Slashdot Mirror


Microsoft, Monocultures, Security FUD & Other Fun

techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture", has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becoming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Geer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc)." Somewhat related, there have been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed, article run on DevX.

25 of 509 comments

  1. Re:MS Open Source Is Fertile Ground for Foul Play by syn3rg · · Score: 5, Interesting

    I hope no FOSS developers look at that source. It could "taint by association" -- which makes me wonder if that wasn't the real reason for the release. MS now realizes the fight is over source code. By releasing (through an agent: Mainsoft) the source they can now claim injury if similar methods appear in FOSS.

    --
    The contents of this message have been doubly encrypted by ROT13
  2. Interesting spin ... by Anonymous Coward · · Score: 5, Interesting

    ... on why the Microsoft monoculture is so important; from the AP article:

    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.

    Really? Could someone more familiar with Microsoft and their products kindly give me examples?

    1. Re:Interesting spin ... by Airconditioning · · Score: 5, Interesting

      If Microsoft decides to support a product, piece of hardware, or whatever out of the box with their next version of Windows, that piece of technology starts to become very popular. That technology then gets refined and maybe, later on an integral part of a computer system.

      USB comes to mind but I think Apple beat them to it?

    2. Re:Interesting spin ... by Anonymous Coward · · Score: 5, Interesting

      USB comes to mind but I think Apple beat them to it?

      Let's start a bit earlier... can you say
      mouse
      GUI
      5 1/4" floppies
      CD-ROM
      PostScript printing
      TrueType/OpenType
      FireWire
      and the list goes on

  3. Re:They still don't get it by DangerSteel · · Score: 5, Interesting
    >>Microsoft still want us to believe that the only way to integrate is to run One System (theirs) everywhere. They don't get (more precisely: don't want to) common open standards and protocols.

    And not only do they want us to run their OS, they want to make sure you are integrating their Office and collaboration (think .NET) programs to get the full value of Windows. I think I got enough "full value" of Windows on my users' machines affected by Blaster last fall...

  4. Hate to admit it... by Zordas · · Score: 4, Interesting
    but this is true..

    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened

    It's hard enough to get Novell, Macs, PCs, Windows servers and SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 OSes to integrate.

  5. The problem is not monoculture... by Anonymous Coward · · Score: 3, Interesting

    The problem is crappy software.

    Would the IT world be a more stable, reliable & secure place if 95% of the world's computers ran OpenBSD?

    The problem is crappy software, not closed source commercial software.

    It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.

  6. Re:MS Open Source Is Fertile Ground for Foul Play by swb · · Score: 5, Interesting

    You're totally right, but it'll be hard for a lot of people to not look at it. I say this tongue in cheek, but people will slow down to look at a car wreck -- why not the "Windows" source code? Plus these are highly curious people.

    I think the better encouragement is not to *keep* the source code. It would be quite difficult for MS to "prove" that any given developer had seen the purloined source, barring the conspiratorial notion that MS is running false-flagged IRC channels and web sites and collecting evidence on who is grabbing it. But by not keeping a copy of it (which would be illegal anyway), they remove the easiest proof that they have been tainted by it.

  7. Re:Open for exploit by Fulcrum+of+Evil · · Score: 4, Interesting

    Yet other breeds of potatoes were completely unaffected. It wasn't the reliance on potatoes that was to blame, it was the reliance on one strain of potatoes that was Ireland's Achilles heel.

    And the next year, the Irish planted the same crop. Why? Because that's all they could afford - the English were taxing them to death.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  8. The real problem is... by Noryungi · · Score: 5, Interesting

    I have thought about this whole monoculture thing recently, and here is my take on it...

    Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.

    At the time, it made perfect marketing sense: the king of word processors was WordPerfect, and it offered advanced scripting functions. Microsoft had to duplicate this functionality if it wanted to kick WordPerfect's ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?

    The only problem is, of course, that Windows security (3.x was a single user, single task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.

    Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say, is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS's stupid decisions, they were allowed to run wild.

    In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.

    They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
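The comment above argues that application scripting "needed to be severely limited and controlled" and that VBA instead gave macros the whole OS. What "limited and controlled" looks like in practice is a capability model: the macro language can only call what the host explicitly hands it. The following is an added example written for this page, not code from the original post or from any Microsoft product. It is a toy document-macro host in Python that evaluates macros by walking their syntax tree (never `exec`) against an allowlist of node types and a host-supplied table of three functions. The capability names (`paragraph_count`, `insert_text`, `upper`), the document structure and both sample macros are constructed for illustration.

```python
import ast
import operator

class MacroDenied(Exception):
    """Raised when a macro uses anything outside what the host granted."""

# The only operators a macro may use; everything else is rejected by name.
OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.Gt: operator.gt,
}

class Macro:
    """Runs a Python-syntax macro by walking its AST instead of calling exec().
    The host's capability table is the whole universe of callable things;
    attributes, imports, subscripts and lambdas are not in ALLOWED_NODES,
    so a macro cannot even name its way towards the OS."""

    ALLOWED_NODES = (
        ast.Module, ast.Expr, ast.Assign, ast.If, ast.For,
        ast.Name, ast.Constant, ast.List, ast.Load, ast.Store,
        ast.BinOp, ast.Compare, ast.Call, *OPS,
    )

    def __init__(self, capabilities):
        self.capabilities = dict(capabilities)

    def check(self, source):
        """Static pass: reject the whole macro before any of it runs."""
        tree = ast.parse(source, mode="exec")
        for node in ast.walk(tree):
            if not isinstance(node, self.ALLOWED_NODES):
                raise MacroDenied(f"{type(node).__name__} is not allowed")
            if isinstance(node, ast.Call):
                if not isinstance(node.func, ast.Name) or node.func.id not in self.capabilities:
                    raise MacroDenied("call to a function the host did not grant")
                if node.keywords:
                    raise MacroDenied("keyword arguments are not allowed")
        return tree

    def run(self, source):
        tree = self.check(source)
        env = {}  # macro-local variables; capabilities are not values
        for stmt in tree.body:
            self._exec(stmt, env)
        return env

    def _exec(self, node, env):
        if isinstance(node, ast.Expr):
            self._eval(node.value, env)
        elif isinstance(node, ast.Assign):
            value = self._eval(node.value, env)
            for target in node.targets:  # only plain Names survive check()
                env[target.id] = value
        elif isinstance(node, ast.If):
            for stmt in node.body if self._eval(node.test, env) else node.orelse:
                self._exec(stmt, env)
        elif isinstance(node, ast.For):
            for item in self._eval(node.iter, env):
                env[node.target.id] = item
                for stmt in node.body:
                    self._exec(stmt, env)

    def _eval(self, node, env):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in env:
                raise MacroDenied(f"unknown name {node.id!r}")
            return env[node.id]
        if isinstance(node, ast.List):
            return [self._eval(e, env) for e in node.elts]
        if isinstance(node, ast.BinOp):
            return OPS[type(node.op)](self._eval(node.left, env), self._eval(node.right, env))
        if isinstance(node, ast.Compare):
            left = self._eval(node.left, env)
            for op, comparator in zip(node.ops, node.comparators):
                right = self._eval(comparator, env)
                if not OPS[type(op)](left, right):
                    return False
                left = right
            return True
        if isinstance(node, ast.Call):
            return self.capabilities[node.func.id](*[self._eval(a, env) for a in node.args])
        raise MacroDenied(f"cannot evaluate {type(node).__name__}")

def host_capabilities(document):
    """Everything a macro in this hypothetical host may do. Note what is
    absent: nothing here touches files, processes, the registry or the network."""
    return {
        "paragraph_count": lambda: len(document["paragraphs"]),
        "insert_text": lambda text: document["inserted"].append(str(text)),
        "upper": lambda text: str(text).upper(),
    }

# Constructed sample macros. The second reaches for the OS the way an
# unrestricted macro language allows; it is refused at check time, so even
# its innocent-looking first line never executes.
BENIGN_MACRO = """
count = paragraph_count()
if count > 1:
    insert_text("Reviewed: " + upper("draft"))
"""

HOSTILE_MACRO = """
insert_text("looks harmless")
__import__("os").system("echo owned")
"""

def run_macro(source, document):
    """Return ("ok", macro variables) or ("denied", reason)."""
    try:
        return "ok", Macro(host_capabilities(document)).run(source)
    except MacroDenied as exc:
        return "denied", str(exc)

if __name__ == "__main__":
    doc = {"paragraphs": ["Intro", "Body"], "inserted": []}
    print(run_macro(BENIGN_MACRO, doc), doc["inserted"])
    print(run_macro(HOSTILE_MACRO, doc), doc["inserted"])
```

The design choice worth noting is that both lists are allowlists: node types the interpreter understands and functions the host chose to expose. A denylist of "dangerous" names (`Shell`, `CreateObject`, `open`) is the approach that fails, because the macro author only needs one name the denylist forgot. The check runs before execution so a macro is either wholly accepted or wholly refused; there is no partial run that already performed side effects.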
  9. Monoculture not just a Microsoft phenomenon by cperciva · · Score: 3, Interesting

    As easy as it is to point to Microsoft as an example of monoculture, Open Source software is equally at fault here. Take "deflate" encoding as an example: How many different implementations are there? What fraction of deflate-using applications use an implementation other than zlib?

    If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.

  10. I suppose it's wrong to mention... by prisoner-of-enigma · · Score: 4, Interesting

    ...that Geer's against monoculture but doesn't explore the effects of what would be needed to overcome that monoculture.

    As outlined in the article (assuming anyone reads it), critics of Geer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OSes. Apache has the majority market share for all web servers worldwide. What effect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.

    To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OSes and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two apps/OSes would be actively discouraged to prevent cross-pollination-type attacks.

    It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  11. The trouble with diversity by rqqrtnb · · Score: 5, Interesting

    Without a doubt, online security is a major concern. The idea of monoculturism may be applicable to the computer industry due to the prevalence of MS operating systems. This, of course, assumes everyone has the same version of an MS operating system, with a single, universal exploitable flaw. The fact that not everyone has the exact same operating system nor the exact same component and software configuration tends to undermine the argument of 'monoculture' somewhat more.

    However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.

    People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which compatibility issues and cross learning would be difficult for most to handle unless the UI for each system is essentially the same.

    I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.

  12. Not monoculture, just laziness... by pandrijeczko · · Score: 4, Interesting
    Is it just me or do all these pro- and anti-Microsoft "prophets" seem to be missing the point entirely?

    The Internet is created on a suite of open protocols that were originally designed for academics & research people to use. Go back 20-odd years and there were no issues of security because only a select few had access to computer networks. Consequently, there was no security built into TCP/IP because there was no need for them.

    Now we have a situation whereby if you are a sensible & knowledgeable computer type, whether you use open or closed source software, you can make a pretty good job of securing computers for the Internet - sure, you probably have a reliance on getting the latest patches, putting in a firewall or two, but you can do it. No computer is ever fully secure but you can make it enough of a challenge so that the 99.9% of script kiddies give up trying to crack it and the other 0.1% of knowledgeable crackers probably don't want to waste time with your little box anyway.

    Then onto email viruses... Knowledgeable computer users don't suffer from email viruses because they either use email clients that can't execute attachments or they set their machines up so that they know when and when not to run attachments - probably by simply looking at whether or not the sender of the email is to be trusted.

    So, in summary, I see this as two core issues, nothing more:

    1. Hype and marketing - Microsoft and other software vendors need to step away from the "sales speak" and simply not be allowed to tell Joe Public that PCs are "easy to use" or "secure". It's no different to reminding people to watch their speed and check their tyre treads on a new car, after all... Where are all these "advertising standards" groups that are supposed to ensure adverts convey truth, not lies?

    2. User laziness - Joe Public needs to get off his backside and learn how to use the Internet properly and how to secure his PC - again, no different to spending time and money in learning to drive. Far too many people, taken in by the glossy adverts and hype, just sit back and expect software vendors to take all their responsibility away from them because they themselves simply cannot be bothered.

    What really annoys me about this whole issue is that software (and hardware) companies are only going to react to security issues in their products in a way that makes them more money. If the vendor already has his boxed software on the store shelves, he really has no incentive to employ people to work on further security for his products unless his reputation is so bad that he is forced to improve his software at the risk of losing sales - and you only have to look at Microsoft's currently poor reputation and their actual focus on security to see how far down that reputation must go before any action is taken...

    However, on the other hand, DRM can be sold as a security-improving product on the back of people's fears of Internet viruses while allowing Microsoft and others to make money licensing DRM.

    I wish people like Dan Geer would focus more on the ultimate impact of letting Microsoft "take the blame" only to have Microsoft respond with a technology that will make them more money and cut off our freedoms in the process.

    --
    Gentoo Linux - another day, another USE flag.
  13. Limited Genetic Diversity by Phoe6 · · Score: 5, Interesting

    "Nature deals with breakdowns in a complex system with evolution, and a very important part of evolution is the extinction of particular species. It's a sort of backtracking mechanism that corrects an evolutionary mistake. The Internet is an ecology, so if you build a species on it that is vulnerable to a certain pathogen, it can very well undergo extinction. By the way, the species that go extinct tend to have limited genetic diversity." - Attributed to Bill Joy. I had preserved it in my blog; Dan Geer's writings bear the same message too.

    --
    Senthil
  14. Re:MS Open Source Is Fertile Ground for Foul Play by Short+Circuit · · Score: 4, Interesting

    Well, a car wreck is convenient to look at. (You're driving right past it.) ... I would have to look for the source code, which I'm not even going to bother to do.

    Besides, if you want to see Microsoft code, use their Visual C++, and get the step into/step over keys backwards. It's easy to accidentally jump inside the cout statement, for example.

    And anybody else's code? If you can read assembler, wait for it to GPF. At the college I work at, MSVC++ used to snag any crash and throw it up on the screen as x86 assembler code. (I seem to remember that happening to Netscape 4.x a lot.)

  15. M$ tight integration could cause more harm ... by verrol · · Score: 5, Interesting

    than good. yes, this is not a new idea, but the fact that M$ continues to do it is to me, evidence that they are not serious about security.

    Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.

    Just about anyone who writes large software knows that you have to make it a modular design, striving for modules as independent as possible to reduce risk and propagation of faults. Consider this: even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.

    While M$ tries to give you a big bloated piece of software with OS and THEIR apps tightly integrated, look at what the people doing micro-kernels are doing. They are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent from each other -- though they may use the services provided by the other). But there is no need for that particular app, just any app providing that service. .v

  16. Re:I guess ... by fewnorms · · Score: 5, Interesting
    And here I thought all this time it was "No one ever got fired for choosing IBM".
    You are correct of course, but I think the saying should be changed to "No one ever got fired for choosing $MONOPOLY", which would be true. From personal experience I can tell you people in my environment actually have been fired for suggesting/choosing a hardware/software solution which is not industry standard and 10 times more expensive.
    Luckily, the climate is changing, but it is ever so slowly...
    --
    Veni, Vidi, Velcro!
  17. Re:Apple's worse by Nexum · · Score: 5, Interesting

    I have to disagree, Apple dropped certain technologies when they were replaced by superior ones, and were thus 'not that useful any more.'

    PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.

    Apple can act as the gentle motivational herder, because they have complete control over their flock, as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).

    PC manufacturers have no choice, as there is less unity and it is human nature to be wary of new things, and to want to stick to what is tried and tested. In this scenario where it is impossible to move the flock forward as a whole (as the direction of the industry is dictated by many) it must first be shown and proven that the newer technology is superior.

    So I would hardly call this scenario a 'blunder' on Apple's behalf! Quite the opposite in fact - I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.

    --

    This sig has been deprecated.
  18. The Wall has been Breached by Ridgelift · · Score: 4, Interesting

    "But Geer says the company should disentangle its tightly integrated products, such as Microsoft Word and Outlook."

    The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.

    Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".

    The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.

  19. Word of the Day: frisson by ronmon · · Score: 3, Interesting

    "The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author of Geer's.

    frisson
    n : an almost pleasurable sensation of fright; "a frisson of
    surprise shot through him" syn: shiver, chill, quiver,
    shudder, thrill, tingle

    Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.

  20. Re:Apple's worse by Lumpy · · Score: 3, Interesting

    No one else had the balls to say "screw dumb serial ports, USB is better".

    because only complete morons say that.

    Serial ports have their place and will be here for a really long time. I dare you to config a cisco router or switch with your USB port. or dare you to configure any of the middle to high end home automation equipment out there with your USB port.

    USB is excellent for low-performance high bitrate data transfers.. FireWire beats it to hell for performance needs (ever wonder why you can't get high end DV cameras with USB?) and RS232/RS485 serial is better than anything that USB or FireWire can do for low speed high reliability.

    Apple did NOT force the adoption of USB... the explosion of cheap USB products came from the release of cheap USB interface chipsets.

    --
    Do not look at laser with remaining good eye.
  21. Nothing new by jkabbe · · Score: 5, Interesting

    Monoculture (or, the problems associated with it) is not a new concept. When I was studying at U of Mi in 1992-93 (or thereabouts) we discussed the Internet worm in my system administration class. The instructor pointed out that U of M was only moderately affected because of the variety of Unix systems comprising the network. The lesson was that a diverse network makes one less susceptible to an attack affecting a single platform.

  22. Which Culture? by smccto · · Score: 4, Interesting

    Monoculture or Diversity?

    The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his theories of how the Microsoft Monoculture endangers computer security. I have concerns.

    Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).

    Just the facts, Ma'am

    I found it intriguing that, as the AP article mentioned:

    "Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."

    Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!

    Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?

    Missing the forest for the trees

    Take a look at this, also from the AP article:

    "Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation grant to study methods to automatically diversify software code.

    Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."

    Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforeseen security breaches? We are decades away from being that intelligent.

    Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)

    Myopic Intelligence

    Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s

  23. "Big News" Fueled by a Slashdotting? by breadbot · · Score: 3, Interesting
    This story is quickly becoming big news (Yahoo is currently carrying it on their front page).
    I wonder how many stories get elevated to "big news" by being Slashdotted:
    1. Publish Story
    2. Link to it from Slashdot
    3. Yahoo's automatic pull-the-most-popular-up algorithm puts it on the front page
    4. Everybody else notices it too

    Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?