Slashdot Mirror


Dan Geer's Monoculture Bomb Goes Off

Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF-compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, than those that subsist in a proprietary monoculture."

14 of 308 comments

  1. Open-source monoculture just as risky by davidwr · · Score: 5, Informative

    You guys under 25 are too young to remember the Morris Worm, but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disproportionate impact.

    Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  2. Re:Sudden new point at the end by DeadChobi · · Score: 3, Informative

    What's at the real heart of that issue is that Microsoft Word does not and never has interoperated with anything without reverse engineering or hacking. I have entire labs that, though converted from the ODT format to Microsoft Word, will not display any of my equation objects correctly and do not allow me to convert on a non-Math-Type-enabled machine.

    If every software had different implementations of the same ultimate functionality, then there would be no monoculture, as one man's implementation of something may be subject to a bug that another man's implementation is not. That is what is meant by reference to a software monoculture.

    In the case of MS Word, the users of that will eventually get screwed royally because they're locked in, while ODF users have full access to the standard by which the ODF files are written. Thus, anyone who has ODF files can write a document viewer. If Microsoft were to die out over the next decade, all the documents (including government documents) that were written using it would either have to be converted, or a hack would have to be developed, or Microsoft, in its infinite wisdom and as a nicety to the community which used it at one point, would release the standard for its document format.

    In programming there are several different ways to implement the same thing, even within the same language. If you factor in the number of languages available, you have a staggering number of possible implementations of the same functionality. The functionality will be the same, yes, but the means toward that functionality will be different.

    --
    SRSLY.
  3. easy by m874t232 · · Score: 2, Informative

    It's easy to predict what has happened thousands of times before. It's hard to predict the future.

  4. Re:For end users?! by misleb · · Score: 3, Informative

    In my many years of experience managing heterogeneous environments (Windows, Mac OS, Linux, FreeBSD desktops and servers), I have not found complexity to be a problem at all. What happens is that you miss out on some more advanced features that you might get from going all Microsoft or all Apple. For example, you can't effectively run Exchange and get all of the features that a lot of end users seem to like. Users get accustomed to using more generic protocols like IMAP and POP for email and maybe some web-based calendar system that you install.

    In many ways a heterogeneous environment is actually LESS complex than a homogeneous environment. You either end up using very simple, common protocols or you isolate your users. Put the Windows users on a Windows server and Mac users on an OS X server, for example, which isn't necessarily a bad thing. Usually Mac and Windows users have different organizational roles anyway, and the Linux users don't like the Mac and Windows users. Everyone is happy. ;-)

    Seriously, it isn't bad. And people are happy using the desktop of their choice. But sometimes I guess you really need the kind of "features" that only a monoculture can bring. It's a trade off, for sure.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  5. I'm sorry, did I read that correctly? by IDontLinkMondays · · Score: 4, Informative

    How in God's name would you switch from MySQL to PostgreSQL to Oracle to MS SQL or to anything? Have you ever actually written a real database application?

    Seriously, the amount of time spent switching between any of these systems is drastic. For a typical, small database application, there are probably 20k-50k lines of stored procedures. All the different vendors have their own SQL procedures.

    How about securing the databases? I'd love to see how anyone could possibly say that the administration of a transition could possibly be an option. If your problem was MySQL security to begin with, how can you possibly suggest that switching to another database could be easy? The simple administration cost of securing a new server, especially with an existing dataset that was previously developed to be secured on another SQL server, would be tremendous.

    Switching between PHP and Perl, hehe come on now... I won't even bother wasting my time on this one.

    Linux and Solaris.... if you have a security issue on one, you have a security issue on both. The fact is that the majority of security bugs that would be related to these is due to servers that are either not kept up to date or due to zero-day exploits. Both server systems are actively hacked and are high level targets for crackers. It doesn't matter which you use, you have to update both pretty much the same way, switching is a waste of time and money.

    So, if you were to reason that the original poster's comment was regarding the monoculture of PHP/MySQL/Linux, well, I'll make it simple....

    The open source community forces this crap down our throats all the time; they love this solution, it works more or less. There are books on it. There are sections on O'Reilly's website dedicated to it. It's advertised regularly everywhere. This solution is chosen not specifically on its merits for simplicity/stability/security, but it is chosen because it is relatively simple, relatively stable, and relatively secure, AND most importantly, it's Open Pop Culture.

    I know a bunch of sales people that love to sell the hell out of the solution because it's fun to say LAMP. They don't know what it means, but they make up all kinds of neat new industry sales terms regularly to make them sound like they have a clue... they don't. Oh, they also think P stands for PHP or Perl, not both. They don't understand how a letter can be variable.

    So, before you put your 2 cents in, think first. Your rinky-dink 50-line PHP script for changing passwords is not representative of a full mature system. In real development work, we use features like stored procedures, complex views, server-specific indexes. Also, just because your blog hasn't been hacked, don't think that just installing a new SQL server is actually going to secure anything; some of us have actually spent hundreds, if not thousands, of hours just setting securities and permissions on different data sets.

    The LAMP monoculture is real, it is there. Once you use it, you're locked into it. There is no transitioning from one to another.

