...that Greer's against monoculture but doesn't explore the effects of what would be needed to overcome that monoculture.
As outlined in the article (assuming anyone reads it), critics of Greer point out that simply adding a new OS into the mix (dare I say Linux?) wouldn't substantially help. You'd have a duoculture instead of a monoculture. How much more difficult would it be for hackers to create a devastating hack? It even extends beyond OS's. Apache has the majority market share for all web servers worldwide. What effect would a devastating Apache exploit have on such a near-monoculture? Nobody wants to say anything about that, though, because Apache represents the side of good and Microsoft is evil.
To truly achieve the technological equivalent of biodiversity, we'd need hundreds or thousands of OS's and differing applications. The complexity of trying to get all that crap to work together would be impossible, especially since convergence of any two app's/OS's would be actively discouraged to prevent cross-pollination-type attacks.
It's all well and good to bash Microsoft's monoculture. I'm sure there are many here who'll do nothing but that. However, defining the problem is only the first step; you must present a practical, workable solution. Just saying "Linux will fix it all" simply replaces one monoculture with another. But I bet most people here haven't thought that far ahead.
When you consider that email and scripted web pages seem to be the most common source of virus entry, we probably don't need thousands of OS, but probably a handful and a bunch of application choices. Basically what we have now but with a more even level of competition.
As a first step, I would suggest that everyone using MS operating systems stop using Outlook and IE.
As far as integration goes, I think HTML and HTTP, TCP/IP show how easy this can be if we can come up with standards for data formats an
As a first step, I would suggest that everyone using MS operating systems stop using Outlook and IE.
This alone would practically stop 95% of all Internet-based attacks aimed at Windows machines. Which again goes to show that it's not so much the OS that's at risk as it is the applications.
As far as integration goes, I think HTML and HTTP, TCP/IP show how easy this can be if we can come up with standards for data formats and transmission protocols.
I disagree. These protocols do very simple things an
I agree with your comments about security with the standards I mentioned. The point I was trying to get across (not clearly), was that platform neutral standards are a GOOD THING. While the current internet standards have their flaws, I don't think we can deny that they are the biggest reason for the economic/cultural success of the internet and not any specific OS or application. Meaning the web browser is important, not IE or Mozilla, etc.
Platform neutral is always a good thing, but it has a tendency to move slower (sometimes much slower) than any one vendor/developer could. What happens then? Well, if companies A through Y are all clinging to the standard, but company Z comes out with a new "killer" feature, companies A through Y could be in serious jeopardy of being upstaged by company Z. And it's not like it doesn't happen, because Microsoft is the penultimate example of it. Look at how the Internet is now arranged around the needs of
Which again goes to show that it's not so much the OS that's at risk as it is the applications.
Most of the problems with IE have come since it became so tightly integrated into the OS. Outlook is pretty well hooked in there as well. But you're right: browser and mail client monoculture are a big part of the problem as well.
Well, Outlook can be integrated, but if you don't buy Office it can't be.
As for IE, at least MS did something smart by disabling IE in the default install of Win2k3. The result? Win2k3 has had far fewer bugs and exploits than any other MS OS at this time in its development life cycle. Go check the bug rate for NT 4.0 and Win2k and you'll see it. Microsoft is improving. Maybe not as fast as we'd all like, but they're certainly moving closer to where we'd like them to be. Now if only they'd revise thei
OK, you get a B+ for successfully paraphrasing the Microsoft flack's comments.
But did you critically evaluate whether his argument that we'd need ridiculous numbers of OSes is sound? Ireland didn't need thousands of breeds of potatoes for its population to all survive the potato blight; a handful of still-viable varieties would have been enough to feed them.
Likewise, in an alternate universe where the desktop computer landscape today was a roughly even mix of Windows, Mac OS, Linux, BSD, OS/2, BeOS, and
OK, you get a B+ for successfully paraphrasing the Microsoft flack's comments.
If I didn't know better, I'd say that's a derogatory comment. Not a good way to start off your response if you want to be taken objectively.
But did you critically evaluate whether his argument that we'd need ridiculous numbers of OSes is sound? Ireland didn't need thousands of breeds of potatoes for its population to all survive the potato blight; a handful of still-viable varieties would have been enough to feed them.
Neither is parroting a PR-crafted argument from the company that stands to lose most from an avoidance of monoculture.
Or whining that I made a derogatory comment about it.
Ooooooohhhh...testy, testy. Did I disturb that carefully balanced chip that was resting on your shoulder?
