Microsoft, Monocultures, Security FUD & Other Fun 509
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
They still don't get it (Score:5, Insightful)
And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.
I hope he's wrong ... (Score:5, Insightful)
Open for exploit (Score:5, Insightful)
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
That is our economys achilles heel, Windows.
Re:They still don't get it (Score:5, Insightful)
KIDDING!!!
The article does miss a more important point that they do touch upon [sadly I'm siding with MSFT here...] is that "if you don't fence in the crops deer will eat it all".
A stupid windows user will be an even more stupid linux user. Sorry to tell y'all this. Them the breaks.
What's worse is distros like Redhat which feature binary updates are totally not scalable. Gentoo is one decent approach but requires a hell of a lot of patience to get going [and update when things like KDE pop up].
All in all, MSFT sucks for being slow with updates and for using proprietary standards. Most OSS sucks for being hard to configure [for newbies] and occasionally slow/tiresome to deal with.
So moral? Update as much as you can, don't run every binary you find, use a virus scanner [keep it up to date] and use a firewall. Heck even the stupid WinXP firewall is sufficient to protect users from most default settings virii [e.g. messenger virus, etc].
Tom
Fan-Out is the Killer (Score:3, Insightful)
Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.
Connectivity is the real driver of infection.
What Microsoft doesn't want is *Standards* (Score:5, Insightful)
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
Re:Interesting spin ... (Score:2, Insightful)
Additionally, we would not have such robust technologies as "Intrusion Prevention Systems". as there would have been no demand for it.
and my skills as an information security professional would be less in demand if we all ran *BSD.
Hah! (Score:5, Insightful)
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
Migration from Microsoft (Score:3, Insightful)
unsound refutation from MS (Score:5, Insightful)
This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
Re:They still don't get it (Score:5, Insightful)
Re:I hope he's wrong ... (Score:4, Insightful)
Re:I hope he's wrong ... (Score:5, Insightful)
But this is just foolish. Doesn't Microsoft explicitly say that Windows is not to be used for critical systems? There are special (i.e., non-mainstream) operating systems which are expressly designed for use in critical systems so that the problems caused by worms, etc. doesn't happen. If someone dies because of a Windows worm, it's the fault of the programmer who made a bad choice of the embedded system.
We suggest you reboot... (Score:5, Insightful)
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
Re:These reporters are a little bit confused... (Score:5, Insightful)
Specifically, overflow attacks like to jump the program to the buffer they have written, or a copy thereof. And in that buffer the code needs to reuse existing imports (library calls) so that they can do bad things. If everything moved around during load, exploitation would be harder. Then again, so would processing a core dump
personally, I think there is a better solution, stop using 'buffer overflow' languages like C, C++. Anything else: perl, python, java, C# is more secure. Why are all our systems built on such a foundation of instability?
i hate this ... (Score:5, Insightful)
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
Re:The trouble with diversity (Score:4, Insightful)
ahh, the irony... (Score:5, Insightful)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:2, Insightful)
--
More whistleblowing in my sig.
Re:I hope he's wrong ... (Score:3, Insightful)
>is NO WARRANTY with the software.
And that would matter HOW, if the law of a country would say otherwise? In many countries one simply can't get away from responsability through contract terms like that.
Re:Hah! (Score:3, Insightful)
Re:Hate to admit it... (Score:5, Insightful)
As long as basic services are needed, I don't see any problem at all. Use NFS, use SAMBA, use CUPS -- use your protocol of choice where you get clients for all platforms. So far no problem.
We're running Macs, Windows, Linux, BSD, different incarnations of Solaris, Irix, HP-UX, yet even some embedded stuff like vxWorks. No problem to share drives or print to shared printers. No problem to send and receive emails, surf the web.
And all without nightmares.
Re:cant deny msoft does good things also (Score:5, Insightful)
What has microsoft actually created that anyone is intested in?
The browser? no Netscape developed that.
Graphic interface? No Xerox and Apple developed that
digital music? no MP3 and Napster developed that
Plug and Play? no Apple developed that
desktop publishing? once again Apple
multitastking? Unix
desktop video? Amiga
DOS? bought from another company
Perhaps MS developed some business apps, but I suspect that eveything in the Office suite was developed by some one else first.
