Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Software Monoculture

Posted by michael on from the dutch-elm-disease dept.

balster neb writes "CNET News.com has a piece titled 'Seeds of Destruction' on monoculture in software and its effect on security. The article talks about similarities between software attacks such as last year's MSBlast, and agricultural catastrophes such as the Irish Potato Famine. Isn't this another good argument against monopolies?"

10 of 404 comments (clear)

  1. Not just monopolies by grasshoppa · · Score: 5, Insightful

    Isn't this another good argument against monopolies?"

    In a very near sighted way, yes. But we are talking about mono-cultures here, which is a bit more broad than that. And, something that the linux crowd will want to be wary of.

    With all the momentum behind linux right now, it could soon find itself faced with the same problems MS is faced with. While I don't doubt the ability of the linux folks to find better solutions than MS did, it is still a concern that people should be aware of.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Not just monopolies by Carnildo · · Score: 5, Insightful

      Linux can't be a monoculture in the way that Windows is. There are too many variations from box to box -- one worm that targets a buffer overflow in OpenSSL uses over a dozen different attack modes just to handle different versions of RedHat, and this is just to deal with boxes that use standardized, pre-compiled binaries. Once you factor in the fact that there are at least two different programs you can use for a given operation, and that many of these programs are compiled by the end user (using any of a number of different, binary-incompatible compilers), you find you've got a platform that can't be vulnerable to the "one-size-fits-all" attacks that Windows keeps getting hit with.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Not just monopolies by ManoMarks · · Score: 5, Insightful

      As Linux gets more powerful, however, you're more likely to see turn-key solutions, out of box servers that have little or no modification by vender. That's when you'll see the real danger from attacks.

      --

      That's gotta fit into your schema somewhere

    3. Re:Not just monopolies by 31415926535897 · · Score: 5, Insightful

      As Linux gets more powerful, however, you're more likely to see turn-key solutions, out of box servers that have little or no modification by vender. That's when you'll see the real danger from attacks.

      So what you're saying is that there are a lot of operator errors? There are a lot of people who install software but then don't change the defaults to secure it. I've seen that happen with RedHat...if you don't install the patches right after you install it (and you allow it in the net), it gets hacked (this was back during version 7 I believe).
      Same thing happens with Microsoft. It does become unsecure for the default install--the default settings. How long did people know about the RPC vulnerabilities before the first worms attacked it, and yet hardly anybody patched their boxes.

      I'm not trying to make a case that Microsoft is as secure as Linux (not by a long shot), but while we have (uneducated) users operating their computers, no matter what the platform, exploits will be successful. I have run many Windows machines over the years, both workstation and server, and not once has one of the machines I'm responsible for been hacked or hit by a virus/worm. However, I have run Linux boxes before, and because I'm not as familiar with them, they have been exploited (remote root exploits--I had to give my machine up to the FBI for investigation, this was back when I worked at a government institution).

      The best you can do is write secure apps, but people will always fail at some point because no one is perfect. Exploits will always exists, and many exploits will be discovered over time. But if you don't have the users updating to covers the holes in the software they are using, it doesn't matter which OS they use, or which culture it came from, they will be hacked. And I believe that even if Linux were to gain 90% overall marketshare, we would still see as many problems as we do with Microsoft because of the users.

  2. Re:YES! by MoonFog · · Score: 5, Insightful

    With some competition Microsoft would be forced to write more secure software faster, so in a way monopoly is to blame.
    Then again, AFAIK, Windows is not leading on the server side, but perhaps somebody can correct or confirm that ?

    This is from the article: Being the top species in the information chain means more attention from the malicious coders.

    On the desktop, MS is definately "top of the information chain", so naturally more attention will be brought their way.

  3. Loss of life... by AgentOJ · · Score: 5, Insightful

    Of course, it is obvious that no computer virus has caused loss of human life (yet). However, it is probably only a matter of time until a virus or computer bug causes a massive loss of human life. Due to our huge reliance on computers, and due to the fact that 90% of the computers out there are running the same OS (including some of those that control critical infrastructures like 911, nuclear reactors, etc), the frightening implication is that in the event of a loss of life, it could be much, much worse than the Irish Potato Famine.

  4. BIND is also a Monoculture by Pup5 · · Score: 5, Insightful

    I think that this concept also applies to BIND.

    Most DNS servers run either ISC BIND, or a package based on BIND source. Although I am a hostmaster and respect BIND, I often wonder if this isn't one of the reasons that DNS is such a prime hacker target.

    It seems clear that even with this example of an open-source program (although it's not GPL), groups prefer to avoid the cost of development at the expense of security (via the same monoculture argument). I've asked DNS appliance vendors this question (while they're trying to sell me on their product's security), and it's clear that they've never seriously considered the issue.

  5. Same Argument Applied to Standards by fiendo · · Score: 5, Insightful

    Couldn't this same argument be applied to omnipresent standards and not just monopolies? If everyone uses TCP/IP and a security flaw is found in it, doesn't that amount to the same type of security threat?

    And yes I'm playing devil's advocate, but it's a slow morning :)

    --
    I went to the city because I wished to live without deliberation.
  6. Re:Monopolies by JimDabell · · Score: 5, Insightful

    You could use the same argument against "standards."

    No you couldn't. IIS and Apache both implement the HTTP standard, but only one of them was vulnerable to Code Red et al.

    Avoiding a monoculture doesn't mean making everything as different as possible. It means that one implementation of a standard shouldn't monopolise the marketplace. If anything, open standards promote this, as you are free to use differing implementations rather than the single implementation that can handle a particular proprietary format or protocol.

  7. Re:Not a good connection by Wandering+Hoosier · · Score: 5, Insightful
    Potato famine was not deliberate - it was caused by a microorganism. Both the hack and the monopoly are socially constructed. Science can fight the former, but not the latter.

    However, the "monoculture" policy of having an entire population's survival depend on a single crop WAS deliberate. The policy was just as "socially constructed" as a monopoly. Therefore, the connection between the two is a good one.