Microsoft, Monocultures, Security FUD & Other Fun 509
techiemac writes "Dan Geer, who has been mentioned on Slashdot before due to his warnings about Microsoft's "monoculture" has just been written up by AP for his warnings about the widespread use of Microsoft products and the serious security flaws that are being discovered. This story is quickly becomming big news (Yahoo is currently carrying it on their front page). For those who don't know, Dan Greer was fired from @Stake Inc for his criticism of Microsoft (they are a big client of @Stake Inc). " Somewhat related, there has been interesting reaction pieces on ORA and OSDN to a recent, some say ill-informed article run on DevX.
MS Open Source Is Fertile Ground for Foul Play (Score:5, Funny)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Interesting)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Interesting)
I think the better encouragement is not to *keep* the source code. It would be quite difficult for MS to "prove" that any given developer had seen the purloined source, barring the conspiratorial notion that MS is running false-flagged IRC channels and web sites and collecting evidence on who is grabbing it. But not keeping a copy of it (which would be illegal anyway), they remove the easiest proof that they have been tainted by it.
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Funny)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:4, Interesting)
Besides, if you want to see Microsoft code, use their Visual C++, and get the step into/step over keys backwards. It's easy to accidentally jump inside the cout statement, for example.
And anybody elses code? If you can read assembler, wait for it to GPF. At the college I work at, MSVC++ used to snag any crash and throw it up on the screen as x86 assembler code. (I seem to remember that happening to Netscape 4.x a lot.)
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Informative)
Copyright is _NOT_ patent. You can read copyrighted work and then write something similar by yourself. Copyright does not protect ideas, structures, algorithms or data formats. Copyright protectes the actual code - copy/pasting or recopying Windows code into Free Software would be disastrous. Reading Windows source code to understand protocols or formats and then writing your own Free implementation is not.
Of course, you're not allowed to have windows source code at first, and you can be sued for having it. Not for writing source code with the knowledge you gained for it; the same way that reverse engineering is fordbidden in US, but if you use reverse to write Samba or a XFree driver, Samba or the driver will be legal. You can be sued if it's proven you used reverse, but your code will not.
Re:MS Open Source Is Fertile Ground for Foul Play (Score:5, Informative)
If absolutely nothing else, you can do the reverse engineering in the UK, where reverse engineering is explicitly allowed by law. The law even says that regardless of EULA terms, you can decompile software.
May be legal, but also stupid (Score:5, Informative)
To the letter of the law, that's true. However, there's also something called plagiarism which DOES NOT have to be a "cut-n-paste," but can be a situation in which I looked at your work and implemented my version in much the same way. That is a potentially illegal breach of copyright in software just as it is in school with papers.
As such, the best way to protect oneself from copyright violations is complete ignorance of anything one might potentially infringe. As you say, an implementation is not copyrightable, so if you have never seen someone eles's implementation, you're clean. Basically, proving you've seen someone else's code can be damaging if you get sued for violation. You don't want that. And there's no reason to make the first critical part of their case for them.
Of course, this is what makes copyright different than patent, as you say. Ignorance does not protect one from patent violations (although it can with regard to penalties, which can be trebled given intent, I believe). Ignorance aka "cleanroom implementation" DOES give complete immunity with regard to potential copyright violations.
I guess ... (Score:5, Funny)
Re:I guess ... (Score:5, Insightful)
Re:I guess ... (Score:5, Insightful)
(Heck, every Linux install has the potential to be a potentially new OS; my kernel is most likely the only kernel exactly like it in the world, as as I use gentoo, even a lot of the support programs are customized and potentially unique. I've tried five or six binary vulnerabilities that Linux programs are vulnerable to, and while several managed to crash my computer, not a single one of them has resulted in privilege escalation or anything meaningful, because my system is so different at the binary level from anybody else's. Even to the extent that Linux is a monoculture I've not suffered the price of living in a monoculture.)
