Slashdot Mirror
Microsoft, Monocultures, Security FUD & Other Fun
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
Now part of MS Windows source code is open on Internet so is "MS Open Source Is Fertile Ground for Foul Play"
... the old adage "No one ever got fired for choosing Microsoft" is true after all. Look what happens when you actually try speaking ill of the beast...
Veni, Vidi, Velcro!
And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.
Once I thought I had mono. They took a culture and it turns out I just had Windows.
WWJD.... for a Klondike bar?
... on why the Microsoft monoculture is so important; from the AP article:
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Really? Could someone more familiar with Microsoft and their products kindly give me examples?
As much as I dislike the company, there are too many critical systems that are relying on Windows Servers. The release of a kernel crippling virus or worm could result in loss of human life.
A great example of what can/will happen with the Microsoft monoculture can be found in the potato blight of Ireland. For those that lack any historical reference here, Ireland had a booming population due to the introduction of a nice, hardy breed of potato. For years, everything was going great, everyone had food, the potato became the staple of the diet. Everyone ate potatos, it is estimated to have been between 20-40% of all food consumed during this period.
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
That is our economys achilles heel, Windows.
Karma Whoring for Fun and Profit.
"Once you start down the road with that analogy, you get stuck in it," said Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft.
One you start down the road with it, you get stuck in it. Sounds like a perfect description of the lock-in aspects of their products, though I think "Roach Motels for your data" is catchier.
This is not the first time that A. Russell Jones has made controversial claims about Linux on DevX. At the end of august last year this story was run here on /. where he claimed that there should be a standard desktop for Linux.
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
It's not just monoculture that makes viruses spread so quickly. The fact that any computer can send something to any computer is bad. The fact that any computer can send something to so many computers is terrible.
Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.
Connectivity is the real driver of infection.
Two wrongs don't make a right, but three lefts do.
Clippy!
karma capped
Really. Look at all the Linux. BSD, and the other *nix distros and all the software that runs between them on different platforms with different packaging systems. I think it's messy at best, but in a world with more than one *major* operating system, the solution is standards.
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
dont u think , despite the security flaws ,msoft in a way helping the big inet with their products (in a small / big way).Can anything in this be 100% Good--without error /mistake? i think mistakes and flaws happen every where-from cars,govts etc
Why does yahoo do this
Clippy: "It looks like you are trying to write..."
For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft
Dan Greer was not fired because he criticized Microsoft. He was fired because he published his opinions about the Microsoft monoculture without making it clear that those were his personal opinions and not those of @Stake.
Tarsnap: Online backups for the truly paranoid
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
As is usual the US is slow at change. We are stuck in our was and that is especially true for the government. Were there are many places in the world that realize the problems with M$ and are migrating to alternatives it's big news here. We (US) are being slow to wake up and realize the truth. But, that is how the US works.
Evolution or ID?
This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
http://alternatives.rzero.com/
Somebody explain to me how this makes any sense?
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
First of all, since when are only nonfunctional portions of software targetted? A buffer overrun can occur in any portion of code. Second, exactly how would you identify nonfunctional versus functional code, and what mutations could you possibly make to it? Make a bad pointer point to even worse memory? I just don't get it. Looks like another $750K wasted on stupid research.
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened
It's hard enough to get Novel - Mac's - PC's - Windows Servers - And SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 other OS's to integrate.
The problem is crappy software.
Would the IT world be a more stable, reliable & secure place if 95% of the world's comptuer ran OpenBSD?
The problem is crappy software, not closed source commercial software.
It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.
I have thought about this whole monoculture thing recently, and here is my take on it...
Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.
At the time, it made perfect marketing sense: the king of word processors was Word Perfect, and it offered advanced scripting functions. Microsoft had to duplicate this functionalities if it wanted to kick WordPerfect ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?
The only problem is, of course, that Windows security (3.x was a single user, single task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.
Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS stupid decisions, they were allowed to run wild.
In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.