Please give me some examples of any tech, that is worthwhile, that MS pioneered. I think virii and adware are the only techs that MS truly owns.
Re:They still don't get it (Score:3, Insightful)
Re:I guess ... (Score:5, Insightful)
Re:I hope he's wrong ... (Score:4, Insightful)
You will likely find them doing things like maintaining records of drug allergies, insurance coverage, etc. If those systems fail, people will hopefully fall back on manual records (assuming they exist in an accessable format), but that will introduce delays in treatment and admissions, which might well indirectly result in deaths.
Re:They still don't get it (Score:2, Insightful)
Comment removed (Score:5, Insightful)
Open Standards can kill MS anyway (Score:5, Insightful)
Diversity is great... (Score:5, Insightful)
Re:The real problem is... (Score:3, Insightful)
When writing for the then upcoming NT5, we were supposed to assume that there would be very limited access by non-OS software to anything n the \windows\ directories. Judging by the ease that some VB scripts running in the IE browser use ActiveX to overwrite stuff there, I bet that restriction got lost before shipping. (Yeah yeah, "IE is now part of the OS". Bah!)
Re:These reporters are a little bit confused... (Score:5, Insightful)
What's nonfunctional code doing in there in the first place? I've lost count of the number of times someone has posted on LKML, "I'm removing frobnicate_foo() because I just rewrote the last place that calls it and it's not needed anymore," or, "I just realized that nothing calls x() anymore, so here's a patch to remove it."
Re:Apple's worse (Score:5, Insightful)
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymoreExcept that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.Re:Interesting spin ... (Score:2, Insightful)
Another interesting spin ... (Score:5, Insightful)
Re:They still don't get it (Score:4, Insightful)
sPh
Re:I hope he's wrong ... (Score:1, Insightful)
Power management systems.
Telephone systems.
Traffic light central schedulers.
Food shipment order systems.
All of these are frequently (and alas, unfortunately!) Windows based. Oh, you only asked for *one* example and I gave you four? Whoops....
Re:Fan-Out is the Killer (Score:5, Insightful)
If I have a Windows box and a Linux box sitting side by side, each able to perform all the critical functions of the other, then a virus has to effect them both at the same time for me to lose functionality. When Blaster hits the Windows box I'm free to take it offline to clean it up. Vice versa for a *nix worm. Personally I add a Mac into the mix for three way security.
This doesn't mean I can't get hit by a virus. It means that a virus can't take me down. And that's the point. Not that infections don't spread, but that infections are genetically specific. Your email worm targeted at a Windows address book, can't even find the address book on my Linux box. The mutt exploit is worthless against my Windows box. The Mac just keeps chugging along, mostly because no one cares to waste time writing a virus for a system even more obscure than Linux (That would be OS8 for those Mac heads about to pounce on me for saying that Macs are popular).
Resilience through diversity, not absolute immunity.
KFG
Re:The trouble with diversity (Score:3, Insightful)
Re:Not monoculture, just laziness... (Score:3, Insightful)
That brick helps prevent *funding* or release of new products that would provide basic security for VPN use, built-in Ethernet encryption to protect us from packet sniffing, SSH instead of unencrypted telnet for programming routers safely, etc.
Comment removed (Score:3, Insightful)
DevX article author is a tool (Score:5, Insightful)
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.
Re:I guess ... (Score:5, Insightful)
(Heck, every Linux install has the potential to be a potentially new OS; my kernel is most likely the only kernel exactly like it in the world, as as I use gentoo, even a lot of the support programs are customized and potentially unique. I've tried five or six binary vulnerabilities that Linux programs are vulnerable to, and while several managed to crash my computer, not a single one of them has resulted in privilege escalation or anything meaningful, because my system is so different at the binary level from anybody else's. Even to the extent that Linux is a monoculture I've not suffered the price of living in a monoculture.)
Re:They still don't get it (Score:2, Insightful)
Which begs the question of whether you need "true diversity."