I love microsoft (Score:5, Funny)
MS is a competitive advantaget to those that compete with vendors providing MS based services. BTW my company does have MS servers, Linux servers and we are testing some new OS X server implementations to see if we can eliminate some of our admin tasks with their slick UI & tools.
Re:I guess ... (Score:5, Insightful)
Re:I guess ... (Score:4, Insightful)
That being said, I don't have that much of an issue with the Windows OS itself. Including it as another tool in IT's belt to be used in specific situations is a good thing to have.
The problem I have is the predisposition of Windows' advocates to have tunnel vision with respect to the use of said tools. IMHO, Windows is a square peg and every problem is a hole of varying shape that possibly needs to be modified to fit that peg. Couple this with a marketing engine that is second to none in the IT world, and you end up with the situation that Geer describes in which 95% of the desktops and perhaps 50% of the servers in the world are vulnerable to individual bugs and attacks. IOW, just one nasty bug can wipe out nearly the world's entire IT infrastructure because of the lack of genetic diversity.
Please note -- I'm not knocking Windows itself as an OS. As I mentioned before, it fits in certain situations. I am specifically targetting the misguided directions of our IT management, programmers, and the Microsoft marketing departments that have put us in this situation. This is yet another human problem -- not a technological one -- and one that could have been, and can yet be fixed.
Re:I guess ... (Score:3, Informative)
And here I thought all this time it was "No one ever got fired for choosing IBM".
Re:I guess ... (Score:5, Interesting)
Luckily, the climate is changing, but it is ever so slowly...
They still don't get it (Score:5, Insightful)
And they are wrong about "duoculture". Linux, having many parties behind it(many distros, different kernel versions) has much mure internal variety than all versions of Windows out there.
Re:They still don't get it (Score:5, Interesting)
And not only do they want us to run thier OS, they want to make sure you are integrating thier Office, and collaboration (think .net) programs.
To get the full value of Windows.
I think I got enough "full value" of windows on my users machine affected by Blaster last fall...
Re:They still don't get it (Score:5, Insightful)
KIDDING!!!
The article does miss a more important point that they do touch upon [sadly I'm siding with MSFT here...] is that "if you don't fence in the crops deer will eat it all".
A stupid windows user will be an even more stupid linux user. Sorry to tell y'all this. Them the breaks.
What's worse is distros like Redhat which feature binary updates are totally not scalable. Gentoo is one decent approach but requires a hell of a lot of patience to get going [and update when things like KDE pop up].
All in all, MSFT sucks for being slow with updates and for using proprietary standards. Most OSS sucks for being hard to configure [for newbies] and occasionally slow/tiresome to deal with.
So moral? Update as much as you can, don't run every binary you find, use a virus scanner [keep it up to date] and use a firewall. Heck even the stupid WinXP firewall is sufficient to protect users from most default settings virii [e.g. messenger virus, etc].
Tom
Re:They still don't get it (Score:5, Insightful)
Re:They still don't get it (Score:5, Insightful)
Realistically, this is only true if the stupid windows user adds himself to the admins group (or signs in as administrator) and the linux user does not. It's just as possible for someone to always logon as root in linux or to add root permissions to their daily-logon account in linux as it is to do the equivalent in Windows!
The only way your comment makes sense is if you're not distinguishing between the myriad versions of Windows that are out there. Windows 98, sure... you were able to easily spork the entire computer -- 6 years ago. Windows 2000 and XP give you all the power you need to not make your daily-logon account an admin by default.
Imagine the uproar on Slashdot if Windows apologists showed up here (every day) posting things like "Linux has a local root exploit" and provided a link to some Redhat 5.2 hack from 6 years ago. Come on.
Re:They still don't get it (Score:5, Insightful)
ARE THE SAME FUCKING THING ON A HOME PC.
As for modding the kernel you have to have root privileges to mod your
The truth is you have to login as root to admin then as your user to use it. hence the name "user". You can't admin a box from a non-root account without chmod 777 all of your dirs/files in which case what's the point?
So the clueless newb will either run linux as root or login as root and install everything they see under the sun [re: virii]
Thanks, you fail it.
