Which Culture? (Score:4, Interesting)
Monoculture or Diversity?
The AP ran a story this weekend, captured by Yahoo [yahoo.com], talking about Dan Geer and his theories of how the Microsoft Monoculture endangers computer security. I have concerns.
Although I know this won't fend off the zealots who just need to speak their mind, else their puny little heads explode off of their shoulders, atrophied from lack of lifting their hands any higher than a keyboard, I offer this caveat: What I'm about to present is merely philosophical rambling, curious wonder, nothing more than an innocent what if. It is, in no way, intended to offer an argument, solution, opposition, or anything else that would offend (other than those puny headed, shoulderless freaks).
Just the facts, Ma'am
I found it intriguing that, as the AP article mentioned:
"Steven Cooper, the Homeland Security Department's chief information officer... acknowledged [monoculture] was a concern and said the department would likely expand its use of Linux and Unix as a precaution."
Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia [secunia.com] and their product listing [secunia.com]. Doesn't anyone care that Solaris 9 [secunia.com] had more advisories (42) in 2003 than Windows 2000 Server [secunia.com] (36)? Doesn't it scare anyone that, while Windows XP Home edition [secunia.com] had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 [secunia.com] had 186!
Doesn't Open Source claim [devx.com] to have a better development model by throwing more eyeballs at the source code, thereby eliminating - or minimizing - security flaws earlier?
Missing the forest for the trees
Take a look at this, also from the AP article:
"Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses."
Are these people frickin bonkers? We're barely capable of securing the simplest SMTP and FTP services. Software is already beyond our comprehension [sun.com]. What makes us so arrogant as to assume we can write software that makes other software more secure - without breaking it, without opening unforeseen security breaches? We are decades away from being that intelligent.
Of course, on the plus side of this approach, as software gets more complicated, it will be too obfuscated for the Puny Heads to understand and, therefore, will be a great deterrent for attacks! (Yeah, sarcasm)
Myopic Intelligence
Dan Geer likes to compare the information world to that of biology, equating computer viruses with biological viruses. I have one problem with this way of thinking. Biological viruses simply exist, have always existed and will always exist. They don't have an agenda. They don't have malicious intent. They aren't scheduled or targeted. They are nature. It's the way the system works. The global ecosystem is self-maintaining, self-cleaning and always changing. No good or bad, just the way it is (unless of course, you're one of the organisms destined for cleaning).
How does this differ from computer viruses? Choice. Without getting theological, biology evolves without thought; there is no such thing as a coordinating strategy for doing something that wouldn't have otherwise happened naturally. Computer viruses, on the other hand, are man-made. They are imagined, planned, manufactured and deployed with malicious intent. The designers have made a conscious decision to do something widely recognized as bad.
Dan Geer's culture is that of flowing electrons. It has nothing to do with socio-economic diversities, geopolitical bents or why 27 year old boys who can't find a date would rather simulate guerilla combat from the confines of their childhood bedrooms. His views, much like those of a typical radio talk show host, are myopic, prejudiced and, at the very worst (and quite possibly more dangerous), subjective.
The culture that we should focus on is that of the people responsible for software. Microsoft has taken the initial step to change their internal culture. Their mandate to write more secure software is a good step. You may call it mere marketing, but as long as it actually churns out safer software, then who cares - we all win. We all still wait, with bated breath, to experience the result of their efforts. If they fail in this, if Longhorn has even a single critical advisory within its first six months, then Microsoft is doomed.
Re:Which Culture? (Score:1, Informative)
Why haven't Mr. Cooper, the media, and supposed security experts who promote U/Linux as a safe alternative acknowledged that U/Linux also have their share of security advisories? Take a look at Secunia and their product listing. Doesn't anyone care that Solaris 9 had more advisories (42) in 2003 than Windows 2000 Server (36)?
Doesn't it scare anyone that, while Windows XP Home edition had 32 advisories, Red Hat 9 had more than twice as many with 72? Debian 3 had 186!
Doesn't Open Source claim to have a better
You mention the higher number of security "holes" in various *nix vs MSFT software. If you have a server array with a mix of MSFT, Unix, Linux, Mac OS X and such, you're not going to be completely taken down by a cracker running an exploit against one OS. And if you have fail-over structured properly, you shouldn't see any disruption to service if a machine is successfully compromised. That is the case against a monoculture. Diversity, not absolute security.
Re:Which Culture? (Score:1)
Tangentially, I agree that biology is a poor metaphor
Re:Which Culture? (Score:1)
In defense of Dan Geer's analysis: Biological Systems have been in the making for 500 million years, and predicated upon 4.5 billion years of mechanical evolution. Computers are quite a recent phenom and it is sheer hubris to disregard the complexity of the biological - mechanical - digital interfaces.
My interpretation of Dan Geer's article was the 95% reliance on the Microsoft monoculture had created a fragile ecosystem. Every aspect of R&D, Support, Distribution and Product EDUCATION is now controll