Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Microsoft Linux Business Security

Microsoft, Monocultures, Security FUD & Other Fun 509

techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
This discussion has been archived. No new comments can be posted.

Microsoft, Monocultures, Security FUD & Other Fun

Comments Filter:
  • by anandpur ( 303114 ) on Monday February 16, 2004 @08:49AM (#8293123)
    Now part of MS Windows source code is open on Internet so is "MS Open Source Is Fertile Ground for Foul Play"
    • by syn3rg ( 530741 ) on Monday February 16, 2004 @08:52AM (#8293138) Homepage
      I hope no FOSS developers look at that source. It could "taint by association" -- which makes me wonder if that wasn't the real reason for the release. MS now realizes the fight is over source code. By releasing (through an agent: Mainsoft) the source they can now claim injury if similar methods appear in FOSS.
      • by swb ( 14022 ) on Monday February 16, 2004 @09:12AM (#8293271)
        You're totally right, but it'll be hard for a lot of people to not look at it. I say this tongue in cheek, but people will slow to look at a car wreck -- why not the "Windows" source code? Plus these are highly curious people.

        I think the better encouragement is not to *keep* the source code. It would be quite difficult for MS to "prove" that any given developer had seen the purloined source, barring the conspiratorial notion that MS is running false-flagged IRC channels and web sites and collecting evidence on who is grabbing it. But not keeping a copy of it (which would be illegal anyway), they remove the easiest proof that they have been tainted by it.
      • by Kilobug ( 213978 ) <le-mig_g&epita,fr> on Monday February 16, 2004 @10:19AM (#8293831)
        As I said in the news about the source code leakage, this is a false fear, the same one MS uses about the GPL "do not read GPL code or you'll never be able to write commercial code afterwards".

        Copyright is _NOT_ patent. You can read copyrighted work and then write something similar by yourself. Copyright does not protect ideas, structures, algorithms or data formats. Copyright protectes the actual code - copy/pasting or recopying Windows code into Free Software would be disastrous. Reading Windows source code to understand protocols or formats and then writing your own Free implementation is not.

        Of course, you're not allowed to have windows source code at first, and you can be sued for having it. Not for writing source code with the knowledge you gained for it; the same way that reverse engineering is fordbidden in US, but if you use reverse to write Samba or a XFree driver, Samba or the driver will be legal. You can be sued if it's proven you used reverse, but your code will not.
        • by Anonymous Coward on Monday February 16, 2004 @11:00AM (#8294251)
          Reverse engineering is NOT illegal, you just have to do it carefully. Various companies do it ALL THE TIME. You have one group decompile the program or take apart the device. They then write a specification for the device based on what they learned (bonus points if it's a school). This specification is given to a middle layer which then passes it on to the programming team. The programming team writes code to match the spec they got from the middle layer. The code is no different from what they would write if the spec was simply made from scratch, in fact, the programming team is never told that they're working from a reverse engineered spec. All you have to do is make sure that no one from the decompile team has contact with anyone from the programming team and you're good to go.

          If absolutely nothing else, you can do the reverse engineering in the UK, where reverse engineering is explicitly allowed by law. The law even says that regardless of EULA terms, you can decompile software.
        • by Mr. Underbridge ( 666784 ) on Monday February 16, 2004 @11:39AM (#8294672)
          Copyright is _NOT_ patent. You can read copyrighted work and then write something similar by yourself. Copyright does not protect ideas, structures, algorithms or data formats. Copyright protectes the actual code - copy/pasting or recopying Windows code into Free Software would be disastrous. Reading Windows source code to understand protocols or formats and then writing your own Free implementation is not.

          To the letter of the law, that's true. However, there's also something called plagiarism which DOES NOT have to be a "cut-n-paste," but can be a situation in which I looked at your work and implemented my version in much the same way. That is a potentially illegal breach of copyright in software just as it is in school with papers.

          As such, the best way to protect oneself from copyright violations is complete ignorance of anything one might potentially infringe. As you say, an implementation is not copyrightable, so if you have never seen someone eles's implementation, you're clean. Basically, proving you've seen someone else's code can be damaging if you get sued for violation. You don't want that. And there's no reason to make the first critical part of their case for them.

          Of course, this is what makes copyright different than patent, as you say. Ignorance does not protect one from patent violations (although it can with regard to penalties, which can be trebled given intent, I believe). Ignorance aka "cleanroom implementation" DOES give complete immunity with regard to potential copyright violations.

  • I guess ... (Score:5, Funny)

    by fewnorms ( 630720 ) on Monday February 16, 2004 @08:51AM (#8293132)
    ... the old adage "No one ever got fired for choosing Microsoft" is true after all. Look what happens when you actually try speaking ill of the beast...
    • Re:I guess ... (Score:5, Insightful)

      by banzai51 ( 140396 ) on Monday February 16, 2004 @09:33AM (#8293424) Journal
      Wonder how Slashdotians will feel when they fully explore the anti-monoculture philosophy and realize it means keeping Microsoft rather than eliminating it and creating a new monoculture?
      • Re:I guess ... (Score:5, Insightful)

        by Jerf ( 17166 ) on Monday February 16, 2004 @10:14AM (#8293791) Journal
        OpenBSD, FreeBSD, NetBSD, OS X, varients of Linux so dissimilar they are just barely the same operating system, revived BeOS, the HURD, and the continuing divergence of existing operating systems and potential availability of new ones (Plan 9 may have largely failed but where it failed others can succeed (hint: driver support)) is an odd definition of "new monoculture".