They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
The benefit of linux, bsd, and other non-microsoft OS's come from the variety of services run. Microsoft's OS's have to run many services and modules that other OS's can leave to the discretion of the operator. For instance, I can run an old version of linux with no services and its safe. I can run any number and variety of servers. Microsoft seems to have to do it one way and one way only with all these modules that have to be running.
As easy as it is to point to Microsoft as an example of monoculture, Open Source software is equally at fault here. Take "deflate" encoding as an example: How many different implementations are there? What fraction of deflate-using applications use an implementation other than zlib?
If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.
Tarsnap: Online backups for the truly paranoid
...that Greer's against monoculture but doesn't explore the effects of what would be needed to overcome that monoculture.
As outlined in the article (assuming anyone reads it), critics of Greer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OS's. Apache has the majority market share for all web servers worldwide. What affect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.
To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OS's and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two app's/OS's would be actively discourages to prevent cross-pollination-type attacks.
It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
You know, there was, at one time, a long running joke about Microsoft tech support. The answer to any problem, according to MS support (and I heard this directly from them on more than a few occasions) was "We suggest you reboot to fix this problem" OR, Shut up and re-install.
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
"Our funds have never taken part in toxic or death spiral convertible financings of any sort" -BayStar's managing partne
Without a doubt, online security is a major concern. The idea of monoculturism may be applicable to the computer industry due to the prevalence of MS operating systems. This, of course, assumes everyone has the same version of an MS operating system, with a single, universal exploitable flaw. The fact that not everyone has the exact same operating system nor the exact same component and software configuration tends to undermine the argument of 'monoculture' somewhat more.
However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.
People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which comparability issues and cross learning would be difficult for most to handle unless the UI for each system is essentially the same.
I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.
One solution to the monoculture problem is multi-OS architectures in which a single process is executed on multiple independent codebases within each box.
On high-reliability systems (Space Shuttle & X-29 flight controls), multiple redundant subprocessors attempt to compute the same answer. If the subprocessors get different answers, the majority-rules and the system logs the exception. If each processor ran independent code, then exploits of any one codebase would be detected and disinfected. A multi-system with one exploited/infected codebase would continue running while ignoring the output of the infected subprocessor.
The system would still have some vulnerabilties. Simultaneous attack on a majority of the codebases might succeed in redefinig the majority to suit the malware. Also, codebase independence is very hard. More than likely several codebases might share the same fault (e.g. a buffer overrun bug). Attacks on the overseer/majority-rules system might also succeed. Finally, if the standard has an exploit (e.g., decrypting WiFi WEP), then all codebases implementing the standard are vulnerable.
The biggest downside is bloat and cost. But at least it would give people a reason to buy the latest greatest chips from Intel, AMD, IBM, etc.
Two wrongs don't make a right, but three lefts do.
different operating systems, which would make integrating computer systems and networks virtually impossible.
... in the good ol' days, an "OS" was all you needed in order to get some basic work and programming done on some hardware.
...
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
What's certainly true is that there's a lot more to having good security than getting rid of the monoculture problem. Probably the most important thing is to care about security from the start...
Anyway, something the DoD and others have done for some time is to have triple barriers for certain things like firewalls. So instead of having the same firewall product and system all over the place, for each firewall, you have a series of 3 systems: one is a "hardware" firewall (an appliance basically), followed by two different firewall products running on two different architectures. This way a single flaw on one firewall or system will not comprimise overall security.
They also turn the IT infrastructure into compartments, each walled out with firewall groups. So you have one compartment for front-end servers, one for desktop users, one for your data, etc.
Yeah it adds to complexity, but this is what the paranoid types do to give themselves peace of mind.
It's Dan Geer.
-dave
If I remember my computer history, wasn't Microsoft the alternative to the IBM monoculture? Now that IBM has embraced FOSS, they're the alternative to the Microsoft monoculture...
The Internet is created on a suite of open protocols that were originally designed for academics & research people to use. Go back 20-odd years and there were no issues of security because only a select few had access to computer networks. Consequently, there was no security built into TCP/IP because there was no need for them.
