Slashdot Mirror
Microsoft, Monocultures, Security FUD & Other Fun
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.
As much as I dislike the company, there are too many critical systems that are relying on Windows Servers. The release of a kernel crippling virus or worm could result in loss of human life.
A great example of what can/will happen with the Microsoft monoculture can be found in the potato blight of Ireland. For those that lack any historical reference here, Ireland had a booming population due to the introduction of a nice, hardy breed of potato. For years, everything was going great, everyone had food, the potato became the staple of the diet. Everyone ate potatos, it is estimated to have been between 20-40% of all food consumed during this period.
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
That is our economys achilles heel, Windows.
Karma Whoring for Fun and Profit.
Really. Look at all the Linux. BSD, and the other *nix distros and all the software that runs between them on different platforms with different packaging systems. I think it's messy at best, but in a world with more than one *major* operating system, the solution is standards.
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
http://alternatives.rzero.com/
You know, there was, at one time, a long running joke about Microsoft tech support. The answer to any problem, according to MS support (and I heard this directly from them on more than a few occasions) was "We suggest you reboot to fix this problem" OR, Shut up and re-install.
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
You could imagine transforms that move code around in memory, so that while the buffer overflow is still there, it is hard to exploit -primarily because all the other interesting addresses are missing.
:(
Specifically, overflow attacks like to jump the program to the buffer they have written, or a copy thereof. And in that buffer the code needs to reuse existing imports (library calls) so that they can do bad things. If everything moved around during load, exploitation would be harder. Then again, so would processing a core dump
personally, I think there is a better solution, stop using 'buffer overflow' languages like C, C++. Anything else: perl, python, java, C# is more secure. Why are all our systems built on such a foundation of instability?
different operating systems, which would make integrating computer systems and networks virtually impossible.
... in the good ol' days, an "OS" was all you needed in order to get some basic work and programming done on some hardware.
...
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Start by Installing a stable, easy to use and secure Linux distro. So.. In order to be diverse, everyone must use Linux. Aparently your dictionary has a different definition of diverse than mine. Hackers are about to make it even easier for you to be flattened by a virii attack now that Microsoft source has been leaked to the entire world. Exactly how is "Windows Source available on the internet" more dangerous than "Linux source available on the internet" ? The problem isn't that Microsoft software has security issues. All the OS's have 'em to some degree. The problem is exactly "monoculture". One bullet kills all. I'm more of a mind that companies need three operating systems. ... Call them Alpha, Bravo and Charlie to avoid the existing OS arguments.
Alpha runs on the corporate web servers, ftp servers and in general anything hooked to the outside world.
Bravo runs on the intranet servers that provide file storage, user authentication, etc etc.
Charlie runs on the employee desktops.
Thus any virus that targets the public layer (Alpha) won't effect internal operations. Any virus that targets the workstations (Charlie) won't spread to the intranet servers (where important data should be stored, and regularly backed up) and any virus that targets the intranet servers (Bravo) needs to get past the other two (Alpha and Charlie) -- or introduced directly -- to be a threat.
If I remember my computer history, wasn't Microsoft the alternative to the IBM monoculture? Now that IBM has embraced FOSS, they're the alternative to the Microsoft monoculture...
As long as basic services are needed, I don't see any problem at all. Use NFS, use SAMBA, use CUPS -- use your protocol of choice where you get clients for all platforms. So far no problem.
We're running Macs, Windows, Linux, BSD, different incarnations of Solaris, Irix, HP-UX, yet even some embedded stuff like vxWorks. No problem to share drives or print to shared printers. No problem to send and receive emails, surf the web.
And all without nightmares.
I can deny it.
What has microsoft actually created that anyone is intested in?
The browser? no Netscape developed that.
Graphic interface? No Xerox and Apple developed that
digital music? no MP3 and Napster developed that
Plug and Play? no Apple developed that
desktop publishing? once again Apple
multitastking? Unix
desktop video? Amiga
DOS? bought from another company
Perhaps MS developed some business apps, but I suspect that eveything in the Office suite was developed by some one else first.
Please give me some examples of any tech, that is worthwhile, that MS pioneered. I think virii and adware are the only techs that MS truly owns.
Wonder how Slashdotians will feel when they fully explore the anti-monoculture philosophy and realize it means keeping Microsoft rather than eliminating it and creating a new monoculture?
Solaris, AIX, HP-UX, BSD, FreeBSD, OpenBSD, NetBSD, SCO Unixware, Tru64, Linux etc. running on PCs, SPARCS, DEC PDPs and other vendor-specific server hardware...
Still looking for that "UNIX monoculture" in there...
Gentoo Linux - another day, another USE flag.
