Dan Geer's Monoculture Bomb Goes Off

Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."

I saw it happen long ago

[yagu]

One time at work, I was working on code when a rumbling spread across the floor, up and down the building -- people were losing access to their machines, in our MAJOR CORPORATION! Some virus had invaded the corporate network, machines were in infinite recycle loops.

Until the noise was loud enough, I hadn't noticed. I was working on my code on my linux box. And, it was code compatible to be used on the same project everyone else was developing on their Windows boxes. Interesting.

Ultimately, the mono culture in my office got me too because of my dependency on shared drives running on infected Windows machines. It took at least one day to get machines half way back to normal.

I hate Microsoft, but I think Geer's prediction, and point, are well made without blaming or pointing at Microsoft. I Unix or Linux monoculture could be susceptible to the same result (though I think with much more expended effort to achieve the same catastrophic result).

Sudden new point at the end

[XanC]

proprietary is introduced at the end of the summary. It's something of a non-sequitur because up to that point, the discussion has been about monocultures, which looks like an orthagonal issue.

It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.

Re:Did any bombs go off...

[The+Bungi]

what about PHP/Postgre/linux? or perl/mysql/linux? or PHP/mysql/solaris?

What you're implying is that people would be OK if they just switched to something else? And how is that different from Word? I can count the number of applications I've seen that are *truly* database and OS-agnostic. I'd like to see "everyone" switch phpBB or whatever from MySQL to Postgres in an afternoon. Too difficult... no different from switching from MS OFfice to OpenOffice, except probably in scale.

The vast majority of Linux distros come ship with Perl and Python. Is that not also a monoculture? If I were a virtus writer targetting Linux I don't think I'd run out of "monoculture" to exploit.

The ability to drop an asset that has become insecure is conversely proportional to your dependence on it. People create "monocultures" because they value convenience. Open source is not immune to that.

Open-source monoculture just as risky

[davidwr]

You guys under 25 are too young to remember the Morris Worm but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disporportionate impact.

Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.

Re:Open-source monoculture just as risky

[SerpentMage]

Wow we are old ;) I was thinking of the same thing. What worries me about these types of assertions is that Linux is just as much a mono culture as Windows.

At an OSCON talk, there was this business guy. His assertion was that if Apache were a company then they would be susceptible to monopoly rules like Microsoft should be.

Re:Open-source monoculture just as risky

[daivdg]

At the time of the Morris worm there was a Unix monoculture, but this was not because it was open source; it wasn't. Please don't confuse the two. Within the Linux community there is diversity, this is a great defence mechanism. Pick a particular type of application and look at how many separate implementations there are. Sure, Firefox is by far the most popular open source browser, but there's also KHTML and several others. Look at the office products and there's way more to choose from.

The problem is we NEED monoculture to a degree

[Sycraft-fu]

I mean the ultimate objective behind OpenDocument is to obtain a monoculture in the document formats. That different things implement it isn't relivant. Why? Well most likely they'll be refernce code and documents to do that, and most likely people will follow those most of the time (why reinvent the wheel?) and thus if a bug happens, most things will be venurable. You see this with things like the libpng bug that affected so much software.

So, why tolerate this? Well because I for one don't want to have to play with interoperability nightmares. I want a single document format I can share, I want standards in how computers operate so I don't have to relearn everything every time I sit at a new workstation.

The magic of computers is really their ability to share information, and for that to work effectively, standards have to develop and prevail. I do not want to work in a world where my word processor has 150 different save formats and I have to pick the right one depending on the instution with which I'm communicating. I do not want a world where there are 50 different previlant microarchitecutres and no software runs on more than a handful, and so on.

We have to accept that we can have diversity only to a degree. There has to be common grounds. Yes, those are going to be potential points for an infection to pass. Well, that's unfortunate, but it's simply something we need to live with if we want easily interoperable computers.

Just breaking things in to a "duoculture" wouldn't really solve much. I mean lets say we achive that with Linux, 50% Linux, 50% Windows. Ok fine, what happens now, in additon to exploits that happen to affect both, is that stuff still spreads, just among it's subset, or malicious authors start making viruses have dual payloads that execute the right one on the right platform.

