The Software Monoculture
balster neb writes "CNET News.com has a piece titled 'Seeds of Destruction' on monoculture in software and its effect on security. The article talks about similarities between software attacks such as last year's MSBlast, and agricultural catastrophes such as the Irish Potato Famine. Isn't this another good argument against monopolies?"
"Isn't this another good argument against monopolies?"
The answer is yes, or maybe no.
Call me a complainer, but I really don't like the Slashdot postings that end with such vague questions.
"Isn't this another good argument against monopolies?"
In a very nearsighted way, yes. But we are talking about mono-cultures here, which is a bit more broad than that. And, something that the linux crowd will want to be wary of.
With all the momentum behind linux right now, it could soon find itself faced with the same problems MS is faced with. While I don't doubt the ability of the linux folks to find better solutions than MS did, it is still a concern that people should be aware of.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Isn't this another good argument against monopolies?
You could use the same argument against "standards." But you wouldn't. Yes, if everything were made completely different from everything else, sure, it would be harder to mount large scale attacks against anything. You would have to tailor your exploit to all of the different architectures you are interested in. The downside of course is that you will have thousands of people constantly working on different designs for the same wheel. Promoting diversity within even a company like Microsoft would likely accomplish the same thing, but once again, would be highly impractical.
Potato famine was not deliberate - it was caused by a microorganism. Both the hack and the monopoly are socially constructed. Science can fight the former, but not the latter.
Of course, it is obvious that no computer virus has caused loss of human life (yet). However, it is probably only a matter of time until a virus or computer bug causes a massive loss of human life. Due to our huge reliance on computers, and due to the fact that 90% of the computers out there are running the same OS (including some of those that control critical infrastructures like 911, nuclear reactors, etc), the frightening implication is that in the event of a loss of life, it could be much, much worse than the Irish Potato Famine.
Prevent email address forgery. Publish SPF records for y
"People have brought over species that we didn't expect here, just like people have created viruses that Microsoft didn't expect to deal with," said Jeff Dukes, professor of biology at the University of Massachusetts at Boston, who studies diversity and growth in ecological systems. "These introduced species have had a major impact on our forest and have knocked out entire species."
Excuse me, but how can you compare a biological occurrence to a technological occurrence? There are too many variables in the biological virus. Or can you in fact make a definite comparison?
Saying people created viruses Microsoft didn't expect to deal with is bogus. That's a cop-out.
Microsoft was well aware of many of its security holes. It's been going on for years.
There is a significant difference between what's happening in computer security and the potato famine. They didn't know any better than to farm without diversity at the time. We've learned a great deal about agriculture and soil conservation since then... the famine itself was one large, nasty lesson.
The big difference wrt computer security is that we *do* know better and are still failing to get it right! The phone "Phreaks" from decades past should have taught us a lesson (not to mention the telcos of the time). The Morris Worm should have been a giant, looming reminder of security and secure programming practices as the internet became more ubiquitous and our economic dependence on it greater... but we (producers of software everywhere) still keep f-ing it up!
The writing is on the wall, has been there for a long time and it needs to be heeded.
I think that this concept also applies to BIND.
Most DNS servers run either ISC BIND, or a package based on BIND source. Although I am a hostmaster and respect BIND, I often wonder if this isn't one of the reasons that DNS is such a prime hacker target.
It seems clear that even with this example of an open-source program (although it's not GPL), groups prefer to avoid the cost of development at the expense of security (via the same monoculture argument). I've asked DNS appliance vendors this question (while they're trying to sell me on their product's security), and it's clear that they've never seriously considered the issue.
"People have brought over species that we didn't expect here, just like people have created viruses that Microsoft didn't expect to deal with"
The difference here is that we have US Customs doing its best to stop people bringing foreign species over. If US Customs did things like Microsoft, they would hand out culture dishes to execute your Windows Script code on and implant your cultures into the environment w/o asking the end user.
It's funny how a company can leave holes in everything, let people get used to being insecure, then tout fixing the problems as an innovation.
Couldn't this same argument be applied to omnipresent standards and not just monopolies? If everyone uses TCP/IP and a security flaw is found in it, doesn't that amount to the same type of security threat?
:)
And yes I'm playing devil's advocate, but it's a slow morning
I went to the city because I wished to live without deliberation.
The article glossed over the heart of the matter...
...except for that brief mention. The English were the ones that killed the Irish, because they demanded payment in food, even when the Irish could not pay.
Most of it, however, was intended for export to England.
To liken the conditions of the software industry to the Irish Potato(e) famine is ridiculous. To whom or what is the industry beholden to? If we cannot produce code will we starve to death? Is someone occupying our cities and towns, threatening our lives if our code fails to compile? I'm not Irish, (though I do like potatoes), but please think again before you make analogies such as these.
Sig Hire!
Firstly, the snide comment on monopolies is simply unwarranted and certainly not as sarcastically entertaining as I'm sure it was intended. Too often the word "monopoly" is used as merely a code-name for "those-who-are-winning-and-who-aren't-me!" So 'nuf said there.
