
Microsoft’s Shadow Ecosystem

There are many measures of success, and some are less desirable than others. Windows is the standard by which cybercriminals measure their wares—eh, malware. Their devotion to Windows is testament to Microsoft’s success. The company should just accept the faint praise for what it is.

Microsoft claims that Windows is more widely attacked by malware than, say, Mac OS X because of volume; many, many more people use Windows PCs than Macs. The claim is great PR, because it kind of makes sense and is unprovable without Macs gaining lots more marketshare. But on closer examination, the claim is pure BS. Microsoft security experts know so, or they’re delusional.

Malware writers go where the money is, just like bank robbers of an earlier era. For years, Mac defenders have argued that Mac OS X was much more secure than Windows. That its architecture was more hardened to attack—analogous to a bank with better security systems and hardened vault. I’ve made the same claim, too. But Windows Vista and successor 7 tighten up administration rights so that they’re closer to Mac OS X security. Also, Mac OS X has yet to be tested the way Windows has. There wasn’t enough money in it for malware writers, and, again, that has little to do with Windows’ greater adoption.

I’ve long asserted that Windows succeeded because it allowed so many third parties to make money. It’s one of the attributes of successful platforms:

  • They have at least one killer application people really want
  • Tools and APIs make good applications easy to develop
  • Platform provides plenty of really useful applications
  • Third parties make lots of money

The fourth attribute is the most important, and it’s fundamentally the reason why Microsoft eclipsed Apple in the late 1980s and 1990s. By controlling the hardware and not licensing the software, Apple limited how many partners could make how much money off the Macintosh platform. By comparison, Windows offered seemingly limitless opportunities. Windows was a gold rush for business adopters, component manufacturers and suppliers, PC OEMs, peripheral manufacturers, resellers, retailers, software developers, software distributors and system builders, among others.

Victim of Its Own Success
Microsoft describes this community of moneymakers as the Windows ecosystem. That’s an apt description, with natural overtones. Wikipedia, citing R.W. Christopherson, Geosystems: An Introduction to Physical Geography (Prentice Hall, 1996), describes an ecosystem this way:

An ecosystem is a natural unit consisting of all plants, animals and micro-organisms (biotic factors) in an area functioning together with all of the physical (abiotic) factors of the environment. An ecosystem is a unit of interdependent organisms which share the same habitat. Ecosystems usually form a number of food webs which show the interdependence of the organisms within the ecosystem.

Microsoft’s Windows platform fits the definition in an economic sense, with money substituted for “food webs.” These independent organisms feed off the money opportunities exposed by the Windows platform.

I wasn’t a computer nerd in school. But I was a science geek, and biology was my primary field of study at a time when schools discouraged the major. I’ve got a pretty good sense of how biological systems work—well, good enough for this post.

A parasitic lifecycle

Within natural ecosystems, some organisms feed off—in human terms, exploit—others. Microsoft talks about the Windows ecosystem in context of the aforementioned “good” partners. But there is a shadow ecosystem, too, of so-called cybercriminals and malware writers who profit for many of the same reasons as hardware manufacturers, retailers or software developers.

Some of these Windows ecosystem organisms are parasites. In nature, many parasites serve important roles. Can the same be said for computing? Absolutely. Within the human gut are bugs necessary to digestion. There are members of the shadow ecosystem that profit from fixing security bugs rather than exploiting them; their assistance is vital to Microsoft and its customers and partners.

But many of these parasites and other organisms are hostile. They attack the Windows ecosystem and would destroy it by profiting from it. Microsoft can’t escape the shadow ecosystem. The ecosystem of developers, resellers and other partners make money from Windows platform strengths. The shadow ecosystem profits from the platform’s weaknesses.

Ecosystems Must be Managed
I’m surprised that Microsoft’s math-oriented cyberfighters don’t apply more science to shrinking the shadow ecosystem. Many environmentalists and some politicians propagate amazing folklore that natural systems should be allowed to run amok. That it’s wrong to interfere with natural systems. Bullshit. Natural systems tend to thrive when they are carefully, but not too aggressively managed. Human beings are part of the natural ecosystem and have a role, too.

Human beings’ role is far more important and obvious for the ecosystems they create for themselves. For example, financial systems are ecosystems, too. In the aftermath of the econolypse, economists, politicians and other experts are concluding there wasn’t enough regulation (i.e., management) to maintain balance.

The government played a role, by lowering interest rates so far that they became fertilizer for destructive weeds (credit/debt and other derivatives) that overwhelmed the financial ecosystem. The treasure of valuable foodstuffs that many people thought they had procured during the boom turned out to be nothing but valueless weeds in the bust.

Natural ecosystems could teach Microsoft something about security

Microsoft is fairly aggressive about managing the larger Windows ecosystem, but needs to better manage the shadow ecosystem and reduce its numbers. The monthly security patches are good management practice. People tend to forget that, aside from zero-day exploits, Microsoft acts proactively. The releases are security due diligence. Last week’s beta release of Security Essentials is another good move. I’m on the beta and will report about using the software sometime soon.

But security software is a reactive solution. Microsoft needs to be even more proactive, and monthly patches don’t go far enough. Sure, Microsoft deserves praise for proactively undertaking its managed code initiative and making security analysis a fundamental and vital part of software development. Given this post is already so long, I’ll save proactive suggestions for the future.

The American Chestnut Metaphor
To reiterate, Microsoft cannot avoid the shadow ecosystem. It’s a natural byproduct of the broader Windows ecosystem. But Microsoft can better manage—and even reduce—the risks. Every ecosystem is susceptible to devastation. The shadow ecosystem can do more than just release malware that steals personal identities or account information for auctioning on eBay-like black markets (there’s even trade in viruses). If not properly managed—or contained—the shadow ecosystem can become a fungus capable of devastating the broader Windows ecosystem.

For North America, the greatest environmental tragedy of the Twentieth Century wasn’t the increase of global emissions but the mass destruction of a thriving and vital natural ecosystem. In 1903-04, the Bronx Zoo imported Chinese Chestnut trees for display. A deadly fungus infected the imported trees; the American Chestnut had no natural defense.

American Chestnut Tree (Uncredited, historical photo)

The Chestnut was a popular fixture in Nineteenth Century but not Twentieth Century literature for a reason. In many locales along the North American Eastern seaboard, the Chestnut was one in four trees; there were whole groves in the Appalachians. Within three decades, the blight killed 90 percent of the Chestnut trees in North America.

The Chestnut all but disappeared from the American landscape. The tree’s demise devastated timbering, tannin and other industries. Huge populations of wildlife diminished because they lost their food supply. For example, wild turkeys declined more because of the Chestnut’s loss than from the intrusion of humans into their habitats.

How many habitats and industries would be lost if the Windows ecosystem were similarly and suddenly devastated? What? It can’t happen, you say? That’s a discussion for the comments.

7 Comments

  1. I am not going to argue your idea of a Windows ecosystem, but I’d like to add a corollary to your theory, the law of unintended consequences (I was a math major).

    The idea of open hardware has added to the instability of the Windows infrastructure. Expecting manufacturers to independently follow complex guidelines is tough. Then expecting them to explore all the possible permutations of coexistence is really tough. The consequence has created a great deal of confusion, resulting in the comment, “It works fine on my computer”. Microsoft added insult to injury with operating systems that have been less than stable. Part of Apple’s success is that they have controlled both the hardware and the software. They have a much easier problem to solve. This is not necessarily a bad thing, as long as market share stays below 50% or so.

    Another area where I find fault with the Windows ecosystem revolves around ActiveX and the System Registry. What poor choices they were, particularly in the area of unintended consequences. ActiveX gave developers tremendous power and flexibility in controlling and manipulating Windows. Unfortunately, for all the good that ActiveX can do, there is more than enough bad that can occur. Using IE, to hook to Outlook, to extract an Address Book, to propagate spam, is the tip of the iceberg. The System Registry is an example of putting all your eggs in one basket. Old wives’ tales are old, and wise, for a reason. Expecting everyone to behave correctly, and not corrupt the registry, was ill-conceived. Shame on Microsoft for ever letting this concept get past the idea stage.

    Back to your ecosystem idea. If the parasite kills the host, it too shall perish. It needs to continue to feed off the host or it too will die. Or, it needs to evolve itself, and find another host to feed off of. The cybercriminals could conceivably kill off Microsoft. Which gets us to the basic question, can malware survive outside the Windows ecosystem?

    Reply

  2. I think the eco-system also gets damaged by MS’s interference. If they see someone making money or being popular inside their eco-system they work to supplant them and take the business. Witness Netscape, WordPerfect, Lotus 123, dBase, Media Players and such. Now they are moving on to anti-virus, CRM and ERP packages. The only thing is that as MS gets bigger and more unwieldy, at some point it’s all going to fall over/down under its own bloated weight. Then MS is also having a lot of trouble with the Internet, which they have been so far unsuccessful to subvert.

    Reply

  3. Windows 7 security is nothing like OSX. Windows has services which will allow any malware author to execute any code they like without UAC prompting them. OSX actually has proper user separation and the only way that malware could take over the system is to find a privilege escalation bug or get the user to enter their password.

    For real security look at Android and the iPhone. Android isn’t even vulnerable to user-installed malware and the iPhone needs the binary to be signed before it will even run.

    Apple tried selling via retailers but they were shunned because of a backroom deal made by Microsoft. That is why they have their own stores. OSX development is way more open and accessible than Windows development.

    Reply

  4. Joe, I find this article’s definition of the shadow ecosystem far more accurate and better than your previous posts on this subject. The malware industry is not important to Windows success, but exclusively a side effect of it.

    Unlike peripheral, software, services, or other ecosystem components it generates zero sales pull back into the ecosystem.
    These vendors are also responsible for their fair share of problems (example nVidia Vista drivers, etc), but also give back to the Windows world.

    Brilliant article in all and again begs the question of why I can read this analysis for free but have to pay subscriptions to places like the WSJ or FT for their often times less thought out content…

    Reply

  5. In my opinion Microsoft have partially fuelled Windows’ shadow economy due to these reasons:

    .) Up until Vista Windows Update was built into a webpage + ActiveX in IE, making users accustomed to getting updates and patches through webpages; which in turn makes them much more likely to download from nefarious fake update and patch sites.

    .) No inclusion of anti-spyware + av tools although it’s clearly an essential OS function in the Windows world, thus making users vulnerable to malware posing as such tools. In my personal experience these are some of the most common malware infections.

    To me these above changes in Vista, 7 and with Morro are the most significant security enhancements Microsoft have done on the user end, rather than ASLR, patch-tuesday, and other core security enhancements, which are more effective in combating server vulnerability patterns than bad-user-habit-patterns.

    .) A lazy software ecosystem where multi-user unaware apps are still common-place, hence triggering a wave of UAC notifications in Vista and resulting in a huge chunk of Windows apps being Administrator-privilege-only even though they really don’t have to be.
    That is 100% Microsoft’s fault though as the single-user mentality – “I’ll just write my preferences into C:\Program Files\MyShittyApp\conf” – should have died / been killed with the replacement of Windows ME in ’00 not kinda-sorta discouraged with Vista in ’07.

    .) Windows out of the box being unable to work with essential files and standards like PDF, Java, Flash in many cases, etc which means a Windows user generally has to go and hunt for and install a larger number of helper programs than an OSX user for instance. Generally an OSX user will be installing a whole lot less of these kind of auxiliary apps when they first get their machine, thus they won’t be installing as much malware inadvertently.

    .) The core business model of “Windows by Microsoft + identical bland boxes by 100 competing companies” of course also doesn’t help when these 100 competing box pushers feel compelled to “differentiate” using helpful wireless network managers, Lenovo-style GINA replacements and other unnecessary system tools that ultimately just slow down the overall Windows experience, thus causing people to click on those “Registry fixer” or “Windows speed-up tool” and other such malware ad links.

    Apologies about the length but those are my 2 cents at any rate… :)

    Reply

  6. The System Registry is an example of putting all your eggs in one basket.

    This really is not true. The registry is not a single basket except how it is represented to users. Settings are logically segregated. (User settings are put in one set of files in the user profile directory; while machine settings are stored in the System directory of the boot machine.) Programs should alter their own keys and only their own keys, and corruption of a program key does not cause damage elsewhere. And of course, given that different settings are stored in different files, an error in one file does not destroy the whole registry.

    Reply

  7. Windows 7 security is nothing like OSX. Windows has services which will allow any malware author to execute any code they like without UAC prompting them.

    Actually, no. Windows (Vista onward) and OS X pretty much have the same privilege separation. Well, technically, all of the NTs did, but Microsoft idiotically made default accounts the equivalent to superuser up to and including XP, in order to keep apps running that were used to Win 9x’s non-existent privilege system. OS X runs services with varying levels of permissions just like the NTs (the various daemons) that run under accounts like lpt, nobody, like Windows has services that run at various levels of permissions (Local Service, Network Service, System). In both cases, lower privileged programs (the user) can’t affect upper level programs and services (Local Service, Network Service, System) without jumping through an elevation barrier (UAC on Windows, Authenticate on OS X, gksu on my beloved Ubuntu box.) (Although Seven puts a privilege elevation hole right in the middle of the OS, to mollify the people complaining about UAC — akin to what Raymond Chen describes as asking for a security hole as a feature, and Microsoft happily obliging.)

    I actually agree with pretty much everything Joe wrote here about the malware system on Windows. While marketshare plays a bit of a role, it’s simply cheaper (I like to think of it in economic terms) to write malware for Windows for all of the reasons Joe describes. Microsoft needs to make it much much more expensive to write malware. Obvious things include closing any security holes they find, but there are many things they can do that aren’t obvious which can really help.

    For instance, everybody agrees OS X applications are well designed and aesthetically pleasing. Mac developers pride themselves on making Mac-like applications, even though it is incredibly hard. That is an expense. A piece of Mac malware will not spread if it looks like an ugly Windows program. Contrast that to a Windows computer that I had to clean of a program called WinAntiSpyware. Dialog boxes were written in barely literate English, with poor grammar, and many typographic errors (probably because most malware is written in Eastern Europe). If something as ugly as WinAntiSpyware was ported to OS X, it would fail dramatically.

    The Mac also sports a very protective community (as Joe once again had the misfortune to rediscover, with the misunderstood Steve Jobs post). It’s a double edged sword, but it does help protect the Mac OS ecosystem from threats. Getting around that community is also expensive. (I’m not sure Microsoft could foster such a community, or if it is even too late given that the Windows install base is huge).

    Reply
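As an added example, not part of the post or of this comment thread: a PowerShell audit that shows the service account tiers the comment describes (LocalSystem, Local Service, Network Service and ordinary accounts) as they actually occur on a machine, and lists the LocalSystem services whose binaries live outside the Windows directory, which is the set a defender reviews first. It assumes Windows PowerShell 5.1 or later on Windows; the function names are my own.

```powershell
# Added example, not from the original post. Reads service metadata through
# WMI/CIM; no elevation is needed for this read-only query.

function Get-ServiceAccountSummary {
    # Count services per logon account, highest tier first by volume.
    Get-CimInstance -ClassName Win32_Service |
        Group-Object -Property StartName |
        Sort-Object -Property Count -Descending |
        Select-Object @{Name = 'Account'; Expression = { $_.Name }}, Count
}

function Get-ServiceExecutablePath {
    param([string]$PathName)
    # Service image paths come either quoted ("C:\Program Files\X\svc.exe" -arg)
    # or unquoted (C:\Windows\system32\svchost.exe -k netsvcs). For unquoted
    # paths only the first token is taken, which is the documented behaviour
    # of the service control manager when the path contains no spaces.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-HighPrivilegeThirdPartyServices {
    # LocalSystem services whose executable is not under %SystemRoot%.
    # These run at the highest local privilege tier, so an auditor wants to
    # know which vendor put them there and whether they are still needed.
    $systemRoot = $env:SystemRoot.TrimEnd('\')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        Where-Object {
            $exe = Get-ServiceExecutablePath -PathName $_.PathName
            -not $exe.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
        } |
        Select-Object Name, State, StartMode, StartName, PathName
}

# Usage: the summary shows the privilege tiers; the second list is the
# review queue for vendor software running as LocalSystem.
Get-ServiceAccountSummary | Format-Table -AutoSize
Get-HighPrivilegeThirdPartyServices | Format-Table -AutoSize -Wrap
```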