The solution is really smarter users. They have to know what a root account means and how to use it properly otherwise you need automation which we know is often exploitable.
Tom
Re:They still don't get it (Score:3, Insightful)
Comment removed (Score:4, Funny)
i hate this ... (Score:5, Insightful)
This is such utter bollocks I can't even handle it.
The reason integration is difficult is because it is made difficult by those who do it.
It has nothing whatsoever to do with 'operating systems'. It seems to me that 'operating systems' don't mean what they used to mean
Nowadays, it seems that an "OS" == "all the crap I think I'm gonna need one day, bundled into a single directory structure".
If the OS is doing its job then integration is not impossible, it is 100% feasible and easy.
An OS which doesn't do its job, doesn't allow integration. Its very telling to me that Microsoft choose to redefine the task of an OS rather than actually make their OS do the job its supposed to do.
Integration between OS's is supposed to be easy. That is what an OS is all about, after all. Maybe someone should tell that to the 'gurus' from Redmond that mouth off about operating systems all day long
Re:They still don't get it (Score:4, Insightful)
sPh
Re:Apple's worse (Score:5, Insightful)
Yeah, and we all know how many awful hardware vulnerabilities there have been in recent decades... :p
dropped floppies and non-USB interfaces much later, only after they were not that useful anymoreExcept that you're ignoring the chicken-v-egg problem. USB did not become ubiquitous until after Apple forced the issue. No one else had the balls to say "screw dumb serial ports, USB is better". GUI, 3.5", CD-ROM, PnP, etc... Apple intentionally drives technology forward, even when many people are kicking and screaming to stay behind.
Meanwhile, none of this has anything to do with security and monocultures.Re:Apple's worse (Score:4, Interesting)
because only complete morons say that.
Serial ports have their place and will be here for a really long time. I dare you to config a cisco router or switch with your USB port. or dare you to configure any of the middle to high end home automation equipment out there with your USB port.
USB is excellent for low-performance high bitrate data transfers.. firewire beat's it to hell for performance needs (ever wonder why you can't get high end DV cameras with USB?) and RS232/RS485 serial is better than anything that USB or firewire can do for low speed high reliability.
apple did NOT force the adoption of USB... the explosion of cheap usb products by the release of cheap usb interface chipsets.
Re:Apple's worse (Score:5, Interesting)
PC manufacturers dropped certain technologies when they were finally perceived not to be useful any more.
Apple can act as the gentle motivational herder, because they have complete control over their flock, as long as they make sure they replace the things they phase out with generally superior technologies, and they have (floppy > email, legacy ports > USB).
PC manufacturers have no choice, as there is less unity and it is human nature to be wary of new things, and to want to stick to what is tried and tested. In this scenario where it is impossible to move the flock forward as a whole (as the direction of the industry is dictated by many) it must first be shown and proven that the newer technology is superior.
So I would hardly call this scenario a 'blunder' on Apple's behalf! Quite the opposite in fact - I'm sure it was of great benefit to both Apple and their users to make a swift concerted step forward.
Once... (Score:5, Funny)
Interesting spin ... (Score:5, Interesting)
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Really? Could someone more familiar with Microsoft and their products kindly give me examples?
One word... (Score:3, Funny)
What Microsoft doesn't want is *Standards* (Score:5, Insightful)
Look at the automobile - tons of competing car companies making different cars, but they all have some standardized equipment customized in a little different way not to radically change the entire experience. Open standards would kill Microsoft (or at least knock them off their behemoth perch), and they know it.
It's sort of the idea that Federal action is better than State action - why worry about 50 different actors doing their own thing (hint: innovating) when the federal government can just fiat whatever they want.
Matt Fahrenbacher
Open Standards can kill MS anyway (Score:5, Insightful)
Re:Interesting spin ... (Score:5, Interesting)
USB comes to mind but I think Apple beat them to it?
