Slashdot Mirror
Dan Geer's Monoculture Bomb Goes Off
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."
Given how easy it is to write MS Office malware, how long until a more advanced version of this worm can search a user's hard drive for other Word/Excel/Powerpoint/Visio documents, infect them, and wait for the next generation of itself to be transmitted?
If the malware itself could change/adapt/evolve (ie, create new functionality within itself), then MS has essentially created a petri dish out of each install of Office.
In other words, MS has created a true "software ecosystem".
Wow we are old ;) I was thinking of the same thing. What worries me about these types of assertions is that Linux is just as much a mono culture as Windows.
At an OSCON talk, there was this business guy. His assertion was that if Apache were a company then they would be susceptible to monopoly rules like Microsoft should be.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Is the problem that we have a monoculture, or is it the quality level of that monoculture, or is it that we don't have barriers and quarantines to limit damage?
Thought experiment #1: you have a choice of a diverse world where Apple, Microsoft, Sun and everyone else has written their own sshd, or a monoculture world where everyone runs OpenSSH. Which would you choose?
Thought experiment #2: how worried would you be about monoculture if the operating system on 95% of computers were OpenBSD? SELinux?
Thought experiment #3: before malware enters your body it has to run the gamut of being stuck to mucus and swept out, being sneezed out or coughed out, being hammered by natural antibiotics, being dropped in acid, and potentially being expelled from the digestive tract if found to be toxic. Do our computers have an equal or similar level of protection against unfriendly programs?
Yes, but it's mostly Oracle developers who use stored procedures. I know because I had training in Oracle, both basics and some of the more advanced administration courses. Oracle training puts a lot of emphasis on stored procedures, you are taught PL/SQL from the start and never allowed to forget it.
I recently moved a project that had a MS-Access front-end accessing an Oracle DB into a "LAPP", that is, Linux, Apache, PHP, Postgres. In this project I can say that, definitely, rewriting all the PL/SQL procedures from scratch in PHP was quicker than migrating it to the equivalent Postgres stored procedures. However, that's because the system itself suffered a lot of functional redesign, it wasn't just a matter of transplanting it unaltered.
In the end, I believe that Oracle itself is a dangerous monoculture. Oracle is too complex for anyone to understand well in its entirety. In large Oracle systems there are some very specialized DBAs, for instance people who do nothing but take care of backup and recovery. Over-specialized admins are a weak point for security exploits. I think Oracle is protected by the same thing that protected VMS: obscurity. If Oracle came installed in each PC hackers would sooner or later devise ways to break it.