My slightly uneducated guess is that semi-true diversity would work just fine. After all, think of it this way: with simply one other computing platform to choose from, you've just increased the number of options you have by 100%.
Re:I guess ... (Score:5, Insightful)
is not monoculture, is evolution. (Score:5, Insightful)
connected to Internet in the world?
A: IPV4
Q:What is the single mail protocol used by all
computers connected to the internet?
A: SMTP
Q:What is the single protocol used to search the
Internet and exchange most information over the
Internet?
A: HTTP
According to evolution, diversity is the
consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the
consequence of a changing environment. A
changing environment is the consequence of a
finite amount of resources and competition.
The Internet in it's current stage resources are
plenty and competition is little.
Internet is currently in the specialization
stage. The Internet has not being forced(YET) to
depart from it's standard protocols (mutate) to
survive an attack.
Forcing diversity (by mandate rather of natural
competition) not only makes the system less
robust, it slows down evolution.
Re:Interesting spin ... (Score:4, Insightful)
Simulation (Score:5, Insightful)
My paper on worm propagation [lemuria.org] from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Re:The real problem is... (Score:5, Insightful)
And Microsoft's goal (gaol) of backwards compatibility ensures that these misfeatures will stay in the infrastructure indefinitely. I realized this yesterday when cleaning spyware off a friend's Windoze box.
Windows has so many legacy interfaces for loading programs at boot like win.ini, autoexec.bat, ect. that no longer have a pratical purpose, are easily exploitable, are are in a word, "cruft". Their OS is full of this cruft, and it will continue to become more so, as long as Microsoft continues their indiscrimate adding of features without regard to security.
USB not "generally superior" (Score:1, Insightful)
USB is not "Generally superior" for many things. Printers, for example. Stuff prints out the same on your typical inkjet whether or not it is plugged in through a Centronix port or USB.
Re:They still don't get it (Score:5, Insightful)
Realistically, this is only true if the stupid windows user adds himself to the admins group (or signs in as administrator) and the linux user does not. It's just as possible for someone to always logon as root in linux or to add root permissions to their daily-logon account in linux as it is to do the equivalent in Windows!
The only way your comment makes sense is if you're not distinguishing between the myriad versions of Windows that are out there. Windows 98, sure... you were able to easily spork the entire computer -- 6 years ago. Windows 2000 and XP give you all the power you need to not make your daily-logon account an admin by default.
Imagine the uproar on Slashdot if Windows apologists showed up here (every day) posting things like "Linux has a local root exploit" and provided a link to some Redhat 5.2 hack from 6 years ago. Come on.
Re:Apple's worse (Score:1, Insightful)
Given the number of users, it's much more likely that USB only became ubiquitous because Win98 finally provided decent support for it.
Comment removed (Score:4, Insightful)
Re:I suppose it's wrong to mention... (Score:3, Insightful)
While the core product is the same, the fact that it runs on dozens of OSs alone makes for a lot of difference. For many low-level attacks, offsets will be different, or compiler flaws exist on one system, but not another.
This is partly true for the windos world as well. Some of the attacks we've seen recently require slightly different code for XP and NT, for example.
Re:Interesting spin ... (Score:2, Insightful)
I think the appropriate analogy here would be the early days of railroad. It used to be that each train company had their own standard for the width of the rails. The train engines and cars from one company could not fit on the rails from a competing railway.
Obviously, it would be *impossible* to connect the entire country by rails unless a single company owned all of the tracks.
Re:cant deny msoft does good things also (Score:3, Insightful)
Maybe Lotus, Wordperfect and Borland? I remember an ad from Wordperfect that listed the "whats new" of Office 95 or 97, and on the side they put the year since WordPerfect had it, all several of years before, even a lot in the 80's.
Most of their "innovations" were copying (good examples above), licensing (i.e. ms sql->sybase) or buying (vbasic, frontpage) technology from others.
But of course, we can deny the hand of MS in all their derived products. Now we can be hacked/infected reading email, having a database accesible thru internet or opening a spreadsheet, things that before was calified as impossible or a joke.
Re:The problem is not monoculture... (Score:2, Insightful)
No one is hacking windows with NERO (a great product). No one is hacking Linux with xroast, or cdbakeoven or cdrecord.