Re:Interesting spin ... (Score:5, Interesting)
Let's start a bit earlier... can you say
mouse
GUI
5 1/4" floppies
cd-rom
post-script printing
true-type/open-type
Firewire
and the list goes on
Re:Interesting spin ... (Score:5, Funny)
Another interesting spin ... (Score:5, Insightful)
Re:Interesting spin ... (Score:4, Insightful)
- Samba [samba.org]
- FreeDOS [freedos.org]
- WINE [winehq.com]
- The XBOX Linux Project [sourceforge.net]
- Ximian Evolution [ximian.com]
- Open Office [openoffice.org]
- Mozilla [mozilla.org]
- etc...
Think about it: If Microsoft produced superior products and didn't try to "0WN" you, a lot of those wouldn't exist.WRONG! stop the lies (was Re:Interesting spin ...) (Score:4, Informative)
Yeah, without Microsoft products, Al Gore couldn't have invented the internet.
I see my mission now.. to reply to every post with this lame ass joke with information about how it is NOT TRUE. You've heard of snopes.com, the Urban Legends Reference Pages? Please read this article [snopes.com] before posting this lie. The proper joke would be, "Al Gore says he took the initiative in creating the Internet!". While certainly a poor choice of words for Mr. Gore even in context of the interview, he did not claim to invent the Internet.
That goes for you too, moderators. This cliche is certainly not +5 Funny and you know it.
I hope he's wrong ... (Score:5, Insightful)
Re:I hope he's wrong ... (Score:4, Insightful)
Re:I hope he's wrong ... (Score:3, Insightful)
>is NO WARRANTY with the software.
And that would matter HOW, if the law of a country would say otherwise? In many countries one simply can't get away from responsability through contract terms like that.
Re:I hope he's wrong ... (Score:5, Informative)
I work as a consultant in Health IT and I'll give you 5 that I've found in my travels.
1. Pharmacy systems
2. Allergy interaction checking systems
3. Dietary system, wrong or delayed diets can kill a patient
4. Workstations in the ER that have access to critical applications and patient charts
5. Workstations that communicate with the ambulence and med chopper teams
Re:I hope he's wrong ... (Score:4, Insightful)
You will likely find them doing things like maintaining records of drug allergies, insurance coverage, etc. If those systems fail, people will hopefully fall back on manual records (assuming they exist in an accessable format), but that will introduce delays in treatment and admissions, which might well indirectly result in deaths.
Re:I hope he's wrong ... (Score:4, Informative)
http://www.salon.com/tech/feature/2003/12/16/bl
Re:I hope he's wrong ... (Score:5, Insightful)
But this is just foolish. Doesn't Microsoft explicitly say that Windows is not to be used for critical systems? There are special (i.e., non-mainstream) operating systems which are expressly designed for use in critical systems so that the problems caused by worms, etc. doesn't happen. If someone dies because of a Windows worm, it's the fault of the programmer who made a bad choice of the embedded system.
Open for exploit (Score:5, Insightful)
Then a viral attack that affected only this particular breed of potato struck. Within less than a year, whole crops failed, the economy collapsed as people literally starved to death.
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
That is our economys achilles heel, Windows.
Re:Open for exploit (Score:5, Funny)
Re:Open for exploit (Score:3, Informative)
Remember, there was lots of food being grown in Ireland during said famine; but it was being exported to England.
Re:Open for exploit (Score:5, Interesting)
Yet, other breed of potatos were completely unaffected. It wasn't the reliance on potatos that was to blame, it was the reliance of one strain of potatos that was Irelands achilles heel.
And the next year, the Irish planted the same crop. Why? Because that's all they could afford - the English were taxing them to death.
Great Microsoft quote (Score:5, Funny)
One you start down the road with it, you get stuck in it. Sounds like a perfect description of the lock-in aspects of their products, though I think "Roach Motels for your data" is catchier.
not the first time... (Score:5, Informative)
Fan-Out is the Killer (Score:3, Insightful)
Even if Linus drives Microsoft products into the minority, infections would still quickly reach Microsoft machines (or machines of any leading platform). Furthermore, under non-monoculture conditions, the dilution of virus writers on any one platform would probably be matched by the dilution of anti-virus resources on that platform. Even under non-monoculture conditions, we'll still have fast-spreading infections.
