Slashdot Mirror
Dan Geer's Monoculture Bomb Goes Off
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."
You guys under 25 are too young to remember the Morris Worm but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disporportionate impact.
Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How in God's name would you switch a from MySQL to PostgreSQL to Oracle to MS SQL or to anything. Have you ever actually written a real database application?
Seriously, the amount of time spent switching between any of these system is drastic. For a typical, small database application, there is probably 20k-50k lines of stored procedures. All the different vendors have their own SQL proceedures.
How about securing the databases. I'd love to see how anyone could possibly say that the administration of a transition could possibly be an option. If your problem was MySQL security to begin with, how can you possibly suggest that switching to another database could be easy. The simple administration cost of securing a new server, especially with an existing dataset that was previously developed to be secured on another SQL server would be tremendous.
Switching between PHP and Perl, hehe come on now... I won't even bother wasting my time on this one.
Linux and Solaris.... if you have a security issue on one, you have a security issue on both. The fact is that the majority of security bugs that would be related to these is due to servers that are either not kept up to date or due to zero-day exploits. Both server systems are actively hacked and are high level targets for crackers. It doesn't matter which you use, you have to update both pretty much the same way, switching is a waste of time and money.
So, if you were to reason that the original posters comment was regarding the monoculture of PHP/MySQL/Linux, well I'll make it simple....
The open source community forces this crap down our throughts all the time, they love this solution, it works more or less. There are books on it. There are sections on Orielly's website dedicated to it. It's advertised regularly everywhere. This solution is chosen not specifically on its merits for simplicity/stability/security, but it chosen because it is relatively simple, relatively stable, and relatively secure, AND most importantly, it's Open Pop Culture.
I know a bunch of sales people that love to sell the hell out of the solution because it's fun to say LAMP. They don't know what it means, but they make up all kinds of neat new industry sales terms regularly to make them sounds like they have a clue... they don't. Oh, they also think P stands for PHP or Perl, not both. They don't understand how a letter can be variable.
So, before you put your 2 cents in, think first. Your rinky dink 50 line PHP scripts for changing passwords is not representative of a full mature system. In a real development work, we use features like stored procedures, complex views, server specific indexes. Also, just because your blog hasn't been hacked, don't think that just installing a new SQL server is actually going to secure anything, some of us have actually spent hundreds, if not thousands of hours just setting securities and permissions to different data sets.
The LAMP monoculture is real, it is there. Once you use it, you're locked into it. There is no transitioning from one to another.
Now if I misunderstood you and you really meant that Linux/MySQL/PHP itself wasn't a monoculture because you can choose different options when you're first starting... well ok, that may be true, but the majority doesn't. Perl rarely appears on the web anymore, the web is typically PHP, ASP, or JSP. I don't have exact numbers, but if you want to make me look like an idiot, post real numbers with reference that contradicts me. LAMPHP is a monoculture because it's used so often that lack of talent on the other solutions keeps it that way.
No go and try to sound like you know something somewhere else
While I do enjoy someone writing a think piece on the idea of the dangers of a mono-culture. This work has been throughly research by Stephanie Forrest ( http://www.cs.unm.edu/~forrest/ ) at the university of new mexico via the sante fe institue and the complex systems program at the University of Michigan. For anyone that wants to acutally learn more about the application of immunization models to computer security, I suggest you check out her research.