Now we have a situation whereby if you are a sensible & knowledgeable computer type, whether you use open or closed source software, you can make a pretty good job of securing computers for the Internet - sure, you probably have a reliance on getting the latest patches, putting in a firewall or two but you can do it. No computer is ever fully secure but you can make it enough of a challenge so that the 99.9% of script kiddies give up trying to crack it and the other 0.1% of knoweledgeable crackers probably don't want to waste time with your little box anyway.
Then onto email viruses... Knowledgeable computer users don't suffer from email viruses because they either use email clients that can't execute attachments or they set their machines up so that they know when and when not to run attachments - probably by simply looking at whether or not the sender of the email is to be trusted.
So, in summary, I see this as two core issues, nothing more:
1. Hype and marketing - Microsoft and other software vendors need to step away from the "sales speak" and simply not be allowed to tell Joe Public that PCs are "easy to use" or "secure". It's no different to reminding people to watch their speed and check their tyre treads on a new car, after all... Where are all these "advertising standards" groups that are supposed to ensure adverts convey truth, not lies?
2. User laziness - Joe Public needs to get off his backside and learn how to use the Internet properly and how to secure his PC - again, no different to spending time and money in learning to drive. Far too many people, taken in by the glossy adverts and hype, just sit back and expect software vendors to take away all their responsibility away from them because they themselves simply cannot be bothered.
What really annoys me about this whole issue is that software (and hardware) companies are only going to react to security issues in their products in a way that makes them more money. If the vendor already has his boxed software on the store shelves, he really has no incentive to employ people to work on further security for his products unless his reputation is so bad that he is forced to improve his software at the risk of losing sales - and you only have to look at Microsoft's currently poor reputation and their actual focus on security to see how far down that reputation must go before any action is taken...
However, on the other hand, DRM can be sold as a security-improving product on the back of peoples' fears of Internet viruses while allowing the Microsoft and others to make money licensing DRM.
I wish people like Dan Greer would focus more on the ultimate impact of letting Microsoft "take the blame" only to have Microsoft respond with a technology that will make them more money and cut off our freedoms in the process.
Gentoo Linux - another day, another USE flag.
The integration of the browser's ability to directly run code in Windows is the big hole that Microsoft has failed to fix. Integration of user software, such as Outlook or Office, directly to the operating system makes Windows the virtual equivalent of a petri dish for the internet and giving every 11 year old hacker the ability to cripple corporate networks globally.
Nature deals with breakdowns in a complex system with evolution, and a very important part of evolution is the extinction of particular species. It's a sort of backtracking mechanism that corrects an evolutionary mistake. The Internet is an ecology, so if you build a species on it that is vulnerable to a certain pathogen, it can very well undergo extinction. By the way, the species that go extinct tend to have limited genetic diversity. -Atrributed to Bill Joy - Had preserved in my Blog Dan Greer's writings bear the same too.
Senthil
Since when was big news defined by Yahoo bringing it on their front page?
Solaris, AIX, HP-UX, BSD, FreeBSD, OpenBSD, NetBSD, SCO Unixware, Tru64, Linux etc. running on PCs, SPARCS, DEC PDPs and other vendor-specific server hardware...
Still looking for that "UNIX monoculture" in there...
Gentoo Linux - another day, another USE flag.
In the long run (think the next 10-25 years), Microsoft will be forced to go along with open standards or get left behind as Open Source picks up more momentum. As IBM, Novell, large countries, and other big gorillas put their weight behind Linux and Open Source, the standards they use could become "the standard". This isn't going to happen likely anytime soon, but it definately has to start with the corporate world. If XYZ Inc. decides to use Open Office and Linux to save money (and we know businesses aren't doing anything radical to save money these days), and suddenly their employees must use it, guess what software package could end up on their home computers? As I said, it's not going to be a fast process, but it is possible.
ce n'est pas un Sig.
Diversity can help keep viruses and such from spreading, but it can also be a hindrance. If linux had some standardization where all of the distros all used the same directory structure, package management, etc, it would be a lot easier for companies to write software for it. Now the best they can do is write the software and hope someone else will port it over, or spend time porting it to .RPM, .DEB, etc etc. With windows you don't ever run across cascading dependency nightmares, and every software company knows how to write their software for it. Yes, you should be able to compile linux packages from source without any problems, but when you're talking about trying to get home users to accept linux more, making them compile packages from source definately isn't the way to do it.
slashdot, news for crazed liberal socialist zealots
than good. yes, this is not a new idea, but the fact that M$ continues to do it is to me, evidence that they are not serious about security.