        (Heck, every Linux install has the potential to be a potentially new OS; my kernel is most likely the only kernel exactly like it in the world, as as I use gentoo, even a lot of the support programs are customized and potentially unique. I've tried five or six binary vulnerabilities that Linux programs are vulnerable to, and while several managed to crash my computer, not a single one of them has resulted in privilege escalation or anything meaningful, because my system is so different at the binary level from anybody else's. Even to the extent that Linux is a monoculture I've not suffered the price of living in a monoculture.)
      • by BoomerSooner ( 308737 ) on Monday February 16, 2004 @10:18AM (#8293819) Homepage Journal
        They keep all the focus on hacking their POS operating system and help my mac and linux servers avoid the amount of attacks that would happen if they didn't exist.

        MS is a competitive advantaget to those that compete with vendors providing MS based services. BTW my company does have MS servers, Linux servers and we are testing some new OS X server implementations to see if we can eliminate some of our admin tasks with their slick UI & tools.
      • Re:I guess ... (Score:5, Insightful)

        by telbij ( 465356 ) on Monday February 16, 2004 @10:19AM (#8293830)
        Linux/Unix hardly runs a risk of becoming a monoculture, it's too easy to specialize. Regardless, talking about eliminating Microsoft is meaningless. If they get knocked back to 50% marketshare then their quality will improve and we won't need to hate them so much. The problem is the monopoly, the symptom is the software.
      • Re:I guess ... (Score:4, Insightful)

        by southpolesammy ( 150094 ) on Monday February 16, 2004 @11:44AM (#8294716) Journal
        [Disclaimer: For the record, I'm a Solaris bigot and a Linux zealot.]

        That being said, I don't have that much of an issue with the Windows OS itself. Including it as another tool in IT's belt to be used in specific situations is a good thing to have.

        The problem I have is the predisposition of Windows' advocates to have tunnel vision with respect to the use of said tools. IMHO, Windows is a square peg and every problem is a hole of varying shape that possibly needs to be modified to fit that peg. Couple this with a marketing engine that is second to none in the IT world, and you end up with the situation that Geer describes in which 95% of the desktops and perhaps 50% of the servers in the world are vulnerable to individual bugs and attacks. IOW, just one nasty bug can wipe out nearly the world's entire IT infrastructure because of the lack of genetic diversity.

        Please note -- I'm not knocking Windows itself as an OS. As I mentioned before, it fits in certain situations. I am specifically targetting the misguided directions of our IT management, programmers, and the Microsoft marketing departments that have put us in this situation. This is yet another human problem -- not a technological one -- and one that could have been, and can yet be fixed.
    • And here I thought all this time it was "No one ever got fired for choosing IBM".

      • Re:I guess ... (Score:5, Interesting)

        by fewnorms ( 630720 ) on Monday February 16, 2004 @09:52AM (#8293604)
        And here I thought all this time it was "No one ever got fired for choosing IBM".
        You are correct of course, but I think the saying should be changed to "No one ever got fired for choosing $MONOPOLY", which would be true. From personal experience I can tell you people in my enviroment actually have been fired for suggesting/choosing a hardware/software solution which is not industry standard and 10 times more expensive.
        Luckily, the climate is changing, but it is ever so slowly...
  • by archeopterix ( 594938 ) * on Monday February 16, 2004 @08:51AM (#8293133) Journal
    Microsoft, which denies pressuring @stake to fire Geer, says the comparison between computers and living organisms works only so well.

    "Once you start down the road with that analogy, you get stuck in it," said Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft.

    Charney says monoculture theory doesn't suggest any reasonable solutions; more use of the Linux (news - web sites) open-source operating system, a rival to Microsoft Windows, might create a "duoculture," but that would hardly deter sophisticated hackers.

    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.

    Microsoft still want us to believe that the only way to integrate is to run One System (theirs) everywhere. They don't get (more precisely: don't want to) common open standards and protocols.

    And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.

    • by DangerSteel ( 749051 ) on Monday February 16, 2004 @08:59AM (#8293179)
      >>Microsoft still want us to believe that the only way to integrate is to run One System (theirs) everywhere. They don't get (more precisely: don't want to) common open standards and protocols.

      And not only do they want us to run thier OS, they want to make sure you are integrating thier Office, and collaboration (think .net) programs. To get the full value of Windows. I think I got enough "full value" of windows on my users machine affected by Blaster last fall...