To really have any significant effect, you'd have to have hundreds of different types all mixed together that were minimally interoperable. For example Linux running Wine to use Win32 programs does no good, now it executes the same code and thus is venurable in the same way.

Trying to avoid common systems and formats for security may be valid in an isolated, secure environment but it just doesn't work in computing at large. We want interoperable computers and we strive for it (well, some companies like to try and stand in the way of that). That, by necessity, means that there's more possible vector for infection. Hell, when you get down to it, we could really clean all this up by eliminating the TCP/IP monoculture. If every organization used their own proprietary network, then it'd be real hard for an infection to spread outside an organization. However I hardly think that's the answer.

To me his peice seems like just so much anti-MS rehetoric. He's pushing ODF, which is a standard intended for interoperability, intended to create a document format monoculture. Yes, any word processor could use it, but like I said, that doesn't really gain you anything. He seems to be pushing for switching from one to another, rather than pushing for real fragmentation.

Re:Stupid Analogies

In IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture

Just because your analogy "sounds right" doesn't make make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way. And if you take the analogy for anything more than a mild curiosity, it really exposes your underlying idiocy.

They do actually work in similar ways.

Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.

ecological factors create monocultures in biological species as well. economic and ecological come from similar roots and differ only with nomos and logos, the law and the word. There isn't that much separating the two, and in fact, a famous greek book equated called laws with The Word (btw, I'm an atheist).

And how exactly does yet another word virus suddnely prove this theory? It's not like there haven't been many since the paper was published.

This is more than a mere macro virus. As I understand it, it exploits a vulnerability that isn't simply a macro that you have to get asked permission to run.

Uhmm

[NitsujTPU]

from those that subsist in a proprietary monoculture.

Actually, that would be a "monoculture," not just a proprietary one. If everybody ran Linux and such a vulnerability existed, the same thing would happen.

Re:Uhmm

[Vo0k]

If everyone was running the same distro of Linux in the same config.

If I pick Qmail, I'm immune to Sendmail holes. If I pick KOffice, screw OOo bugs. Many Apache exploits hit my webserver running on Boa. If Firefox is compromised, I can pull out Galleon. If I get a Thunderbird exploit, Pine ignores it.

Microsoft is a very deep-reaching monoculture. Not just Windows. You can expect the Windows computer will run MS Office, cooperate with Exchange through Outlook or Outlook Express, use MSIE for the web, the webserver will be IIS, the database will be MSSQL or Access (and predictable which where), so you get lots of machines running all the same software. In case of Linux, thanks to multitude of choices the users have, there is no monoculture, each install is custom-made.

What I never understood

[Budenny]

Isn't it the MS Product Management culture?

You have a PM who is measured on sales. Sales by now are hugely upgrades. The only way to motivate upgrades is new features. So you introduce them, whether they are really needed or wanted, or not. They are then heavily used by the salespeople, before the sale, selling to people who are not the end users of those features.

And so it comes about that IT buys, and what the ordinary user thinks of as a glorified on screen typewriter actually becomes, via Word macros, a powerful if flawed programming language, and what the end user thinks of as a document becomes a program that can wipe his hard drive or change anything at all on his machine it chooses.

This is not about mono culture versus poly. If you had twenty different PMs behaving like this across the whole industry, it would be as bad or worse. Its about feature driven business models in areas where the buyer is not a sophisticated end user of the products. IT buys Office. What does IT really know about using Word to write? Hosts of features can be sold to IT that could never be sold to the people who use the stuff....

I'm sorry, did I read that correctly?

[IDontLinkMondays]

How in God's name would you switch a from MySQL to PostgreSQL to Oracle to MS SQL or to anything. Have you ever actually written a real database application?

Seriously, the amount of time spent switching between any of these system is drastic. For a typical, small database application, there is probably 20k-50k lines of stored procedures. All the different vendors have their own SQL proceedures.

