Slashdot Mirror


The Software Monoculture

balster neb writes "CNET News.com has a piece titled 'Seeds of Destruction' on monoculture in software and its effect on security. The article talks about similarities between software attacks such as last year's MSBlast, and agricultural catastrophes such as the Irish Potato Famine. Isn't this another good argument against monopolies?"

14 of 404 comments

  1. Not just monopolies by grasshoppa · Score: 5, Insightful

    Isn't this another good argument against monopolies?

    In a very near-sighted way, yes. But we are talking about monocultures here, which is a bit more broad than that. And, something that the Linux crowd will want to be wary of.

    With all the momentum behind Linux right now, it could soon find itself faced with the same problems MS is faced with. While I don't doubt the ability of the Linux folks to find better solutions than MS did, it is still a concern that people should be aware of.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Not just monopolies by Carnildo · Score: 5, Insightful

      Linux can't be a monoculture in the way that Windows is. There are too many variations from box to box -- one worm that targets a buffer overflow in OpenSSL uses over a dozen different attack modes just to handle different versions of RedHat, and this is just to deal with boxes that use standardized, pre-compiled binaries. Once you factor in the fact that there are at least two different programs you can use for a given operation, and that many of these programs are compiled by the end user (using any of a number of different, binary-incompatible compilers), you find you've got a platform that can't be vulnerable to the "one-size-fits-all" attacks that Windows keeps getting hit with.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Not just monopolies by ManoMarks · Score: 5, Insightful

      As Linux gets more powerful, however, you're more likely to see turn-key solutions, out of box servers that have little or no modification by vendor. That's when you'll see the real danger from attacks.

      --
      That's gotta fit into your schema somewhere

    3. Re:Not just monopolies by 31415926535897 · Score: 5, Insightful

      As Linux gets more powerful, however, you're more likely to see turn-key solutions, out of box servers that have little or no modification by vendor. That's when you'll see the real danger from attacks.

      So what you're saying is that there are a lot of operator errors? There are a lot of people who install software but then don't change the defaults to secure it. I've seen that happen with RedHat... if you don't install the patches right after you install it (and you allow it on the net), it gets hacked (this was back during version 7 I believe).
      Same thing happens with Microsoft. It does become insecure for the default install--the default settings. How long did people know about the RPC vulnerabilities before the first worms attacked it, and yet hardly anybody patched their boxes.

      I'm not trying to make a case that Microsoft is as secure as Linux (not by a long shot), but while we have (uneducated) users operating their computers, no matter what the platform, exploits will be successful. I have run many Windows machines over the years, both workstation and server, and not once has one of the machines I'm responsible for been hacked or hit by a virus/worm. However, I have run Linux boxes before, and because I'm not as familiar with them, they have been exploited (remote root exploits--I had to give my machine up to the FBI for investigation, this was back when I worked at a government institution).

      The best you can do is write secure apps, but people will always fail at some point because no one is perfect. Exploits will always exist, and many exploits will be discovered over time. But if you don't have the users updating to cover the holes in the software they are using, it doesn't matter which OS they use, or which culture it came from, they will be hacked. And I believe that even if Linux were to gain 90% overall marketshare, we would still see as many problems as we do with Microsoft because of the users.

  2. Re:YES! by MoonFog · Score: 5, Insightful

    With some competition Microsoft would be forced to write more secure software faster, so in a way monopoly is to blame.
    Then again, AFAIK, Windows is not leading on the server side, but perhaps somebody can correct or confirm that?

    This is from the article: Being the top species in the information chain means more attention from the malicious coders.

    On the desktop, MS is definitely "top of the information chain", so naturally more attention will be brought their way.

  3. Loss of life... by AgentOJ · Score: 5, Insightful

    Of course, it is obvious that no computer virus has caused loss of human life (yet). However, it is probably only a matter of time until a virus or computer bug causes a massive loss of human life. Due to our huge reliance on computers, and due to the fact that 90% of the computers out there are running the same OS (including some of those that control critical infrastructures like 911, nuclear reactors, etc), the frightening implication is that in the event of a loss of life, it could be much, much worse than the Irish Potato Famine.

  4. BIND is also a Monoculture by Pup5 · Score: 5, Insightful

    I think that this concept also applies to BIND.

    Most DNS servers run either ISC BIND, or a package based on BIND source. Although I am a hostmaster and respect BIND, I often wonder if this isn't one of the reasons that DNS is such a prime hacker target.

    It seems clear that even with this example of an open-source program (although it's not GPL), groups prefer to avoid the cost of development at the expense of security (via the same monoculture argument). I've asked DNS appliance vendors this question (while they're trying to sell me on their product's security), and it's clear that they've never seriously considered the issue.

  5. Same Argument Applied to Standards by fiendo · Score: 5, Insightful

    Couldn't this same argument be applied to omnipresent standards and not just monopolies? If everyone uses TCP/IP and a security flaw is found in it, doesn't that amount to the same type of security threat?