    • by tomstdenis ( 446163 ) <tomstdenis&gmail,com> on Monday February 16, 2004 @09:01AM (#8293196) Homepage
      You could argue all the levels at which windows boxen are patched counts as "diversity" ;-)

      KIDDING!!!

      The article does miss a more important point that they do touch upon [sadly I'm siding with MSFT here...] is that "if you don't fence in the crops deer will eat it all".

      A stupid windows user will be an even more stupid linux user. Sorry to tell y'all this. Them the breaks.

      What's worse is distros like Redhat which feature binary updates are totally not scalable. Gentoo is one decent approach but requires a hell of a lot of patience to get going [and update when things like KDE pop up].

      All in all, MSFT sucks for being slow with updates and for using proprietary standards. Most OSS sucks for being hard to configure [for newbies] and occasionally slow/tiresome to deal with.

      So moral? Update as much as you can, don't run every binary you find, use a virus scanner [keep it up to date] and use a firewall. Heck even the stupid WinXP firewall is sufficient to protect users from most default settings virii [e.g. messenger virus, etc].

      Tom
      • by passthecrackpipe ( 598773 ) * <.passthecrackpipe. .at. .hotmail.com.> on Monday February 16, 2004 @09:12AM (#8293273)
        Dude, you must have ducked the last time somebody started swinging the old cluebat around. "Them's the breaks" indeed.... a stupid windows user makes for a very good linux user. You fail, just like MS, to differentiate between machine user and machine admin. While a stupid windows user has full admin access out of the box to all his settings, config, hardware setup etc. a linux user does not. Simply by virtue of most of the distro's making a point of creating a seperate root account during setup, and explaining why, ensures you shield the user from the most common types of mayhem (s)he can create. The "stupid" user has to really go out of his/her way to actually screw things up bigtime, something they usually don't really set out to do.
        • by overturf ( 193264 ) on Monday February 16, 2004 @10:34AM (#8293966)
          > While a stupid windows user has full admin access out of the box to all his settings, config, hardware setup etc. a linux user does not

          Realistically, this is only true if the stupid windows user adds himself to the admins group (or signs in as administrator) and the linux user does not. It's just as possible for someone to always logon as root in linux or to add root permissions to their daily-logon account in linux as it is to do the equivalent in Windows!

          The only way your comment makes sense is if you're not distinguishing between the myriad versions of Windows that are out there. Windows 98, sure... you were able to easily spork the entire computer -- 6 years ago. Windows 2000 and XP give you all the power you need to not make your daily-logon account an admin by default.

          Imagine the uproar on Slashdot if Windows apologists showed up here (every day) posting things like "Linux has a local root exploit" and provided a link to some Redhat 5.2 hack from 6 years ago. Come on.
        • by tomstdenis ( 446163 ) <tomstdenis&gmail,com> on Monday February 16, 2004 @11:32AM (#8294608) Homepage
          "machine user" and "machine admin"

          ARE THE SAME FUCKING THING ON A HOME PC.

          As for modding the kernel you have to have root privileges to mod your /boot or your /lib/modules dir [or at least it SHOULD be root only otherwise what's the point?].

          The truth is you have to login as root to admin then as your user to use it. hence the name "user". You can't admin a box from a non-root account without chmod 777 all of your dirs/files in which case what's the point?

          So the clueless newb will either run linux as root or login as root and install everything they see under the sun [re: virii]

          Thanks, you fail it.

          The solution is really smarter users. They have to know what a root account means and how to use it properly otherwise you need automation which we know is often exploitable.

          Tom
    • i hate this ... (Score:5, Insightful)

      by torpor ( 458 ) <ibisum@@@gmail...com> on Monday February 16, 2004 @09:20AM (#8293334) Homepage Journal
      different operating systems, which would make integrating computer systems and networks virtually impossible.

      This is such utter bollocks I can't even handle it.

      The reason integration is difficult is because it is made difficult by those who do it.

      It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean ... in the good ol' days, an "OS" was all you needed in order to get some basic work and programming done on some hardware.

      Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".

      If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.

      An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.

      Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long ...
    • by sphealey ( 2855 ) on Monday February 16, 2004 @09:56AM (#8293639)
      True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
      While the first part of Charney's statement makes for an interesting discussion starter, the second part is absolutely side-splitting. Could Microsoft finish adding the basic capabilities of Multics, TOPS-20, and Netware 3.11 into its systems before it starts claiming ownership of all innovation in computer technology? Please?

      sPh

  • Once... (Score:5, Funny)

    by flewp ( 458359 ) on Monday February 16, 2004 @08:54AM (#8293148)
    Once I thought I had mono. They took a culture and it turns out I just had Windows.
  • Interesting spin ... (Score:5, Interesting)

    by Anonymous Coward on Monday February 16, 2004 @08:55AM (#8293151)
    ... on why the Microsoft monoculture is so important; from the AP article:

    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.

    Really? Could someone more familiar with Microsoft and their products kindly give me examples?