How about securing the databases. I'd love to see how anyone could possibly say that the administration of a transition could possibly be an option. If your problem was MySQL security to begin with, how can you possibly suggest that switching to another database could be easy. The simple administration cost of securing a new server, especially with an existing dataset that was previously developed to be secured on another SQL server would be tremendous.

Switching between PHP and Perl, hehe come on now... I won't even bother wasting my time on this one.

Linux and Solaris.... if you have a security issue on one, you have a security issue on both. The fact is that the majority of security bugs that would be related to these is due to servers that are either not kept up to date or due to zero-day exploits. Both server systems are actively hacked and are high level targets for crackers. It doesn't matter which you use, you have to update both pretty much the same way, switching is a waste of time and money.

So, if you were to reason that the original posters comment was regarding the monoculture of PHP/MySQL/Linux, well I'll make it simple....

The open source community forces this crap down our throughts all the time, they love this solution, it works more or less. There are books on it. There are sections on Orielly's website dedicated to it. It's advertised regularly everywhere. This solution is chosen not specifically on its merits for simplicity/stability/security, but it chosen because it is relatively simple, relatively stable, and relatively secure, AND most importantly, it's Open Pop Culture.

I know a bunch of sales people that love to sell the hell out of the solution because it's fun to say LAMP. They don't know what it means, but they make up all kinds of neat new industry sales terms regularly to make them sounds like they have a clue... they don't. Oh, they also think P stands for PHP or Perl, not both. They don't understand how a letter can be variable.

So, before you put your 2 cents in, think first. Your rinky dink 50 line PHP scripts for changing passwords is not representative of a full mature system. In a real development work, we use features like stored procedures, complex views, server specific indexes. Also, just because your blog hasn't been hacked, don't think that just installing a new SQL server is actually going to secure anything, some of us have actually spent hundreds, if not thousands of hours just setting securities and permissions to different data sets.

The LAMP monoculture is real, it is there. Once you use it, you're locked into it. There is no transitioning from one to another.

Now if I misunderstood you and you really meant that Linux/MySQL/PHP itself wasn't a monoculture because you can choose different options when you're first starting... well ok, that may be true, but the majority doesn't. Perl rarely appears on the web anymore, the web is typically PHP, ASP, or JSP. I don't have exact numbers, but if you want to make me look like an idiot, post real numbers with reference that contradicts me. LAMPHP is a monoculture because it's used so often that lack of talent on the other solutions keeps it that way.

No go and try to sound like you know something somewhere else

Yeah for competition

[Enderandrew]

Big corporations love stability. They love consistency. They fear the unknown. They love going with the de facto standard, and keeping it standard across the board. So while people may argue against monoculture, don't expect it to change in big corporate environments.

And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products.

For real research on the subject

[erwejo]

While I do enjoy someone writing a think piece on the idea of the dangers of a mono-culture. This work has been throughly research by Stephanie Forrest ( http://www.cs.unm.edu/~forrest/ ) at the university of new mexico via the sante fe institue and the complex systems program at the University of Michigan. For anyone that wants to acutally learn more about the application of immunization models to computer security, I suggest you check out her research.

A failure in the hypothesis.

[ZombieRoboNinja]

The "monoculture bomb" analogy only goes so far before failing. When we're talking about corn or something like that, obviously a specific engineered disease could cause widespread devastation. But in the computer world, viruses can do far more insidious things than just shut down a network, and a polyculture might actually make that easier.

Let's say you've got a hacker who wants access to a file on your network that a bunch of users have access to. In this case, the hacker isn't trying to infect ALL the computers; any one of them will do. In this case, a polyculture actually HURTS security, becuase the hacker only has to find one flaw in any of the many different applications people are running. Can't hack his way into Word? That's okay, some nerd in the office is running StarOffice and he can find a backdoor for that. Or whatever.

Not to mention, in a monoculture it's easier to standardize training and security. The security guys in an all-Windows place only need to keep up with the (legion) Windows vulnerabilities out there. In a polyculture environment, they have to know about Windows vulnerabilities PLUS Linux, Mac, and all sorts of other vulnerabilities, because one compromised computer can mean a whole lot of lost information.