Connectivity is the real driver of infection.
Re:Fan-Out is the Killer (Score:4, Funny)
It's Outlook. (Only about 30% joking)
Re:Fan-Out is the Killer (Score:5, Insightful)
If I have a Windows box and a Linux box sitting side by side, each able to perform all the critical functions of the other, then a virus has to effect them both at the same time for me to lose functionality. When Blaster hits the Windows box I'm free to take it offline to clean it up. Vice versa for a *nix worm. Personally I add a Mac into the mix for three way security.
This doesn't mean I can't get hit by a virus. It means that a virus can't take me down. And that's the point. Not that infections don't spread, but that infections are genetically specific. Your email worm targeted at a Windows address book, can't even find the address book on my Linux box. The mutt exploit is worthless against my Windows box. The Mac just keeps chugging along, mostly because no one cares to waste time writing a virus for a system even more obscure than Linux (That would be OS8 for those Mac heads about to pounce on me for saying that Macs are popular).
Resilience through diversity, not absolute immunity.
KFG
For those who don't know... (Score:3, Informative)
Dan Greer was not fired because he criticized Microsoft. He was fired because he published his opinions about the Microsoft monoculture without making it clear that those were his personal opinions and not those of @Stake.
Re:For those who don't know... (Score:5, Informative)
Hah! (Score:5, Insightful)
Diversity != incompatibility. One standard, many implementations. What the M$ guy says is pure FUD.
Re:Hah! (Score:3, Insightful)
Migration from Microsoft (Score:3, Insightful)
unsound refutation from MS (Score:5, Insightful)
This neglects that fact that Linux itself has internal diversity that makes it less vulnerable to "disease".
It's also not necessary to have "thousands of different operating systems" to gain some resilience. If (for example) half of all computers were Type A and the other half Type B, the rate of transmission of type-specific malware would be slowed dramatically. It wouldn't prevent pandemics, but it would slow them down.
Hate to admit it... (Score:4, Interesting)
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened
It's hard enough to get Novel - Mac's - PC's - Windows Servers - And SGI computers all playing nicely in a true heterogeneous environment. I couldn't imagine the nightmare if I had another 2-3 other OS's to integrate.
Re:Hate to admit it... (Score:3, Informative)
Re:Hate to admit it... (Score:5, Insightful)
As long as basic services are needed, I don't see any problem at all. Use NFS, use SAMBA, use CUPS -- use your protocol of choice where you get clients for all platforms. So far no problem.
We're running Macs, Windows, Linux, BSD, different incarnations of Solaris, Irix, HP-UX, yet even some embedded stuff like vxWorks. No problem to share drives or print to shared printers. No problem to send and receive emails, surf the web.
And all without nightmares.
The problem is not monoculture... (Score:3, Interesting)
Would the IT world be a more stable, reliable & secure place if 95% of the world's comptuer ran OpenBSD?
The problem is crappy software, not closed source commercial software.
It is the general crappiness of commercial software (and the lethargic rates of bug fixes) that have led to the popularity of open source.
The real problem is... (Score:5, Interesting)
Microsoft made a conscious decision, a long long time ago, to make sure that everything in its Office applications (starting with Word) would be scriptable with VBA. And that the VBA scripts would have access to the entire underlying OS.
At the time, it made perfect marketing sense: the king of word processors was Word Perfect, and it offered advanced scripting functions. Microsoft had to duplicate this functionalities if it wanted to kick WordPerfect ass and establish Windows and Word as the desktop champions. And it worked -- when was the last time you used WordPerfect on your PC?
The only problem is, of course, that Windows security (3.x was a single user, single task operating system) was absolutely broken from the very beginning. After all, if you are the only user on your machine, you don't need a lot of security, do you? Wrong. You may need a different kind of security, but you still need some sort of framework to protect your resources. Windows never provided any kind of security at all.
