Slashdot Mirror
Dan Geer's Monoculture Bomb Goes Off
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."
One time at work, I was working on code when a rumbling spread across the floor, up and down the building -- people were losing access to their machines, in our MAJOR CORPORATION! Some virus had invaded the corporate network, machines were in infinite recycle loops.
Until the noise was loud enough, I hadn't noticed. I was working on my code on my linux box. And, it was code compatible to be used on the same project everyone else was developing on their Windows boxes. Interesting.
Ultimately, the mono culture in my office got me too because of my dependency on shared drives running on infected Windows machines. It took at least one day to get machines half way back to normal.
I hate Microsoft, but I think Geer's prediction, and point, are well made without blaming or pointing at Microsoft. I Unix or Linux monoculture could be susceptible to the same result (though I think with much more expended effort to achieve the same catastrophic result).
what about PHP/Postgre/linux? or perl/mysql/linux? or PHP/mysql/solaris?
All the components are modular... if the mysql people slack off with security, you can drop them in favour of postgres, with practically no interruption and minimal retooling.
That's not how I would define "monoculture"
It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.
What you're implying is that people would be OK if they just switched to something else? And how is that different from Word? I can count the number of applications I've seen that are *truly* database and OS-agnostic. I'd like to see "everyone" switch phpBB or whatever from MySQL to Postgres in an afternoon. Too difficult... no different from switching from MS OFfice to OpenOffice, except probably in scale.
The vast majority of Linux distros come ship with Perl and Python. Is that not also a monoculture? If I were a virtus writer targetting Linux I don't think I'd run out of "monoculture" to exploit.
The ability to drop an asset that has become insecure is conversely proportional to your dependence on it. People create "monocultures" because they value convenience. Open source is not immune to that.
In other words, MS has created a true "software ecosystem".* **
*Patent Pending
** "Software Ecosystem" is a trademark of Microsoft Corporation
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I wouldn't want to be a sys admin in a company that had to support OpenOffice, MS Office, StarOffice, XYZOffice. Or had to support Windows (XP, 2000, 2003), Linux, OSX, and *ix. Can you imagine the headache of getting all of them to play nice with each other on a daily basis? There's something to be said about standardization.
On the other hand, if the sys admin has backups and servers distributed across Windows, Linux, OSX and whatever platforms, that would make sense.
I mean I can understand the argument that diversity can add a certain degree of robustness, but it also raises the level of complexity of that environment, and that complexity comes with a cost that can be easily more expensive than dealing with the occasional severe threat.
I mean the ultimate objective behind OpenDocument is to obtain a monoculture in the document formats. That different things implement it isn't relivant. Why? Well most likely they'll be refernce code and documents to do that, and most likely people will follow those most of the time (why reinvent the wheel?) and thus if a bug happens, most things will be venurable. You see this with things like the libpng bug that affected so much software.
So, why tolerate this? Well because I for one don't want to have to play with interoperability nightmares. I want a single document format I can share, I want standards in how computers operate so I don't have to relearn everything every time I sit at a new workstation.
The magic of computers is really their ability to share information, and for that to work effectively, standards have to develop and prevail. I do not want to work in a world where my word processor has 150 different save formats and I have to pick the right one depending on the instution with which I'm communicating. I do not want a world where there are 50 different previlant microarchitecutres and no software runs on more than a handful, and so on.
We have to accept that we can have diversity only to a degree. There has to be common grounds. Yes, those are going to be potential points for an infection to pass. Well, that's unfortunate, but it's simply something we need to live with if we want easily interoperable computers.
Just breaking things in to a "duoculture" wouldn't really solve much. I mean lets say we achive that with Linux, 50% Linux, 50% Windows. Ok fine, what happens now, in additon to exploits that happen to affect both, is that stuff still spreads, just among it's subset, or malicious authors start making viruses have dual payloads that execute the right one on the right platform.
To really have any significant effect, you'd have to have hundreds of different types all mixed together that were minimally interoperable. For example Linux running Wine to use Win32 programs does no good, now it executes the same code and thus is venurable in the same way.
