Microsoft, Monocultures, Security FUD & Other Fun
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture", has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becoming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Geer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc)." Somewhat related, there have been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed, article run on DevX.
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Interesting)
Interesting spin ... (Score:5, Interesting)
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Really? Could someone more familiar with Microsoft and their products kindly give me examples?
Remember folks the def for monoculture (Score:0, Interesting)
Monoculture refers to a system (i.e. culture) in which you have like micro systems (cells)... in other words the micro and macro systems are integrated together, and this is the reason why infections are so effective!
Now in PCs, for example, Unix-like systems are not on the whole a monoculture, whereas MS Windows is... why?
Because the infrastructure to produce the micro system, in this case the OS, is different between MS and Unix-like systems, and different between Unix flavours!
If all Unix flavours were using the exact same kernel architecture, development model, etc., then yes, it would be a monoculture...
A lot of educated biologists and computer professionals are getting this def wrong...
Let's think a little, shall we?
Of course if you are reading my blog (shareMe Technologies), then you already know I like to think and reason through problems, trends, etc...
Re:They still don't get it (Score:5, Interesting)
And not only do they want us to run their OS, they want to make sure you are integrating their Office and collaboration (think .NET) programs.
To get the full value of Windows.
I think I got enough "full value" of Windows on my users' machines affected by Blaster last fall...
Apple's worse (Score:-1, Interesting)
Whatever problems Microsoft has in this area, Apple is much worse, even forcing you into a monoculture of quirky, overpriced hardware from one single vendor (guess what, the one that sells the software).
The Microsoft world, hardware wise, is much more open than this, with hardware standards establishing themselves because they are the best (and beat out competitors) rather than because of a law laid down by someone in an ivory tower in Cupertino.
An example of where this doesn't work is Apple's blunders with "no floppy on the iMac" and "no standard interfaces: use USB before it is ready". This resulted in a booming industry of add-on dongle drives and USB-to-standard converter cables: Apple tried to ban floppies and standard interfaces at a time when they were still very useful.
In contrast, the PC world dropped floppies and non-USB interfaces much later, only after they were not that useful anymore.
...picking /self off floor (Score:0, Interesting)
Re:Remember folks the def for monoculture (Score:2, Interesting)
Re:Interesting spin ... (Score:5, Interesting)
USB comes to mind but I think Apple beat them to it?
Well... (Score:0, Interesting)
These reporters are a little bit confused... (Score:2, Interesting)
"Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
First of all, since when are only nonfunctional portions of software targeted? A buffer overrun can occur in any portion of code. Second, exactly how would you identify nonfunctional versus functional code, and what mutations could you possibly make to it? Make a bad pointer point to even worse memory? I just don't get it. Looks like another $750K wasted on stupid research.
Hate to admit it... (Score:4, Interesting)
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened
It's hard enough to get Novell, Macs, PCs, Windows servers, and SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 OSes to integrate.
The problem is not monoculture... (Score:3, Interesting)
Would the IT world be a more stable, reliable & secure place if 95% of the world's computers ran OpenBSD?
The problem is crappy software, not closed source commercial software.
It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Interesting)
I think the better encouragement is not to *keep* the source code. It would be quite difficult for MS to "prove" that any given developer had seen the purloined source, barring the conspiratorial notion that MS is running false-flagged IRC channels and web sites and collecting evidence on who is grabbing it. But not keeping a copy of it (which would be illegal anyway), they remove the easiest proof that they have been tainted by it.
Re:Interesting spin ... (Score:5, Interesting)
Let's start a bit earlier... can you say
mouse
GUI
5 1/4" floppies
cd-rom
post-script printing
true-type/open-type
Firewire
and the list goes on
Re:Open for exploit (Score:5, Interesting)
Yet other breeds of potatoes were completely unaffected. It wasn't the reliance on potatoes that was to blame; it was the reliance on one strain of potatoes that was Ireland's Achilles' heel.
And the next year, the Irish planted the same crop. Why? Because that's all they could afford - the English were taxing them to death.
The real problem is... (Score:5, Interesting)
Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.
At the time, it made perfect marketing sense: the king of word processors was WordPerfect, and it offered advanced scripting functions. Microsoft had to duplicate this functionality if it wanted to kick WordPerfect's ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?
The only problem is, of course, that Windows security (3.x was a single-user, single-task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.
Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say, is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS's stupid decisions, they were allowed to run wild.
In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.
They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...
Monoculture not just a Microsoft phenomenon (Score:4, Interesting)
If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.
I suppose it's wrong to mention... (Score:5, Interesting)
As outlined in the article (assuming anyone reads it), critics of Geer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OSes. Apache has the majority market share for all web servers worldwide. What effect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.
To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OSes and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two apps/OSes would be actively discouraged to prevent cross-pollination-type attacks.
It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
The trouble with diversity (Score:5, Interesting)
However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.
People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which compatibility issues and cross-learning would be difficult for most to handle unless the UI for each system is essentially the same.
I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.
Limited Genetic Diversity (Score:5, Interesting)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:4, Interesting)
Besides, if you want to see Microsoft code, use their Visual C++, and get the step into/step over keys backwards. It's easy to accidentally jump inside the cout statement, for example.
And anybody else's code? If you can read assembler, wait for it to GPF. At the college I work at, MSVC++ used to snag any crash and throw it up on the screen as x86 assembler code. (I seem to remember that happening to Netscape 4.x a lot.)
M$ tight integration could cause more harm ... (Score:5, Interesting)
Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.
Just about anyone who writes large software knows that you have to make it modular in design and, if possible, strive for modules as independent as possible to reduce risk and propagation of faults. Consider this: even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.
While M$ tries to give you a big bloated piece of software with the OS and THEIR apps tightly integrated, look at what the people doing micro-kernels are doing. They are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent from each other -- though they may use the services provided by the other). But there is no need for that particular app, just any app providing that service.
Re:Hate to admit it... (Score:2, Interesting)
Re:Interesting spin ... (Score:2, Interesting)
> other respects. One can ask his neighbor if he doesn't know how to do something. Most documents are
> in the same, albeit proprietary, formats.
Looking at the consumer electronics industry I'd say this argument doesn't hold.
My neighbor can easily ask me how to do a certain thing with her CD player/DVD player/video recorder, while hers use an entirely different internal operating system than the ones I own.
What they do is comply with a common set of standards regarding media, and offer enough similarity in operation for as far as the user is concerned.
> If there truly were thousands of operating systems, it would also be quite hard to just go to
> a store and buy additional hardware or software that is guaranteed, or even likely, to work.
How interesting. Why is this possible when it comes to other complex consumer electronics then?
I can buy a sony dvd player and connect it to a panasonic TV set without any trouble, and it is very likely to work, and in quite a few cases guaranteed to work.
You make the same mistake as Microsoft: you are confusing standards with implementations.
Re:I guess ... (Score:5, Interesting)
Luckily, the climate is changing, but it is ever so slowly...
Re:Apple's worse (Score:5, Interesting)
PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.
Apple can act as the gentle motivational herder, because they have complete control over their flock, as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
PC manufacturers have no choice, as there is less unity and it is human nature to be wary of new things, and to want to stick to what is tried and tested. In this scenario where it is impossible to move the flock forward as a whole (as the direction of the industry is dictated by many) it must first be shown and proven that the newer technology is superior.
So I would hardly call this scenario a 'blunder' on Apple's behalf! Quite the opposite in fact - I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.
Re:Not monoculture, just laziness... (Score:2, Interesting)
Since we are relating things to biology, you could say this is survival of the fittest. People who are willing to change their bad habits on the internet will 'survive'.
The Wall has been Breached (Score:5, Interesting)
The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.
Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".
The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.
Word of the Day: frisson (Score:4, Interesting)
frisson
n: an almost pleasurable sensation of fright; "a frisson of surprise shot through him". Syn: shiver, chill, quiver, shudder, thrill, tingle.
Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.
Re:Another older monoculture (Score:3, Interesting)
I do agree that we need different, non-Unix OS's to be available, but your comparison isn't valid.
Chris
Tinfoil Hats and ReactOS (Score:1, Interesting)
Re:Apple's worse (Score:4, Interesting)
Because only complete morons say that.
Serial ports have their place and will be here for a really long time. I dare you to config a Cisco router or switch with your USB port. Or I dare you to configure any of the middle to high-end home automation equipment out there with your USB port.
USB is excellent for low-performance, high-bitrate data transfers... FireWire beats it to hell for performance needs (ever wonder why you can't get high-end DV cameras with USB?) and RS232/RS485 serial is better than anything that USB or FireWire can do for low-speed, high-reliability uses.
Apple did NOT force the adoption of USB... the explosion of cheap USB products came with the release of cheap USB interface chipsets.
Re:I guess ... (Score:2, Interesting)
When M$ finally dies the well-deserved and overdue death, we can still have a lot of diversity without them.
Let's see:
Linux (dozens of distros)
*BSD (several variants)
MacOS
Solaris and other *nixes
Plan9 and other obscurities
I'm not so sure anymore if I can count properly, but that sounds a lot more diverse to me than:
windos (some variants)
uh, whatever those freaks nobody cares about use
Re:I suppose it's wrong to mention... (Score:3, Interesting)
If I didn't know better, I'd say that's a derogatory comment. Not a good way to start off your response if you want to be taken objectively.
But did you critically evaluate whether his argument that we'd need ridiculous numbers of OSes is sound? Ireland didn't need thousands of breeds of potatoes for its population to all survive the potato blight; a handful of still-viable varieties would have been enough to feed them.
All analogies break down at some point (yet another paraphrasing job, I'm afraid). You say a handful of still-viable varieties would be enough. What if a virus targeted those? To achieve total practical immunity, each organism (or application/OS) would have to be unique. Obviously that's impractical, so what you're actually arguing is at what level is the risk acceptable?
Likewise, in an alternate universe where the desktop computer landscape today was a roughly even mix of Windows, Mac OS, Linux, BSD, OS/2, BeOS, and Amiga, the "network effect" that spreads malware like wildfire in our universe would be drastically reduced.
Productivity would almost certainly be similarly reduced due to lack of high-level interoperability between these disparate platforms. Oh, sure, you'd have some base level of commonality amongst all of them (a potential attack vector, by the way), but what you'd end up with is lowest-common-denominator functionality. That is not a blueprint for progress. New functionality would then only come as a result of consensus between competing vendors, traditionally a long, drawn out process. Further, customers just don't like to wait for that stuff. Outlook is a prime example. It introduced a number of non-standard ways for dealing with email (many of which have resulted in security holes, BTW), but consumers loved it enough to eschew the standards-based alternatives. This has been the case in software for decades (remember when Netscape flouted the HTML standards committee on frames?) and is not likely to change.
You're right that Linux won't "fix it all". But a duoculture is more robust than a monoculture, and a true multiculture - even if it consisted of equal numbers of just the top four of the desktop OSes I mentioned - would be even more so.
Again, you completely ignore the possible effects any such duo- or multiculture might introduce into the current setup. Right now, people can exchange data between monocultures pretty seamlessly, flawlessly, and effortlessly. By going to a duoculture you may double the work a hacker may do, but you've also doubled the number of points of failure for software interoperability, you've doubled the technical support requirements of both helpdesks and software developers, and you've potentially (worst case) halved the productivity of people trying to exchange data between differing platforms. These are not insignificant concerns.
You also can't argue that these disparate platforms would ever work well together. By definition of avoidance of monoculture, convergence of the platforms would almost have to be actively discouraged; history has shown us that convergence is a natural phenomenon with any group of disparate programs that are expected to work together. Any such convergence would again lead us to a quasi-monoculture scenario where an attack vector exists where application/OS overlap and interoperability exist.
In short, you can't have it both ways. Users like programs and systems that work together easily, yet those same systems are at higher risk to attack due to that same interoperability. Removing that attack vector would also remove many productivity-enhancing tools and methodologies we've gained due to greater software integration. I don't know about you, but it's been my experience that if users have to choose between security and functionality, they choose functionality almost exclusively. After, Windows and Office offer lo
Nothing new (Score:5, Interesting)
Which Culture? (Score:4, Interesting)
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo [yahoo.com], talking about Dan Geer and his theories of how the Microsoft monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Ma'am
I found it intriguing that, as the AP article mentioned:
Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia [secunia.com] and their product listing [secunia.com]. Doesn't anyone care that Solaris 9 [secunia.com] had more advisories (42) in 2003 than Windows 2000 Server [secunia.com] (36)? Doesn't it scare anyone that, while Windows XP Home edition [secunia.com] had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 [secunia.com] had 186!
Doesn't Open Source claim [devx.com] to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
Are these people frickin' bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension [sun.com]. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforeseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Myopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
Re:MS Open Source Is Fertile Ground for Foul Play (Score:3, Interesting)
And how well has that worked for SCO so far? It'd be easier for MS to do what's often been claimed about the SCO code -- deliberate insertion to claim copyright violation.
What you claim *may* be true for code like WINE or Samba, which has to work very closely with Windows, but I'd imagine those developers long ago got careful about what code they inserted and what they exposed themselves to. It'd be harder for something like Sendmail or another application which is written to follow a public spec or standard.
"Big News" Fueled by a Slashdotting? (Score:4, Interesting)
Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?
Re:They still don't get it (Score:3, Interesting)
I'm speaking from an IT perspective, if I could switch all the people I support from windows to linux
Linux can be made to be idiot proof and beyond.
Linux can be dumbed down so a 2-year-old can use it. I know, I have a 2-year-old living with me; after I log him in he can use the mouse and click on the 4 different icons on the desktop (the only 4 accessible things to him) to hear the 4 Sesame Street characters sing.
Windows is dumbed down to the kindergarten level. Even if you're an IT wizard using XP, you're using an interface written for a 5 year old.
Re:MS Open Source Is Fertile Ground for Foul Play (Score:3, Interesting)
Windows does what it was designed to do very well: be an operating system for the masses. Its headaches are caused by managerial nearsightedness and monopolistic practices. Disclaimer: IANA Microsoft employee, or even a Windows programmer; I run Linux and develop cross-Unix (HP, Sun, Linux) software, but still I feel somebody has to give Microsoft developers some credit.
Re:I guess ... (Score:3, Interesting)
That problem is over-inflated here on Slashdot. Microsoft has proven time and time again that they cannot simply make a monopoly out of everything it touches. (XBOX, PocketPC, UltimateTV, etc...) Worse, their popular products have deficiencies that the OSS Community has addressed. Their biggest enemy isn't Microsoft, it's lack of awareness. Follow IBM's lead: Get some commercials on TV. Start an "Advertise Linux" fund. Get the PHBs out there who sign expense checks to understand that it's not just some hobbyist project that couldn't possibly be taken seriously like Microsoft's business products.
Don't be so quick to dismiss what I'm saying. Microsoft is creating opportunities left and right for you guys (blaster, MyDoom, etc), and you're doing a terrible job of taking advantage of them.
Re:average windows users (Score:1, Interesting)
Quite often they ask if I have problems like they've experienced (spyware/malware toasting their computer), and I tell them no, but then I use Linux and it's not prone to these problems. Several have asked for a linux install, so I gave them a dual boot option to test it out.
Re:They still don't get it (Score:2, Interesting)
Too bad the first user that signs in is an admin by default in XP Professional. Quite a few programs I've run across won't work unless you're signed in as an administrator.
Giving yourself root permissions (at least on OpenBSD) still requires you to use sudo or su to execute a command using those permissions.
*shrug*
Monocultures can be beneficial (Score:3, Interesting)
The first issue is that many elements of the whole in some computer systems have the same degree of access. Perhaps half of the workstations at a company run Linux and half Windows. If all of them have roughly the same tasks (as opposed to devoting Windows to web browsing and Linux to email reading), then a compromise of *any* of them allows a compromise of all the important data. Many security systems are weakest-link -- if one element can be compromised, the whole system falls. In this case, all having a polyculture does is expose more weaknesses, reducing the security of the system as a whole.
The second element is somewhat similar -- most computer networks have some degree of trust relationship between members. It may be something explicit, like having IP-based rsh auth (though that's a bit of an old problem) or allowing access to various intranet Web pages to any internal computers. It may be just allowing a compromised computer to sniff a network that other computers pass traffic over. In this case, a compromise of one member of the network provides an attack vector against the other members of the network. Again, a polyculture exposes more weaknesses, weakening the security of the system as a whole.
Third, there are security management issues. Most medium or large computer networks have someone or some group with some degree of responsibility for computer security. That group usually has finite resources and budget. Much of their effort can generally be replicated across similar members -- for example, securing a plaintext authentication in Windows means a fix that just has to be replicated across all members in the network. If their time and money must be spread across multiple types of members, they are less able to spend resources on any one group, and each type of member may be less well managed.
Fourth, most networks do not follow a "Russian doll" approach, where a potential cracker must compromise first one computer, then another computer, then another computer to get in to the network proper from the outside. In such a scenario, making each of the dolls different does improve security, since a cracker must compromise all, rather than just one, system. It's pretty common to just have a NATted network with all hosts inside at roughly the same level of internal access, however.
Overall, I *do* think that it's a good idea to move away from "Microsoft only" on computer networks. Competition tends to improve products, and Microsoft has a poor security track record (and doesn't focus on security very well). However, if a CIO has the sole goal of improving security, and has the choice of rolling out Linux or rolling out Kerberos on existing Windows boxes, I'd have to say that rolling out Kerberos is probably going to do more for security.
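The "weakest link" versus "Russian doll" distinction the post above draws can be made concrete with a small risk model. This is an added example, not code from the thread or from any poster; the exploit probabilities, host names and trust edges are all constructed for illustration, and the file server is assumed to be reachable only through other hosts.

```python
"""Toy risk model: does a second platform help or hurt?  Depends entirely on
whether hosts sit side by side with equal access (weakest link) or in series
(Russian doll).  All numbers and hosts below are constructed, not measured."""
from itertools import product

# Assumed per-period probability that a usable remote exploit exists for a
# platform.  Illustrative only.  "server" is the data host, which we assume
# is never exploited directly, so the workstation mix is what is compared.
P_EXPLOIT = {"windows": 0.30, "linux": 0.15, "server": 0.0}

# An edge is (src, dst, needs_exploit):
#   needs_exploit=True  -> src can take over dst only if dst's platform has a
#                          working exploit (a hop the attacker must actually
#                          exploit, as in the post's "Russian doll").
#   needs_exploit=False -> src can take over dst with no exploit at all (an
#                          explicit trust relationship: IP-based rsh auth,
#                          intranet access for any internal host, a sniffable
#                          shared segment, as in the post's second point).
# "internet" is the attacker's starting position.


def compromised_hosts(hosts, edges, exploited):
    """Closure of hosts the attacker owns, starting from the internet."""
    owned = {"internet"}
    changed = True
    while changed:
        changed = False
        for src, dst, needs_exploit in edges:
            if src in owned and dst not in owned:
                if not needs_exploit or hosts[dst] in exploited:
                    owned.add(dst)
                    changed = True
    return owned


def data_loss_probability(hosts, edges, data_host):
    """Enumerate every 'exploit exists / does not' combination per platform
    (assumed independent) and sum the probability of the combinations in
    which the data host ends up owned."""
    platforms = sorted(set(hosts.values()))
    total = 0.0
    for outcome in product((False, True), repeat=len(platforms)):
        prob = 1.0
        exploited = set()
        for plat, hit in zip(platforms, outcome):
            prob *= P_EXPLOIT[plat] if hit else 1.0 - P_EXPLOIT[plat]
            if hit:
                exploited.add(plat)
        if data_host in compromised_hosts(hosts, edges, exploited):
            total += prob
    return total


def flat_network(workstation_platforms):
    """Every workstation is internet-exposed and trusted by the file server:
    the post's first two points (equal access plus trust relationships).
    Adding a platform here only adds ways in."""
    hosts = {"fileserver": "server"}
    edges = []
    for i, plat in enumerate(workstation_platforms):
        ws = "ws%d" % i
        hosts[ws] = plat
        edges.append(("internet", ws, True))      # must exploit the workstation
        edges.append((ws, "fileserver", False))   # ...but then it is trusted
    return data_loss_probability(hosts, edges, "fileserver")


def russian_doll(outer_platform, inner_platform):
    """Attacker must exploit the outer host, then the inner one, before
    reaching the trusted file server: the post's fourth point.  A different
    platform in each layer means two independent exploits are needed."""
    hosts = {"outer": outer_platform, "inner": inner_platform,
             "fileserver": "server"}
    edges = [("internet", "outer", True),
             ("outer", "inner", True),
             ("inner", "fileserver", False)]
    return data_loss_probability(hosts, edges, "fileserver")


if __name__ == "__main__":
    print("flat, all Windows:          %.3f" % flat_network(["windows"] * 4))
    print("flat, Windows+Linux mix:    %.3f" % flat_network(["windows", "linux"] * 2))
    print("layered, Windows/Windows:   %.3f" % russian_doll("windows", "windows"))
    print("layered, Windows/Linux:     %.3f" % russian_doll("windows", "linux"))
```

With the constructed probabilities, the flat mixed network is worse off than the flat all-Windows one (0.405 versus 0.300), while the layered mixed network is far better (0.045 versus 0.300); the Windows/Windows layering gains nothing because one exploit opens both dolls.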