Then came the Internet. And, with it, a virus transmission vector of incomparable speed. The rest, as they say is history. Microsoft never bothered to create proper security and, because it completely ignored the Internet before 1995 (remember the Gates memo?), they were caught unprepared by the hordes of yahoos who write VBA viruses. VB is easy to use, viruses are easy to program in VB and, thanks to MS stupid decisions, they were allowed to run wild.
In effect, most users and sysadmins are, today, paying the price of a marketing decision: Microsoft decided to design VBA, all the while ignoring the research that proved that application scripting needed to be severely limited and controlled. Emacs LISP scripts and shell files in the UNIX world were prohibited a loooooong time before VBA was even created.
They kicked a competitor out of the field and, in doing so, created more problems for themselves (and for us!) than they solved...
Re:The real problem is... (Score:5, Funny)
(At the risk of being modded -1, Overly-Literal)
10:37pm, yesterday.
Re:The real problem is... (Score:3, Insightful)
When writing for the then upcoming NT5, we were supposed to assume that there would be very limited access by non-OS software to anything n the \windows\ directories. Judging by the ease that some VB scripts running in the IE browser use ActiveX to o
Re:The real problem is... (Score:5, Insightful)
And Microsoft's goal (gaol) of backwards compatibility ensures that these misfeatures will stay in the infrastructure indefinitely. I realized this yesterday when cleaning spyware off a friend's Windoze box.
Windows has so many legacy interfaces for loading programs at boot like win.ini, autoexec.bat, ect. that no longer have a pratical purpose, are easily exploitable, are are in a word, "cruft". Their OS is full of this cruft, and it will continue to become more so, as long as Microsoft continues their indiscrimate adding of features without regard to security.
The monoculture threat is real (Score:4, Informative)
Monoculture not just a Microsoft phenomenon (Score:4, Interesting)
If anything, the ease of code reuse inherent in Open Source software makes monoculture easier to achieve.
I suppose it's wrong to mention... (Score:5, Interesting)
As outlined in the article (assuming anyone reads it), critics of Greer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OS's. Apache has the majority market share for all web servers worldwide. What affect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.
To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OS's and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two app's/OS's would be actively discourages to prevent cross-pollination-type attacks.
It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
We suggest you reboot... (Score:5, Insightful)
And now, here is the "Chief Security Strategist" for MS saying (regarding the monoculture analogy) "Another difference: computers can be unplugged from the network and rebooted; organisms cannot."
So, is he really implying (God I hope not) that most exploits can be solved by unplugging the computer from the network and rebooting???
I hope not, and maybe its just the way the AP story was written, but it sure sounds like a dismissal of most of the Windows security flaws.
The trouble with diversity (Score:5, Interesting)
However, diversity of computers fosters a much higher learning curve to a machine that is already far more complex than 80% of the people using them understand. I'm a proponent of unity in the field of computers in that the UI of any OS should be the same as EVERY OTHER UI. This promotes a uniform learning curve for everyone so that learning one machine or OS does not restrict a person to that particular product or platform for life.
People want to learn as much as they need to - and not have to constantly relearn it - in order to do the things they want to do with the computer. Imposing 'bio-diversity' on the operating systems of the world will only create sub-monocultures between which comparability issues and cross learning would be difficult for most to handle unless the UI for each system is essentially the same.
I'd REALLY like to see Linux be available to anyone without having to have any knowledge of Unix protocols, have the same driver support and always be able to run ANY program regardless of the original OS requirements without having to constantly tweak everything into compliance. If anyone knows a way of doing this, or if it's already been done and you know how, PLEASE post it here.
Re:The trouble with diversity (Score:4, Insightful)
Solution: Multi-OS Boxes (Score:5, Informative)
On high-reliability systems (Space Shuttle [gvsu.edu] & X-29 [nasa.gov] flight controls), multiple redundant subprocessors attempt to compute the same answer. If the subprocessors get different answers, the majority-rules and the system logs the exception. If each processor ran independent code, then exploits of any one codebase would be detected and disinfected. A multi-system with one exploited/infected codebase would continue running while ignoring the output of the infected subprocessor.