Trying to avoid common systems and formats for security may be valid in an isolated, secure environment but it just doesn't work in computing at large. We want interoperable computers and we strive for it (well, some companies like to try and stand in the way of that). That, by necessity, means that there's more possible vector for infection. Hell, when you get down to it, we could really clean all this up by eliminating the TCP/IP monoculture. If every organization used their own proprietary network, then it'd be real hard for an infection to spread outside an organization. However I hardly think that's the answer.
To me his peice seems like just so much anti-MS rehetoric. He's pushing ODF, which is a standard intended for interoperability, intended to create a document format monoculture. Yes, any word processor could use it, but like I said, that doesn't really gain you anything. He seems to be pushing for switching from one to another, rather than pushing for real fragmentation.
This notion of IT "Diversity" being the end all and be all for information security is a sham.
Extend the same logic to the freeway. If we had even more brands, models, and geek knobs to choose from, would our traffic safety improve one bit more than where it is today?
Security quality is security quality. Don't confuse security quality with market forces.
+++
Just because your analogy "sounds right" doesn't make make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way. And if you take the analogy for anything more than a mild curiosity, it really exposes your underlying idiocy.
Just because you say that biological organisms and "viruses" don't work the same way, doesn't make it a valid thesis. If you can't explain how, for the purposes of the discussion, the two differ, then you are really just exposing your inate idiocy.
Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.
I'm not sure what being "tools" has to do with the rest of your statement, but your assertion that it is cheaper for society to buy anti-virus (software?) than to support multiple OSes is hanging out there just dangling in the wind. You got anything besides your ass to back up that claim?
And how exactly does yet another word virus suddnely prove this theory? It's not like there haven't been many since the paper was published.
Wait, wait, wait. Now you say there is lots of proof for this theory, the one you've been claiming is false up until now? If there are so "many" cases since the paper was published, doesn't that mean that this "anti-virus" really doesn't work so well?
When information is power, privacy is freedom.
if it has happened before. There have been numerous scripting exploits in word...
Also, predicting a security vulnerability in ANY piece of software is like predicting rain. It is *going* to happen, it is not impressive at all, and proves nothing when it happens.
It would in fact probably stop the flow of viruses if most computers all ran different operating systems (if there was no 90% majority of any system), software etc. I think this is fairly obvious.
One thing to consider though is that it would also have additional costs associated training for most companies. Also, in terms of operating systems, no majority platform makes it more difficult for developers to make a profit since everyone is feeding off a tiny segment off the market.
The unices have survived by adopting source level compatibility to broaden their effective market share, and above all by specializing. Apple has also survived by pandering to specific markets (education, graphics artists, home users) at the expense of other markets (business). The problem with having no majority operating system is that you can no longer build a general purpose computer that does everything. Instead one must dual boot, which is what linux users have done for a long time and what mac users are doing now that they can. Now, multi booting isn't the worst thing in the world, but it is an inconvenience.
The last and most problematic issue of having no majority operating systems is drivers. One might think that hardware manufacturers would be most likely to be forced to write their drivers for multiple systems, instead of just windows as they do now, but this is not realistic. A no majority operating system is going to be an environment with lots of highly specialized operating systems. Makers of uncommon hardware are still going to only support one platform, the one on which their hardware is used. If you need to use two specialized gadgets, you are probably going to need to set up two different computers, or dual boot.
Possibly multiple operating systems could adopt the same driver model, but I have to ask why that isn't happening right now when it is already advantageous for linux and others. Right now the only operating capable of using foreign drivers that I know about are freedos and reactos (using DOS and windows NT drivers respectively of course). Frankly, it would be a big boon for the desktop market and others if linux or freebsd could use stock windows drivers... but I suspect there are some technical problems with this. Linux developers have always quoted as a reason for not maintaining binary compatibility with drivers that they didn't want to impose arbitrary restrictions in the kernel. My suspicion is that compatibility with windows drivers, if technically feasible at all, would have performance issues for linux. Would someone more familiar with the kernel and the windows driver model care to comment?
When people make these sort of suggestions about real, non-trivial production environments, they usually get laughed out of the room (and shortly thereafter, the job).
The freeway system is NOT a monoculture. Yes, it has a set of "open standards" in the form of somewhat-uniform road signs and driving rules, but in its implimentation it varies widely from road to road and vehicle to vehicle.
