Dan Geer's Monoculture Bomb Goes Off
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, than those that subsist in a proprietary monoculture."
When all the thousands of PHP/AWStats defacements were made last year as well? Or is the PHP/MySQL/Linux triad not considered a "monoculture"?
One time at work, I was working on code when a rumbling spread across the floor, up and down the building -- people were losing access to their machines, in our MAJOR CORPORATION! Some virus had invaded the corporate network, machines were in infinite recycle loops.
Until the noise was loud enough, I hadn't noticed. I was working on my code on my linux box. And, it was code compatible to be used on the same project everyone else was developing on their Windows boxes. Interesting.
Ultimately, the monoculture in my office got me too because of my dependency on shared drives running on infected Windows machines. It took at least one day to get machines halfway back to normal.
I hate Microsoft, but I think Geer's prediction, and point, are well made without blaming or pointing at Microsoft. A Unix or Linux monoculture could be susceptible to the same result (though I think with much more expended effort to achieve the same catastrophic result).
It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.
Object lesson? I think you mean an 'abject lesson' but I could be wrong. Of course, I could predict that some virus will infect Microsoft in the future too. And that a much lesser used format will not be affected. I suppose I could blog about it. Then when it happens, I could blog some more about it, saying how smart I was. Maybe I'd misuse the word 'irony' too as in "isn't it ironic that Microsoft got infected when linux didn't"... It would be a web-trifecta...
You guys under 25 are too young to remember the Morris Worm but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disproportionate impact.
Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Given how easy it is to write MS Office malware, how long until a more advanced version of this worm can search a user's hard drive for other Word/Excel/Powerpoint/Visio documents, infect them, and wait for the next generation of itself to be transmitted?
If the malware itself could change/adapt/evolve (ie, create new functionality within itself), then MS has essentially created a petri dish out of each install of Office.
In other words, MS has created a true "software ecosystem".* **
*Patent Pending
** "Software Ecosystem" is a trademark of Microsoft Corporation
I wouldn't want to be a sys admin in a company that had to support OpenOffice, MS Office, StarOffice, XYZOffice. Or had to support Windows (XP, 2000, 2003), Linux, OSX, and *ix. Can you imagine the headache of getting all of them to play nice with each other on a daily basis? There's something to be said about standardization.
On the other hand, if the sys admin has backups and servers distributed across Windows, Linux, OSX and whatever platforms, that would make sense.
I mean I can understand the argument that diversity can add a certain degree of robustness, but it also raises the level of complexity of that environment, and that complexity comes with a cost that can be easily more expensive than dealing with the occasional severe threat.
I mean the ultimate objective behind OpenDocument is to obtain a monoculture in the document formats. That different things implement it isn't relevant. Why? Well most likely there'll be reference code and documents to do that, and most likely people will follow those most of the time (why reinvent the wheel?) and thus if a bug happens, most things will be vulnerable. You see this with things like the libpng bug that affected so much software.
So, why tolerate this? Well because I for one don't want to have to play with interoperability nightmares. I want a single document format I can share, I want standards in how computers operate so I don't have to relearn everything every time I sit at a new workstation.
The magic of computers is really their ability to share information, and for that to work effectively, standards have to develop and prevail. I do not want to work in a world where my word processor has 150 different save formats and I have to pick the right one depending on the institution with which I'm communicating. I do not want a world where there are 50 different prevalent microarchitectures and no software runs on more than a handful, and so on.
We have to accept that we can have diversity only to a degree. There has to be common grounds. Yes, those are going to be potential points for an infection to pass. Well, that's unfortunate, but it's simply something we need to live with if we want easily interoperable computers.
Just breaking things into a "duoculture" wouldn't really solve much. I mean let's say we achieve that with Linux, 50% Linux, 50% Windows. Ok fine, what happens now, in addition to exploits that happen to affect both, is that stuff still spreads, just among its subset, or malicious authors start making viruses have dual payloads that execute the right one on the right platform.
To really have any significant effect, you'd have to have hundreds of different types all mixed together that were minimally interoperable. For example Linux running Wine to use Win32 programs does no good, now it executes the same code and thus is vulnerable in the same way.
Trying to avoid common systems and formats for security may be valid in an isolated, secure environment but it just doesn't work in computing at large. We want interoperable computers and we strive for it (well, some companies like to try and stand in the way of that). That, by necessity, means that there are more possible vectors for infection. Hell, when you get down to it, we could really clean all this up by eliminating the TCP/IP monoculture. If every organization used their own proprietary network, then it'd be real hard for an infection to spread outside an organization. However I hardly think that's the answer.
To me his piece seems like just so much anti-MS rhetoric. He's pushing ODF, which is a standard intended for interoperability, intended to create a document format monoculture. Yes, any word processor could use it, but like I said, that doesn't really gain you anything. He seems to be pushing for switching from one to another, rather than pushing for real fragmentation.
This notion of IT "Diversity" being the end all and be all for information security is a sham.
Extend the same logic to the freeway. If we had even more brands, models, and geek knobs to choose from, would our traffic safety improve one bit more than where it is today?
Security quality is security quality. Don't confuse security quality with market forces.
This is the very reason we need to have open standards. If the standard is robust and exploit-proof, then the only exploits will be in the implementations. Many different implementations eliminates the monoculture problem.
From time to time we discover standards have holes in them. When the holes are serious, such as a fundamental flaw in a cryptography standard, it must be abandoned. However, most of the time the holes can be worked around or the standard can continue albeit with reduced functionality, as vendors patch their software to not implement the broken part of the standard. For example, despite standards to the contrary, most web clients will not fully render a page that is from an untrusted or hostile host, due to broken-ness/exploit-potential in the standard.
If there were only one web browser in common use, then you have both the problem of browser-specific exploits and the problem of a slow-to-patch vendor. Thankfully, we don't have that prob... er, nevermind
By the way, your mentioning of the TCP/IP monoculture raises some good points. The original TCP/IP standards had holes which were initially patched by vendors, or customers for source-licensed code, turning off functionality until the standards could be revised. There are still some issues outstanding and there are probably some we are not yet aware of. However, thanks to open standards, a process for revising the standards, and multiple open- and closed-source implementations of the standard, the more serious holes tend to be patched quickly by at least one vendor and vendor-specific holes tend not to have as big an impact as they would in a single-vendor environment.
Just because your analogy "sounds right" doesn't make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way. And if you take the analogy for anything more than a mild curiosity, it really exposes your underlying idiocy.
Just because you say that biological organisms and "viruses" don't work the same way, doesn't make it a valid thesis. If you can't explain how, for the purposes of the discussion, the two differ, then you are really just exposing your innate idiocy.
Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.
I'm not sure what being "tools" has to do with the rest of your statement, but your assertion that it is cheaper for society to buy anti-virus (software?) than to support multiple OSes is hanging out there just dangling in the wind. You got anything besides your ass to back up that claim?
And how exactly does yet another Word virus suddenly prove this theory? It's not like there haven't been many since the paper was published.
Wait, wait, wait. Now you say there is lots of proof for this theory, the one you've been claiming is false up until now? If there are so "many" cases since the paper was published, doesn't that mean that this "anti-virus" really doesn't work so well?
When information is power, privacy is freedom.
if it has happened before. There have been numerous scripting exploits in word...
Also, predicting a security vulnerability in ANY piece of software is like predicting rain. It is *going* to happen, it is not impressive at all, and proves nothing when it happens.
It would in fact probably stop the flow of viruses if most computers all ran different operating systems (if there was no 90% majority of any system), software etc. I think this is fairly obvious.
One thing to consider though is that it would also have additional costs associated with training for most companies. Also, in terms of operating systems, no majority platform makes it more difficult for developers to make a profit since everyone is feeding off a tiny segment of the market.
The unices have survived by adopting source level compatibility to broaden their effective market share, and above all by specializing. Apple has also survived by pandering to specific markets (education, graphics artists, home users) at the expense of other markets (business). The problem with having no majority operating system is that you can no longer build a general purpose computer that does everything. Instead one must dual boot, which is what linux users have done for a long time and what mac users are doing now that they can. Now, multi booting isn't the worst thing in the world, but it is an inconvenience.
The last and most problematic issue of having no majority operating systems is drivers. One might think that hardware manufacturers would be most likely to be forced to write their drivers for multiple systems, instead of just windows as they do now, but this is not realistic. A no majority operating system is going to be an environment with lots of highly specialized operating systems. Makers of uncommon hardware are still going to only support one platform, the one on which their hardware is used. If you need to use two specialized gadgets, you are probably going to need to set up two different computers, or dual boot.
Possibly multiple operating systems could adopt the same driver model, but I have to ask why that isn't happening right now when it is already advantageous for Linux and others. Right now the only operating systems capable of using foreign drivers that I know about are FreeDOS and ReactOS (using DOS and Windows NT drivers respectively, of course). Frankly, it would be a big boon for the desktop market and others if Linux or FreeBSD could use stock Windows drivers... but I suspect there are some technical problems with this. Linux developers have always quoted as a reason for not maintaining binary compatibility with drivers that they didn't want to impose arbitrary restrictions in the kernel. My suspicion is that compatibility with Windows drivers, if technically feasible at all, would have performance issues for Linux. Would someone more familiar with the kernel and the Windows driver model care to comment?
This stuff is so silly ... if you're using your box correctly, and not running as admin, this whole thing is meaningless and amusing.
The freeway system is NOT a monoculture. Yes, it has a set of "open standards" in the form of somewhat-uniform road signs and driving rules, but in its implementation it varies widely from road to road and vehicle to vehicle.
We have concrete roads, asphalt roads, and in some places around the world roads made of dirt or ice. We have cars, trucks, buses, motorcycles, and in some places bicycles and rick-shaws. Vehicles are powered by gasoline, diesel, more exotic fuels, and human-power.
We have exit and entrance ramps in a variety of configurations.
Now, imagine if you will a country where all the roads are made of the same material from the same factory and are built by the same vendor. Imagine that there is a flaw in the material or road-making process that shortens the useful life of the road by 25%. I'd say that country has a serious problem. Much more serious than they would if a variety of vendors built the roads using a variety of materials sourced from a variety of manufacturing plants.
All in all roads, at least in the USA, are not a monoculture in their implementation. Not by a long shot.
From an organizational point of view (be it a company, a government department, whatever), while it's true that a monoculture introduces security risks, a 'polyculture' introduces other problems - complexity in terms of patch administration, help desk, staff training, desktop imaging, license compliance, etc etc. This is precisely why organisations generally standardise on a single product + version - regardless of the underlying format.
Switching to an open format (eg ODF) does not imply a polyculture, it just doesn't preclude it. Chances are that a given organisation will standardise on a software tool to work with that format; they'll still be a monoculture and (theoretically) subject to the same risks.
Having said all this, I agree on the statement that publically owned documents should avoid proprietary formats. That's a no-brainer.
If your box has a local-user privilege escalation exploit that you can be tricked into executing, then a black hat can 0wn your box.
If your box and boxes used by 80% of the computing public share that same exploit, it makes a very attractive target.
from those that subsist in a proprietary monoculture.
Actually, that would be a "monoculture," not just a proprietary one. If everybody ran Linux and such a vulnerability existed, the same thing would happen.
If you can't explain how, for the purposes of the discussion, the two differ,
There's no point in dissecting something that's just a literary mechanism. If someone actually believes that computers function just like biological organisms, the burden is on them to prove it. However nobody in their right mind thinks that, so it's not a useful discussion.
but your assertion that it is cheaper for society to buy anti-virus (software?) than to support multiple OSes is hanging out there just dangling in the wind.
Try looking out the window. Standardization is moving forward as always. I don't have to prove what is obvious to anyone in the IT industry.
The point about tools: Many people believe Ecology to be a moral end in itself, while computers are functional items that exist to perform automated tasks in the cheapest manner possible. And monoculture is considered cheaper. Nobody thinks there should be an "endangered species act" to protect AmigaOS, for example, or if they do, they are operating on an entirely different moral framework than the rest of society.
Now you say there is lots of proof for this theory, the one you've been claiming is false up until now?
Don't stick words in my mouth. I was just wondering why this relatively minor virus was important enough to be declared "The Monoculture Bomb!!"
Whenever I hear the word 'Innovation', I reach for my pistol.
It's news if a worm doesn't exploit a large piece of monoculture software (a.k.a. MS Windows or Word). This same story could have been rewritten with the same words, just exchanging virus names for almost any virus. News would be a terrible virus exploiting a less widespread piece of software, like the BlackICE firewall software and the Witty worm a few years ago.
For example, look at the list on the libpng problem I noted (http://www.securityfocus.com/bid/10857/info). I mean my god, that's a ton of platforms. Windows, MacOS, multiple Linuxes, multiple browsers, etc. The problem is that they all implemented PNG and for simplicity, they were all using reference code to do it. Thus the exploit, found in that code, applied to all of them.
I'm not saying that's not harder to exploit than a bunch of systems 100% the same, I'm saying it's still a problem. If you REALLY want to protect things by a heterogeneous environment, you need to have things that are majorly different. Use different OSes, different microarchitectures, different document formats, etc, etc.
I don't think it's a problem having common standards and even common platforms, we gain more than we lose. We just need to get in a more secure mindset.
As an example of a big monoculture that most people are quite happy about is x86. Everything in the consumer world uses it these days, now even Macs. It's wonderful for interoperability, ask anyone that's ever messed with VMWare. However, it is a weakness. If the machine code is 100% different, it means you need two totally different binaries to affect two platforms. With a shared microarchitecture, that's at least taken care of. However I don't think you'll find many that would seriously suggest we should have tons of different platforms just to avoid problems.
Open standards are great, but precisely because they can create a monoculture standard, the one format everyone uses to exchange a certain kind of data. The problem with Word isn't the monoculture, it's the lack of openness.
I use Word on four computers, and I haven't seen this infection.
Hmm, maybe because unlike in biology, we can easily fix computers without years of clinical trials and research studies.
The whole concept that diversity somehow protects from viruses is ludicrous. It may stop a universal outbreak by limiting it to some subset of the population, but if you are part of that vulnerable population, a virus is no less devastating. Empirically, when there *was* a diversity of computer operating systems, viruses *still* ran rampant. Think about the late 1980s. There were substantial populations of MSDOS, Commodore, Apple, Macintosh, Amiga, Atari, etc. computers around. Most people here are probably too young to remember but there were a lot of viruses in those days too. It is not the evil Microsoft monoculture that brought about viruses. They pre-existed that by a long while.
I would go so far as to predict that a diverse culture of computer operating systems would actually *increase* the damage viruses can do. Sure, a single virus couldn't take down everything at once, but there would also be far fewer resources thrown at stopping any given virus. Antivirus software would have to be written and maintained for each platform. Security vulnerabilities would have to be patched for each platform. Each time you diversify the culture, you increase the amount of redundant work needed to keep the entire population safe. Fewer resources means more vulnerabilities and slower response times. That, in turn, would mean more viruses doing damage in the real world.
An epidemic keeps propagating if, on average, an infected subject infects more than one target. If it infects less than one, the next "generation" will be smaller than the previous one, etc. The number of infected targets depends on how many contacts the subject has, and how many of these get infected.
For human infections, an infected subject contacts family members, maybe schoolmates and coworkers. On average, it takes more than a simple casual contact to get infected. So, the number of contacted targets is small. If enough are vaccinated, or otherwise invalid, the average number of infected targets drops below 1, and the epidemic stops. The interesting result is that the infection stops before every potential target is infected. A typical infection affects a city or a province, and then stops.
Computer infections are very different. A virus infected computer can contact thousands of other computers. Even if many are protected, chances are that many more than 1 in a thousand will be infected. Computer viruses can spread very fast!
Diversifying with two or three brands of software will maybe minimize the results, but cannot stop such infections before all vulnerable machines are infected. To limit the infection to "a city or a state" when a sick machine contacts thousands of others, something like 99.9% of the machines must be either "different" (diversity) or "vaccinated" (anti-virus, etc). Unless you are ready to manage diversity by running a thousand different brands of software, the anti-virus route looks much more realistic.
-- Louarnkoz
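The threshold argument in the post above (an outbreak keeps growing while each infected host infects more than one other, and the fraction of "different" or "vaccinated" machines needed to stop it rises with the number of contacts) can be worked through numerically. The following is an added example and not part of the original thread; it is a deliberately simple, deterministic expected-value model with constructed parameters (a population of 100,000 hosts, 1,000 contacts per infected host, a 10% transmission chance per contact), chosen only to illustrate the arithmetic, not measured from any real worm.

```python
"""Toy epidemic-threshold model for the monoculture discussion (constructed example)."""


def effective_r(contacts, p_transmit, fraction_protected):
    """Expected new infections per infected host.

    contacts:           hosts each infected machine reaches per generation
    p_transmit:         chance a contact with a vulnerable host infects it
    fraction_protected: share of hosts that are immune, because they run
                        something different or are patched/protected
    """
    return contacts * p_transmit * (1.0 - fraction_protected)


def protection_needed(contacts, p_transmit):
    """Fraction of hosts that must be immune to push the effective R below 1.

    With basic reproduction number R0 = contacts * p_transmit, the outbreak
    dies out once (1 - protected) * R0 < 1, i.e. protected > 1 - 1/R0.
    If R0 is already below 1 no protection is needed, so the result is 0.
    """
    r0 = contacts * p_transmit
    return max(0.0, 1.0 - 1.0 / r0)


def simulate_outbreak(contacts, p_transmit, fraction_protected, population,
                      max_generations=100):
    """Generation-by-generation expected spread, starting from one infected host.

    Each infected host contacts `contacts` hosts chosen at random from the whole
    population; a contact infects only if the target is vulnerable and still
    uninfected. Returns (hosts eventually infected, hosts that were vulnerable).
    """
    vulnerable = population * (1.0 - fraction_protected)
    infected_total = 1.0      # the seed machine
    current = 1.0             # hosts infected in the latest generation
    for _ in range(max_generations):
        susceptible = max(vulnerable - infected_total, 0.0)
        # share of random contacts that land on a vulnerable, uninfected host
        new = current * contacts * p_transmit * (susceptible / population)
        new = min(new, susceptible)
        if new < 0.5:         # fewer than one expected new victim: outbreak dies
            break
        infected_total += new
        current = new
    return infected_total, vulnerable


def attack_fraction(contacts, p_transmit, fraction_protected, population=100_000):
    """Share of the vulnerable population that ends up infected."""
    infected, vulnerable = simulate_outbreak(contacts, p_transmit,
                                             fraction_protected, population)
    return infected / vulnerable


if __name__ == "__main__":
    # A human-style disease: few contacts, modest transmission, half immune.
    print("human-like R:", effective_r(5, 0.1, 0.5))
    # A worm: a thousand contacts at 10% each, so R0 = 100.
    print("protection needed for R0=100:", protection_needed(1000, 0.1))
    for protected in (0.5, 0.9, 0.99, 0.999):
        print(f"{protected:.1%} protected -> "
              f"{attack_fraction(1000, 0.1, protected):.1%} of vulnerable hosts hit")
```

With 1,000 contacts and a 10% transmission chance the model needs 99% of hosts to be immune just to reach the threshold, and at 90% protection the outbreak still reaches essentially every vulnerable machine; only at 99.9% does the seed fail to find a second victim. That is the post's point: splitting the population across two or three platforms moves the protected fraction nowhere near the level a high-contact worm demands.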
It's easy to predict what has happened thousands of times before. It's hard to predict the future.
Retraining won't be a problem. You just need to have computer literate employees. :-)
Is the problem that we have a monoculture, or is it the quality level of that monoculture, or is it that we don't have barriers and quarantines to limit damage?
Thought experiment #1: you have a choice of a diverse world where Apple, Microsoft, Sun and everyone else has written their own sshd, or a monoculture world where everyone runs OpenSSH. Which would you choose?
Thought experiment #2: how worried would you be about monoculture if the operating system on 95% of computers were OpenBSD? SELinux?
Thought experiment #3: before malware enters your body it has to run the gamut of being stuck to mucus and swept out, being sneezed out or coughed out, being hammered by natural antibiotics, being dropped in acid, and potentially being expelled from the digestive tract if found to be toxic. Do our computers have an equal or similar level of protection against unfriendly programs?
This particular vulnerability was discovered when it was attempted to be used on a highly specific target. This was not your typical 0-day worm or anything, not even close. Targeted attacks will use any vector they can to get in - it may as well have been Winamp or any other program.
Yes it is obvious. It is also obvious that the standardization does not yield a single product instead of multiple different ones that conform to a standard. Thus, it does not support the idea that multiple operating systems are more expensive to society than one with anti-virus software.
So you are correct, you don't have to prove the obvious. But you do have to prove just what in blue blazes it has to do with the assertion.
So which came first again?
The chicken or the egg?
I predict that because of ... monoculture... whatever... err microbiology, nanoparticles and so on, a virus for Vista will be created.
That's it. In one year Slashdot will write about me and my amazing prediction came true, how the hell I can be so smart to ever guess this coming?!
Isn't it the MS Product Management culture?
You have a PM who is measured on sales. Sales by now are hugely upgrades. The only way to motivate upgrades is new features. So you introduce them, whether they are really needed or wanted, or not. They are then heavily used by the salespeople, before the sale, selling to people who are not the end users of those features.
And so it comes about that IT buys, and what the ordinary user thinks of as a glorified on-screen typewriter actually becomes, via Word macros, a powerful if flawed programming language, and what the end user thinks of as a document becomes a program that can wipe his hard drive or change anything at all on his machine it chooses.
This is not about monoculture versus poly. If you had twenty different PMs behaving like this across the whole industry, it would be as bad or worse. It's about feature driven business models in areas where the buyer is not a sophisticated end user of the products. IT buys Office. What does IT really know about using Word to write? Hosts of features can be sold to IT that could never be sold to the people who use the stuff....
How in God's name would you switch from MySQL to PostgreSQL to Oracle to MS SQL or to anything. Have you ever actually written a real database application?
Seriously, the amount of time spent switching between any of these systems is drastic. For a typical, small database application, there is probably 20k-50k lines of stored procedures. All the different vendors have their own SQL procedures.
How about securing the databases. I'd love to see how anyone could possibly say that the administration of a transition could possibly be an option. If your problem was MySQL security to begin with, how can you possibly suggest that switching to another database could be easy. The simple administration cost of securing a new server, especially with an existing dataset that was previously developed to be secured on another SQL server would be tremendous.
Switching between PHP and Perl, hehe come on now... I won't even bother wasting my time on this one.
Linux and Solaris.... if you have a security issue on one, you have a security issue on both. The fact is that the majority of security bugs that would be related to these is due to servers that are either not kept up to date or due to zero-day exploits. Both server systems are actively hacked and are high level targets for crackers. It doesn't matter which you use, you have to update both pretty much the same way, switching is a waste of time and money.
So, if you were to reason that the original posters comment was regarding the monoculture of PHP/MySQL/Linux, well I'll make it simple....
The open source community forces this crap down our throats all the time, they love this solution, it works more or less. There are books on it. There are sections on O'Reilly's website dedicated to it. It's advertised regularly everywhere. This solution is chosen not specifically on its merits for simplicity/stability/security, but it's chosen because it is relatively simple, relatively stable, and relatively secure, AND most importantly, it's Open Pop Culture.
I know a bunch of sales people that love to sell the hell out of the solution because it's fun to say LAMP. They don't know what it means, but they make up all kinds of neat new industry sales terms regularly to make them sound like they have a clue... they don't. Oh, they also think P stands for PHP or Perl, not both. They don't understand how a letter can be variable.
So, before you put your 2 cents in, think first. Your rinky dink 50 line PHP script for changing passwords is not representative of a full mature system. In real development work, we use features like stored procedures, complex views, server specific indexes. Also, just because your blog hasn't been hacked, don't think that just installing a new SQL server is actually going to secure anything, some of us have actually spent hundreds, if not thousands of hours just setting securities and permissions to different data sets.
The LAMP monoculture is real, it is there. Once you use it, you're locked into it. There is no transitioning from one to another.
Now if I misunderstood you and you really meant that Linux/MySQL/PHP itself wasn't a monoculture because you can choose different options when you're first starting... well ok, that may be true, but the majority doesn't. Perl rarely appears on the web anymore, the web is typically PHP, ASP, or JSP. I don't have exact numbers, but if you want to make me look like an idiot, post real numbers with reference that contradicts me. LAMPHP is a monoculture because it's used so often that lack of talent on the other solutions keeps it that way.
Now go and try to sound like you know something somewhere else
Depends what the standard is, and how closely one needs to conform to it. For something as complex as Win32, there's probably never going to be multiple implementations that are "good enough". For something simple like SMTP, there is not that much cost in supporting multiple implementations.
Here's the definition of the word "Analogy" from Dictionary.net: A resemblance of relations; an agreement or likeness between things in some circumstances or effects, when the things are otherwise entirely different. Thus, learning enlightens the mind, because it is to the mind what light is to the eye, enabling it to discover things before hidden.
Yes, computers aren't biological organisms and "viruses" don't work the same way, but the concept is still the same - that's what makes it an analogy. Diversity increases security. It's not exactly a new idea, and I think calling someone an idiot for saying so especially when you have given no sort of evidence is just stupid.
>underlying idiocy
We shouldn't put people on pedestals above all criticism, but Dan Geer has earned the right to have people at least offer some evidence when they accuse him of "idiocy".
Incidentally, Kephart and White have used biological epidemiological math to model the spread of malware, as have Williamson and Leveille. Actual researchers are finding the pathogen analogy fruitful.
This discussion could not be complete without a car analogy.
Analogies are like cars. Sometimes they're buggy or unsuited for the job but if you test them carefully they can be superb tools.
First we hear about our beloved, albeit cloned bananas at risk of going extinct, now Apples and Windows lemons are in danger... it's all over folks. Get out your tin foil and wrap your fruit up tight.
And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Postgres/Oracle/DB2/MSSQL/MySQL all have a similar functionality set, so they can reproduce the data the user wants with a lot more certainty.
I'm sorry, but your premise is insufficiently developed for your conclusion to naturally follow. By the same logic, one can say that since Word has font sizes, families, bold, and italic, as well as the ability to set text as having certain styles, and so does every other word processor, that would be a "similar functionality set" and therefore can reproduce the data the user wants with a lot more certainty.
Can I just shut down Postgres, bring in MySQL and point it at the file(s?) that Postgres was using and just have it work, or is there more to it than that?
Anyway. He is right, although wrong at the same time. The widespread use of just one forum software package has indeed led to a mono-culture of sorts and a discovered hole in the package means thousands of sites are at risk.
He is however wrong in thinking this says anything about Linux, MySQL, Apache or even PHP. The bug is in the software written with it. It would be like blaming C (or whatever Word is written in) for Word viruses.
But the fact that everyone uses phpBB for their forum in its default form is a perfect example of the risks of a monoculture. You gain the benefit of standard software but the moment a security risk develops everyone is at risk.
The more people use your software the more secure it has to be. It is unlikely anyone will bother to hack my own php login script. You probably will never even find it. A lock on a door somewhere in the arctic just doesn't need to be as solid as that of one in London.
Especially if the lock in the arctic is unique and everyone in London uses the same lock (and even the same key).
HOWEVER there is one advantage to opensource. I can easily rewrite the phpBB software to make it invulnerable to standard attacks. Good luck rewriting MS Office or any other closed source piece of software.
Opensource is not immune to mono-culture problems. It is just easier to prevent it/fix it.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I'm not denying the analogy is not enlightening or even valid to some degree. However, that doesn't necessarily mean you can draw the same conclusions sans argument. In particular, the analogy is an attempt to align "alternative" computing to the same framework as Ecological morals, which is where it breaks down quite badly.
And "Diversity increases security" is far short of "Diversity increases economic efficiency" or "Diversity reduces costs" (as has been repeatedly argued on Slashdot), and that's a rather poor mental shortcut.
The other reason for the attack being Word-only is down to the number of copies of Word which are used day to day compared to the alternatives. As Star Office/Open Office etc become more popular the number of attacks will increase.
The same thing is true for Firefox; the browser with the biggest market penetration is the one which will suffer the attacks.
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
Just because you say that biological organisms and "viruses" don't work the same way, doesn't make it a valid thesis. If you can't explain how, for the purposes of the discussion, the two differ, then you are really just exposing your innate idiocy.
I'll help him out here. In epidemiological terms, a monoculture is susceptible to widespread, possibly devastating infection because the members of that population all share similar genetic makeup and background. A single variant of a particular grain crop, which is planted over thousands of acres, with an identical genetic makeup would be an example of a biological monoculture. Now, if a disease comes along that affects ONE of those plants, *every* plant in the thousands of acres you've planted is susceptible, and probably will be affected. In short, monoculture is the practice of putting all your eggs in one basket.
Now with that in mind, diversity does not prevent the disease from affecting some of your crop, it simply mitigates the impact of the disease to your overall crop -- instead of losing 100% of your crop to some sort of wheat blight, you lose 20%, instead... only the susceptible plants die. The problem with this is, in order to increase the diversity of your crop, you have to spend the time, effort, and money sacrificing the economy of scale that you can achieve by planting thousands of acres with the same genetic variant. 1 strain == same fertilizers, same maintenance & upkeep, same planting & tilling requirements; More strains require variations of the fertilizer mix, upkeep, planting & tilling, and so you can't fertilize in bulk... you can't apply fertilizer using a big sprayer that covers your whole field... you can't plant all your seeds at once, since some strains require different planting depths & intervals... so the farmers decide that the tradeoff between the risk of complete crop destruction, versus the costs of diversity, is worth the risk, and create monocultures in their fields.
So far, we're on a close parallel. But as you look deeper, the analogy fails, and in spectacular fashion, because of this simple reason:
In a field of wheat, wheat stalk #1 does not depend, in any appreciable way, on stalks #2, 3, 4, 5, ... , n -- each plant is a self-contained entity... if one stalk of wheat dies over here, the other stalks continue growing, completely oblivious to the death of the first.
Now, let's look at an IT example... let's say you have a 4-way even split (25% apiece) between Mac OS, Solaris, Red Hat Linux, and Windows in your enterprise. Now, I knock 25% of your systems offline via an exploit in one of those operating systems. How has diversity helped you? Sure, the other 75% of your systems are up, but you're probably missing critical services (DNS? LDAP? Web Services? Web SERVERS? Network drives? Domain Controllers? NIS masters?) that are hurting even the "unaffected" 75% of your systems.
So what does that diversity get you, in business terms? Very few reduced risks (sure, 75% of your systems may not be directly affected by the worm, but if 100% of your systems are unable to be used effectively to get work done, that diversity has gotten you absolutely nowhere.), and quite a lot of extra cost: the sacrificed economies of scale you can achieve by standardizing on a particular technology "stack", and the overhead of managing all the varieties of O/S and making them play nice together. And please, don't even try to claim that managing 100 Linux, 100 Windows, 100 Unix, and 100 Mac OS systems under one roof would be equivalent or less work than managing 400 of *one* variety.
Four days ago, Dan's prediction came true ...for the 200th or so time. Remember Outlook? The corporate mail system monoculture? At home, it might have 20% or so of the market, but it's big with business users.
True, the Word thing is more nifty, because people don't expect it, and it's not a macro virus. But even so, this is hardly the first time MS users get bitten exactly because they are MS users.
Assorted stuff I do sometimes: Lemuria.org
While I do enjoy someone writing a think piece on the idea of the dangers of a mono-culture, this work has been thoroughly researched by Stephanie Forrest ( http://www.cs.unm.edu/~forrest/ ) at the University of New Mexico via the Santa Fe Institute and the complex systems program at the University of Michigan. For anyone that wants to actually learn more about the application of immunization models to computer security, I suggest you check out her research.
The fact is that computers are not biological organisms and "viruses" don't work the same way.
In certain areas, they do and the analogy is quite valid. For example, worm propagation on the Internet very closely resembles biological population growth models.
While computers and biological organisms are indeed very different critters, on the systems level (i.e including their environments) there are many similarities.
The analogy is not necessarily false when you introduce the factor of human interaction into the equation. Since computers are operated by humans, and a very large percentage of malware depends on human interaction, the lack of enough potential hosts can indeed make the spread of certain types of malware impossible.
For example, if a person must open up an email attachment and execute some bad code in order to get infected and spread the worm further, potential targets are a large factor in the ability of the worm to spread. Just as only a certain percentage of people who come in contact with a sick person will actually get sick themselves, only a certain number of people who get email worms in their inbox will fall for it and infect themselves. The mitigating factors are different of course, but the end result is that the infectious agent, whether it be biological or electronic, must have sufficient contact with other potential hosts to propagate.
So the common thread that makes the biological/electronic analogy work is humans. The person who volunteers to teach spaghetti art to 3 and 4 year olds at the pre-school is more likely to catch a cold than the person who doesn't - just as the person who browses porn with IE while logged on as an admin is more likely to catch some nasty malware than someone who doesn't.
Network borne worms that require only internet connectivity (no human interaction) to spread are another story. Because every potential host on the planet is reachable in a matter of milliseconds, and contact with another vulnerable host guarantees infection, the percentage of vulnerable hosts on the net is almost irrelevant. The BlackICE worm from a few years back is proof positive of this.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
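Added example (not code from any post in this thread): the epidemiological math mentioned a few posts up (Kephart and White, and the worm growth models) comes down to logistic growth for a random-scanning worm, and it is short enough to run. Every infected host probes random addresses at a fixed rate; a probe only produces a new infection when it lands on a host that runs the vulnerable software and is not yet infected. The address space, scan rate and population sizes below are constructed for illustration, and the model assumes uniformly random scanning with no human interaction, which is the "network borne worm" case from the post above, not the e-mail-attachment case.

```python
"""Random-scanning worm spread under the logistic (SI) model.

Added example, not from the thread. Follows the standard random-constant-
spread model: every infected host probes `scan_rate` random addresses per
second out of `space` addresses, and only the `n_vulnerable` hosts running
the vulnerable software can be infected. All numbers are constructed.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4; probing assumed uniformly random over it


def simulate_worm(n_vulnerable, scan_rate, target_fraction=0.9,
                  initial_infected=1, dt=1.0, space=ADDRESS_SPACE):
    """Step the expected number of infected hosts forward in time until
    target_fraction of the vulnerable population is infected.
    Returns (seconds elapsed, infected hosts)."""
    infected = float(initial_infected)
    target = target_fraction * n_vulnerable
    t = 0.0
    while infected < target:
        # probability that one random probe lands on a vulnerable,
        # not-yet-infected host
        p_hit = (n_vulnerable - infected) / space
        infected += infected * scan_rate * dt * p_hit
        t += dt
    return t, infected


def logistic_time(n_vulnerable, scan_rate, target_fraction=0.9,
                  initial_infected=1, space=ADDRESS_SPACE):
    """Closed form of the same model, used to check the simulation:
    a(t) = 1 / (1 + (1/a0 - 1) * exp(-K t)), K = scan_rate * n_vulnerable / space,
    solved for the t at which a(t) == target_fraction."""
    k = scan_rate * n_vulnerable / space
    a0 = initial_infected / n_vulnerable
    f = target_fraction
    return math.log((f / (1 - f)) * ((1 - a0) / a0)) / k


def saturation_times(populations, scan_rate):
    """Seconds to 90% infection for each candidate vulnerable population.
    Splitting the same fleet across two products halves n_vulnerable for
    any one exploit; that is the only thing 'diversity' changes here."""
    return {n: simulate_worm(n, scan_rate)[0] for n in populations}


if __name__ == "__main__":
    # Constructed numbers: a fleet all on one vulnerable product, the same
    # fleet split evenly across two products, and a niche product.
    for n, seconds in saturation_times([360_000, 180_000, 36_000], 10).items():
        print(f"{n:>7} vulnerable hosts, 10 probes/s each: "
              f"90% infected after {seconds / 3600:5.1f} h")
```

The growth constant is scan rate times vulnerable population divided by address space, so the vulnerable fraction sets how fast the worm saturates: ten times fewer vulnerable hosts means roughly ten times longer to reach the same fraction of them, which is the window in which a signature or a block can be deployed. Hitlist or local-subnet scanning breaks the uniform-random assumption and shortens that window.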
You seem to be assuming that even with diverse OSes, some or all mission-critical services would still be limited to one OS platform.
Too, just because "the" mailserver was down, say, doesn't mean that people on the OSes couldn't be creating documents, crunching numbers, doing database queries, playing Solitaire.
I also think that the OP is very mistaken concerning "the cost to society". One company might find a monoculture cheaper, but different companies implementing different OSes wouldn't cost society one bit more, and in terms of avoided loss of productivity due to the diversity, society would thus save money via OS diversity. I fart in your general direction, sir.
It's a good read.
http://outcampaign.org/
But they're called "computer virus" for a reason, and in many ways they do indeed function similarly:
For the purpose of this discussion, I'd say they're pretty much identical. It's well-known that large areas of monoculture, say in agriculture, increases the risk that a single plant-disease can wipe out a large area completely, whereas a more diverse environment, such as a forest, is very unlikely to be wiped by a single plant-disease, because it consists of hundreds to thousands of different plants, and they're unlikely to all be equally vulnerable to a single disease.
Fact is, if your 3 DNS-servers run completely different operating-systems and completely different dns-software, the odds are lower that a single vulnerability will knock them all out. For the same reason, if you've got one GSM-phone, one POTS-landline and one sip-over-cabletv-internet phone it's fairly likely any problem which hits one of them will leave the others working. (the possible single-point-of-failure here could be electrical power, POTS-phones normally get all the power they need over the phone-line though)
I've looked for research like this before, as the commonalities between the spread of biological agents and electronic malware has always interested me, but have never seen this.
The reason this not-particularly-widespread virus was worrying (IIRC) is:
... can it evolve Linux?
(Sorry, couldn't resist :P)
He didn't draw any conclusions sans argument from the analogy. It was just an analogy. His arguments come immediately afterwards in the article.
He also didn't draw any conclusions on increasing economic efficiency. If others have argued that that's their problem, not his.
I don't even want to get into arguing the analogy, but since it isn't obvious...
The difference is that we frequently want code to be passed between computers. A system that is resilient to viral software is also resilient to desirable software, such as MS Office. Therefore monoculture is prized in computing deployments.
Security, like all facets of commercial computing, is just an element of economic efficiency or risk. It's not possible to even bring it up without implicitly raising costs associated with it.
Hmm. A targeted attack pretty much undermines the "eco-pocalypse" argument.
Well DUH, that's much better stated than I could ever put it. Thanks.
The quoted passage explicitly says "Windows Sucks", yet somehow you think he's a MS Shill for posting it. Good reading comprehension, tex.
Monoculture?! Try bad coding and bad management. There's plenty of proprietary software out there that is excellent and secure, it's just done properly.
"One of the reasons that birds feed in flocks is that it means more eyes to watch for danger. Most of the time, at least one member of the flock will see the hawk coming and sound the alarm." - Hawks at the Feeder
The moral is obvious: living in a "proprietary monoculture" can reduce your risks.
Reduce, reuse, cycle
The Symantec description doesn't provide enough detail to be sure, but like everyone else I'll assume that this attack is enabled by a Word macro exploit.
Word macros included in .doc files have been around for over a decade now, and the closest thing I've ever seen to a legitimate use of them is to write self-propagating viruses. (in fact, I once received a CD from Microsoft - the original "wolfpack" cluster server beta - that had macro viruses in its .doc files. Gave the virus scanner a fit when it couldn't scrub the files...)
It seems that in all this time *someone* could have taken the effort (granted, a large one even with the libraries out there for dealing with Office file formats) to write a filter to strip macros from Word documents. Then install this filter in all your mail servers, and voila - no more word macro viruses.
Of course the easiest solution would be for MS to remove the ability to include macros in Word documents entirely, and require them to be saved to and read from a separate, executable file type. (e.g. one of the existing VBscript file types, like .vbe or .vbs) But that's been an obvious solution for a decade, and they haven't done it yet, so I wouldn't hold my breath.
Okay evolution in viruses is easy. A couple of random numbers and you're away. Use one to determine whether to modify the virus itself (low probability, on the order of 5% because most mutations are bad rather than good for an organism), whether to leave it alone and copy it as is or whether to lengthen or shorten the code. The second random number determines which byte within the code to modify if you're going to modify the code and a third random number gives you the value to change it to.
There you go... Evolution. Most of the modified copies won't work and are "dead", but some will and they will go on to pass on their code to the next generation.
Additional strategies... Don't infect every potential file with every execution, that'll give you low diversity and you're looking for wide diversity. A few per execution, also chosen at random. Also don't bother checking to see if a file is already infected, just re-infect it because most of the infections will after all be dead; think of it as predatory behaviour.
So you now have an evolving organism taking advantage of the software environment. A monoculture such as Windows and Word will allow it to spread far and wide. A Linux or OSX monoculture would be just as vulnerable.
Just as biological entities want to pass 'good' biological code around
That's reproduction homes.
Where the difference lies is more that with polyculture (good eh)
I.T. infrastructure you're talking hybridization, one system (or entity)
evolving (through via code monkeys) to use bits of another system.
or sommat.
Hmm. A targeted attack pretty much undermines the "eco-pocalypse" argument.
You keep making these ridiculous assertions.
How is this "targeted attack" any different from say a weaponized malaria?
If you are unfamiliar with the relationship between malaria, racial genetics and sickle cell anemia, you should look it up before responding. Unless of course you just decide to say something like, "Try looking out the window. There's no point in dissecting something that's just a literary mechanism." Then you don't need to know anything about what you are talking about.
When information is power, privacy is freedom.
I think some of you guys have the "mono-culture" thing all wrong.
I believe the notion that formats and standards developed by a group of people with an intellectual mono-culture are more likely to have flaws than, say, formats and standards developed and maintained by many.
This has nothing to do with the fact that the formats and standards themselves are a mono-culture.
Some here would be implying that the basic design of a dog is wrong, simply because dogs are similar- in that they all have 4 legs. This is just silly- we should be looking at the diversity of the dog's gene pool, and the power of this ability to improve the dog's resilience, longevity, etc.
In a field of wheat, wheat stalk #1 does not depend, in any appreciable way, on stalks #2, 3, 4, 5, ... , n -- each plant is a self-contained entity... if one stalk of wheat dies over here, the other stalks continue growing, completely oblivious to the death of the first.
You are presuming that each "stalk" is a computer within an organization. The analogy works just fine where each "stalk" is a separate grouping of computers - be it an entire corporation, a division within the corp or just the server room versus the office area.
The point is that a true monoculture in computing can make an entire society, perhaps even the entire world, vulnerable. But if there is diversity, even at the macro level, the society/economy is not 100% vulnerable. It may suffer huge damages, but 30% inoperable is a hell of a lot better than 100% inoperable.
For example - a bacterium comes along that decimates the tiger population in "the jungle." There are plenty of other predators like leopards, panthers that are close enough in form and function to fill the ecological niche of the tigers in the jungle without severely upsetting the ecosystem. Sure it will be out of whack for a while, but it will restabilize. But, if tigers were the only predators at all, the entire ecosystem of that jungle would eventually collapse once they died off.
So when there is a pileup, if you're in one type or model of car you're more likely to kick the bucket than another model. And you know what, people do look at safety when buying a car so there's a gradual evolution to safer vehicles.
You're right, diversity isn't the be all and end all, it doesn't help the individual, but look at the number of species on the planet which are not single sex species. The whole point of sex is to increase diversity so that when disaster hits, there are enough mutations out there that the species as a whole doesn't disappear. The organisation isn't halted completely.
From this, we learn the lesson that we don't have to have a single vendor in order to have universal interoperability. This funny thing called "open standards" allows numerous different vendors to interoperate with each other. And then apps live and die by how user friendly they are and how well they support the standards.
They do actually work in similar ways.
Computers and organisms work in totally different ways.
Their behaviours and effects on the other hand, can be described by similar mathematical models.
May the Maths Be with you!
Movable Type can run on Postgresql. Create an installation of Movable Type using Postgresql. Export the posts from your MySQL Movable Type installation and import them into your Postgresql Movable Type installation.
If it's a question of moving to WordPress, there are many who have made the switch before you and some have even supplied instructions.
If what you're really looking for is a one-click method to make the shift, maybe you should reconsider your future in IT.
I hate to point out flaws in your analysis. But then that is what I do. You use a very basic biologic organism to shoot holes in Dan's monoculture theory. In some ways the multiple stalks of wheat are dependent upon one another for reproduction. Also, if you expand your analysis to more complex organisms the interdependence of organisms upon one another continues to hold up. I have heard Dan speak on numerous occasions and he brings a very interesting perspective to the IT world. If my memory serves correctly his formal training was as a biostatistician which is where his monoculture theory originates. Your mileage may vary. But just my two cents on the topic.
I'd argue that in Windows World the virus model in biological organisms is fairly accurate. An infected cell starts producing more virus that in turn infect other hosts. And that model is unique to Windows, unless your Linux boxes are really poorly configured.
Computers are tools in the sense they are machines but you won't see my chainsaw pick up a virus then go off on a tangent and try to infect the lawn mower.
Suggesting the monoculture model is more efficient from a management standpoint is one of those ideas that seems true but doesn't really hold up in real life. The fatal flaw being it assumes all elements in a mixed OS system require the same amount of administrative oversight and that's simply not the case. I have LAMP stack applications that will run for months at a time without any administrator oversight.
Put that in your TCO pipe and smoke it. ;)
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
My bad - it looks like it may be a buffer overrun exploit, not a macro attack. So it's not a problem with the Word design and functionality, but the implementation, of the sort that no one should make and almost everyone does.
So to get my 2 bits in on monoculture:
Buffer exploits - whether the Morris worm or this attack - rely on monoculture. This exploit is in fact an extreme example, only infecting Word 2003. (since it crashes other versions of Word, it looks like the vulnerability is present in those other versions, but the virus writer either didn't or couldn't craft an overrun string that would hijack multiple versions properly.)
Lots of other exploits don't rely on monoculture. But buffer exploit attacks rely on the (almost) exact position of the stack pointer and a variable on that stack; merely recompiling a program with a different optimization level will probably require exploit code to be re-written. At this level, open-source systems like Apache aren't necessarily a monoculture, as long as everyone isn't running the same version of the same distro.
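Added example (not code from any post in this thread) covering two points made above: the post on the 25%-split enterprise argues that a diverse fleet still loses a service when every replica of it shares the exploited build, the DNS post argues that three name servers on different software cannot be knocked out by one bug, and the post just above notes that a stack-layout exploit often only works against one exact version. The function below takes a host inventory, a vulnerable software name and optionally an exact version, and reports which hosts fall, which services are merely degraded (some replicas survive) and which are lost outright (every replica shared the vulnerable build). The inventory, host names, products and versions are all constructed for the demo.

```python
"""Blast radius of one vulnerability over a constructed host inventory.

Added example, not from the thread. A host is lost if it runs the vulnerable
software (optionally only one exact version). A service is "up" while at
least one replica survives, so diversity only protects a service whose
replicas do not all share the vulnerable build.
"""
from collections import defaultdict

# Constructed inventory: (hostname, os, software, version, service or None)
INVENTORY = [
    ("ns1",   "linux",   "bind",       "9.3",  "dns"),
    ("ns2",   "linux",   "bind",       "9.3",  "dns"),
    ("ns3",   "freebsd", "djbdns",     "1.05", "dns"),
    ("mail1", "linux",   "postfix",    "2.2",  "smtp"),
    ("mail2", "linux",   "postfix",    "2.2",  "smtp"),
    ("dc1",   "windows", "ad",         "2003", "auth"),
    ("dc2",   "windows", "ad",         "2003", "auth"),
    ("www1",  "linux",   "apache",     "2.0",  "web"),
    ("www2",  "linux",   "apache",     "2.2",  "web"),
    ("pc1",   "windows", "word",       "2003", None),
    ("pc2",   "windows", "word",       "2003", None),
    ("pc3",   "linux",   "openoffice", "2.0",  None),
]


def affected_hosts(inventory, software, version=None):
    """Hosts the exploit can take: every install of `software`, or only one
    exact version when the exploit depends on that build's memory layout."""
    return {h[0] for h in inventory
            if h[2] == software and (version is None or h[3] == version)}


def service_replicas(inventory):
    """Map each service to the hosts that provide it."""
    replicas = defaultdict(list)
    for name, _os, _software, _version, service in inventory:
        if service is not None:
            replicas[service].append(name)
    return replicas


def blast_radius(inventory, software, version=None):
    """Hosts lost directly, plus services lost or degraded because their
    replicas shared the vulnerable build. A lost service hurts every host,
    including the ones the exploit could not touch."""
    down = affected_hosts(inventory, software, version)
    lost, degraded = [], []
    for service, names in service_replicas(inventory).items():
        survivors = [n for n in names if n not in down]
        if not survivors:
            lost.append(service)
        elif len(survivors) < len(names):
            degraded.append(service)
    return {
        "hosts_down": sorted(down),
        "fraction_down": len(down) / len(inventory),
        "services_lost": sorted(lost),
        "services_degraded": sorted(degraded),
    }


if __name__ == "__main__":
    for software, version in [("word", "2003"), ("postfix", None),
                              ("bind", "9.3"), ("apache", "2.0"), ("apache", None)]:
        print(f"{software} {version or '(any version)'}:",
              blast_radius(INVENTORY, software, version))
```

Run against a real CMDB export, the useful output is the `services_lost` list: that is the set of services whose replicas are a monoculture in the sense that matters, regardless of how mixed the desktop fleet is. Note that the version-specific case (`apache 2.0`) degrades the web service while the version-agnostic case loses it, which is the difference between an overflow exploit tied to one build and a logic bug present in every build.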
How about this to break monocultures?
Give every processor a different instruction set. So if you want code to run on a particular machine, it has to be compiled for that particular machine. In practice that's likely to mean compiled on that machine. Then there's next to no chance of "foreign" code {viruses, worms, trojans, whatever} running on your machine.
This would mean it would be very difficult to sell closed source software, but that's no great loss IMHO. Remember, before Windows, software for the various Unix versions and VAX/VMS often was supplied in source form but without a licence permitting distribution. And anyway, the lack of source code never prevented anyone from copying Windows or Office.
Je fume. Tu fumes. Nous fûmes!
From the article: "Examples are as plentiful as they are sad: Consider the virus that brought on the Irish potato famine".
*Viruses* had nothing to do with the Irish potato famine. While there were many factors for the famine, many of them political, the pathological reason was the *fungus* Phytophthora infestans.
The "monoculture bomb" analogy only goes so far before failing. When we're talking about corn or something like that, obviously a specific engineered disease could cause widespread devastation. But in the computer world, viruses can do far more insidious things than just shut down a network, and a polyculture might actually make that easier.
Let's say you've got a hacker who wants access to a file on your network that a bunch of users have access to. In this case, the hacker isn't trying to infect ALL the computers; any one of them will do. In this case, a polyculture actually HURTS security, because the hacker only has to find one flaw in any of the many different applications people are running. Can't hack his way into Word? That's okay, some nerd in the office is running StarOffice and he can find a backdoor for that. Or whatever.
Not to mention, in a monoculture it's easier to standardize training and security. The security guys in an all-Windows place only need to keep up with the (legion) Windows vulnerabilities out there. In a polyculture environment, they have to know about Windows vulnerabilities PLUS Linux, Mac, and all sorts of other vulnerabilities, because one compromised computer can mean a whole lot of lost information.
Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.
Linux and BSDs are developed by volunteers who take pleasure, are free-as-in-freedom, and most of the time are free of monetary cost.
Corporations (like Redhat) make money from this model too, and they give back to the community. It works nice. Simple users are not obliged to comply with the monetary cost.
Windows costs money to all. Anti-virus costs money to all. A computer jammed from a virus/trojan/malware costs money to all.
Give every processor a different instruction set. So if you want code to run on a particular machine, it has to be compiled for that particular machine. In practice that's likely to mean compiled on that machine. Then there's next to no chance of "foreign" code {viruses, worms, trojans, whatever} running on your machine.
That doesn't follow at all. It just means that they will have to distribute themselves in source form and compile themselves on the target machine--or rather, trick the target machine into compiling and loading them. This is already close to what macro-malware does, and is exactly what the old pine worm did (the subject line tricked users into pressing two keys which would save it to a file, compile, and run it on most systems). It worked on any processor that had a roughly-posix OS with good C compiler called "C".
--MarkusQ
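Added example (not code from any post in this thread) for the "give every processor a different instruction set" proposal and the reply to it. It is a toy model of instruction-set randomization: a tiny stack machine whose code bytes are XORed with a per-machine key at install time and decoded with the same key at fetch time, so a binary built for machine A, or raw injected bytes that never saw any key, decode to undefined opcodes on machine B and fault. The same toy shows the reply's point: source that is assembled and installed on the target gets the target's key and runs fine. The instruction set, the XOR encoding and the two keys are made up for this demo; a real design would have to protect the key and deal with the data/code distinction, which this toy ignores.

```python
"""Toy instruction-set randomization (ISR) VM.

Added example, not from the thread. Each machine has its own key; native
code is XOR-encoded with that key when installed and decoded while being
fetched. Code encoded for another machine, or never encoded at all,
decodes to garbage and faults. The ISA and keys are invented.
"""
import os

OPCODES = {"PUSH": 0x01, "ADD": 0x02, "SUB": 0x03, "MUL": 0x04, "HALT": 0xFF}


class IllegalInstruction(Exception):
    """The decoded byte stream is not a valid program: what foreign code
    looks like to a machine whose key it was not encoded with."""


def assemble(source):
    """Assemble text such as 'PUSH 6 / PUSH 7 / MUL / HALT' into plain bytes.
    This is the compile step; the output is not yet tied to any machine."""
    out = bytearray()
    for line in source.strip().splitlines():
        parts = line.split()
        mnemonic = parts[0].upper()
        out.append(OPCODES[mnemonic])
        if mnemonic == "PUSH":
            out.append(int(parts[1]) & 0xFF)
    return bytes(out)


def randomize(code, key):
    """Install step: XOR every byte with the machine's key stream, so the
    same program has a different byte encoding on every machine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


def execute(code, key, max_steps=1000):
    """Fetch, decode with the machine key, execute. Returns the top of the
    stack at HALT or raises IllegalInstruction."""
    stack = []
    pc = 0

    def fetch():
        nonlocal pc
        if pc >= len(code):
            raise IllegalInstruction("ran off the end of the code")
        byte = code[pc] ^ key[pc % len(key)]
        pc += 1
        return byte

    def pop2():
        if len(stack) < 2:
            raise IllegalInstruction("stack underflow")
        b, a = stack.pop(), stack.pop()
        return a, b

    for _ in range(max_steps):
        op = fetch()
        if op == OPCODES["PUSH"]:
            stack.append(fetch())
        elif op == OPCODES["ADD"]:
            a, b = pop2()
            stack.append((a + b) & 0xFF)
        elif op == OPCODES["SUB"]:
            a, b = pop2()
            stack.append((a - b) & 0xFF)
        elif op == OPCODES["MUL"]:
            a, b = pop2()
            stack.append((a * b) & 0xFF)
        elif op == OPCODES["HALT"]:
            if not stack:
                raise IllegalInstruction("halt with empty stack")
            return stack[-1]
        else:
            raise IllegalInstruction(f"undefined opcode {op:#04x} at {pc - 1}")
    raise IllegalInstruction("step limit exceeded")


def try_run(code, key):
    """Run code on a machine; None means the CPU faulted."""
    try:
        return execute(code, key)
    except IllegalInstruction:
        return None


def new_machine_key(length=8):
    """Each machine draws its own key once, at provisioning."""
    return os.urandom(length)


SOURCE = "PUSH 6\nPUSH 7\nMUL\nHALT"
KEY_A = bytes.fromhex("a5c3e17f0b92d46e")  # constructed demo keys
KEY_B = bytes.fromhex("5e1a77c83d9002bb")

if __name__ == "__main__":
    native_a = randomize(assemble(SOURCE), KEY_A)
    print("machine A runs its own binary:", try_run(native_a, KEY_A))
    print("machine B runs A's binary:    ", try_run(native_a, KEY_B))
    print("raw injected bytes on A:      ", try_run(assemble(SOURCE), KEY_A))
    # the bypass from the reply above: ship source, assemble on the target
    print("source assembled on B:        ",
          try_run(randomize(assemble(SOURCE), KEY_B), KEY_B))
```

With these keys the first decoded byte of A's binary on machine B is 0xFA, which is not an opcode, so the fault is immediate; in general an attacker's bytes decode to something valid only by chance, and a longer payload has more chances to hit an undefined opcode. The last line is the reply's objection in code: anything that gets itself assembled on the target inherits the target's key, so the scheme stops foreign binaries, not foreign source handed to a local compiler or interpreter.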
The thing that amazes me is that there are *so* many interesting issues that this view of computer systems raises and the best that the collective wisdom (such as it is) of the net can come up with is a bunch of mindless Linux advocacy and Windows counter defense. In general, any discussion of this topic without also recognizing systems other than Windows and Linux is missing the point.
Have a nice day!
That is all.
I commend you on your creation and use of this straw man, (that "Diversity" is the end all and be all for information security). Then, like a virtuoso soda jerk putting a cherry atop some frozen confection, you deftly place a car analogy upon the crown of your straw man. I don't think anyone (that has any intelligence) is arguing that a diverse computing environment is going to solve all computer problems.
Incidentally, using your freeway analogy, what would happen if one day, without warning, there simply was not enough gasoline? Gasoline powered vehicles would not function, and unless there were vehicles capable of running on alternative power sources, transportation in any meaningful sense would just not happen. The more alternatives there are to gasoline engines in actual use, the less impact such a sudden loss of gasoline motive power would have.
Does that rough analogy clue you in as to what the conversation is really about?
It's not offtopic, dumbass. It's orthogonal.
Another advantage of diverse biological polycultures is that infections tend to be confined to small areas, as they can't find a convenient host to infect. One problem with the internet is that all potential hosts are only a few router hops away ... but the same reasoning still applies - to find new hosts, the virus will have to hit a LOT more possible hosts, and this sort of activity could be noticed by hosts that are NOT part of that particular culture. Maybe we'll see a self-healing net in the future.
You seem to be assuming that even with diverse OSes, some or all mission-critical services would still be limited to one OS platform.
And do you think it's even remotely likely that -- for example -- a company would choose to implement DNS using multiple platforms? Half your DNS servers Windows, half Linux? You've never worked for a corporate IT department, have you? This suggestion, even taken at its ludicrous face value, fails to address economies of scale that would be lost to the organization by having to support mission-critical servers running multiple OSes that don't always play well together.
Too, just because "the" mailserver was down, say, doesn't mean that people on the OSes couldn't be creating documents, crunching numbers, doing database queries, playing Solitaire.
And again -- have you ever worked in a corporate environment? Creating documents often is not done out of whole cloth, and requires documents on networked drives, access to web sites, email communication with peers, customers, vendors, etc. Yes, it's possible that people could create documents, or crunch numbers, or do database queries, but the point is, when part of a networked environment goes down, especially in a highly interconnected office setting, all of the nodes on that network suffer a reduction in performance.
I also think that the OP is very mistaken concerning "the cost to society". One company might find a monoculture cheaper, but different companies implementing different OSes wouldn't cost society one bit more, and in terms of avoided loss of productivity due to the diversity, society would thus save money via OS diversity.
But seriously -- "not cost society one bit more?" You don't think that operating costs for a company contribute directly to the bottom line prices it's able to offer to consumers? Read about WalMart sometime, and tell me that their low prices are *anything* but a function of lower operating costs achieved by economies of scale. Your claim that "society would THUS SAVE MONEY" via OS diversity doesn't hold water -- if it did, companies would be moving to diverse platforms in order to reduce their operating costs. Instead, in companies such as the one I work for, they've embarked on a multi-year program of standardizing OS and hardware combinations across tens of thousands of desktops, laptops, and servers.
I fart in your general direction, sir.
And I saw your post on Slashdot. It sucked.
You are presuming that each "stalk" is a computer within an organization. The analogy works just fine where each "stalk" is a separate grouping of computers - be it an entire corporation, a division within the corp or just the server room versus the office area.
Ah, so we're redefining the term "monoculture" to mean something else now? In the analogy to a wheat field, 1 plant == 1 computer. And while your Mac computer may continue to work if all the Windows systems in the world go down, you STILL lose a great deal of the usefulness of that computer, simply because it relies on (or you rely on) stuff that is housed on those computers that are affected. The interconnected nature of computing today makes it very difficult for diversity to provide you with any sort of "herd immunity."
Nobody is arguing that there are not tradeoffs between standardizing and being diverse. Diverse platforms can mean that your organization MAY limp along, at a reduced capacity, if 30% of the computers in the world go down. But diversity comes with an administrative cost to that organization, and in a lot of organizations, a lot of very smart people have come to the conclusion that it's cheaper to simply secure your systems and do contingency planning than to try and support, day in and day out, a broad range of diverse operating systems that will each come with their own administrative hassles & issues.
Word viruses have been around for at least 8 years, and the Microsoft Word monoculture for longer than that. How is this new?
If I don't put anything here, will anyone recognize me anymore?
Explain how, by expressing a resemblance between things otherwise unlike, he invalidates his analogy.
Not to mention it completely ignores the economic factors which created the "monoculture".
And also explain how these economic factors invalidate the analogy. Do use examples of agroeconomic factors pertaining to crop monocultures while doing so (I expect the word "locust" to make an appearance in this explanation).
You can't take the sky from me...
Wal-Mart is hardly an example to hold up in admiration. Economies of scale are not infinite, and their so-called "lowest prices" are based on top-down direction to pressure suppliers to decrease *their* costs to Wal-Mart, not on some magical efficiency Wal-Mart came up with.
It doesn't mean much now, it's built for the future.
You use a very basic biological organism to shoot holes in Dan's monoculture theory.
He's the one who chose an agricultural term to expound on his theory, not me. I'm pointing out the dissimilarity between a true biological monoculture (in which each individual in the population is independent, and does not depend upon or rely upon the other individuals in any appreciable way for survival), and his concept of a computing monoculture. Yes, lots of people run Windows. No argument there. Yes, that makes most of those systems vulnerable to the same exploits. No argument there. At this point, the monoculture analogy still works.
But it lacks in huge ways when you take into account the interconnected nature of computers today. If a server hosting a mission critical service goes down, then all of the clients of that service WILL be affected, regardless of their particular platform. If (for example) your Windows DNS servers & desktops go down, you might be able to still use your Linux or Mac desktops, but they will do so at a degraded efficiency, and it's possible that they will still be essentially unusable for a large majority of your population. This is something that "diversity" in any form cannot prevent.
In some ways the multiple stalks of wheat are dependent upon one another for reproduction.
Actually no, they aren't. The stalks of wheat are harvested, they are not allowed to reproduce in the farmer's field. The big agricultural concerns have a diverse culture of wheat strains which they raise to produce the seed to sell to farmers. If I walk into a wheat field, and rip out three or four stalks of wheat, the rest of that field continues growing, and being wheaty, without so much as a blip. If I go into your server closet, and rip out a few power cords to take a few of your systems down, you'd notice that little event really quickly.
Also, if you expand your analysis to more complex organisms the interdependence of organisms upon one another continues to hold up.
Yes... and we're all pretty roundly F'ed if a disease comes along that wipes out, for example, all the doctors in the world, or all the engineers, or all the farmers, or all the mechanics. That interdependence of complex organisms is exactly why I'm saying the monoculture theory doesn't really hold up that well. Having a diverse ecology does NOT prevent problems, the only thing it can do is help to mitigate the impact in a group of independent individuals. I don't care how diverse New York City is, if every doctor in the city dropped dead tomorrow, then the rest of the city would goddamn well notice it.
The monoculture theory works if your population is not interdependent... if it is interdependent, then diversity versus monoculture is not a simple "4 legs good, 2 legs bad" proposition.
From the millions of Windows-only trojans, viruses, etc.? Yeah, the most fruitful target will attract the most exploits (and also the most investment in countermeasures). The thesis was obvious, and this Word-only trojan is hardly the first demonstration of it.
Heck, it had already been well-demonstrated when it was first suggested.
OTOH, the biological analogy is flawed in many ways, most notably that computer systems don't reproduce themselves, and therefore the central risk associated with a monoculture (that a single hazard will reduce the population to below where it is reproductively viable) doesn't exist.
That neither the target systems nor the exploits evolve in the darwinian sense is also a critical difference which makes the dynamics radically disanalogous.
Given the mass disk imaging techniques currently in use at many corporate sites in lieu of traditional installations, and given the ability for Linux sysadmins to lock down end user boxes so that only the central admins could install software, I could certainly see a "monoculture" being a very real possibility at a given site even when running Linux in a corporate context.
Now, whether or not that monoculture represents the same kind of risk that a Windows monoculture does is a different question. :-) But there is still some risk.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Wal-Mart is hardly an example to hold up in admiration.
I'd actually beg to differ with that statement in a lot of cases. But anyway, Wal Mart was chosen as an example simply because their scale, and their supply chain management practices, are excellent examples of how the economies of scale can reduce costs to consumer. When you buy by the case, you pay more per unit than when you buy by the truckload. It's the same principle that drives "bulk" stores such as BJs, Costco, and Sam's Club. Wal Mart didn't "invent" economies of scale, but they are a great example of how applying them can reduce costs.
Economies of scale are not infinite,
Nobody claimed they were. If they were, Wal Mart would be the only supplier of all consumer goods, and they would give everything away free. Yes, they use their size to pressure suppliers into reducing prices... but Wal Mart is also not stupid enough that they're going to put all of their suppliers out of business. And Wal-Mart politics aside, economies of scale derived from monoculture practices are one of the few reasons modern agriculture survives as a break-even proposition. The difference between Wal-Mart's $5.89 bottle of detergent, and Mom&Pop's grocery's $6.19 bottle of detergent really *is* that crucial when you get into the agricultural model -- it's the difference between breaking even (or maybe making a small profit), and going bankrupt and having condos built where your farm used to be.
If the Apache foundation was conquered by crazy quilters, they might force you to by an Apache quilt in order to run their monopoly. They too would be in violation of the Sherman Act. This is a silly example, but the point is that monopolies may be bad for security or free markets but they are not illegal.
A monopoly is a bit like a spouse. Having a spouse is not illegal, but abusing your spouse for personal gain is both illegal and repugnant.
Think global, act loco
Geer and company stated that any uniform and ubiquitous OS could cause similar problems, so it is not as though this is a MSFT-only situation.
The NSA, meanwhile, used to mitigate the risk by using the same OS (*nix variant) compiled in different ways.
CCIA still has the report on its Website: http://www.ccianet.org/papers/cyberinsecurity.pdf
The report is as true today as ever......
Will Rodger
Comes from the word Anal and the greek word Logus (meaning 'to look like')
Thus the original meaning of 'Looking like an Ass'
I live in Soviet Canuckistan you insensitive clod!
If you generalize things enough then you can make almost any rule apply to fields that it wouldn't normally apply to. Of course diversity makes it harder to write viruses and spyware, but at the same time forcing diversity upon the computer industry might also make virus writers write multi-platform viruses. The motivation of evolution and that of a virus writer should not be compared, since one is based on natural selection and the other is based on conscious choice. It's not that non-MS programs don't have exploits, it's just that most malicious programmers are not interested in writing a virus for OpenOffice or Linux. The comparison is really not valid at all beyond saying DUH, diversity can be advantageous. Unlike the real world, however, diversity in the computer field leads to confusion, lowered productivity and much harder administration. Must a person make up a catchy phrase to claim credit for knowing that MS would get hit first by virus writers? I think anyone who knows anything about viruses already knew this information over a decade ago. This really isn't news, just a fancy way of saying I told you so. Open document standards are a great idea, but it's not as big a disadvantage to MS as you would think. The competition's products simply are not that great. All MS has to do is make legacy products like Office 2000 work with open document standards to include diversity while excluding competitors.
Are you sure the word "mono" still applies ?
Except that Microsoft got into legal trouble for trying to prevent alternative solutions (like closed standards preventing interoperability).
Given the availability and the license of Apache's source code, I don't think users feel "locked-in".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Ah, so we're redefining the term "monoculture" to mean something else now?
No, you redefined it first. Your redefinition is far more narrow than the working definition.
When information is power, privacy is freedom.
Although I don't agree with the parent post I don't think his post should be marked as a troll. Let's have open, honest discussions not try to silence the opinions with which we don't agree.
The race isn't always to the swift... but that's the way to bet!
I think that the folks over at Consortiuminfo need to hire some real life tech experts
http://rjdohnert.wordpress.com/2006/05/24/monocultures-and-document-formats-dans-bomb-goes-off/
Duh!
My analogy of 1 computer == 1 wheat plant in a field is exactly correct. A monoculture of computers is a collection of computers that all (or almost all) run the same operating system, in much the same way that a monoculture in a field consists of millions of individual genetically identical plants.
I actually did RTFA, and as a software engineer who was trained as a biotechnologist, I actually know at least a little bit about computers, genetics, and disease. But you feel free to try again if you have something valuable to add, instead of trying to ignore my point by redefining the terms being used.
My point remains unaddressed, at least by you. In an interdependent network, increasing diversity does little to mitigate the extent of damage, because even systems that aren't affected directly by the virus / worm will operate with reduced capacity because services provided by affected systems are unavailable. Yes, diversity can help mitigate the extent of the damage, but that increased diversity comes with an increased cost in terms of administrative hassle & overhead. While it may be a nice buzz phrase, simply parroting "monoculture bad, diversity good!" does nothing to address these trade-offs.
But that's an internal monoculture. IBM isn't going to have the exact same system as Sun, or RedHat, or whoever. You can have a standard base without being exactly like everyone else.
My blog. Good stuff (when I remember to update it). Read it.
But this just brings us full circle back; a monoculture is easier to maintain, upgrade, troubleshoot, etc. -- all things that an IT department wants. Computer break? Lemme re-image a new one. Bam. 1 hr later and you're back to exactly where you were (you did keep backups, or all files on the server, right?).
I think the larger problem is monoculture outside of each corp -- sure, a virus might take ABC, Inc. down because all their computer share the same vulnerability, and that's too bad, but if almost all computers globally (ATMs running Windows variants, anyone?) also share that vulnerability, it's not bad, it's a *disaster*.
Returned Peace Corps IT Volunteer
Well that does pose a risk. I can see in the next five years someone making a wide-spreading Linux worm/virus, and if all your boxen are identical then the same vulnerabilities would be present across your organization. A virus would indeed shut your company down for hours like it does today. However, you've still got diversity across multiple organizations. Sure, your Linux version of Sasser or MyDoom could shut you down, but it won't shut EVERYONE down like MyDoom did. Best security practices would dictate that you keep at least a few machines running something else (Linux in a Windows shop, Windows or *BSD in a Linux shop, etc.) so that you can restore and keep going. Make sure that your servers are one thing (or a bunch of things) and your client machines are another. The network admin's box is something else. Hard to maintain? Maybe, but you can still standardize with X number of known systems, so long as everyone isn't bringing in their own distros or copies of Windows and installing their own apps in root mode.
I'll be honest, we're throwing science against the wall to see what sticks. -Cave Johnson
My analogy of 1 computer == 1 wheat plant in a field is exactly correct.
If 1 organization within a society != 1 wheat plant in a field, then what does it equal? If you insist it is not a monoculture model, then what it is it? Software engineer with biotechnologist training, you must have a label and a criteria to match that distinguishes the two.
My point remains unaddressed, at least by you. In an interdependent network,
Your point is meaningless within the context of my original post. Your presumption of interdependence between heterogeneous systems is certainly true in some cases, but is not an issue when individual organizations standardize on different systems. You want to set up strawmen, go ahead, but all that can do is prove or disprove some other point beside the one under discussion.
When information is power, privacy is freedom.
Yeah, and that label would be "a group of individual wheat plants." Computers run operating systems. Your server closet is simply a handy collection of computers running operating systems. Your engineering organization is -- from a computing perspective -- a collection of individual computers running an operating system, or several operating systems. A collection of objects should not be confused with the objects themselves. And in the computer monoculture model, lumping together a bunch of computers under the term "organization" does nothing to change the fundamental principles.
I'd also like to point out that what I have, in fact, stated is simply that the monoculture model, and the underlying presumption that diversity of operating systems is a valid way to make a network of computers more secure & robust is horrendously insufficient. Comparing computer networks to the agricultural practice of monoculture fails for reasons I've already noted, and which you've not addressed. Asserting that diversity in operating systems will make for a more robust network also fails, for reasons I've noted, most notably, the simple fact of the interdependence of networked machines.
You seem to be stating that, as long as various organizations standardize on various operating systems, then you've eliminated most of the risk, and that fails as well, for the simple reason of interdependence. For sake of argument, let's say that:
- UPS standardizes on a Windows platform;
- Amazon standardizes on Linux
- and then you attempt to order some stuff using a Mac system;
- Verizon services both of their data centers, and your DSL line, and uses Solaris;
Eliminate any one of those operating systems & shut down the company running that OS for a few days. How do you propose to order something, and expect timely delivery? Answer: You don't. Organizations are interdependent, networked computers are interdependent, and the monoculture model's solution of diversification does nothing to address that fact. Thank you for playing.
Crap, the sky is falling. Again.
Terrible karma and aiming lower, which in this environment of one-sided reason, is higher.
That's intelligent design.
Web 2.0 == Giant Blogspam Circle Jerk
Use Word in SAFE MODE!
I'm not kidding...TechTarget reported that this morning in one of my security emails...
Microsoft expects scores of millions of office workers to reboot their systems into Safe Mode to write a document until they offer a fix next month...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
If everyone technology adhered to the same standard, be it ODF, ECMAscript (javascript), tcp/ip, etc., would that constitute an equally vulnerable, just not proprietary, monoculture too?
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
You have resorted to nothing but name-calling and missing the point completely.
Actually, Jah-Wren Ryel, you've posted nothing here but cheap shots and haughty denials, and finally 3rd tier internet insults like "asshat". It's quite fitting that you went AC because your cowardice has made you incapable of making any sort of affirmative case. What exactly is your "point"? Nothing but knee-jerk ABM political correctness as far as I can tell.
I'm guessing that my rather straight-forward observation about this analogy took a big shit all over your masters thesis or something. Boohoo.
Whenever I hear the word 'Innovation', I reach for my pistol.
Did it happen because it was foreseen or because his ideas sowed the seeds?
"Consensus" in science is _always_ a political construct.
Lol. Backed you into a corner and you obviously know it by the way you are grasping at straws, or maybe that's stalks?
For sake of argument, let's say that:
Eliminate any one of those operating systems & shut down the company running that OS for a few days. How do you propose to order something, and expect timely delivery? Answer: You don't.
The problem with your example is not the interdependence, it is that you've defined it as a bunch of monocultures, and hugely ironic at that... You presume that the only shipping service is UPS, that the only webstore is Amazon and that Verizon is the only ISP.
Let's take a little bit more of realistic look at the real world where polycultures abound:
Shippers: UPS has standardized on Windows, DHL runs MacOS, Fedex runs Linux, and the USPS runs Solaris.
Webstores: Amazon runs Linux, Buy.com runs Windows, Sears.com runs MacOS, Ebay runs HPUX and Walmart runs Xenix.
ISPs: Verizon runs Solaris, Earthlink runs FreeBSD, Comcast runs Windows, SBC runs Linux.
Eliminate one of these operating systems and you've only crippled a fraction of each industry. How do you propose to order something and expect timely delivery? Answer: You place your order with a company that is not dependent on the OS that is MIA, and use a shipper that is not dependent on the OS that is MIA via an ISP that is not dependent on the OS that is MIA on a computer that is not running the OS that is MIA. If you personally don't have access to such a computer or such an ISP, well TS. But the guy next door, who is also part of your society DOES and he can still order stuff.
Because of the diversity in all markets, society continues to function with only minor difficulty despite the loss of one operating system. Thank you for paying.
When information is power, privacy is freedom.
those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."
s/from/than
Check out my women's designer clothing store.
The System V mailers and the V8 mailers (AT&T Bell Labs Research stuff between Version 7 and Plan 9) mostly ran with group-mail privileges instead of root, and the Upas derivatives had simple and elegant rewrite rules. Both sendmail and the AT&T versions dealt with UUCP as long as that mattered, which was another can of worms (though Honey DanBer cleaned it up a lot), but sendmail couldn't really defend itself well against UUCP problems.
As far as monoculture goes, the BSD side of the world almost all ran sendmail, the System V world mostly didn't (but most of the Internet ran BSD variants including SunOS), and it took a while for SMTP to supplant UUCP, largely because of the Acceptable Use Policies that kept the Internet quasi-non-commercial until the Commercial Internet Exchange opened it up.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You make a decent argument in the microscale, but you don't consider the macroscale. In epidemiological terms, one business equals one organism. A monoculture exists when all business/organisms are vulnerable to the same bug and each new infected organism becomes a vector for infection of its neighbors.
Your arguments about the cost of diversity fall flat when we assume that no more than 25% of businesses will run any given OS as an internal monoculture, though.. Business W is 100% FreeBSD; business X is 100% Windows; business Y is 100% Solaris; business Z is 100% OS X, etc.
A virus that wipes out all the Windows businesses will still leave 75% of the ecosystem up and running. No individual business sees any untoward cost from having to maintain internal diversity. Nor does the ecosystem between businesses suffer any increased cost from such diversity, because nobody is paying to keep everyone in sync.
In fact, it costs more to maintain a monoculture at that level than it does to maintain diversity. Imagine trying to put the entire Fortune 500 list of companies on exactly the same suite of computing resources. The synchronization costs would be horrific.
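The UPS/Amazon/Verizon chain from the "Thank you for playing" post, its polyculture rebuttal, and the 25%-per-OS ecosystem above all make a claim about the same object: a chain of roles (client, ISP, webstore, shipper) that an order has to traverse, each role filled by organizations that each run one OS internally. This is an added example (not from any of the posters) that models both chains and asks, for each OS, whether any working order path survives its loss and what fraction of paths does. The OS assignments are the hypothetical ones the two posts used, not statements about the real companies, and the "neighbour's PC" client is an assumption added to reflect the "guy next door" in the rebuttal.

```python
from itertools import product

# Roles an order must traverse, in the order the posts describe.
ROLES = ("client", "isp", "webstore", "shipper")

# Chain from the "Thank you for playing" post: one organization per role,
# each an internal monoculture (hypothetical assignments, not real facts).
MONOCULTURE_CHAIN = {
    "client":   {"your Mac": "MacOS"},
    "isp":      {"Verizon": "Solaris"},
    "webstore": {"Amazon": "Linux"},
    "shipper":  {"UPS": "Windows"},
}

# Chain from the polyculture rebuttal: several organizations per role, still
# each an internal monoculture. "neighbour's PC" is an assumption standing in
# for the "guy next door" the rebuttal mentions.
POLYCULTURE_CHAIN = {
    "client":   {"your Mac": "MacOS", "neighbour's PC": "Windows"},
    "isp":      {"Verizon": "Solaris", "Earthlink": "FreeBSD",
                 "Comcast": "Windows", "SBC": "Linux"},
    "webstore": {"Amazon": "Linux", "Buy.com": "Windows", "Sears.com": "MacOS",
                 "eBay": "HPUX", "Walmart": "Xenix"},
    "shipper":  {"UPS": "Windows", "DHL": "MacOS", "FedEx": "Linux", "USPS": "Solaris"},
}


def surviving_paths(chain, dead_os):
    """Every (client, isp, webstore, shipper) combination that can still
    complete an order once every organization running dead_os is offline."""
    alive = [[org for org, os in chain[role].items() if os != dead_os] for role in ROLES]
    return list(product(*alive))


def surviving_fraction(chain, dead_os):
    """Share of all end-to-end order paths that survive losing dead_os.
    This is the 'crippled a fraction of each industry' number: even when an
    order is still possible, most of the paths people were actually using are gone."""
    total = 1
    for role in ROLES:
        total *= len(chain[role])
    return len(surviving_paths(chain, dead_os)) / total


def fragility(chain):
    """(fraction of OSes whose loss leaves no order path at all, sorted list of
    those OSes). 1.0 means every OS in the chain is a single point of failure."""
    oses = {os for role in ROLES for os in chain[role].values()}
    fatal = sorted(os for os in oses if not surviving_paths(chain, os))
    return len(fatal) / len(oses), fatal


if __name__ == "__main__":
    for name, chain in (("monoculture chain", MONOCULTURE_CHAIN),
                        ("polyculture chain", POLYCULTURE_CHAIN)):
        frac, fatal = fragility(chain)
        print(f"{name}: {frac:.0%} of OSes are fatal to lose {fatal}")
        for os in sorted({o for r in ROLES for o in chain[r].values()}):
            print(f"  lose {os:8s}: {surviving_fraction(chain, os):.1%} of order paths survive")
```

Both posts are right about their own chain. In the first chain every OS is fatal, because interdependence turns four independent monocultures into one serial dependency. In the second chain no single OS is fatal, but losing Windows still kills roughly three quarters of the order paths, which is the interdependence cost the "monoculture bad, diversity good" slogan does not price in.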
>Big boon? Short-sighted users and developers may think so. It is difficult to get hardware documentation from
>some major vendors (NVIDIA, for instance), and embracing binary drivers certainly does not help at all.
Is that there will never be documentation for every little hardware device on the market. *Not* *ever*. Seriously, if they had to document every feature, some devices just wouldn't be made. Today people write drivers by walking down the hall to the guy who made the hardware and asking him how you do various things.
Obviously, I'm not talking about ATI cards here, but there are plenty smaller devices that can't have documentation released.
Also, as far as NVIDIA and ATI cards go, let me clue you in. No one using them cares whether the binaries are open source or not. If ATi is willing to release decent binary drivers, then that's what users will use. If ATI only puts out decent binary drivers for one platform, that sucks, but if there's a workaround to get those to work, there's no reason not to use it.
Or, as it is done here in the University where I work, "bring-your-own-distro" is tolerated, as long as: 1. the service's local sysadmin is informed and has given consent, and 2. details of the installation are kept written down somewhere.
Besides, university-wide, two distros are officially supported: Mandrake is supported by the Linux people, SuSE is (starting to get) supported by the Novell team.
And I can almost add Solaris to the list of supported "partly opensource" systems, now that Sun is putting some effort with the OpenSolaris kernel...
(Most servers here are running Solaris, Linux or NetWare; there are some running MacOS X. Admins try to avoid Windows as much as possible whenever possible - during the MyDoom wave, only the (Windows-based) desktops were unavailable. The servers remained up.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
*Viruses* had nothing to do with the Irish potato famine. While there were many factors for the famine, many of them political, the pathological reason was the *fungus* Phytophthora infestans.
*ahem*
[shallow and pedantic]
*Fungi* had nothing to do with the Irish potato famine. Phytophthora is an oomycete, not a fungus.
[/shallow and pedantic]
This is really just an economic decision. An IT monoculture brings with it certain benefits, such as decreased (non-virus-related) support costs, but also certain costs, such as increased vulnerability to viruses. It's worthwhile for people like Dan Geer to make the IT world aware of those costs, but even once they become aware, a Windows monoculture may still be preferable for some. OTOH, I don't think the costs of supporting multiple OSes are as high as most people think. We have a small network with OS X Server serving files and doing authentication for a bunch of Windows and Linux boxes, and it's really not very hard to keep running.