The system would still have some vulnerabilties. Simultaneous attack on a majority of the codebases might succeed in redefinig the majority to suit the malware. Also, codebase independence is very hard. More than likely several codebases might share the same fault (e.g. a buffer overrun bug). Attacks on the overseer/majority-rules system might also succeed. Finally, if the standard has an exploit (e.g., decrypting WiFi WEP), then all codebases implementing the standard are vulnerable.
The biggest downside is bloat and cost. But at least it would give people a reason to buy the latest greatest chips from Intel, AMD, IBM, etc.
Some things the DoD and others do... (Score:5, Informative)
Anyway, something the DoD and others have done for some time is to have triple barriers for certain things like firewalls. So instead of having the same firewall product and system all over the place, for each firewall, you have a series of 3 systems: one is a "hardware" firewall (an appliance basically), followed by two different firewall products running on two different architectures. This way a single flaw on one firewall or system will not comprimise overall security.
They also turn the IT infrastructure into compartments, each walled out with firewall groups. So you have one compartment for front-end servers, one for desktop users, one for your data, etc.
Yeah it adds to complexity, but this is what the paranoid types do to give themselves peace of mind.
At least get the name right: (Score:4, Informative)
-dave
ahh, the irony... (Score:5, Insightful)
Comment removed (Score:5, Interesting)
Limited Genetic Diversity (Score:5, Interesting)
Diversity is great... (Score:5, Insightful)
M$ tight integration could cause more harm ... (Score:5, Interesting)
Last week a client of mine wanted me to do some work on his computer and to remove M$ IM on WinXP. You try it, it will tell you that WinXP depends on some functionality of IM. What? The OS needs this crummy application you can get for free somewhere? If that is really true, then no wonder their system is so freaking vulnerable to all kinds of things.
just about anyone who write large software knows that u have make it modular design and if possible striving independent modules as possible to reduce risk and propagation of faults. consider this, even after the trial, M$ still continues to bind unrelated OS functionality with applications. Apps and OS services are completely different.
while M$ tries to give you a big bloated piece of software with OS and THEIR apps tightly integrated. look at what the people doing micro-kernels are doing. they are trying to make the kernel as simple as possible (hence easier to debug, understand, etc.). Then, the OS services are just apps (again, very independent form each other--though they may use the services provided by the other). but their is no need for that particular app, just any app providing that service.
The Wall has been Breached (Score:5, Interesting)
The best way they can disentangle their products is to force Microsoft to publish their protocols, so others can build competitive products that can integrate cleanly.
Perhaps their software should be declared an "essential service", much like teachers and hospital workers here in Canada. When teachers/medical workers strike for too long, the government steps in and says "get back to work, you're essential to our functioning as a culture".
The bottom line is Bill Gates and his minions are liars and can't be trusted. They comply to every defeat dealt to them with their middle finger raised, and then go right back to abusing their position in the marketplace. The only rules Billy plays by are his own, and the only reasonable way to deal with him is to be unreasonable in demanding he comply.
DevX article author is a tool (Score:5, Insightful)
OTOH, with any closed source system, you have no code review. You have no chance to spot a security hole, purposeful or not. With CS, you simply have no chance.
Let's review: with OS, you have the opportunity for exposure, but also the opportunity to catch it. With CS, you have no opportunity to know anything. Sounds like the old free markets argument to me. The only person who would really support the CS position is an uniformed tool.
Word of the Day: frisson (Score:4, Interesting)
frisson
n : an almost pleasurable sensation of fright; "a frisson of
surprise shot through him" syn: shiver, chill, quiver,
shudder, thrill, tingle
Overall, this is one of the best written articles I've read in quite some time. The author lets the intelligence of his sources shine clearly. And it's always nice to learn a new word.
is not monoculture, is evolution. (Score:5, Insightful)
connected to Internet in the world?
A: IPV4
Q:What is the single mail protocol used by all
computers connected to the internet?