By the way, it's not parroting when you're coming up with intelligent comments on the relevant issue. But it does seem you most definitely don't like it when someone exposes an uncomfortable truth to you. Maturity issues, I pre
While the core product is the same, the fact that it runs on dozens of OSs alone makes for a lot of difference. For many low-level attacks, offsets will be different, or compiler flaws exist on one system, but not another.
This is partly true for the Windows world as well. Some of the attacks we've seen recently require slightly different code for XP and NT, for example.
Yes, it runs across more platforms, but the core code across all of them is strikingly similar. Most Apache exploits to date have been completely cross-platform exploits, meaning that it really is more of a monoculture than you might think. No slam against Apache, by the way, but it's the truth.
Yes, it runs across more platforms, but the core code across all of them is strikingly similar.
Actually not even that is true, Apache 1.3.x and 2.0.x are very different (and currently you can still buy something with one or the other from all major Linux vendors).
Most Apache exploits to date have been completely cross-platform exploits, meaning that it really is more of a monoculture than you might think.
Err, I don't think so. I have seen ones that had a table of different "known" offsets for F
OK, let's continue to misunderstand my comment in the most Apache-favorable way, shall we? I never said a damned thing about 1.3 vs. 2.0. Duh! It's rather obvious that these two are strikingly different versions of the same program. But that's not what I was saying and I think you know that. If you don't, you're denser than I thought.
Now, once again, with feeling: the Apache 1.3 core code on any platform is strikingly similar to the Apache 1.3 core code on any other platform. The same thing goes for
But you forget to mention that Apache is much more secure than IIS. Think back a few years. IIS (3?) had a flaw that would let you run any command (e.g. format) if you just typed it in at the end of the URL - ah, the good old days. OK, back to today: Linux and *BSDs are secure from the ground up. Windows is secure from the top down. Which is more secure?
but you forget to mention that Apache is much more secure than IIS.
This is an assertion that cannot be backed up. I've had NT 4.0 webservers that have run years without compromise, and I've seen poorly-run Apache systems that were hacked within 30 minutes of going live. You can say that Apache is much more secure than IIS by default, but an experienced administrator can secure any box, even an IIS one.
It all comes down to knowing what you're doing and which platform you're more familiar with. I'd rathe
And Apache has never had any such flaw? I beg to differ. Apache has suffered several root-access flaws during its development. All of them are now patched, but they did exist. You can say the same thing about IIS 3, IIS 4, and so on.
Your ignorance of the facts kind of paints you as an anti-MS zealot. Perhaps you should try reading up on that which you're so adept at criticizing.
The only problem with your analogy is that Apache (like most OSS) has at least 2 versions and normally many more, which are currently in widespread usage. Also the fact that different vendors patch at different times, and have varying configs. If an exploit is found in Apache 2.0.48, great, but maybe I'm still running 2.0.47 and the bug was just introduced, maybe I'm running version 1 still. This diversity of versions creates a lot of diversity in the Unix world (not to mention each vendor has their own vers
The only problem with your analogy is that Apache (like most OSS) has at least 2 versions and normally many more, which are currently in widespread usage.
Just like Windows has maintained dual code bases with the Win9x series and the WinNT/2K/XP/2K3 series. That doesn't change anything. And even the NT-based kernels are significant variations on one another (at least as significant as the kernel or various Apache versions).
If an exploit is found in Apache 2.0.48, great, but maybe I'm still running 2.0.47
Actually, there's research and literature that examines how big an "N" you need in N-version software diversity for survivability, and it isn't thousands; in fact, many operational high-reliability systems actually only use two versions of software (the space shuttle's computers are built this way as are some aircraft systems). So the comment of needing thousands of OSes really isn't true.
I've been surprised at how much heat and how little light (as in research light) has been applied to this argument. Da
Actually, Apache isn't a monoculture because it doesn't have all of the install base.
Every figure I see talking about Apache puts it at 2/3 the market, with IIS taking up the other 1/3. Of course, that doesn't count the fun variations that all those apps have. Add on that many are running other lesser-known servers, and that the 2/3rds figure is really probably closer to ~2/4ths, and it becomes even less of a "monoculture."
You can't really put Apache and Windows in the same "monoculture" box because you'd
Maybe you can't buy happiness, but these days you can certainly charge it.
Productivity would almost certainly be similarly reduced due to lack of high-level interoperability between these disparate platforms.
Kind of like driving productivity has suffered from the va