In the long run (think the next 10-25 years), Microsoft will be forced to go along with open standards or get left behind as Open Source picks up more momentum. As IBM, Novell, large countries, and other big gorillas put their weight behind Linux and Open Source, the standards they use could become "the standard". This isn't going to happen likely anytime soon, but it definately has to start with the corporate world. If XYZ Inc. decides to use Open Office and Linux to save money (and we know businesses aren't doing anything radical to save money these days), and suddenly their employees must use it, guess what software package could end up on their home computers? As I said, it's not going to be a fast process, but it is possible.
ce n'est pas un Sig.
Diversity can help keep viruses and such from spreading, but it can also be a hindrance. If linux had some standardization where all of the distros all used the same directory structure, package management, etc, it would be a lot easier for companies to write software for it. Now the best they can do is write the software and hope someone else will port it over, or spend time porting it to .RPM, .DEB, etc etc. With windows you don't ever run across cascading dependency nightmares, and every software company knows how to write their software for it. Yes, you should be able to compile linux packages from source without any problems, but when you're talking about trying to get home users to accept linux more, making them compile packages from source definately isn't the way to do it.
slashdot, news for crazed liberal socialist zealots
For that matter, nonfunctional code should have been optimized away.
What's nonfunctional code doing in there in the first place? I've lost count of the number of times someone has posted on LKML, "I'm removing frobnicate_foo() because I just rewrote the last place that calls it and it's not needed anymore," or, "I just realized that nothing calls x() anymore, so here's a patch to remove it."
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymoreExcept that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.My favorite quote on the topic came from Wired. Marcus Ranum thinks Geer's message would have been mostly ignored by the public at large, except for @stake's "brilliant surgical marketing strike on its left foot by firing Dan".
The question is not so much how fast a virus spreads, but what percentage of the computer population is affected at any one time, and what function does that percentage play in the workings of the whole.
If I have a Windows box and a Linux box sitting side by side, each able to perform all the critical functions of the other, then a virus has to effect them both at the same time for me to lose functionality. When Blaster hits the Windows box I'm free to take it offline to clean it up. Vice versa for a *nix worm. Personally I add a Mac into the mix for three way security.
This doesn't mean I can't get hit by a virus. It means that a virus can't take me down. And that's the point. Not that infections don't spread, but that infections are genetically specific. Your email worm targeted at a Windows address book, can't even find the address book on my Linux box. The mutt exploit is worthless against my Windows box. The Mac just keeps chugging along, mostly because no one cares to waste time writing a virus for a system even more obscure than Linux (That would be OS8 for those Mac heads about to pounce on me for saying that Macs are popular).
Resilience through diversity, not absolute immunity.
KFG
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.
...tizzyd
OpenBSD, FreeBSD, NetBSD, OS X, varients of Linux so dissimilar they are just barely the same operating system, revived BeOS, the HURD, and the continuing divergence of existing operating systems and potential availability of new ones (Plan 9 may have largely failed but where it failed others can succeed (hint: driver support)) is an odd definition of "new monoculture".
(Heck, every Linux install has the potential to be a potentially new OS; my kernel is most likely the only kernel exactly like it in the world, as as I use gentoo, even a lot of the support programs are customized and potentially unique. I've tried five or six binary vulnerabilities that Linux programs are vulnerable to, and while several managed to crash my computer, not a single one of them has resulted in privilege escalation or anything meaningful, because my system is so different at the binary level from anybody else's. Even to the extent that Linux is a monoculture I've not suffered the price of living in a monoculture.)
Linux/Unix hardly runs a risk of becoming a monoculture, it's too easy to specialize. Regardless, talking about eliminating Microsoft is meaningless. If they get knocked back to 50% marketshare then their quality will improve and we won't need to hate them so much. The problem is the monopoly, the symptom is the software.
Q:What is the single protocol used by all computers
connected to Internet in the world?
A: IPV4
Q:What is the single mail protocol used by all
computers connected to the internet?
A: SMTP
Q:What is the single protocol used to search the
Internet and exchange most information over the
Internet?
A: HTTP
According to evolution, diversity is the
consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the
consequence of a changing environment. A
changing environment is the consequence of a
finite amount of resources and competition.
The Internet in it's current stage resources are
plenty and competition is little.
Internet is currently in the specialization
stage. The Internet has not being forced(YET) to
depart from it's standard protocols (mutate) to
survive an attack.
Forcing diversity (by mandate rather of natural
competition) not only makes the system less
robust, it slows down evolution.
- these are not the droids you are looking for -
I know it's a stupid thing to /. yourself, but here we go:
My paper on worm propagation from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Assorted stuff I do sometimes: Lemuria.org
And Microsoft's goal (gaol) of backwards compatibility ensures that these misfeatures will stay in the infrastructure indefinitely. I realized this yesterday when cleaning spyware off a friend's Windoze box.
Windows has so many legacy interfaces for loading programs at boot like win.ini, autoexec.bat, ect. that no longer have a pratical purpose, are easily exploitable, are are in a word, "cruft". Their OS is full of this cruft, and it will continue to become more so, as long as Microsoft continues their indiscrimate adding of features without regard to security.