
BLU Discuss list archive



hearing



Ben Williams writes:
-+------------------
 | There's now an amendment being offered to an economic stimulus bill
 | that threatens to roll back the ODF policy. More info on the
 | ConsortiumInfo.org blog:
 | http://consortiuminfo.org/newsblog/blog.php?ID=1699
 | It is apparently being debated tomorrow so I encourage you to call or
 | email your Senator.
 | 

I did (Travaglini is my, ahem, guy) and here
is the letter I'm pushing...

--dan


================================================



                                         180 Chestnut Street
                                         Cambridge, Massachusetts
                                         02139

                                         01 Nov 2005

Hon. Marc R. Pacheco
Massachusetts Senate
State House, Room 312-B
Boston, Mass. 02133

re:  OpenDocument Standards

Dear Sen. Pacheco,

     My name is Dan Geer.  I am one of the half dozen
ranking world experts in matters of computer security.  By
virtue of a long career both in academia (MIT and Harvard)
and the private sector (six times an entrepreneur), there is
absolutely no one in the State House who is not using
software that I had a hand in producing, including yourself.  I
am a trusted advisor to the Federal Trade Commission, the
Departments of Justice and Treasury, the National Academy of
Sciences, the National Science Foundation, the US Secret
Service, and the Department of Homeland Security.  I am a
Board member for a number of promising startups and their
funding sources, have forty-two refereed publications, books
and book chapters, four patents, over two hundred fifty
invited presentations twenty percent of which were keynotes,
and have been five times before the US Congress -- twice as
lead witness.  I have taught ten thousand students in the
aggregate.

     As an Officer of the Commonwealth, you understand the
monopoly power of Microsoft quite well as the Commonwealth
was the last man standing in the most recent round of
antitrust litigation.  What perhaps you did not grasp is the
degree to which a computing monoculture is a security risk
of the highest sort.  It is, and I and others in the
security research community are on record in unassailable ways
that a computing monoculture is a hazard, but that it is an
avoidable hazard if you want it to be.  Microsoft maintains
its power through user-level lock-in, as the Commonwealth
noted and which it so adequately opposed.  So long as that
lock-in persists, there will be no solution to the
monoculture risk.  That lock-in is centered on and wholly
confabulated with the use of proprietary formats for all documents
produced by the Office Suite.  Therefore, as a matter of
logic and logic alone, if you care about the security of the
Commonwealth then you must care about the risk of a
computing monoculture.  If you care about the risk of a computing
monoculture, then you must care about barriers to computing
diversification.  If you care about barriers to computing
diversification, then you must care about user-level
lock-in.  If you care about user-level lock-in, then you must
apply yourself to the task of breaking the proprietary
format stranglehold on the Commonwealth.

     Fortunately, that has already begun.  The Enterprise
Technical Reference Model and its call for Open Document
standards is precisely what is needed and it is not a moment
too soon.  As a ranking security professional with a
doctorate in statistics, I can provide any amount of technical,
quantitative proof that Open Documents are the point of
maximum leverage and that the risk of remaining as we are
exceeds any non-specialist's understanding including, with
respect, yours.  Warning times before attacks take place
have fallen to zero.  There is a new Windows virus every
four hours.  Perhaps 15% of all desktop Windows computers
are running malware of some sort and I'll bet you $100 that
includes your office.  There is a direct and demonstrable
correlation between increasing complexity of the Windows
system and the effectiveness of attacks.  Jurisdictional
boundaries are meaningless if not indetectible in an
always-on, fully-networked world.  And as you almost surely know,
your opponents are no longer misanthropic isolates but are
instead professionals.  So long as the Commonwealth
voluntarily allows itself to be locked-in by the proprietary
document formats of a proven monopoly, the Commonwealth cannot
diversify and therefore the Commonwealth cannot mitigate its
risk in any but the most marginal and palliative ways.

     I am ready to vigorously debate these points with any
and all comers both privately and in any venue.  This is, in
other words, a matter on which I actually do stake my
professional reputation, my fortune, and my sacred honor.  How
may I be of assistance?


                              Very truly yours,



                              Daniel E. Geer, Jr., Sc.D.




P.S. I have blind relatives and if genetics is any guide
may have that in my future.  My comments still stand.

================================================





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