    • One word... (Score:3, Funny)

      by snake_dad ( 311844 )
      Clippy!
    • by Ghoser777 ( 113623 ) <fahrenba&mac,com> on Monday February 16, 2004 @09:02AM (#8293204) Homepage
      Really. Look at all the Linux. BSD, and the other *nix distros and all the software that runs between them on different platforms with different packaging systems. I think it's messy at best, but in a world with more than one *major* operating system, the solution is standards.

      Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.

      It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.

      Matt Fahrenbacher
      • by newdamage ( 753043 ) on Monday February 16, 2004 @09:37AM (#8293470) Homepage Journal
        In the long run (think the next 10-25 years), Microsoft will be forced to go along with open standards or get left behind as Open Source picks up more momentum. As IBM, Novell, large countries, and other big gorillas put their weight behind Linux and Open Source, the standards they use could become "the standard". This isn't going to happen likely anytime soon, but it definately has to start with the corporate world. If XYZ Inc. decides to use Open Office and Linux to save money (and we know businesses aren't doing anything radical to save money these days), and suddenly their employees must use it, guess what software package could end up on their home computers? As I said, it's not going to be a fast process, but it is possible.
    • by Airconditioning ( 639167 ) on Monday February 16, 2004 @09:03AM (#8293212) Journal
      If Microsoft decides to support a product, piece of hardware, or whatever out of the box with their next version of Windows, that piece of technology starts to become very popular. That technology then gets refined and maybe, later on an integral part of a computer system.

      USB comes to mind but I think Apple beat them to it?
      • by Anonymous Coward on Monday February 16, 2004 @09:12AM (#8293272)
        USB comes to mind but I think Apple beat them to it?

        Let's start a bit earlier... can you say
        mouse
        GUI
        5 1/4" floppies
        cd-rom
        post-script printing
        true-type/open-type
        Firewire
        and the list goes on
    • by gmuslera ( 3436 ) * on Monday February 16, 2004 @09:04AM (#8293219) Homepage Journal
      Antivirus could be considered an information related technology?. All a market that could been starving and barely advanced without the gentle Microsoft colaboration.
    • by frankie ( 91710 ) on Monday February 16, 2004 @09:56AM (#8293636) Journal
      My favorite quote on the topic came from Wired [wired.com]. Marcus Ranum [google.com] thinks Geer's message would have been mostly ignored by the public at large, except for @stake's "brilliant surgical marketing strike on its left foot by firing Dan".
    • by killmenow ( 184444 ) on Monday February 16, 2004 @10:23AM (#8293863)
      Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
      Really? Could someone more familiar with Microsoft and their products kindly give me examples?
      Well, look at it this way, without Microsoft, we probably wouldn't have any of the following: Think about it: If Microsoft produced superior products and didn't try to "0WN" you, a lot of those wouldn't exist.
  • by Anonymous Coward on Monday February 16, 2004 @08:56AM (#8293158)
    As much as I dislike the company, there are too many critical systems that are relying on Windows Servers. The release of a kernel crippling virus or worm could result in loss of human life.

    • by tb3 ( 313150 ) on Monday February 16, 2004 @09:13AM (#8293287) Homepage
      I call bullshit. Give me one example. The Windows EULA specifically says that there is NO WARRANTY with the software. Who would be stupid enough to run a mission-critical, not to mention life-critical system on such a shaky foundation?
      • by Pofy ( 471469 )
        > The Windows EULA specifically says that there
        >is NO WARRANTY with the software.

        And that would matter HOW, if the law of a country would say otherwise? In many countries one simply can't get away from responsability through contract terms like that.
      • by Anonymous Coward on Monday February 16, 2004 @09:34AM (#8293430)
        I call bullshit. Give me one example.

        I work as a consultant in Health IT and I'll give you 5 that I've found in my travels.

        1. Pharmacy systems
        2. Allergy interaction checking systems
        3. Dietary system, wrong or delayed diets can kill a patient
        4. Workstations in the ER that have access to critical applications and patient charts
        5. Workstations that communicate with the ambulence and med chopper teams

      • by andreMA ( 643885 ) on Monday February 16, 2004 @09:34AM (#8293432)
        "Life critical" is relative. You're not going to find Windows running air traffic control systems, controlling raadiation exposure for cancer patients, or operating switches on a railway.

        You will likely find them doing things like maintaining records of drug allergies, insurance coverage, etc. If those systems fail, people will hopefully fall back on manual records (assuming they exist in an accessable format), but that will introduce delays in treatment and admissions, which might well indirectly result in deaths.

      • by GoofyBoy ( 44399 ) on Monday February 16, 2004 @09:45AM (#8293538) Journal
        "the Slammer worm knocked out 911 emergency telephone service in Bellevue, Washington."

        http://www.salon.com/tech/feature/2003/12/16/bla st er_security/index_np.html
    • by Radon Knight ( 684275 ) on Monday February 16, 2004 @09:17AM (#8293310)
      there are too many critical systems that are relying on Windows Servers.

