Dan Geer's Monoculture Bomb Goes Off
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, than those that subsist in a proprietary monoculture."
Given how easy it is to write MS Office malware, how long until a more advanced version of this worm can search a user's hard drive for other Word/Excel/Powerpoint/Visio documents, infect them, and wait for the next generation of itself to be transmitted?
If the malware itself could change/adapt/evolve (ie, create new functionality within itself), then MS has essentially created a petri dish out of each install of Office.
In other words, MS has created a true "software ecosystem".
This is the very reason we need to have open standards. If the standard is robust and exploit-proof, then the only exploits will be in the implementations. Many different implementations eliminate the monoculture problem.
:(.
From time to time we discover standards have holes in them. When the holes are serious, such as a fundamental flaw in a cryptography standard, it must be abandoned. However, most of the time the holes can be worked around or the standard can continue albeit with reduced functionality, as vendors patch their software to not implement the broken part of the standard. For example, despite standards to the contrary, most web clients will not fully render a page that is from an untrusted or hostile host, due to broken-ness/exploit-potential in the standard.
If there were only one web browser in common use, then you have both the problem of browser-specific exploits and the problem of a slow-to-patch vendor. Thankfully, we don't have that prob... er, nevermind
By the way, your mentioning of the TCP/IP monoculture raises some good points. The original TCP/IP standards had holes which were initially patched by vendors, or customers for source-licensed code, turning off functionality until the standards could be revised. There are still some issues outstanding and there are probably some we are not yet aware of. However, thanks to open standards, a process for revising the standards, and multiple open- and closed-source implementations of the standard, the more serious holes tend to be patched quickly by at least one vendor and vendor-specific holes tend not to have as big an impact as they would in a single-vendor environment.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Wow we are old ;) I was thinking of the same thing. What worries me about these types of assertions is that Linux is just as much a monoculture as Windows.
At an OSCON talk, there was this business guy. His assertion was that if Apache were a company then they would be susceptible to monopoly rules like Microsoft should be.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make a very fast pig"
Is the problem that we have a monoculture, or is it the quality level of that monoculture, or is it that we don't have barriers and quarantines to limit damage?
Thought experiment #1: you have a choice of a diverse world where Apple, Microsoft, Sun and everyone else has written their own sshd, or a monoculture world where everyone runs OpenSSH. Which would you choose?
Thought experiment #2: how worried would you be about monoculture if the operating system on 95% of computers were OpenBSD? SELinux?
Thought experiment #3: before malware enters your body it has to run the gamut of being stuck to mucus and swept out, being sneezed out or coughed out, being hammered by natural antibiotics, being dropped in acid, and potentially being expelled from the digestive tract if found to be toxic. Do our computers have an equal or similar level of protection against unfriendly programs?
This particular vulnerability was discovered when it was attempted to be used on a highly specific target. This was not your typical 0-day worm or anything, not even close. Targeted attacks will use any vector they can to get in - it may as well have been Winamp or any other program.
I can drop mysql? Easily?
Please tell me how. I have a medium-sized Movable Type install, and I'd like to run WordPress.
I don't want to have to use unsupported third-party hacks that are a year or more out of date, like the existing postgres port of WordPress.
I would love to ditch mysql, which has single-handedly been responsible for more downtime than any other program I have used, and I'm including "Windows" in that list.
Tragically, much like Windows, MySQL has adopted an "embrace and extend" policy encouraging the use of extensions unavailable elsewhere, so in fact, if you have a substantial mysql code base and database involvement, it's rather expensive to move it, and requires serious programmer time.
But if you know of a trivial and fast way to ditch it in favor of postgres, lemme know. I would do it in an instant. I would pay good money to be able to run whatever I want and never have to see another mysql daemon again.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Yes it is obvious. It is also obvious that the standardization does not yield a single product instead of multiple different ones that conform to a standard. Thus, it does not support the idea that multiple operating systems are more expensive to society than one with anti-virus software.