Secondly, the ubiquitous nature of the Internet is the single biggest reason behind its success. While I agree that the "genetic makeup" of the Internet may also be its weakest link, I have to ask, "What's the alternative?"
Look at how the Internet, much like the telephone, has made communication so much more efficient. It has opened channels across the world, across socio-economic cultures, across demographic diversities that have never been accessible before - at least to the average Joe/Jane. This would have been impossible if, say, every country was forced to use its own network transport layer. Sure, Cisco would love it - they'd be able to sell country-specific routers to automate the traffic translations. They'd make a fortune!
Is the article suggesting that we create multiple network infrastructure to obfuscate malicious interrogation? If so, how could it be done without public standards - which would defeat the purpose anyway?
The article's viewpoint is short-sighted. The answer is not to mutate the DNA of the Internet (Ethernet/TCP/IP/etc), but rather to enhance its perimeter defenses, such as SMTP. That protocol itself is way too vulnerable. Outlook is a fine product; I doubt anyone would argue that. But look how much it's been [editorially] attacked recently because it's based on an ancient protocol and has been jerry-rigged to overcome the security holes of its communication layer.
I don't know, maybe I'm rambling, but the article irked me. Just a bad day I guess.
Why is arguing against monopolies arguing against standards or arguing against compatibility?
The presence of a monopoly *guarantees* a standard, but does not guarantee compatibility. Microsoft can (and has, accidentally) broken compatibility between various versions and flavors of its various programs.
The absence of a monopoly does not have any bearing on standards or compatibility. It is, in fact, preferred for there to be a standard in the absence of monopoly; witness the DVD standard, the CD standard, the various interface standards...? It means that people can talk and interact sanely when no one individual has control.
If you mean diversity argues against standards and compatibility? I don't think that holds either.
Philips, Panasonic, Samsung, Sony, IBM, Apple, Dell, RCA, Aiwa, and Kenwood all adhere to the CD standard, and thus a CD that can play in one can play in all, without there existing a monoculture or a monopoly. The same holds true of paper, nails, DVDs, and many other things. Of course some products are crappier than other products, which affect compatibility and quality, but it's not due to lack of monoculture, since Microsoft decisively also has crappy products and crappy quality as well.
Diversity means competition.
Last I recalled, competition meant progress, and growth, as well as strength and robustness. If one product/method/attempt fails, then another can succeed. If one is suboptimal, an alternative may be optimal.
In a monoculture, none of that applies. You can't have difference without choice, you can't have competing theories without choice, you can't have flexible strengths without choice.
You just have no choice.
GPL Deconstructed
According to a Netcraft report, 2/3 of the web now runs on Apache.
Granted, it could be Windows/Apache, it's most likely Linux/Apache.
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
It is not standards that are a problem, it is "De Facto" standards.
A "De Facto" standard is really not a standard at all. It's just an implementation that happens to gain critical mass.
In (economic) theory, such an implementation should be the Darwinian best; in theory the best product always wins. However, we know from engineering experience this is almost always untrue. Another way to put this is that fitness to reach monopoly status is not necessarily fitness for the tasks and uses to which we'd like to put a thing.
The advantage of real standards over "de facto" standards is that they are designed to allow multiple competing implementations, avoiding the monoculture problem. The other advantage is that they are "designed" rather than just happening.
The disadvantage of standards over "de facto" standards is that the standards process is less agile at the outset.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
False logic: You talk about the weakness of standards, which is valid, and then switch topics. The logic breaks when you do that.
You talk about the difficulty of diversity in an extremely exaggerated and unrealistic manner as a solution against standards and monoculture, when the realistic solution is neither.
In real life, you have competing *standards*. DVD-R and DVD+R. Blu-ray and HD-DVD. UPnP and Zeroconf. POP and IMAP. And often times, in real life, you don't settle for *one* standard, you accept multiple. Of course there are exceptions, like HTTP and BIND or TCP/IP protocols, but your argument has no bearing on reality otherwise.
So you then talk about diversity being impractical, without supplying any logic whatsoever. You just assume because encouraging *no* standards is impractical, that diversity is impractical. They are different.
Support multiple standards, support open standards, and their implementation is not impractical, highly or otherwise. That is the whole reason standards exist!
Using different hardware and OSes to protect a company is not 'highly impractical': NetBSD on x86 for firewalls. Solaris on Sparc for servers. Linux on Itanium for compute nodes. OS X on PPC for desktops.
This is *natural* because each environment and tool have different strengths and weaknesses. It's like having multiple tools in a tool chest!
You wouldn't use Linux and Itanium for *everything*. Nor would you use OS X on PPC, or Solaris on Sparc. Nor *should* you use Windows on x86. It makes you too vulnerable and weak, and you sacrifice the strengths of each platform and environment!
GPL Deconstructed
Yes, it is all black and white. There are simple causes for every outcome. Because of this, THIS happens. Oh, and capitalization makes things more true. REALLY!