    Now if I misunderstood you and you really meant that Linux/MySQL/PHP itself wasn't a monoculture because you can choose different options when you're first starting... well, ok, that may be true, but the majority doesn't. Perl rarely appears on the web anymore; the web is typically PHP, ASP, or JSP. I don't have exact numbers, but if you want to make me look like an idiot, post real numbers with references that contradict me. LAMPHP is a monoculture because it's used so often that lack of talent on the other solutions keeps it that way.

    Now go and try to sound like you know something somewhere else.

  6. Re:Diversity Doesn't Stop Viruses - Empirically by ArghBlarg · · Score: 3, Informative

    ... but if you are part of that vulnerable population, a virus is no less devastating.

    How is this different from biology? The poor moose in the herd who isn't immune to spongiform encephalopathy isn't protected by the diversity of his herd-mates... but the herd as a whole is. The analogy does hold.

    Your point about multiple architectures dividing the attention of the antivirus community might be true to some extent -- but on the other hand, there might just be more jobs for people writing antivirus programs for all those extra operating systems.

    It isn't ludicrous that diversity protects us, as a whole community, from viruses. Some may be hit, but the rest can keep computing. That's the point.

    --
    ERROR 144 - REBOOT ?
  7. For real research on the subject by erwejo · · Score: 4, Informative

    While I do enjoy someone writing a think piece on the idea of the dangers of a monoculture, this work has been thoroughly researched by Stephanie Forrest ( http://www.cs.unm.edu/~forrest/ ) at the University of New Mexico via the Santa Fe Institute and the Complex Systems program at the University of Michigan. For anyone who wants to actually learn more about the application of immunization models to computer security, I suggest you check out her research.

  8. Re:Computer epidemics are different! by ocelotbob · · Score: 2, Informative

    The idea of diversification is threat mitigation. If one part of the company is down with a virus, the rest of the company can continue as normal; instead of telling everyone in the city to stay inside, you tell, for example, people with red hair to stay inside. Everyone else is unaffected and can continue normally. Yes, you may be at risk from more vectors, but each individual vector is less threatening to the continued survival of the system as a whole. It's simple business continuity practice, really.

    --
    Marxism is the opiate of dumbasses

  9. Re:Did any bombs go off... by Tom · · Score: 2, Informative

    if the mysql people slack off with security, you can drop them in favour of postgres, with practically no interruption and minimal retooling.

    Yes, except for the "practically no" part.

    I have a wall-sized (40,000 LOC) PHP/mysql application that I've wanted to move to Postgres for years. It's not something you can do in your spare time, even if you do have a thin database abstraction layer (i.e. you don't call mysql_* functions in your code, but db_* functions that mostly pass through and do some error handling).

    --
    Assorted stuff I do sometimes: Lemuria.org
  10. Re:Did any bombs go off... by prell · · Score: 2, Informative
    if the mysql people slack off with security, you can drop them in favour of postgres, with practically no interruption and minimal retooling.
    This seems kind of reckless to say: Can you really just assume that you'll be able to convert (e.g. export and import) your MySQL data into PostgreSQL? Maybe MySQL makes this guarantee (i.e. "MySQL is feature and data-type compliant with PostgreSQL, and data interoperability is guaranteed") - I don't know - but unless they do, I have worked as a programmer long enough to know that it is very hazardous to assume that something will be easy :-)
  11. Trolling or honestly ignorant? by MisterSquid · · Score: 2, Informative
    Please tell me how. I have a medium-sized Movable Type install, and I'd like to run WordPress.

    Movable Type can run on PostgreSQL. Create an installation of Movable Type using PostgreSQL. Export the posts from your MySQL Movable Type installation and import them into your PostgreSQL Movable Type installation.

    If it's a question of moving to WordPress, there are many who have made the switch before you and some have even supplied instructions.

    If what you're really looking for is a one-click method to make the shift, maybe you should reconsider your future in IT.

    --
    blog
  12. Factually wrong analogies by Jonathan · · Score: 3, Informative

    From the article: "Examples are as plentiful as they are sad: Consider the virus that brought on the Irish potato famine".

    *Viruses* had nothing to do with the Irish potato famine. While there were many factors for the famine, many of them political, the pathological reason was the *fungus* Phytophthora infestans.

  13. Disk Imaging + Single Company = easy monoculture. by Richard Steiner · · Score: 3, Informative
    Except with the gazillion of different Linux distributions, each featuring different versions and alternative applications, how the hell can you reach a *mono* culture?

    Given the mass disk imaging techniques currently in use at many corporate sites in lieu of traditional installations, and given the ability for Linux sysadmins to lock down end user boxes so that only the central admins could install software, I could certainly see a "monoculture" being a very real possibility at a given site even when running Linux in a corporate context.

    Now, whether or not that monoculture represents the same kind of risk that a Windows monoculture does is a different question. :-) But there is still some risk.

    --
    Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
    The Theorem Theorem: If If, Then Then.
  14. Re:I saw it happen long ago by Wolfrider · · Score: 2, Informative

    [ /me buys Dan a $virtual-beer ]

    Suggest you install some Samba servers, and migrate the Windoze shares over for security + reliability.

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??