.v
Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.
just about anyone who write large software knows that u have make it modular design and if possible striving independent modules as possible to reduce risk and propagation of faults. consider this, even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.
while M$ tries to give you a big bloated piece of software with OS and THEIR apps tightly integrated. look at what the people doing micro-kernels are doing. they are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent form each other--though they may use the services provided by the other). but their is no need for that particular app, just any app providing that service.
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymoreExcept that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.I have to disagree, Apple dropped certain technologies when they were replaced by superior ones, and were thus 'not that useful any more.'
PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.
Apple can act as the gentle motivational herder, because they have complete control over their flock, as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
PC manufacturers have no choice, as there is less unity and it is human nature to be wary of new things, and to want to stick to what is tried and tested. In this scenario where it is impossible to move the flock forward as a whole (as the direction of the industry is dictated by many) it must first be shown and proven that the newer technology is superior.
So I would hardly call this scenario a 'blunder' on Apple's behalf! Quite the opposite in fact - I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.
This sig has been deprecated.
My favorite quote on the topic came from Wired. Marcus Ranum thinks Geer's message would have been mostly ignored by the public at large, except for @stake's "brilliant surgical marketing strike on its left foot by firing Dan".
"But Geer says the company should disentangle its tightly integrated products, such as Microsoft Word and Outlook."
The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.
Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".
The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.
Ruby on Rails Screencast
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.
...tizzyd
"The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author of Geer's.
frisson
n : an almost pleasurable sensation of fright; "a frisson of
surprise shot through him" syn: shiver, chill, quiver,
shudder, thrill, tingle
Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.
They keep all the focus on hacking their POS operating system and help my mac and linux servers avoid the amount of attacks that would happen if they didn't exist.
MS is a competitive advantaget to those that compete with vendors providing MS based services. BTW my company does have MS servers, Linux servers and we are testing some new OS X server implementations to see if we can eliminate some of our admin tasks with their slick UI & tools.
Q:What is the single protocol used by all computers
connected to Internet in the world?
A: IPV4
Q:What is the single mail protocol used by all
computers connected to the internet?
A: SMTP
Q:What is the single protocol used to search the
Internet and exchange most information over the
Internet?
A: HTTP
According to evolution, diversity is the
consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the
consequence of a changing environment. A
changing environment is the consequence of a
finite amount of resources and competition.
The Internet in it's current stage resources are
plenty and competition is little.
Internet is currently in the specialization
stage. The Internet has not being forced(YET) to
depart from it's standard protocols (mutate) to
survive an attack.
Forcing diversity (by mandate rather of natural
competition) not only makes the system less
robust, it slows down evolution.
- these are not the droids you are looking for -
Not true, because all the versions of Windows were made by one company, and none of those versions of were made concurrently to compete against another version of Windows...sure, one could argue that anything new is still competing with Windows 98 on the desktop, but that's not the point.
I do agree that we need different, non-Unix OS's to be available, but your comparison isn't valid.
Chris
No one else had the balls to say "screw dumb serial ports, USB is better".
because only complete morons say that.
Serial ports have their place and will be here for a really long time. I dare you to config a cisco router or switch with your USB port. or dare you to configure any of the middle to high end home automation equipment out there with your USB port.
USB is excellent for low-performance high bitrate data transfers.. firewire beat's it to hell for performance needs (ever wonder why you can't get high end DV cameras with USB?) and RS232/RS485 serial is better than anything that USB or firewire can do for low speed high reliability.
apple did NOT force the adoption of USB... the explosion of cheap usb products by the release of cheap usb interface chipsets.
Do not look at laser with remaining good eye.
I know it's a stupid thing to /. yourself, but here we go:
My paper on worm propagation from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Assorted stuff I do sometimes: Lemuria.org
Yes, and there are thousands of utilities that run on all those versions of Windows as a few binaries and libraries that are put on the PC at installation time.