We have concrete roads, asphalt roads, and in some places around the world roads made of dirt or ice. We have cars, trucks, buses, motorcycles, and in some places bicycles and rick-shaws. Vehicles are powered by gasoline, diesel, more exotic fuels, and human-power.
We have exit and entrance ramps in a variety of configurations.
Now, imagine if you will a country where all the roads are made of the same material from the same factory and are built by the same vendor. Imagine that there is a flaw in the material or road-making process that shortens the useful life of the road by 25%. I'd say that country has a serious problem. Much more serious than they would if a variety of vendors built the roads using a variety of materials sourced from a variety of manufacturing plants.
All in all roads, at least in the USA, are not a monoculture in its implimentation. Not by a long shot.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
From an organizational point of view (be it a company, a government department, whatever), while it's true that a monoculture introduces security risks, a 'polyculture' introduces other problems - complexity in terms of patch administration, help desk, staff training, desktop imaging, license compliance, etc etc. This is precisely why organisations generally standardise on a single product + version - regardless of the underlying format.
Switching to an open format (eg ODF) does not imply a polyculture, it just doesn't preclude it. Chances are that a given organisation will standardise on a software tool to work with that format; they'll still be a monoculture and (theoretically) subject to the same risks.
Having said all this, I agree on the statement that publically owned documents should avoid proprietary formats. That's a no-brainer.
from those that subsist in a proprietary monoculture.
Actually, that would be a "monoculture," not just a proprietary one. If everybody ran Linux and such a vulnerability existed, the same thing would happen.
The whole concept that diversity somehow protects from viruses is ludicrous. It may stop a universal outbreak by limiting it to some subset of the population, but if you are part of that vulnerable population, a virus is no less devastating. Empirically, when there *was* a diversity of computer operating systems, viruses *still* ran rampant. Think about the late 1980s. There were substantial populations of MSDOS, Commodore, Apple, Macintosh, Amiga, Atari, etc. computers around. Most people here are probably too young to remember but there were a lot of viruses in those days too. It is not the evil Microsoft monoculture that brought about viruses. They pre-existed that by a long while.
I would go so far as to predict that a diverse culture of computer operating systems would actually *increase* the damage viruses can do. Sure, a single virus couldn't take down everything at once, but there would also be far fewer resources thrown at stopping any given virus. Antivirus software would have to be written and maintained for each platform. Security vulnerabilities would have to be patched for each platform. Each time you diversify the culture, you increase the amount of redundant work needed to keep the entire population safe. Fewer resources means more vulnerabilities and slower response times. That, in turn, would mean more viruses doing damage in the real world.
An epidemic keeps propagating if, on average, an infected subject infects more than one target. If it infects less than one, the next "generation" will be smaller than the previous one, etc. The number of infected targets depends on how many contacts the subject has, and how many of these get infected.
For human infections, an infected subject contacts family members, maybe schoolmates and coworkers. On average, it takes more than a simple casual contact to get infected. So, the number of contacted targets is small. If enough are vaccinated, or otherwise invalid, the average number of infected targets drops below 1, and the epidemic stops. The interesting result is that the infection stops before every potential target is infected. A typical infection affect a city or a province, and then stops.
Computer infections are very different. A virus infected computer can contact thousands of other computers. Even if many are protected, chances are than many more than 1 in a thousand will be infected. Computer viruses can spread very fast!
Diversifying with two or three brands of software will maybe minimize the results, but cannot stop such infections before all vulnerable machines are infected. To limit the infection to "a city or a state" when a sick machine contacts thousands of otehrs, something like 99.9% of the machines must be either "different" (diversity) or "vaccinated" (anti-virus,etc). Unless you are ready to manage diversity by running a thousand different brand of software, the anti-virus route looks much more realistic.
-- Louarnkoz
Isn't it the MS Product Management culture?
You have a PM who is measured on sales. Sales by now are hugely upgrades. The only way to motivate upgrades is new features. So you introduce them, whether they are really needed or wanted, or not. They are then heavily used by the salespeople, before the sale, selling to people who are not the end users of those features.