A couple things:
On point #1:
1. DOS does not equal Windows
2. MacOS, UNIX, AmigaOS, BeOS, Solaris, etc. Operating systems have competed, and lost (so far). Is it because Microsoft practices illegal monopolistic crap? That certainly is likely to be a contributing factor. But so do other businesses that fail.
On #2: Want to help us out and provide a link? I don't think this proves anything about monoculture in software, but it might be interesting.
On #3: see the above.
Okay, so fewer vulnerabilities? Prove it. Don't state it, prove it. And the Apache vs. IIS argument is a bit silly - Apache isn't Linux, and IIS isn't Windows. Linux owes its ability to be secure to the experiences of the marketplace, many of which come from experiences with Windows. So no, there is no way to prove that Linux would be more secure. Open your eyes, and take a look around. Linux is probably more secure RIGHT NOW than Windows, but who the hell knows what it'd be if not for Windows?
Since this has gotten all point to point, one last thing. Writing an exploit for both is too hard for these script kiddies - there are two pieces to the puzzle - easiest screw with the most effect. That's Windows right now.
So, sir, I say, "Get Real, yourself."
Hope to hear from you soon!
The socio-economic structure at the time can be likened to corporate addiction on Microsoft products. Because of the large investment in Word format documents and interoperability needs, your company is stuck with Office and Windows (unable to plant other varieties of potatoes). This monoculture is easily taken down by a single attacker, as we've seen several times now.
The attack would not have been possible if there was true diversity in both cases. Diversity would've been possible if not for English oppression or Microsoft monopoly. The attack simply exposes vulnerabilities in a deeply flawed system.
Why is it such an irritating analogy to you?
"Plain old capitalism" is exactly what the railroad robber barons did in the 1800s. And it is one reason that anti-trust laws exist today. It is not legal to use "industry leadership" in one area whether it's railroads or operating systems to create monopolies in areas where you are not the best player but just the richest or most powerful (due to dominance in another area).
Let's imagine a "hypothetical situation." A company produces a software application in addition to its very popular operating system. The new software application is not as good as the competition's product and isn't as popular with secretaries. By bullying the retailers (as in "if you include our competitor's software on your computers, we won't let you use our operating system"), that company might very well find itself an industry leader without ever having to improve the product.
Of course, this is purely an hypothetical example...
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
Many different vendors implemented SMTP/POP3 and TCP/IP differently - and yet they were all susceptible to their historical fiascos.
We got a TTL field, a clean-up of the Ack response, and a reorganization of the old email-handoff architecture - but it still ended up costing a comparable amount of time and resources to deal with as any other hack.
HTTP, like any technical standard monoculture, is also susceptible to legal problems - just as linux is. The [object] debacle is going to cost more than just microsoft manpower, and money. And should a legitimate SCO-style IP claim be levelled against Linux, updating all the various builds out there will be a similar resource drain for every vendor.
So while standards may not have the same attraction for directed malicious individuals as does a monoculture OS - they do still come with monoculture risks and vulnerabilities.
One might argue that the prevalence of SMTP/POP3 as mail standards is to blame for much of the time, energy, and money used to combat spam.
If there wasn't such entrenched usage of the dominant standards, software would necessarily need to support multiple standards. Then it would be easier for clients to demand an improved solution, as they'd be more free to junk a particularly troublesome standard.
Sure, standards are largely a necessary evil for effective communication across systems. But because they are necessary doesn't mean they don't still carry traditional monoculture risks.
// "Can't clowns and pirates just -try- to get along?"
You also missed the part where IBM approached Gary Kildall to license CP/M but failed and then went to Microsoft who stole CP/M, rebranded it and licensed it to IBM. So, you can't really say that IBM just "handed Microsoft their Monopoly."
I used both CP/M and DR-DOS and remember being rightfully pissed off as the slapjob that was MS-DOS took over. Unfortunately, I think the greater blame falls on Kildall's head as he had the OS IBM wanted and the opportunity to license it, but blew it. Big time.
And MS would be a tiny software company if Compaq/Phoenix hadn't figured out how to reverse engineer IBM's only secret part of the PC (the rest was from off the shelf components). Unlike all the other myriad of personal computers the rest of the companies largely did in house operating systems, like Apple. Even if you somehow built a Mac, what would you run on it, if you were an OEM, not a geek?
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
When there are similarities in software running on computers over the internet the process of fixing bugs is simplified e.g. Microsoft only needs one copy of the relevant patches per OS version.
"It's not a question of whether Linux vs. Windows on security is arguable or not, just whether it can be proven."
It can never be "proven" because there is no way to know that every possible bug has been found.
All that can be shown is statistical evidence.
Your point is well-taken, but it has some uncomfortable consequences. Consider that most people on this planet don't get enough to eat. They're not as badly off as the potato-dependent Irish, but they're still pretty badly off. And, like the Irish, they're not starving because there's no food to feed them. They're starving because the economic deck is stacked against them.
There is a difference in that the Irish lived on the very land that could have fed them, and even grew the crops they weren't allowed to eat. But I'm not sure that's a difference with any moral value. It certainly isn't a difference that matters to the millions who hate and envy us for our full bellies.