    And yes I'm playing devil's advocate, but it's a slow morning :)

    --
    I went to the city because I wished to live without deliberation.
  6. Potato famine fallacy. by lothar123 · Score: 5, Informative

    Admittedly, this is off-topic. But I did my Ph.D. on the stuff and comments like that perturb me!

    It is a common misconception that the disease known as late blight, caused by the Oomycete (Phytophthora infestans) "caused" the Irish potato famine. Yes it is true that the Irish were growing only a few varieties of potato (monoculture), but the REAL reason was the socio-economic structure put in place by those bastard English. Essentially, most of the Irish farmers (which was damn near everyone), "rented" the land from rich English landowners. This meant that they grew vegetables, wheat, etc. to pay for the rent, and grew potatoes for food because they stored well. Late blight reduces crop yield both before harvest (lost foliage) and after harvest (tuber rot), and by removing potatoes as a food source, the Irish began starving. The English did nothing to help them during this time. In fact, the rental system stayed in place throughout the whole famine.

  7. Re:YES! by rusty0101 · Score: 5, Interesting

    As a point of interest, Oracle sells far larger database implementations than Microsoft SQL Server can support, and has been selling them for far longer than Microsoft has been selling SQL Server. Which has an architecture that virus and worm writers have been able to exploit.

    Apache on Linux, BSD and Solaris hosts significantly more web sites than IIS on Windows does, and has for several years longer. Which combination is more prone to being abused by viruses and worms?

    Sendmail hosts an order of magnitude more e-mail transactions than Exchange does. Which gets less press for its holes because it runs on a platform that gets exploited so often people expect the worm of the week to attack?

    The applications that get the worst rap for security problems are the ones with the most users, Internet Explorer, and Outlook (any variation). The fact that they happen to run on the same basic platform as the SQL server and IIS web servers do, should provide sufficient evidence that the alternatives running on other platforms would _tend_ to be more secure.

    That does not prevent problems from being possible in a Linux monoculture, or a BSD monoculture. It just suggests that the underlying structure is more secure, and less likely to be a significant source of security problems for e-mail and web browser clients running on top of them.

    -Rusty

    --
    You never know...
  8. Re:Monopolies by JimDabell · Score: 5, Insightful

    You could use the same argument against "standards."

    No you couldn't. IIS and Apache both implement the HTTP standard, but only one of them was vulnerable to Code Red et al.

    Avoiding a monoculture doesn't mean making everything as different as possible. It means that one implementation of a standard shouldn't monopolise the marketplace. If anything, open standards promote this, as you are free to use differing implementations rather than the single implementation that can handle a particular proprietary format or protocol.

  9. Does diversity end if the code goes unused? by sam_handelman · Score: 5, Interesting

    I'm a biologist, biatch!

    A biological population can experience genetic bottlenecks. For example, everyone in Iceland is practically genetically identical, since they are descended from a group of about a few dozen (already closely related) Vikings.

    The potatoes in Ireland were a similar example. Not only was everyone growing potatoes - all of these potatoes were descended from a small number of potatoes brought over from the New World. The original population of New World potatoes were genetically diverse - but the potatoes brought to Ireland were all especially susceptible to the fungus that brought on the Irish Potato Famine, so it was catastrophic.

    You can also get a genetic bottleneck in an entire species. The few surviving Andean condors probably only represent a fraction of the genetic diversity the Condor had at the height of its population. The diversity is gone forever.

    The same is not true for rarely used, or even completely unused, software. If some disaster befalls us that makes other operating systems useless, we can resurrect OS/2 Warp even if not a single installation remains anywhere in the world.

    On the other hand, without a population of OS/2 Warp installations, OS/2 Warp cannot evolve. It exists in a form of stasis that, over time, may render OS/2 inviable, in much the same way that environmental changes might drive the Andean condor all the way to extinction (while it might have survived with the genetic diversity that the species has already lost.) /RANT

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  10. Re:Not a good connection by Wandering+Hoosier · Score: 5, Insightful
    Potato famine was not deliberate - it was caused by a microorganism. Both the hack and the monopoly are socially constructed. Science can fight the former, but not the latter.

    However, the "monoculture" policy of having an entire population's survival depend on a single crop WAS deliberate. The policy was just as "socially constructed" as a monopoly. Therefore, the connection between the two is a good one.

  11. Re:YES! by protogeek · Score: 5, Informative
    Just in case you actually are new to this issue, and not trolling....

    [oversimplification] Back in the day, Windows was a popular operating system. Not the only popular one, but popular enough that an OEM who didn't offer Windows pre-installed was going to lose a lot of business. MS basically said that the OEM would pay them $fee for every processor sold, regardless of the OS installed, or else the OEM would not be allowed to sell Windows machines at all. Most OEMs recognized that they couldn't afford the hit they'd take if they couldn't sell Windows, so they agreed to this devil's deal. And then, since they were paying for the darned thing anyway, they installed Windows on all of their machines. [/oversimplification]

    This is how to turn a merely successful product into a monopoly, while making a lot of enemies as a free bonus!