      But this is just foolish. Doesn't Microsoft explicitly say that Windows is not to be used for critical systems? There are special (i.e., non-mainstream) operating systems which are expressly designed for use in critical systems so that the problems caused by worms, etc. doesn't happen. If someone dies because of a Windows worm, it's the fault of the programmer who made a bad choice of the embedded system.

  • Open for exploit (Score:5, Insightful)

    by downix ( 84795 ) on Monday February 16, 2004 @08:58AM (#8293174) Homepage
    A great example of what can/will happen with the Microsoft monoculture can be found in the potato blight of Ireland. For those that lack any historical reference here, Ireland had a booming population due to the introduction of a nice, hardy breed of potato. For years, everything was going great, everyone had food, the potato became the staple of the diet. Everyone ate potatos, it is estimated to have been between 20-40% of all food consumed during this period.

    Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.

    Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.

    That is our economys achilles heel, Windows.
  • by Anonymous Coward on Monday February 16, 2004 @08:58AM (#8293178)
    "Once you start down the road with that analogy, you get stuck in it," said Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft.

    One you start down the road with it, you get stuck in it. Sounds like a perfect description of the lock-in aspects of their products, though I think "Roach Motels for your data" is catchier.
  • by ThaReetLad ( 538112 ) <sneaky@blueRABBI ... minus herbivore> on Monday February 16, 2004 @09:00AM (#8293191) Journal
    This is not the first time that A. Russell Jones has made controversial claims about Linux on DevX. At the end of august last year this [slashdot.org] story was run here on /. where he claimed that there should be a standard desktop for Linux.
  • by G4from128k ( 686170 ) on Monday February 16, 2004 @09:01AM (#8293198)
    It's not just monoculture that makes viruses spread so quickly. The fact that any computer can send something to any computer is bad. The fact that any computer can send something to so many computers is terrible.

    Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.

    Connectivity is the real driver of infection.
    • by goon america ( 536413 ) on Monday February 16, 2004 @09:48AM (#8293573) Homepage Journal
      It's not just monoculture that makes viruses spread so quickly.

      It's Outlook. (Only about 30% joking)

    • by kfg ( 145172 ) on Monday February 16, 2004 @10:01AM (#8293681)
      The question is not so much how fast a virus spreads, but what percentage of the computer population is affected at any one time, and what function does that percentage play in the workings of the whole.

      If I have a Windows box and a Linux box sitting side by side, each able to perform all the critical functions of the other, then a virus has to effect them both at the same time for me to lose functionality. When Blaster hits the Windows box I'm free to take it offline to clean it up. Vice versa for a *nix worm. Personally I add a Mac into the mix for three way security.

      This doesn't mean I can't get hit by a virus. It means that a virus can't take me down. And that's the point. Not that infections don't spread, but that infections are genetically specific. Your email worm targeted at a Windows address book, can't even find the address book on my Linux box. The mutt exploit is worthless against my Windows box. The Mac just keeps chugging along, mostly because no one cares to waste time writing a virus for a system even more obscure than Linux (That would be OS8 for those Mac heads about to pounce on me for saying that Macs are popular).

      Resilience through diversity, not absolute immunity.

      KFG
  • by cperciva ( 102828 ) on Monday February 16, 2004 @09:06AM (#8293234) Homepage
    For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft

    Dan Greer was not fired because he criticized Microsoft. He was fired because he published his opinions about the Microsoft monoculture without making it clear that those were his personal opinions and not those of @Stake.
    • by Anonymous Coward on Monday February 16, 2004 @09:28AM (#8293375)
      If you read the paper that was published, listened to any of the news accounts (including the conference call press conference), and read CCIA's disclaimers, you would know that he made it perfectly clear that this was something he was doing on his personal time, and had nothing to do with @stake. He went pretty far to disclaim any @stake connection to the paper.
  • Hah! (Score:5, Insightful)

    by arvindn ( 542080 ) on Monday February 16, 2004 @09:06AM (#8293237) Homepage Journal
    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible.
    But this is exactly what open source buys you! The diversity of thousands of operating systems. Several distros, several versions of each, custom configurations, choices in every application space... put all these together and you increase diversity a thousandfold. Easily. There's really a powerful analogy between open source and biological structures, because the code is out there in the wild. Splitting, mutating, recombining. Forking, patching, merging. No two systems are exactly alike. A software ecosystem. Enormous complexity and diversity, enormous robustness and strength, extremely high rate of progress. Linus often makes analogies to evolution when explaining kernel hacking. That's no coincidence.

    Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.

