the JDS Linux Desktop, published by O'Reilly and Associates. Tom has written numerous articles as a guest editor for a variety of publications on Linux technical and marketing issues. His latest venture has him working as the webmaster for JDSHelp.org.

Load Disqus comments

Firstwave Cloud