So you are correct, you don't have to prove the obvious. But you do have to prove just what in blue blazes it has to do with the assertion.
I don't even want to get into arguing the analogy, but since it isn't obvious...
The difference is that we frequently want code to be passed between computers. A system that is resilient to viral software is also resilient to desirable software, such as MS Office. Therefore monoculture is prized in computing deployments.
Whenever I hear the word 'Innovation', I reach for my pistol.
The Symantec description doesn't provide enough detail to be sure, but like everyone else I'll assume that this attack is enabled by a Word macro exploit.
Word macros included in .doc files have been around for over a decade now, and the closest thing I've ever seen to a legitimate use of them is to write self-propagating viruses. (in fact, I once received a CD from Microsoft - the original "wolfpack" cluster server beta - that had macro viruses in its .doc files. Gave the virus scanner a fit when it couldn't scrub the files...)
It seems that in all this time *someone* could have taken the effort (granted, a large one even with the libraries out there for dealing with Office file formats) to write a filter to strip macros from Word documents. Then install this filter in all your mail servers, and voila - no more Word macro viruses.
Of course the easiest solution would be for MS to remove the ability to include macros in Word documents entirely, and require them to be saved to and read from a separate, executable file type. (e.g. one of the existing VBscript file types, like .vbe or .vbs) But that's been an obvious solution for a decade, and they haven't done it yet, so I wouldn't hold my breath.
In a field of wheat, wheat stalk #1 does not depend, in any appreciable way, on stalks #2, 3, 4, 5, ... , n -- each plant is a self-contained entity... if one stalk of wheat dies over here, the other stalks continue growing, completely oblivious to the death of the first.
You are presuming that each "stalk" is a computer within an organization. The analogy works just fine where each "stalk" is a separate grouping of computers - be it an entire corporation, a division within the corp or just the server room versus the office area.
The point is that a true monoculture in computing can make an entire society, perhaps even the entire world, vulnerable. But if there is diversity, even at the macro level, the society/economy is not 100% vulnerable. It may suffer huge damages, but 30% inoperable is a hell of a lot better than 100% inoperable.
For example - a bacterium comes along that decimates the tiger population in "the jungle." There are plenty of other predators like leopards, panthers that are close enough in form and function to fill the ecological niche of the tigers in the jungle without severely upsetting the ecosystem. Sure it will be out of whack for a while, but it will restabilize. But, if tigers were the only predators at all, the entire ecosystem of that jungle would eventually collapse once they died off.
When information is power, privacy is freedom.
Yes, but it's mostly Oracle developers who use stored procedures. I know because I had training in Oracle, both basics and some of the more advanced administration courses. Oracle training puts a lot of emphasis on stored procedures, you are taught PL/SQL from the start and never allowed to forget it.
I recently moved a project that had a MS-Access front-end accessing an Oracle DB into a "LAPP", that is, Linux, Apache, PHP, Postgres. In this project I can say that, definitely, rewriting all the PL/SQL procedures from scratch in PHP was quicker than migrating it to the equivalent Postgres stored procedures. However, that's because the system itself suffered a lot of functional redesign, it wasn't just a matter of transplanting it unaltered.
In the end, I believe that Oracle itself is a dangerous monoculture. Oracle is too complex for anyone to understand well in its entirety. In large Oracle systems there are some very specialized DBAs, for instance people who do nothing but take care of backup and recovery. Over-specialized admins are a weak point for security exploits. I think Oracle is protected by the same thing that protected VMS: obscurity. If Oracle came installed in each PC hackers would sooner or later devise ways to break it.
Geer and company stated that any uniform and ubiquitous OS could cause similar problems, so it is not as though this is a MSFT-only situation.
The NSA, meanwhile, used to mitigate the risk by using the same OS (*nix variant) compiled in different ways.
CCIA still has the report on its Website: http://www.ccianet.org/papers/cyberinsecurity.pdf
The report is as true today as ever.
Will Rodger