Slashdot Mirror


The Software Monoculture

balster neb writes "CNET News.com has a piece titled 'Seeds of Destruction' on monoculture in software and its effect on security. The article talks about similarities between software attacks such as last year's MSBlast, and agricultural catastrophes such as the Irish Potato Famine. Isn't this another good argument against monopolies?"

25 of 404 comments

  1. Network Worms and Monoculture by Eyah....TIMMY · · Score: 2, Interesting

    To add to michael's point, Jonathan Wignall made an excellent presentation (sorry, it's PPT) at DefCon 11 last year about how we could fight network worms.

    He basically concluded that we could not launch counter worms (like ones that would patch vulnerable Windows systems). The best solution was to diversify the OS we have our servers running on. A worm can spread in a matter of minutes, as the creator of the worm usually chooses a set of powerful vulnerable machines as his first hit.

    Some OSes like to keep things more open and easy to configure, like Windows 2k Server, which showed a hole in MS SQL Server 2K in which the DB could be accessed over the net. As a network admin you just needed to keep your DB firewalled and things would have been OK. Other OSes like Solaris are more of a pain to configure but usually leave less stuff open.

    --

    It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
  2. Yes by drewbradford · · Score: 2, Interesting

    Yes. It's an argument against monopolies. But it's also an argument against standards and any kind of compatibility.

    With the good comes the bad.

  3. Re:Monopolies by YU+Nicks+NE+Way · · Score: 2, Interesting

    In fact, the monoculture argument is used all the time against SMTP, just in different words. The difference is that the only way to fix a broken standard is to replace it. Microsoft argues that its operating systems are fixable. Whether or not that's true is still debatable, although the evidence supports MS to date.

  4. Re:YES! by Carnildo · · Score: 4, Interesting

    This is from the article: Being the top species in the information chain means more attention from the malicious coders.

    On the desktop, MS is definitely "top of the information chain", so naturally more attention will be brought their way.

    Apache is the top web server, running over 2/3 of the sites on the Internet. Why is it that Microsoft's IIS, at less than 20% of web sites, is the one that keeps getting exploited?

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  5. Re:Loss of life... by MsGeek · · Score: 3, Interesting

    The Blaster worm might have slowed reaction to the conditions that precipitated the Blackout of 2003. I believe a handful of people died as the result of the blackout.

    BTW: this is a great article, great to show the PHBs that perhaps having a diversity of platforms is better than "standardizing" on one. Standardizing on one platform, be it Windows, Linux, MacOS X or even Amiga, is bad policy and potentially dangerous.

    --
    Knowledge is power. Knowledge shared is power multiplied.
  6. Monoculture vs. Organic by Charles+Dart · · Score: 2, Interesting

    In organic farming monoculture is anathema. Having a variety of species in the same field reduces exposure to disease. It is more work to farm like this, so the product is more expensive but of better quality. The same can be applied to a network running open source software: more work to properly maintain, but more secure.

  7. Re:YES! by Anonymous Coward · · Score: 1, Interesting

    Especially the way the question is phrased. If you think it's a good argument against monopolies you need to answer no.

    Just look at the question with the word order changed and the subject highlighted:
    Is this not another good argument?

    Clearly this is all too confusing. The thing that makes it truly ironic is that if you replace the question with a double negative:

    Isn't this not another good argument

    suddenly yes becomes the right answer to give if you think it's a good argument.

    In conclusion: isn't this is a very, very poor way to start a sentence.

  8. Re:YES! by rusty0101 · · Score: 5, Interesting

    As a point of interest, Oracle sells far larger database implementations than Microsoft SQL Server can support, and has been selling them for far longer than Microsoft has been selling SQL Server. Which has an architecture that virus and worm writers have been able to exploit.

    Apache on Linux, BSD and Solaris hosts significantly more web sites than IIS on Windows does, and has for several years longer. Which combination is more prone to being abused by viruses and worms?

    Sendmail hosts an order of magnitude more e-mail transactions than Exchange does. Which gets less press for its holes because it runs on a platform that gets exploited so often people expect the worm of the week to attack?

    The applications that get the worst rap for security problems are the ones with the most users, Internet Explorer, and Outlook (any variation). The fact that they happen to run on the same basic platform as the SQL server and IIS web servers do, should provide sufficient evidence that the alternatives running on other platforms would _tend_ to be more secure.

    That does not prevent problems from being possible in a Linux monoculture, or a BSD monoculture. It just suggests that the underlying structure is more secure, and less likely to be a significant source of security problems for e-mail and web browser clients running on top of them.

    -Rusty

    --
    You never know...
  9. Re:YES! by Mod+Me+God · · Score: 3, Interesting

    With each of your examples, the same security problem cannot affect all of these systems. There are lots of species of potato, but because the population of Ireland were reliant on mainly one species, anything that affected this had a massive impact.

    Genetic diversity does not prevent disease, but it does reduce the effect one disease has on a population. This is the analogy I believe was being drawn. Imagine a virus wiped out (not just crashed) an OS. If all computers in the world were that OS, all computers would be wiped out; if computers were of mixed OSes, a proportion would be wiped out, but enough would survive to keep the infrastructure intact. This is the point against monopolies.

    Now, maybe a virus cannot completely wipe out a computer it infects (for now anyway) and the computer can be patched and rebooted, but even with non-fatal viruses that just crash and require a reboot 'genetic' diversity can smooth the effect a nasty strain of virus has.

    --

    FreeNET user? Comfortable with the adverse selection?
  10. Hidden risks in agriculture by Qrlx · · Score: 4, Interesting

    It is a well-known fact that the Irish Potato Famine wasn't caused by a lack of potatoes; rather it was an overabundance of Irishmen.

    Seriously, though, agriculture is a risky proposition. Prior to European conquest of Africa, the natives largely existed as hunter-gatherers. As such they tended to just eke out an existence on what little food they could find. Also, humans naturally become infertile when they're not fed enough, so during a time of scarcity the population stabilized itself, with the standard very-young and very-old dying off.

    The Europeans brought agriculture to Africa. (I'm talking large-scale, tied-to-one-patch-of-dirt agriculture here.) This has upset the "natural balance" by creating subsistence farming. People do tremendously well during good years, but are devastated that much more when a drought comes along. The population swells greatly due to the static nature of life and the need for people to work the farms. Those same populations are routinely eviscerated by famine every decade or so. (Not to mention the social problems as formerly nomadic people have been lumped together in arbitrary boundaries drawn by their conquerors.) For some reason Sally Struthers seems to think the solution to this problem is to provide more food. It's a short-term fix but it's also a vicious cycle.

    Agriculture can bring tremendous profit and clearly supply much more food than the hunter-gatherer lifestyle. But the risks are greater, too, especially once your society becomes dependent on large-scale farming. I saw on the Discovery channel the speculation that years of poor harvests led to the extinction of some Middle American people around 1200 AD. (Mayans? I can't remember.) In modern times, we see these risks introducing themselves in new ways, such as mad cow disease, brought about by imposing a cannibalistic diet on cows, which in turn happens because of market pressures to keep producing cheaper meat for an increasing number of increasingly hungrier (to the point of obesity) population. Something has to give. We are also seeing the depletion of natural fish stocks, and the "latest study" says that farmed fish contain much more mercury and PCBs than wild fish.

    I liked the CNet article a lot; they could have mentioned SQL Slammer's apparent role in the blackouts last year. I guess that hasn't been explicitly proven and overtly recognized; it would probably be too costly to Microsoft's share value, and by extension the economy, and by extension Bush's reelection strategy.

  11. Did you miss the trial? by khasim · · Score: 3, Interesting

    #1. Microsoft WAS handed their monopoly. From IBM. Back when IBM licensed MS-DOS for the IBM PC.

    #2. Check the DR-DOS history. See how Microsoft used bogus "error" messages against competitors.

    #3. Check the Netscape trial. See how Microsoft used OEM contracts against competitors.

    DUH! Did you MISS the part where Microsoft was found GUILTY of ILLEGAL LEVERAGING their MONOPOLY?

    Yes, if Linux gained more desktop space there WOULD BE FEWER VULNERABILITIES. Just take a look at how much market share Apache has and compare the market share to web server vulnerabilities that have been exploited. Specifically, how many IIS servers have been exploited.

    And you WOULD make the news IF your exploit/virus/trojan/whatever could hit BOTH Windows and Linux boxes.

    Get real. If all the factors were equal, we'd see a LOT more Apache exploits. There are over TWICE as many Apache sites as there are IIS sites.

    Your beliefs do not seem to coincide with the facts of the real world.

  12. Does diversity end if the code goes unused? by sam_handelman · · Score: 5, Interesting

    I'm a biologist, biatch!

    A biological population can experience genetic bottlenecks. For example, everyone in Iceland is practically genetically identical, since they are descended from a group of about a few dozen (already closely related) Vikings.

    The potatoes in Ireland were a similar example. Not only was everyone growing potatoes; all of these potatoes were descended from a small number of potatoes brought over from the New World. The original population of New World potatoes was genetically diverse, but the potatoes brought to Ireland were all especially susceptible to the fungus that brought on the Irish Potato Famine, so it was catastrophic.

    You can also get a genetic bottleneck in an entire species. The few surviving Andean condors probably only represent a fraction of the genetic diversity the condor had at the height of its population. The diversity is gone forever.

    The same is not true for rarely used, or even completely unused, software. If some disaster befalls us that makes other operating systems useless, we can resurrect OS/2 Warp even if not a single installation remains anywhere in the world.

    On the other hand, without a population of OS/2 Warp installations, OS/2 Warp cannot evolve. It exists in a form of stasis that, over time, may render OS/2 inviable, in much the same way that environmental changes might drive the Andean condor all the way to extinction (while it might have survived with the genetic diversity that the species has already lost). /RANT

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  13. Re:YES! by mooingyak · · Score: 2, Interesting

    That does not prevent problems from being possible in a Linux monoculture, or a BSD monoculture. It just suggests that the underlying structure is more secure, and less likely to be a significant source of security problems for e-mail and web browser clients running on top of them.

    Part of the problem with an MS monoculture isn't just a lot of people using Windows, it's a lot of people using Windows + Outlook + IE. If we take a hypothetical situation where the three in combination are individually more secure than some other OS/Browser/Mail Client combo, it is still more profitable for a virus writer to find one flaw in the dominant software than to find a much more exploitable flaw in some other less prevalent software.

    --
    William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
  14. Your Government Dollars at Work by DumbSwede · · Score: 3, Interesting

    The idea that one dominant OS would be bad from a virus susceptibility standpoint is not new. What amused me some years back was the Government charging Microsoft under antitrust laws, while at the same time agencies like NASA were issuing edicts that all software would be migrated to Windows. This was in response to the large fraction of NASA engineers and scientists using Mac, and then having file format inconsistencies.

    With Linux emerging as the platform of choice for scientific applications, I would imagine NASA has had to have changed this policy, so I would like to hear from some NASA people what the current policies are.

    One thing is clear: open source is being demonized by people with vested interests, who are trying to pass actual laws along the lines of "This is Godless and Communistic." I personally think open source is a really good fit for OS and language design. These are foundations on which everything else rests. Without open source you don't know if what you are building lies over a fault line or an artesian well.

    I'm sure Microsoft is cutting deals behind closed doors with various governments about putting in code to "track the bad guys". It's not just a matter of having stuff in there you don't know about, but having it steal your processor cycles, and having unintended interactions. And since it's black box and probably DRM, it will probably become illegal to deactivate it. And since you can't rip it out, or should even know it's in there, someone comes along with a real killer virus exploit that turns on your own DRM against you.

  15. Tragedy of the Commons: Market Failure by gruntled · · Score: 3, Interesting

    Monoculturalistic tendencies -- agricultural or technological -- develop because short term, they are more efficient, leading to economic benefits. Long term, of course, they are disastrous, because they lead to a lack of advancement and, if universal, lead to inevitable collapse of the entire system if a vulnerability exists and is exploited. This is a great example of what economists call "market failure," in which market forces drive a specific environment toward the *least* desirable outcome (for a primer on this problem, study articles relating to "the tragedy of the commons"). Eventually, such systems collapse because of these flaws, and are then subject to regulation or restrictive laws (see the government's ongoing oversight of Microsoft).

  16. Re:You're being silly by pantycrickets · · Score: 2, Interesting

    I didn't make myself very clear. When I was thinking of my example of diversity within Microsoft, I was thinking of diversity in programming in general I guess. It would be great if everyone used different methods in an attempt to obfuscate their problems.. which is how I think of all security methodology. So far, no operating system has proven secure. Some have lasted longer than others in not getting "rooted", but all are shown to be vulnerable over time. Anyway, I am getting off my point again. What I meant is that it wouldn't be practical to have all of your programmers in your company operating with drastically different procedures. I was making a far-fetched comparison to the amount of diversity you would need on the internet to make sweeping trojans like Blaster irrelevant. You would need to diversify to the point of uselessness.

  17. Monoculture was actually a GOOD thing. by Anonymous Coward · · Score: 1, Interesting

    When the IBM PC came out, there was a very splintered computer culture, composed of TRS80, Apple, Commodore, CP/M (with lots of different disk formats, just to stay interesting) and a few other splinter processors.

    And, dont ya know, NOTHING was portable. Perhaps some CP/M programs worked cross-platform, but the interesting programs used the Serial Ports or the Monitor Capabilities -- and so were customized for the particular home system.

    At the time, the industry leader was the Apple II because it had an open architecture and a Plug in Expansion Card system.

    The poor folks had TRS-80 (like me), rich folks had APPLEII or S-100.

    Then the IBM PC and the Apple Mac came out. And the MAC was a closed box (Warranty void if you add memory), but the IBM PC was an open system. IBM published the BIOS and everyone and his brother came out with cards and clones... and we became a monoculture.

    But suddenly all the people that were running in all different directions on all different machines embraced the open architecture... and there was a blooming of creativity and interesting software. All of a sudden, you could make a data disk at home, and when you got where you were going, you could count on something reading that disk. Interchange and communication and a sort of an easy interoperability (all the machines were well nigh identical) became the norm. People could build on the exploits of others, because everyone rallied around the same set of standards, namely DOS interrupts, IBM Format Floppy, serial ports that were virtually identical no matter who made the machine, large (comparatively) memory areas of 640KB and disk capacity of 20 MB.

    It was a golden age. The only loser at that time was the Mac, and for the very reason the Apple II was a success, the Mac lost. The Mac made it impossible to read or write to the new "lingua franca" of computerdom, the 360K floppy. They did not even support MFM on their machines, so that while most CP/M machines could either read or write a DOS floppy, the MAC by its very design could NOT.

    Also, the peripheral market surged. Now instead of a dozen different competing busses, the target was easy... 8 or 16 bit ISA -- take your pick. And controller cards and interface cards proliferated, spurred by the economy of scale.

    Eventually even the Mac had to include the capability of creating and reading a DOS formatted floppy. It was the only game in town.

    I believe that computers got to where they are today because of the proliferation and preeminence of a single type of computer... the accident is that it was the IBM machine, and MS-DOS. Any other single system would have had a similar spur.

    The monoculture was uniquely poised to become ubiquitous.

    But now, we have the social carnivores... the virus writer, the cyber anarchist who is not happy with people computing placidly, people who see the seams and cracks and vulnerabilities of the monoculture and pick at the weak points.

    And here is where the monoculture is bad. Because EVERY MACHINE has nearly the same undocumented behaviour. When i started, these quirks were published as "workarounds" for things the system designers did not really want you to do. Some of these became so widespread that when they were no longer accidental, they needed to be emulated on newer and newer hardware. Some early 386 bugs are trapped by the BIOS and emulated!

    It's only a short step, though, from using these tricks to further a legitimate purpose and using them for vandalism. Computers have had a remarkable freedom from predators for many years. Now the predators, the vandals, the black-hats are taking advantage of the same tricks that led to many of the game programming tricks, computation shortcuts, and undocumented features to prey on the weak places.

    So is monoculture bad? i say it is a mixed blessing.

    Regards.
    Ed, KB40RA

  18. Sorry to bust your myth but by fingerfucker · · Score: 3, Interesting

    To say that "[Microsoft] SQL Server [...] has an architecture that virus and worm writers have been able to exploit" is simply pathetically desperate misleading of the audience. Here is why.

    The Slammer worm used a vulnerability that was NOT an architectural design flaw across the product. It was a simple stack buffer overflow in an implementation of the SQL Resolution Service.

    On a seemingly unrelated topic, here is a plethora of buffer overflow vulnerabilities of Oracle from some time ago. How much mass media attention did that receive? Close to none, because it doesn't pay the media in advertising revenue to show an expert talking tech about buffer overflows and authorization headers. But it does pay off to create a bombastic news report on a big-time screw-up of the largest software company in the world.

    I am sorry to bust your balls, but I do recall several instances of similar problems such as an Apache worm on FreeBSD. I am not arguing that Apache et al. have more flaws, I am just pointing out that everyone who has coding skills prefers to explore IIS's quality rather than some Apache's because of simple "I can pick on the weaker guy easier" predatory concept from kindergarten.

  19. Re:BIND is also a Monoculture by LiamRandall · · Score: 2, Interesting

    Very good point.

    As a matter of fact, RIPE recognized 'monoculture' at the root DNS server level (at one time all the root servers did run BIND) as a similar potential problem/vulnerability quite some time ago. They have since moved a couple to different packages. The 'K' root server, for example, now runs NSD 1.0.2-REL. For more information, please see their original announcement at: http://www.ripe.net/ripe/mail-archives/dns-wg/2003/msg00044.html

    In a networking class that I teach at Xavier University I make sure that the students apply their lessons on multiple platforms for this reason exactly.

    --
    Great occasions do not make heroes or cowards; they simply unveil them to the eyes. -Bishop Westcott
  20. Standards are good by alispguru · · Score: 2, Interesting

    Things are at their safest when we have:

    Open specifications

    With multiple implementations

    On multiple platforms

    This is what published standards allow.

    Monopolies tend to produce:

    Closed specifications

    With single implementations

    On single platforms

    which is why they're easier targets for exploits.

    Note that most of the modern scripting languages occupy an intermediate point here, since they tend to have a single implementation which effectively is the specification. Perl/Ruby/tcl are like that. Python is a little better since it has multiple implementations, but no formal specification other than a test suite (correct me if I'm wrong, Python people).

    --

    To a Lisp hacker, XML is S-expressions in drag.
  21. Re:Lets make up things!! by Anonymous Coward · · Score: 1, Interesting

    The vast majority of MIS departments, given the choice, will try to standardize on products.

    Yes, they will.

    1. It is good for management.
    2. It is bad for security.

    Nobody doubts 1.
    You deliver no proof that 2 isn't true.

    The argument against "Monoculture" is just a twist on "Security Through Obscurity"

    Diversity is something different than obscurity.

    Obscurity makes management of heterogeneous sites difficult. Avoid obscurity in heterogeneous sites - use diverse implementations that build on standards.

    Diversity of implementation makes the site more secure, because different implementations have different bugs (no single points of failure).

    which anybody who actually works in security knows is not really security at all: it's placebo security.

    Please upgrade your placebo arguments to something real.

  22. Re:Monopolies by dubious9 · · Score: 2, Interesting

    Sorry wrong answer, thanks for playing.

    What a misinformed arrogant ass. Tell me what is in FTP or DNS that allows for root exploits for those running implementations of those standards. What? You mean there is nothing in the standard that is inherently insecure? You mean you are confusing systems that aren't encrypted and equating them to systems that aren't secure?

    Yes people can intercept data from those implementations. But oh, you can run them through a secure tunnel a la ssh. Oh, you mean you didn't realize it's a good thing to have separate standards for encryption and, say, file transfers? That hacking into two different binaries that just happen to be listening on the same port can require vastly different attack techniques?

    Grandparent had a good point, too bad you were too far into yourself to see that.

    --
    Why, o why must the sky fall when I've learned to fly?
  23. Diversity to the point of uselessness? by 2nd+Post! · · Score: 3, Interesting

    Not at all, not according to research models, actual case studies, and biological examples.

    The study of networks, and scale free networks, has been applied to virus vaccination, and I do believe those results apply equally to the internet, or any other network. You don't need to immunize everyone, and you don't need to make all network nodes different, you just need to immunize hubs, and you just need to vary and protect vital hubs.

    Here's a thought exercise: If you had 3 lans at work (one wireless, and two wired), you don't need to diversify every network to protect the entire place; You only need to protect three internal firewalls, three routers, one external firewall, and three DHCP machines to effectively protect up to 750 machines. Even better of course is the fact that all 750 machines don't have to be identical, since there will be the odd Linux server, Mac desktop or laptop for the graphic folks, and perhaps a Sun workstation or two here and there.

    So it's not like you'd have to diversify to uselessness at all; just intelligently.
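
The "immunize the hubs" argument in this comment, together with comment 9's point that in a mixed population only a proportion of hosts gets hit, as an added toy simulation that is not part of the thread: a preferential-attachment (scale-free) network, a worm that reaches every vulnerable neighbour, and three defences compared by worst-case outbreak size. The generator, the 5% patch budget and the 60/25/15 platform mix are constructed assumptions, not figures from the post.

```python
"""Toy model of worm spread on a scale-free network, comparing random patching,
patching the hubs, and platform diversity. All numbers are constructed."""
import random
from collections import deque


def barabasi_albert(n, m, rng):
    """Undirected scale-free graph: each new node links to m existing nodes,
    chosen with probability proportional to their current degree (assumed model)."""
    adj = [set() for _ in range(n)]
    core = m + 1                      # start from a small complete graph
    for i in range(core):
        for j in range(i + 1, core):
            adj[i].add(j)
            adj[j].add(i)
    # degree-weighted pool: each node appears once per incident edge end
    pool = [i for i in range(core) for _ in range(m)]
    for v in range(core, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            pool.extend((u, v))
    return adj


def worst_case_outbreak(adj, vulnerable):
    """Fraction of all hosts a worm can reach in the worst case: the largest
    connected component of the subgraph induced by the vulnerable hosts."""
    seen = set()
    best = 0
    for start in vulnerable:
        if start in seen:
            continue
        seen.add(start)
        queue = deque([start])
        size = 0
        while queue:                  # BFS confined to vulnerable hosts
            v = queue.popleft()
            size += 1
            for u in adj[v]:
                if u in vulnerable and u not in seen:
                    seen.add(u)
                    queue.append(u)
        best = max(best, size)
    return best / len(adj)


def immunize_random(adj, k, rng):
    """Patch k hosts chosen uniformly; return the still-vulnerable set."""
    patched = set(rng.sample(range(len(adj)), k))
    return set(range(len(adj))) - patched


def immunize_hubs(adj, k):
    """Patch the k highest-degree hosts; return the still-vulnerable set."""
    by_degree = sorted(range(len(adj)), key=lambda v: len(adj[v]), reverse=True)
    return set(range(len(adj))) - set(by_degree[:k])


def assign_platforms(n, shares, rng):
    """Give each host a platform drawn from shares ({name: probability})."""
    names = list(shares)
    return rng.choices(names, weights=[shares[p] for p in names], k=n)


def scenario(n=2000, m=2, patch_fraction=0.05, seed=7):
    """Run every defence on one fixed network; returns outbreak fractions."""
    rng = random.Random(seed)
    adj = barabasi_albert(n, m, rng)
    everyone = set(range(n))
    k = int(n * patch_fraction)
    # constructed platform mix; the worm only infects platform "A"
    platforms = assign_platforms(n, {"A": 0.6, "B": 0.25, "C": 0.15}, rng)
    only_a = {v for v in everyone if platforms[v] == "A"}
    hubs_left = immunize_hubs(adj, k)
    return {
        "monoculture": worst_case_outbreak(adj, everyone),
        "random_patch": worst_case_outbreak(adj, immunize_random(adj, k, rng)),
        "hub_patch": worst_case_outbreak(adj, hubs_left),
        "diverse": worst_case_outbreak(adj, only_a),
        "diverse_hub_patch": worst_case_outbreak(adj, only_a & hubs_left),
        "share_a": len(only_a) / n,
    }


if __name__ == "__main__":
    for name, frac in scenario().items():
        print(f"{name:18s} {frac:.3f}")
```

Patching the same number of hosts buys far more when they are the hubs, and diversity caps the outbreak at the share of the targeted platform even before any patching.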

  24. a labyrinth by theCat · · Score: 3, Interesting

    "Standards" contribute to the problem of monoculture in much the same way that standardizing on "front door with lock that opens with a key" contributes to home burglary. For that matter, all thieves speaking the same language in their home town makes it easier to discuss burglary. But the same standards also help us get around every day, so there is a tradeoff.

    Now, interestingly enough, I suspect we are heading for an era of fewer such standards! Communication is already in flux due to encryption; my encrypted discussion with another person will appear as complete gibberish when intercepted, like when the Japanese intercepted US Navy transmissions that were actually clear-text conversations between North American Indians working in the radio room. As for locks... what happens when homes lose their locks in favor of AI, and simply recognize who can come in and who cannot? It is much harder to crack a system that is watching you while you attempt to crack it. After all, the house could simply kill you if it had the right weaponry. At the least, it would not be as gullible as a lock.

    OK...my point approaches. Think for a moment about the shifting stairways and jumping rooms (well there was one at least in the last book) in the fabled Hogwarts School of Witchcraft and Wizardry. Ignore for a moment all the spellcraft going on...just look at what you could do with the architecture...can you imagine trying to take that place with a SWAT team? What route would they storm through? What alternates would they plan? What if things started moving even faster during a suspected attack? Further, what if the students and staff knew the rules and could function well enough regardless? An assault would not even bear the attempt. Given a similar kind of approach to software (and it really is just an approach, not magick at all) the best defensive strategy in OSs would be to have them randomize themselves on-the-fly. Most binaries could afford a certain amount of NOP space inserted. During final compile a "deviantC++" compiler could randomly insert busy loops or security trips or even totally bogus code, like whole other apps laying around already (games come to mind) and have them jumped over by properly executing code. We have plenty of RAM on our systems and generally an excess of CPU cycles; let 50% or more of binary be lines of random or calculated diversion codes. And let the code move itself around!

    We're so accustomed to the idea of optimizing code. We even reuse code and data objects and this is seen as a virtue and at present it is. But we could quickly decide that times have changed and it is no longer a virtue. My machine no longer has just 640K RAM, guys, and it has enough spare CPU to run Setiathome. I'm willing to sacrifice some of my slack for an OS and apps that gleefully rewrite themselves every few minutes. If that became very common then the notion of exploiting a computer remotely via known vuls would become a quaint memory of a primitive era in technology.

    And now I will hustle my butt over to the USPTO to patent this scheme for the financial benefit of my heirs. Remember, you read it here first.

    --
    =^..^= all your rodent are belong to us
  25. Wrong monoculture... by Anonymous Coward · · Score: 1, Interesting

    The focus of the discussion is monoculture of binaries, software, etc. I believe the point isn't software, it's the focus of developer energies.

    Microsoft is getting serious about security not because it is good, or proper. It is because they are losing sales because of it. It has become an issue this year, not because there is more damage, more worms, more insecurities. In fact, it could be said that MS stuff is more secure than it was two or three years ago. It is an issue this year because Microsoft is losing sales.

    I Love You worm was in 2000. It cost lots of money. My sister was working for an accounting firm, and their systems were down for a week. I'm quite sure that MS' clients screamed at them. MS said, well, we will try to fix things. What could anyone do? There weren't any real alternatives available. Even now, the Linux desktop is just getting to the point of being ready. Linux on the server was good, but not at all a proven reliable choice as it is now. So MS didn't lose any sales. So they didn't need to focus the whole of their energies to fix the security issues.

    Which brings to mind another question. If Outlook was the problem, where is the thriving market choice for Windows mail applications? There isn't any. Still, Windows users are essentially stuck with Outlook. On Linux, there is a very good choice, with competitive features, and active development in most. If one showed a real problem, no big deal. Apt-get another one and carry on. Just like the choice of MTAs. Don't like Sendmail? Use Exim, Qmail, Postfix, etc. The maintainers of each are aware that security is a necessity, so at least they are working on it. Microsoft, until recently, didn't care at all.

    I believe that this last August's spate of security issues that cost real money and time resulted in a loss of sales. There is a truly viable alternative in the server room. A multi-culture if you will, in a healthy marketplace. Users could slam MS, tell their sales rep to shove the f****** trash up their a**, without any repercussions, because there is an alternative. Microsoft has had no choice but to respond, and fix the problems.

    Remember, security is an expense. You can't successfully sell security. Features do sell. Lack of security only costs sales. Your best people are put to a task that is difficult and costly, and when you get it right, the issue and problem disappear and are forgotten. The only thing that will keep security in the forefront as it needs to be is a competitive market, where there are alternatives. If IIS sucks, use Apache. If Apache sucks, use something else. There is choice.

    Microsoft will probably get things reasonably secure, and the issue will die as a major sales factor, all else being equal. The differences between open and closed source, updating methods etc. will in the end be minor points to argue over. But only as long as there are viable alternatives in the marketplace to keep all the participants focused. That I think is what is dangerous about a monoculture.

    Derek