No one is hacking a Linux or Windows box with Java. However, Windows boxes are being hacked with ActiveX.
Why, because by the above definition of crappy software, Nero, Java, cdbakeoven, xroast and cdrecord are not crappy software. Whereas ActiveX ,Outlook, IISS, Exchange Server, and Internet Explorer are crappy (read insecure) software.
Re:Interesting spin ... (Score:3, Insightful)
B) Evolution is specifically designed to "be like Outlook" It has a look/feel about it that mimics Outlook. Basically, Open Office, Mozilla, and Evolution (and a number of other apps) simply try to be a better widget than Microsoft's version. If Microsoft had chosen to release Office for platforms other than Windows & Mac, and had chosen to play nicely instead of trying lock-in via file-format (and the 3 Es), most of these products wouldn't exist now or would be much less developed because there'd be much less motivation to have them.
All that aside, I was simply attempting to be witty through the clever use of irony. Microsoft says basically, "If not for us, we wouldn't have so much innovation..." and I agree. If not for their sub-optimal products, draconian licensing, underhanded tricks, etc., many of the really awesome and cool technologies we enjoy *wouldn't* exist...but that's not because Microsoft made them. Microsoft just made them possible and (by their own actions) inevitable.
And I find that ironic, and funny...but this needn't be mod'ed as such.
Re:i hate this ... (Score:3, Insightful)
No, sorry, but an OS is responsible for the interaction between a human and a machine, and nothing else.
If a humans' interaction with the machine requires that that machine be 'integral' with other machines, then this is the job of the Operating System
The reason it is so difficult to integrate Microsoft operating systems with other OS's (and not the other way around) is because Microsoft don't produce an 'operating system', they produce an 'operating system + suite
If Microsoft really cared about integration, it wouldn't be an issue. They would use open specs, and open protocols for everything (not just the 2% of their system services demanded by the market...) But the problem is, they -know that integration is a key point for an operating system- and thats why they blur the lines between what is an 'integration model' and what is an 'application model'.
It is next to impossible to sync a users' home dirs on a Windows box and a Unix box, on Windows. Its totally possible to do it the other way around, sync'ing 'from unix'
"Integration", to Microsoft, means "Embraced, Extended".
Re:is not monoculture, is evolution. (Score:4, Insightful)
Re:I suppose it's wrong to mention... (Score:3, Insightful)
This is an assertion that cannot be backed up. I've had NT 4.0 webserver that have run years without compromise, and I've seen poorly-run Apache systems that were hacked within 30 minutes of going live. You can say that Apache is much more secure than IIS by default, but an experienced administrator can secure any box, even an IIS one.
It all comes down to knowing what you're doing and which platform you're more familiar with. I'd rather have an IIS box run by a guru-level administrator than a Linux/Apache box run by a newbie anyday.
Re:They still don't get it (Score:3, Insightful)
No security?!? (Score:3, Insightful)
Re:They still don't get it (Score:5, Insightful)
ARE THE SAME FUCKING THING ON A HOME PC.
As for modding the kernel you have to have root privileges to mod your
The truth is you have to login as root to admin then as your user to use it. hence the name "user". You can't admin a box from a non-root account without chmod 777 all of your dirs/files in which case what's the point?
So the clueless newb will either run linux as root or login as root and install everything they see under the sun [re: virii]
Thanks, you fail it.
The solution is really smarter users. They have to know what a root account means and how to use it properly otherwise you need automation which we know is often exploitable.
Tom
Re:I guess ... (Score:4, Insightful)
That being said, I don't have that much of an issue with the Windows OS itself. Including it as another tool in IT's belt to be used in specific situations is a good thing to have.
The problem I have is the predisposition of Windows' advocates to have tunnel vision with respect to the use of said tools. IMHO, Windows is a square peg and every problem is a hole of varying shape that possibly needs to be modified to fit that peg. Couple this with a marketing engine that is second to none in the IT world, and you end up with the situation that Geer describes in which 95% of the desktops and perhaps 50% of the servers in the world are vulnerable to individual bugs and attacks. IOW, just one nasty bug can wipe out nearly the world's entire IT infrastructure because of the lack of genetic diversity.