    • Re:Hah! (Score:3, Insightful)

      by AndroidCat ( 229562 )
      When (if?) Linux takes over the desktop, do you think all the Magic Box users aren't going to converge on one distro? What happens when all the stores stock a Big Blue Penguin distro (example), new software works out of the box for it, all the support shops expect it, all the Linux for Total Fscking Morons books assume it, and all the arguments about UI libraries are moot? Some people will continue to download distros and compile, but will that be a larger number than it is now?
  • by millahtime ( 710421 ) on Monday February 16, 2004 @09:07AM (#8293239) Homepage Journal
    As is usual the US is slow at change. We are stuck in our was and that is especially true for the government. Were there are many places in the world that realize the problems with M$ and are migrating to alternatives it's big news here. We (US) are being slow to wake up and realize the truth. But, that is how the US works.
  • by tverbeek ( 457094 ) on Monday February 16, 2004 @09:09AM (#8293253) Homepage
    [MS mouthpiece] says monoculture theory doesn't suggest any reasonable solutions; more use of the Linux open-source operating system, a rival to Microsoft Windows, might create a "duoculture," but that would hardly deter sophisticated hackers.

    This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".

    It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.

  • Hate to admit it... (Score:4, Interesting)

    by Zordas ( 596510 ) on Monday February 16, 2004 @09:11AM (#8293264)
    but this is true..

    True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened

    It's hard enough to get Novel - Mac's - PC's - Windows Servers - And SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 other OS's to integrate.

    • I don't think the point is to try to integrate multiple different OS's in a single organization. The point is that each organization can standardize on a different OS, so that an attack aimed at a particular OS only affects those organizations which are using that OS, which is ideally a minority of all organizations. The internet is already an integrated network of many different OS types. The only thing needed for interoperation is TCP/IP and XML.
    • by Angstroem ( 692547 ) on Monday February 16, 2004 @09:30AM (#8293389)
      It's hard enough to get Novel - Mac's - PC's - Windows Servers - And SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 other OS's to integrate.
      Now you make me curios. What is your definition of playing nicely together?

      As long as basic services are needed, I don't see any problem at all. Use NFS, use SAMBA, use CUPS -- use your protocol of choice where you get clients for all platforms. So far no problem.

      We're running Macs, Windows, Linux, BSD, different incarnations of Solaris, Irix, HP-UX, yet even some embedded stuff like vxWorks. No problem to share drives or print to shared printers. No problem to send and receive emails, surf the web.

      And all without nightmares.

  • by Anonymous Coward on Monday February 16, 2004 @09:12AM (#8293270)
    The problem is crappy software.

    Would the IT world be a more stable, reliable & secure place if 95% of the world's comptuer ran OpenBSD?

    The problem is crappy software, not closed source commercial software.

    It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.
  • by Noryungi ( 70322 ) on Monday February 16, 2004 @09:13AM (#8293286) Homepage Journal
    I have thought about this whole monoculture thing recently, and here is my take on it...

    Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.

    At the time, it made perfect marketing sense: the king of word processors was Word Perfect, and it offered advanced scripting functions. Microsoft had to duplicate this functionalities if it wanted to kick WordPerfect ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?

    The only problem is, of course, that Windows security (3.x was a single user, single task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.

    Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS stupid decisions, they were allowed to run wild.

    In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.

    They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...
    • by tverbeek ( 457094 ) on Monday February 16, 2004 @09:23AM (#8293349) Homepage
      when was the last time you used WordPerfect on your PC?

      (At the risk of being modded -1, Overly-Literal)

      10:37pm, yesterday.

    • The sad part is that the underlying security in the NT family isn't that bad--if it's allowed to do it's job. It must really suck to keep working on ways to tighten security at MS, and then have marketing whine about "ease of use" and override design decisions.

      When writing for the then upcoming NT5, we were supposed to assume that there would be very limited access by non-OS software to anything n the \windows\ directories. Judging by the ease that some VB scripts running in the IE browser use ActiveX to o

    • by FuzzyBad-Mofo ( 184327 ) <fuzzybad AT gmail DOT com> on Monday February 16, 2004 @10:29AM (#8293925)

      And Microsoft's goal (gaol) of backwards compatibility ensures that these misfeatures will stay in the infrastructure indefinitely. I realized this yesterday when cleaning spyware off a friend's Windoze box.

      Windows has so many legacy interfaces for loading programs at boot like win.ini, autoexec.bat, ect. that no longer have a pratical purpose, are easily exploitable, are are in a word, "cruft". Their OS is full of this cruft, and it will continue to become more so, as long as Microsoft continues their indiscrimate adding of features without regard to security.

  • by Anonymous Coward on Monday February 16, 2004 @09:14AM (#8293291)
    The benefit of linux, bsd, and other non-microsoft OS's come from the variety of services run. Microsoft's OS's have to run many services and modules that other OS's can leave to the discretion of the operator. For instance, I can run an old version of linux with no services and its safe. I can run any number and variety of servers. Microsoft seems to have to do it one way and one way only with all these modules that have to be running.
  • by cperciva ( 102828 ) on Monday February 16, 2004 @09:15AM (#8293295) Homepage
    As easy as it is to point to Microsoft as an example of monoculture, Open Source software is equally at fault here. Take "deflate" encoding as an example: How many different implementations are there? What fraction of deflate-using applications use an implementation other than zlib?

    If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.
  • by prisoner-of-enigma ( 535770 ) on Monday February 16, 2004 @09:16AM (#8293296) Homepage
    ...that Greer's against monoculture but doesn't explore the effects of what would be needed to overcome that monoculture.

