Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft, Monocultures, Security FUD & Other Fun

Posted by Hemos on from the starting-the-morning-with-coffee-and-flame dept.

techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.

6 of 509 comments (clear)

  1. not the first time... by ThaReetLad · · Score: 5, Informative

    This is not the first time that A. Russell Jones has made controversial claims about Linux on DevX. At the end of august last year this story was run here on /. where he claimed that there should be a standard desktop for Linux.

    --
    You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
  2. Solution: Multi-OS Boxes by G4from128k · · Score: 5, Informative

    One solution to the monoculture problem is multi-OS architectures in which a single process is executed on multiple independent codebases within each box.

    On high-reliability systems (Space Shuttle & X-29 flight controls), multiple redundant subprocessors attempt to compute the same answer. If the subprocessors get different answers, the majority-rules and the system logs the exception. If each processor ran independent code, then exploits of any one codebase would be detected and disinfected. A multi-system with one exploited/infected codebase would continue running while ignoring the output of the infected subprocessor.

    The system would still have some vulnerabilties. Simultaneous attack on a majority of the codebases might succeed in redefinig the majority to suit the malware. Also, codebase independence is very hard. More than likely several codebases might share the same fault (e.g. a buffer overrun bug). Attacks on the overseer/majority-rules system might also succeed. Finally, if the standard has an exploit (e.g., decrypting WiFi WEP), then all codebases implementing the standard are vulnerable.

    The biggest downside is bloat and cost. But at least it would give people a reason to buy the latest greatest chips from Intel, AMD, IBM, etc.

    --
    Two wrongs don't make a right, but three lefts do.
  3. Re:For those who don't know... by Anonymous Coward · · Score: 5, Informative

    If you read the paper that was published, listened to any of the news accounts (including the conference call press conference), and read CCIA's disclaimers, you would know that he made it perfectly clear that this was something he was doing on his personal time, and had nothing to do with @stake. He went pretty far to disclaim any @stake connection to the paper.

  4. Re:I hope he's wrong ... by Anonymous Coward · · Score: 5, Informative

    I call bullshit. Give me one example.

    I work as a consultant in Health IT and I'll give you 5 that I've found in my travels.

    1. Pharmacy systems
    2. Allergy interaction checking systems
    3. Dietary system, wrong or delayed diets can kill a patient
    4. Workstations in the ER that have access to critical applications and patient charts
    5. Workstations that communicate with the ambulence and med chopper teams

  5. Re:MS Open Source Is Fertile Ground for Foul Play by Kilobug · · Score: 5, Informative

    As I said in the news about the source code leakage, this is a false fear, the same one MS uses about the GPL "do not read GPL code or you'll never be able to write commercial code afterwards".

    Copyright is _NOT_ patent. You can read copyrighted work and then write something similar by yourself. Copyright does not protect ideas, structures, algorithms or data formats. Copyright protectes the actual code - copy/pasting or recopying Windows code into Free Software would be disastrous. Reading Windows source code to understand protocols or formats and then writing your own Free implementation is not.

    Of course, you're not allowed to have windows source code at first, and you can be sued for having it. Not for writing source code with the knowledge you gained for it; the same way that reverse engineering is fordbidden in US, but if you use reverse to write Samba or a XFree driver, Samba or the driver will be legal. You can be sued if it's proven you used reverse, but your code will not.

  6. Re:MS Open Source Is Fertile Ground for Foul Play by Anonymous Coward · · Score: 5, Informative

    Reverse engineering is NOT illegal, you just have to do it carefully. Various companies do it ALL THE TIME. You have one group decompile the program or take apart the device. They then write a specification for the device based on what they learned (bonus points if it's a school). This specification is given to a middle layer which then passes it on to the programming team. The programming team writes code to match the spec they got from the middle layer. The code is no different from what they would write if the spec was simply made from scratch, in fact, the programming team is never told that they're working from a reverse engineered spec. All you have to do is make sure that no one from the decompile team has contact with anyone from the programming team and you're good to go.

    If absolutely nothing else, you can do the reverse engineering in the UK, where reverse engineering is explicitly allowed by law. The law even says that regardless of EULA terms, you can decompile software.