And so it comes about that IT buys, and what the ordinary user thinks of as a glorified on screen typewriter actually becomes, via Word macros, a powerful if flawed programming language, and what the end user thinks of as a document becomes a program that can wipe his hard drive or change anything at all on his machine it chooses.
This is not about mono culture versus poly. If you had twenty different PMs behaving like this across the whole industry, it would be as bad or worse. Its about feature driven business models in areas where the buyer is not a sophisticated end user of the products. IT buys Office. What does IT really know about using Word to write? Hosts of features can be sold to IT that could never be sold to the people who use the stuff....
When people make these sort of suggestions about real, non-trivial production environments, they usually get laughed out of the room (and shortly thereafter, the job).
When it's justified, you can actually change databases or move from a traditional N tier model to something a bit more scalable. Just don't try it because you've screwed up your indexes or something.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
>underlying idiocy
We shouldn't put people on pedestals above all criticism, but Dan Geer has earned the right to have people at least offer some evidence when they accuse him of "idiocy".
Incidentally, Kephart and White have used biological epidemiological math to model the spread of malware, as have Williamson and Leveille. Actual researchers are finding the pathogen analogy fruitful.
This discussion could not be complete without a car analogy.
Analogies are like cars. Sometimes they're buggy or unsuited for the job but if you test them carefully they can be superb tools.
And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Postgres/Oracle/DB2/MSSQL/MySQL all have a similar functionality set, so they can reproduce the data the user wants with a lot more certainty.
I'm sorry, but your premise is too insufficiently developed for your conclusion to naturally follow. By the same logic, one can say that since Word has font sizes, families, bold, and italic, as well as the ability to set text as having certain styles, and so does every other word processor, that would be a "similar functionality set" and therefore can reproduce the data the user wants with a lot more certainty.
Can I just shut down Postgres, bring in MySQL and point it at the file(s?) that Postgres was using and just have it work, or is there more to it than that?
Anyway. He is right, although wrong at the same time. The widespread use of just one forum software package has indeed led to a mono-culture of sorts and a discovered hole in the package means thousands of sites are at risk.
He is however wrong in thinking this says anything about Linux Mysql Apache or even PHP. The bug is in the software written with it. It would be like blaming C (or whatever word is written in) for word virusses.
But the fact that everyone use phpBB for their forum in its default form is a perfect example of the risks of a monoculture. You gain the benefit of standard software but the moment a security risk develops everyone is at risk.
The more people use your software the more secure it has to be. It is unlikely anyone will bother to hack my own php login script. You probably will never even find it. A lock on a door somewhere in the artic just doesn't need to be as solid as that off one in london.
Especially if the lock in the artic is unique and everyone in london uses the same lock (and even the same key).
HOWEVER there is one advantage to opensource. I can easily rewrite the phpBB software to make it invulnareble to standard attacks. Good luck rewriting MS Office or anyother closed source piece of software.
Opensource is not immune to mono-culture problems. It is just easier to prevent it/fix it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Just because you say that biological organisms and "viruses" don't work the same way, doesn't make it a valid thesis. If you can't explain how, for the purposes of the discussion, the two differ, then you are really just exposing your inate idiocy.
... , n -- each plant is a self-contained entity... if one stalk of wheat dies over here, the other stalks continue growing, completely oblivious to the death of the first.
I'll help him out here. In epidemiological terms, a monoculture is susceptible to widespread, possibly devastating infection because the members of that population all share similar genetic makeup and background. A single variant of a particular grain crop, which is planted over thousands of acres, with an identical genetic makeup would be an example of a biological monoculture. Now, if a disease comes along that affects ONE of those plants, *every* plant in the thousands of acres you've planted is susceptible, and probably will be affected. In short, monoculture is the practice of putting all your eggs in one basket.
Now with that in mind, diversity does not prevent the disease from affecting some of your crop, it simply mitigates the impact of the disease to your overall crop -- instead of losing 100% of your crop to some sort of wheat blight, you lose 20%, instead... only the susceptible plants die. The problem with this is, in order to increase the diversity of your crop, you have to spend the time, effort, and money sacrificing the economy of scale that you can achieve by planting thousands of acres with the same genetic variant. 1 strain == same fertilizers, same maintenance & upkeep, same planting & tilling requirements; More strains require variations of the fertilizer mix, upkeep, planting & tilling, and so you can't fertilizer in bulk... you can't apply fertilizer using a big sprayer that covers your whole field... you can't plant all your seeds at once, since some strains require different planting depths & intervals... so the farmers decide that the tradeoff between the risk of complete crop destruction, versus the costs of diversity, are worth the risk, and create monocultures in their fields.