A: SMTP
Q:What is the single protocol used to search the
Internet and exchange most information over the
Internet?
A: HTTP
According to evolution, diversity is the
consequence of adaptation.
Specialization, Mutation, Adaptation.
Adaptation is the
consequence of a changing environment. A
changing environment is the consequence of a
finite amount of resources and competition.
The Internet in it's current stage resources are
plenty and competition is little.
Internet is currently in the specialization
stage. The Internet has not being forced(YET) to
depart from it's standard protocols (mutate) to
survive an attack.
Forcing diversity (by mandate rather of natural
competition) not only makes the system less
robust, it slows down evolution.
Re:is not monoculture, is evolution. (Score:4, Insightful)
Simulation (Score:5, Insightful)
My paper on worm propagation [lemuria.org] from last year (just updated with some more data) shows very clearly what a monoculture does.
I assumed 40 mio. vulnerable systems in it and showed how a malicious worm can wipe them out in minutes.
Some of the advisories that eeyes still has on the unpublished list estimate 300 mio. vulnerable systems.
We've been talking about flash and warhol worms for years now. With each passing day I'm more surprised that it hasn't happened, again.
Nothing new (Score:5, Interesting)
Which Culture? (Score:4, Interesting)
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo [yahoo.com], talking about Dan Geer and his thoeries of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Mam
I found it intriguing that, as the AP article mentioned:
Why hasn't Mr. Cooper, the media, and suposed security experts who promote U/Linux as a safe alternative, acknowledge that U/Linux also have their share of security advisories? Take a look at Secunia [secunia.com] and their product listing [secunia.com]. Doesn't anyone care that Solaris 9 [secunia.com] had more advisories (42) in 2003 than Windows 2000 Server [secunia.com] (36)? Doesn't it scare anyone that, while Windows XP Home edition [secunia.com] had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 [secunia.com] had 186!
Doesn't Open Source claim [devx.com] to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension [sun.com]. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Miopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is s
"Big News" Fueled by a Slashdotting? (Score:4, Interesting)
Now, that didn't happen in this case, as the story was already on the front page before Slashdot linked it. But it could happen, no?
Re:Rememebr folsk the def for monoculture (Score:5, Funny)
Re:These reporters are a little bit confused... (Score:5, Insightful)
Specifically, overflow attacks like to jump the program to the buffer they have written, or a copy thereof. And in that buffer the code needs to reuse existing imports (library calls) so that they can do bad things. If everything moved around during load, exploitation would be harder. Then again, so would processing a core dump
personally, I think there is a better solution, stop using 'buffer overflow' languages like C, C++. Anything else: perl, python, java, C# is more secure. Why are all our systems built on such a foundation of instability?
Re:These reporters are a little bit confused... (Score:5, Insightful)
What's nonfunctional code doing in there in the first place? I've lost count of the number of times someone has posted on LKML, "I'm removing frobnicate_foo() because I just rewrote the last place that calls it and it's not needed anymore," or, "I just realized that nothing calls x() anymore, so here's a patch to remove it."
Re:WARNING! (Score:4, Informative)
The integration of the browser's ability to directly run code in Windows is the big hole that Microsoft has failed to fix. Integration of user software, such as Outlook or Office, directly to the operating system makes Windows the virtual equivalent of a petri dish for the internet and giving every 11 year old hacker the ability to cripple corporate networks globally.
Re:cant deny msoft does good things also (Score:5, Insightful)
What has microsoft actually created that anyone is intested in?
The browser? no Netscape developed that.
Graphic interface? No Xerox and Apple developed that
digital music? no MP3 and Napster developed that
Plug and Play? no Apple developed that
desktop publishing? once again Apple
multitastking? Unix
desktop video? Amiga
DOS? bought from another company
Perhaps MS developed some business apps, but I suspect that eveything in the Office suite was developed by some one else first.
Please give me some examples of any tech, that is worthwhile, that MS pioneered. I think virii and adware are the only techs that MS truly owns.
Comment removed (Score:5, Insightful)
Comment removed (Score:4, Insightful)