Please note -- I'm not knocking Windows itself as an OS. As I mentioned before, it fits in certain situations. I am specifically targetting the misguided directions of our IT management, programmers, and the Microsoft marketing departments that have put us in this situation. This is yet another human problem -- not a technological one -- and one that could have been, and can yet be fixed.
Re:The real problem is... (Score:2, Insightful)
average windows users (Score:2, Insightful)
he's a typical windows user. he does think of security. he doesn't do anything stupid outright. he insists on running a virus scanner, although he doesn't know how or why to update it, so he never does. he runs a firewall but again, does'nt update.
he's a typical home windows user. typical people are scared of virus's (because of the news coverage) but do not now how to protect themselves, nor know where to find information. He doesn't ever update windows because he doesn't have time / doesn't know how. he runs windows 98 because it 'just works'.
no matter how fast microsoft patch things, if they dont release a product thats secure upon release, whats the point to home users? thats a good reason why people should use alternatives.
Re:They still don't get it (Score:3, Insightful)
I dunno where you get your facts but most people I know admin their own windows boxes. Most newbies I know either ignore updates or attempt them theirselves.
There is no "sandbox" in either OS though. At some point you have to run as super to install updates. That will be your point of vulnerability. Sure Linux [and all other Unix like OSes] benefit from having a non-root "sandbox'ed like" user but that doesn't stop them from running viruses as their user [e.g. DDOS zombie, wipe all their files, etc].
The point isn't that Windows is insecure it's that most users don't setup/use their computer properly. Changing the OS won't really solve this problem.
Tom
Re:is not monoculture, is evolution. (Score:2, Insightful)
However: all protocols need to be implemented and every and all implementations will have bugs. To have a monoculture of implementation will cause there to be a monoculture of one of more bugs which are things outside of the protocol, which should not happen but sometimes it does... if one fails, they all fail.
IPv4 is so trivial that I could write (have writen) my own, but what is the point?... My MTA (SMTP protocol) is postfix, my web server (http, webdav) is Apache1, but there are others out there and not many people have the same as me...
Mutating Software (Score:3, Insightful)
If there is non-functional code that can be modified without causing problems, shouldn't that code be removed?
Re:May be legal, but also stupid (Score:2, Insightful)
So, novel writers shouldn't read work done by authors in the same field, movies makers shoudln't watch other movies, musicians shouldn't listen to music, and so on ?
Reading what other people did in the same area (same kind of novels, movies, music,
There is no mystery why most sci-fi writers were sci-fi readers during their teens, why most musicians were music lovers and why most movies makers where movies addict. The same goes for programmers: reading other people's source code to get ideas you can use (adding your own idea in the mixture) in your programs is the only way to make better and better programs. That's why patents are so bad in the computing field: because program writing is, in some aspects, more akin to book writing than to classical engineering.
Plagiarism is what I could call "search and replace copy and paste", like, you copy and paste and then rename all the variables... this si still copy and paste. A true rewrite of the same global ideas isn't plagiarism.
Network Diversification and the Potato Famine (Score:3, Insightful)
Re:They still don't get it (Score:3, Insightful)
But you're only scratching the surface, and you know it. Security is a lot more than access to the root account. No point in going into detail, as it's bloody obvious.
Re:Not monoculture, just laziness... (Score:3, Insightful)
1. Both Unix and Linux came out of unstressed environments.
2. The PC market has led to hysterical commercialism.
Today we see a planned obsolescence that even the US automotive industry would be ashamed of. As Mark Minasi found when interviewing marketing suits for his book 'The Software Conspiracy', the suits know about security and bugs, but they deliberately prioritise them down.
They need to get to market instead.
Unix had its exploits in the beginning. It was dead easy to install a trojan at the login screen. Heck, I devised a hack that worked on all SVR4 machines to take over root. It's just that Unix and Linux have both had a chance to mature without all this hysterical going-on plaguing the market Microsoft is in.
Plus, and this is a no-brainer: there are a lot more talented people working at Bell Labs and with Linus.