Try finding a single compiled binary or library that runs on all UNIXes across all the hardware that UNIX runs on. (Surely someone with 20 years UNIX experience would know this?)
I'm tired of all this let's kill windows bullshit.
Fine, in which case you've responded to the wrong posting - I implied "let's kill those Windows users who are too lazy to learn how their PCs work", a big difference.
I've been a unix and now linux person for almost 20 years.
I'm tired of the elitist shit that goes on in our community.
So you have a problem with people learning to better themselves, do you? Then you're no different to those lazy users that cause these problems in the first place.
Gentoo Linux - another day, another USE flag.
Monoculture (or, the problems associated with it) are not a new concept. When I was studying at U of Mi in 1992-93 (or thereabouts) we discussed the internet worm in my system administration class. The instructor pointed out that U of M was only moderately affected because of the variety of Unix systems comprising the network. The lesson was that a diverse network makes one less succeptible to attack affecting a single platform.
Yeah, without Microsoft products, Al Gore couldn't have invented the internet.
I see my mission now.. to reply to every post with this lame ass joke with information about how it is NOT TRUE. You've heard of snopes.com, the Urban Legends Reference Pages? Please read this article before posting this lie. The proper joke would be, "Al Gore says he took the initiative in creating the Internet!". While certainly a poor choice of words for Mr. Gore even in context of the interview, he did not claim to invent the Internet.
That goes for you too, moderators. This cliche is certainly not +5 Funny and you know it.
Speak truth to power.
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo, talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)? Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Miopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
no security built into TCP/IP because there was no need for them. TCP/IP was not developed for academics, it's development was paid for by the Department of Defense, thus security was a consideration in the design of TCP/IP from day one. That is why TCP/IP was designed to dynamically reconfigure routing to work around failures, as opposed to SNA, in which the network was statically configured.
"Freedom means freedom for everybody" -- Dick Cheney
Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?
To the letter of the law, that's true. However, there's also something called plagiarism which DOES NOT have to be a "cut-n-paste," but can be a situation in which I looked at your work and implemented my version in much the same way. That is a potentially illegal breach of copyright in software just as it is in school with papers.
As such, the best way to protect oneself from copyright violations is complete ignorance of anything one might potentially infringe. As you say, an implementation is not copyrightable, so if you have never seen someone eles's implementation, you're clean. Basically, proving you've seen someone else's code can be damaging if you get sued for violation. You don't want that. And there's no reason to make the first critical part of their case for them.
Of course, this is what makes copyright different than patent, as you say. Ignorance does not protect one from patent violations (although it can with regard to penalties, which can be trebled given intent, I believe). Ignorance aka "cleanroom implementation" DOES give complete immunity with regard to potential copyright violations.
like my dad. i forced him to stop using ie, he uses opera now. he's a typical windows user (probably wouldn't userstant outlook if i let him use it anyway).
he's a typical windows user. he does think of security. he doesn't do anything stupid outright. he insists on running a virus scanner, although he doesn't know how or why to update it, so he never does. he runs a firewall but again, does'nt update.
he's a typical home windows user. typical people are scared of virus's (because of the news coverage) but do not now how to protect themselves, nor know where to find information. He doesn't ever update windows because he doesn't have time / doesn't know how. he runs windows 98 because it 'just works'.
no matter how fast microsoft patch things, if they dont release a product thats secure upon release, whats the point to home users? thats a good reason why people should use alternatives.
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring 'benign mutations' that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
If there is non-functional code that can be modified without causing problems, shouldn't that code be removed?