    As outlined in the article (assuming anyone reads it), critics of Greer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OS's. Apache has the majority market share for all web servers worldwide. What affect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.

    To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OS's and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two app's/OS's would be actively discourages to prevent cross-pollination-type attacks.

    It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
  • by emtboy9 ( 99534 ) <jeff AT jefflane DOT org> on Monday February 16, 2004 @09:17AM (#8293311) Homepage
    You know, there was, at one time, a long running joke about Microsoft tech support. The answer to any problem, according to MS support (and I heard this directly from them on more than a few occasions) was "We suggest you reboot to fix this problem" OR, Shut up and re-install.

    And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."

    So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???

    I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
  • by rqqrtnb ( 753156 ) on Monday February 16, 2004 @09:18AM (#8293314)
    Without a doubt, online security is a major concern. The idea of monoculturism may be applicable to the computer industry due to the prevalence of MS operating systems. This, of course, assumes everyone has the same version of an MS operating system, with a single, universal exploitable flaw. The fact that not everyone has the exact same operating system nor the exact same component and software configuration tends to undermine the argument of 'monoculture' somewhat more.

    However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.

    People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which comparability issues and cross learning would be difficult for most to handle unless the UI for each system is essentially the same.

    I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.
  • by G4from128k ( 686170 ) on Monday February 16, 2004 @09:19AM (#8293325)
    One solution to the monoculture problem is multi-OS architectures in which a single process is executed on multiple independent codebases within each box.

    On high-reliability systems (Space Shuttle [gvsu.edu] & X-29 [nasa.gov] flight controls), multiple redundant subprocessors attempt to compute the same answer. If the subprocessors get different answers, the majority-rules and the system logs the exception. If each processor ran independent code, then exploits of any one codebase would be detected and disinfected. A multi-system with one exploited/infected codebase would continue running while ignoring the output of the infected subprocessor.

    The system would still have some vulnerabilties. Simultaneous attack on a majority of the codebases might succeed in redefinig the majority to suit the malware. Also, codebase independence is very hard. More than likely several codebases might share the same fault (e.g. a buffer overrun bug). Attacks on the overseer/majority-rules system might also succeed. Finally, if the standard has an exploit (e.g., decrypting WiFi WEP), then all codebases implementing the standard are vulnerable.

    The biggest downside is bloat and cost. But at least it would give people a reason to buy the latest greatest chips from Intel, AMD, IBM, etc.
  • by ChrisRijk ( 1818 ) on Monday February 16, 2004 @09:22AM (#8293343)
    What's certainly true is that there's a lot more to having good security than getting rid of the monoculture problem. Probably the most important thing is to care about security from the start...

    Anyway, something the DoD and others have done for some time is to have triple barriers for certain things like firewalls. So instead of having the same firewall product and system all over the place, for each firewall, you have a series of 3 systems: one is a "hardware" firewall (an appliance basically), followed by two different firewall products running on two different architectures. This way a single flaw on one firewall or system will not comprimise overall security.

    They also turn the IT infrastructure into compartments, each walled out with firewall groups. So you have one compartment for front-end servers, one for desktop users, one for your data, etc.

    Yeah it adds to complexity, but this is what the paranoid types do to give themselves peace of mind.
  • by daveaitel ( 598781 ) on Monday February 16, 2004 @09:26AM (#8293364) Homepage Journal
    It's Dan Geer.

    -dave
  • ahh, the irony... (Score:5, Insightful)

    by di0s ( 582680 ) <cabbot917@Nospam.gmail.com> on Monday February 16, 2004 @09:26AM (#8293367) Homepage Journal
    If I remember my computer history, wasn't Microsoft the alternative to the IBM monoculture? Now that IBM has embraced FOSS, they're the alternative to the Microsoft monoculture...
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday February 16, 2004 @09:30AM (#8293390)
    Comment removed based on user account deletion
  • by Phoe6 ( 705194 ) on Monday February 16, 2004 @09:32AM (#8293403) Homepage Journal
    Nature deals with breakdowns in a complex system with evolution, and a very important part of evolution is the extinction of particular species. It's a sort of backtracking mechanism that corrects an evolutionary mistake. The Internet is an ecology, so if you build a species on it that is vulnerable to a certain pathogen, it can very well undergo extinction. By the way, the species that go extinct tend to have limited genetic diversity. -Atrributed to Bill Joy - Had preserved in my Blog [blogspot.com] Dan Greer's writings bear the same too.
  • by andih8u ( 639841 ) on Monday February 16, 2004 @09:39AM (#8293484)
    Diversity can help keep viruses and such from spreading, but it can also be a hindrance. If linux had some standardization where all of the distros all used the same directory structure, package management, etc, it would be a lot easier for companies to write software for it. Now the best they can do is write the software and hope someone else will port it over, or spend time porting it to .RPM, .DEB, etc etc. With windows you don't ever run across cascading dependency nightmares, and every software company knows how to write their software for it. Yes, you should be able to compile linux packages from source without any problems, but when you're talking about trying to get home users to accept linux more, making them compile packages from source definately isn't the way to do it.
  • by verrol ( 43973 ) on Monday February 16, 2004 @09:42AM (#8293507) Homepage Journal
    than good. yes, this is not a new idea, but the fact that M$ continues to do it is to me, evidence that they are not serious about security.

    Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.

    just about anyone who write large software knows that u have make it modular design and if possible striving independent modules as possible to reduce risk and propagation of faults. consider this, even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.

    while M$ tries to give you a big bloated piece of software with OS and THEIR apps tightly integrated. look at what the people doing micro-kernels are doing. they are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent form each other--though they may use the services provided by the other). but their is no need for that particular app, just any app providing that service. .v
  • by Ridgelift ( 228977 ) on Monday February 16, 2004 @10:10AM (#8293749)
    "But Geer says the company should disentangle its tightly integrated products, such as Microsoft Word and Outlook."

    The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.

    Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".

    The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.
  • by tizzyD ( 577098 ) * <tizzyd&gmail,com> on Monday February 16, 2004 @10:11AM (#8293752) Homepage
    I mean really, come on. Only a fool would not know that open source has the capacity for foul play. But with the eyes of the crackers come the eyes of the police, or in this case, the moderators. So, with a simple code review, you can spot an issue. With OS, you have a chance.

    OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.

    Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.

  • by ronmon ( 95471 ) on Monday February 16, 2004 @10:14AM (#8293783)
    "The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author of Geer's.

    frisson
    n : an almost pleasurable sensation of fright; "a frisson of
    surprise shot through him" syn: shiver, chill, quiver,
    shudder, thrill, tingle

    Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.
  • by cabazorro ( 601004 ) on Monday February 16, 2004 @10:21AM (#8293841) Journal
    Q:What is the single protocol used by all computers
    connected to Internet in the world?
    A: IPV4
    Q:What is the single mail protocol used by all
    computers connected to the internet?
    A: SMTP
    Q:What is the single protocol used to search the
    Internet and exchange most information over the
    Internet?
    A: HTTP
    According to evolution, diversity is the
    consequence of adaptation.

    Specialization, Mutation, Adaptation.

    Adaptation is the
    consequence of a changing environment. A
    changing environment is the consequence of a
    finite amount of resources and competition.
    The Internet in it's current stage resources are
    plenty and competition is little.
    Internet is currently in the specialization
    stage. The Internet has not being forced(YET) to
    depart from it's standard protocols (mutate) to
    survive an attack.

    Forcing diversity (by mandate rather of natural
    competition) not only makes the system less
    robust, it slows down evolution.
  • Simulation (Score:5, Insightful)

    by Tom ( 822 ) on Monday February 16, 2004 @10:27AM (#8293899) Homepage Journal
    I know it's a stupid thing to /. yourself, but here we go:

    My paper on worm propagation [lemuria.org] from last year (just updated with some more data) shows very clearly what a monoculture does.

    I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
    Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.

    We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.

  • Nothing new (Score:5, Interesting)

    by jkabbe ( 631234 ) on Monday February 16, 2004 @10:51AM (#8294157)
    Monoculture (or, the problems associated with it) are not a new concept. When I was studying at U of Mi in 1992-93 (or thereabouts) we discussed the internet worm in my system administration class. The instructor pointed out that U of M was only moderately affected because of the variety of Unix systems comprising the network. The lesson was that a diverse network makes one less succeptible to attack affecting a single platform.
  • Which Culture? (Score:4, Interesting)

    by smccto ( 667454 ) on Monday February 16, 2004 @11:07AM (#8294315)

    Monoculture or Diversity?

    The AP ran a story this weekend, captured by Yahoo [yahoo.com], talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.

    Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).

    Just the facts, Mam

    I found it intriguing that, as the AP article mentioned:

    "Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."

    Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia [secunia.com] and their product listing [secunia.com]. Doesn't anyone care that Solaris 9 [secunia.com] had more advisories (42) in 2003 than Windows 2000 Server [secunia.com] (36)? Doesn't it scare anyone that, while Windows XP Home edition [secunia.com] had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 [secunia.com] had 186!

    Doesn't Open Source claim [devx.com] to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?

    Missing the forest for the trees

    Take a look at this, also from the AP article:

    "Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation (news - web sites) grant to study methods to automatically diversify software code.

    Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."

    Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension [sun.com]. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.

    Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)

    Miopic Intelligence

    Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s

  • by breadbot ( 147896 ) on Monday February 16, 2004 @11:24AM (#8294511) Homepage
    This story is quickly becomming big news (Yahoo is currently carrying it on their front page).
    I wonder how many stories get elevated to "big news" by being Slashdotted:
    1. Publish Story
    2. Link to it from Slashdot
    3. Yahoo's automatic pull-the-most-popular-up algorithm puts it on the front page
    4. Everybody else notices it too

    Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...