So far, we're on a close parallel. But as you look deeper, the analogy fails, and in spectacular fashion, because of this simple reason:
In a field of wheat, wheat stalk #1 does not depend, in any appreciable way, on stalks #2, 3, 4, 5,
Now, let's look at an IT example... let's say you have a 4-way even split (25% apiece) between Mac OS, Solaris, Red Hat Linux, and Windows in your enterprise. Now, I knock 25% of your systems offline via an exploit in one of those operating systems. How has diversity helped you? Sure, the other 75% of your systems are up, but you're probably missing critical services (DNS? LDAP? Web Services? Web SERVERS? Network drives? Domain Controllers? NIS masters?) that are hurting even the "unaffected" 75% of your systems.
So what does that diversity get you, in business terms? Very few reduced risks (sure, 75% of your systems may not be directly affected by the worm, but if 100% of your systems are unable to be used effectively to get work done, that diversity has gotten you absolutely nowhere.), and quite a lot of extra cost: the sacrificed economies of scale you can achieve by standardizing on a particular technology "stack", and the overhead of managing all the varieties of O/S and making them play nice together. And please, don't even try to claim that managing 100 Linux, 100 Windows, 100 Unix, and 100 Mac OS systems under one roof would be equivalent or less work than managing 400 of *one* variety.
The point is not that you can switch but that you can start wherever you want, which creates a whole variety of setups around the 'net. If someone targets mySQL/PHP/Linux then the people using Postgre/perl/Solaris are fine. The general idea is similar to genetics: if everyone in a group has the same vulnerability then eventually there will be something that takes advantage of that vulnerability and the whole group is wiped out, however, if there are many varients within the group, and each has it's own different vulnerability then there is less of a chance of something coming about to take advantage of any culnerabilities, and when one does it doesn't wipe the entire group out, only some.
And that was a long run-on sentance...
At the time of the Morris worm there was a Unix monoculture, but this was not because it was open source; it wasn't. Please don't confuse the two. Within the Linux community there is diversity, this is a great defence mechanism. Pick a particular type of application and look at how many separate implementations there are. Sure, Firefox is by far the most popular open source browser, but there's also KHTML and several others. Look at the office products and there's way more to choose from.
Radio on your iPod
From this, we learn the lesson that we don't have to have a single vendor in order to have universal interoperability. This funny thing called "open standards" allows numerous different vendors to interoperate with each other. And then apps live and die by how user friendly they are and how well they support the standards.
The "monoculture bomb" analogy only goes so far before failing. When we're talking about corn or something like that, obviously a specific engineered disease could cause widespread devastation. But in the computer world, viruses can do far more insidious things than just shut down a network, and a polyculture might actually make that easier.
Let's say you've got a hacker who wants access to a file on your network that a bunch of users have access to. In this case, the hacker isn't trying to infect ALL the computers; any one of them will do. In this case, a polyculture actually HURTS security, becuase the hacker only has to find one flaw in any of the many different applications people are running. Can't hack his way into Word? That's okay, some nerd in the office is running StarOffice and he can find a backdoor for that. Or whatever.
Not to mention, in a monoculture it's easier to standardize training and security. The security guys in an all-Windows place only need to keep up with the (legion) Windows vulnerabilities out there. In a polyculture environment, they have to know about Windows vulnerabilities PLUS Linux, Mac, and all sorts of other vulnerabilities, because one compromised computer can mean a whole lot of lost information.
Are you sure the word "mono" still applies ?
Except that Microsoft got legal trouble for trying to prevent alternative solution (like closed standart preventing interoperability).
Given the availibility and the license of Apache's source code, I don't think user feel "locked-in".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
But that's an internal monoculture. IBM isn't going to have the exact same system as Sun, or RedHat, or whoever. You can have a standard base without being exactly like everyone else.
My blog. Good stuff (when I remember to update it). Read it.