In an age where the world is becoming ever increasingly dependent on computers, we must take a step back and formulate a strategy to make sure history does not repeat itself in the most disaterous way. It was not too long ago that Ireland suffered its infamous "potato famine" that devistated its population that was, in its day, dependent on the crop. One of the key reasons why the famine was so intense was the fact that the Irish were repeatedly planting the same type of potato throughout the country. By doing this, and not realizing that nature provided diversification in the form of hundreds of varieties of potatos to make sure that one set of circumstances could never decimate the potato population, the Irish learned a very valuable, if not painful, lesson indeed. In the land of computers, this form of "biodiversity" only makes sense. If 90% of all nodes on the network are of one kind of "potato" (namely Microsoft) than it's very easy for one plague (or virus) to have incredibly devestating results. We have already seen the damage caused by recent Windows viruses. Each of these have been relatively small and harmless annoyances compared to what a committed and intelligent person could create should such a someone be so inclined and motivated. However, if the world's computers were not so heavily tilted towards a single OS, such attacks wouldn't stand nearly as much of a chance in succeeding to harm a large section of the world's network population. In conclusion, not only do operating systems such as Mac and Linux (as well as Solaris, Unix, etc) represent an excellent freedom of choice for consumers, they represent an enlightened strategy to prevent a cataclysmic disaster to our networks that we've come so dependent on.
Sugapablo
While the idea of a monoculture has appeal, the common arguments for it assume a lack of diversity, which doesn't help in this case. Because it isn't lack of diversity that's the problem. MS is just too big and easy a target to ignore.
Apple has a greater installed base than Linux. Yet there are no exploits or viruses against Apple OS's to my knowledge, although OS X must open the door a little wider these days.
Programs used under Linux have their own security concerns, naturally. But these programs are used by many other OS's which have their own kinds of vulnerability. You can boil most security concerns with the Linux kernel down to one goal: privileged access. Remember, buffer exploits happen everywhere.
What really makes Microsoft a big target is the scope for attack: privileged access is the easy part. Network attacks are simple, destruction and/or theft of data a matter of social engineering. The latest MS worms are capable of all these attacks, impossible on other OS's. THAT is why it's the premier target. The flow-on effects of the different kinds of attack simply don't exist elsewhere.
insecurity asks the wrong question irritation gives the wrong answer
The rationale behind avoiding monoculture is that not all members have the same weaknesses, so an attack will not destroy the entire population. While this is a valid point for biological populations, there are some issues with it as apply to computer security. We are not dealing with "members" getting "killed" -- we are dealing with "computers" being "compromised".
The first issue is that many elements of the whole in some computer systems have the same degree of access. Perhaps half of the workstations at a company run Linux and half Windows. If all of them have roughly the same tasks (as opposed to devoting Windows to web browsing and Linux to email reading), then a compromise of *any* of them allows a compromise of all the important data. Many security systems are weakest-link -- if one element can be compromised, the whole system falls. In this case, all having a polyculture does is expose more weaknesses, reducing the security of the system as a whole.
The second element is somewhat similar -- most computer networks have some degree of trust relationship between members. It may be something explicit, like having IP-based rsh auth (though that's a bit of an old problem) or allowing access to various intranet Web pages to any internal computers. It may be just allowing a compromised computer to sniff a network that other computers pass traffic over. In this case, a compromise of one member of the network provides an attack vector against the other members of the network. Again, a polyculture exposes more weaknesses, weakening the security of the system as a whole.
Third, there are security management issues. Most medium or large computer networks have someone or some group with some degree of responsibliity for computer security. That group usually has finite resources and budget. Much of their effort can generally be replicated across similar members -- for example, securing a plaintext authentication in Windows means a fix that just has to be replicated across all members in the network. If their time and money must be spread across multiple types of members, they are less able to spend resources on any one group, and each type of member may be less well managed.
Fourth, most networks do not follow a "Russian doll" approach, where a potential cracker must compromise first one computer, then another computer, then another computer to get in to the network proper from the outside. In such a scenerio, making each of the dolls different does improve security, since a cracker must compromise all, rather than just one, system. It's pretty common to just have a NATted network with all hosts inside at roughly the same level of internal access, however.
Overall, I *do* think that it's a good idea to move away from "Microsoft only" on computer networks. Competition tends to improve products, and Microsoft has a poor security track record (and doesn't focus on security very well). However, if an CIO has the sole goal of improving security, and has the choice of rolling out Linux or rolling out Kerberos on existing Windows boxes, I'd have to say that rolling out Kerberos is probably going to do more for security.
May we never see th