Dan Geer's Monoculture Bomb Goes Off

Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."
  • by yagu ( 721525 ) on Wednesday May 24, 2006 @01:39AM (#15391944) Journal

    One time at work, I was working on code when a rumbling spread across the floor, up and down the building -- people were losing access to their machines, in our MAJOR CORPORATION! Some virus had invaded the corporate network, machines were in infinite recycle loops.

    Until the noise was loud enough, I hadn't noticed. I was working on my code on my linux box. And, it was code compatible to be used on the same project everyone else was developing on their Windows boxes. Interesting.

    Ultimately, the monoculture in my office got me too because of my dependency on shared drives running on infected Windows machines. It took at least one day to get machines half way back to normal.

    I hate Microsoft, but I think Geer's prediction, and point, are well made without blaming or pointing at Microsoft. A Unix or Linux monoculture could be susceptible to the same result (though I think with much more expended effort to achieve the same catastrophic result).

    • Unix or Linux monoculture could be susceptible to the same result

      Except with the gazillion different Linux distributions, each featuring different versions and alternative applications, how the hell can you reach a *mono* culture?
      And that's only counting Linux-based open source operating systems. You also have the *BSD family, and newcomers like OpenSolaris, etc.
      Now just add in the fact that you can run Linux on a hell of a lot of different processors...

      Except if suddenly a unique disto - like, say, RedHat Enterpris

      • Except with the gazillion different Linux distributions, each featuring different versions and alternative applications, how the hell can you reach a *mono* culture?

        Given the mass disk imaging techniques currently in use at many corporate sites in lieu of traditional installations, and given the ability for Linux sysadmins to lock down end user boxes so that only the central admins could install software, I could certainly see a "monoculture" being a very real possibility at a given site even when running Linux in a corporate context.

        Now, whether or not that monoculture represents the same kind of risk that a Windows monoculture does is a different question. :-) But there is still some risk.

    • [ /me buys Dan a $virtual-beer ]

      Suggest you install some Samba servers, and migrate the Windoze shares over for security + reliability.
  • by XanC ( 644172 ) on Wednesday May 24, 2006 @01:40AM (#15391946)
    The word "proprietary" is introduced at the end of the summary. It's something of a non-sequitur because up to that point, the discussion has been about monocultures, which looks like an orthogonal issue.

    It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.

    • [...] crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.

      Why isn't that an option with Word? Isn't that what OpenOffice is -- a program that was "written implementing the same functionality" ?

      • What's at the real heart of that issue is that Microsoft Word does not and never has interoperated with anything without reverse engineering or hacking. I have entire labs that, though converted from the ODT format to Microsoft Word, will not display any of my equation objects correctly and do not allow me to convert on a non-Math-Type-enabled machine.

        If every software had different implementations of the same ultimate functionality, then there would be no monoculture, as one man's implementation of somethi
        • If every software had different implementations of the same ultimate functionality

          Which is a rather ideal view. Software is always going to have varying degrees of functionality and that's going to make some "proprietary extensions" more desirable than others. Just some examples:

          UNIX -- Everything was standardized in the general sense, but there were so many implementation differences nobody really cares about the standard anymore.

          Web Browsers -- There's always another giant W3C standard you can implement i
    • there are many other programs that exist or could be written implementing the same functionality [emphasis mine]

      While I agree with you broadly, that "or could be written" is the real kicker. If viable alternatives don't exist or aren't widely adopted (eg Opera is a viable alternative to Firefox, but relatively few people use it), you're still going to have a huge proportion of users vulnerable.

      If a viable alternative does exist, then there's cost of switching to take into account - training users, getting s
    • It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality.

      A bug that allows access to the operating system would almost certainly not be in the document format specifications, but in the individual implementation. Therefore, of the many different programs implementing ODF, for example, only one or at worst a few would be subject to the bug.
  • by davidwr ( 791652 ) on Wednesday May 24, 2006 @01:51AM (#15391985) Homepage Journal
    You guys under 25 are too young to remember the Morris Worm, but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disproportionate impact.

    Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.
    • by SerpentMage ( 13390 ) on Wednesday May 24, 2006 @02:14AM (#15392072)
      Wow, we are old ;) I was thinking of the same thing. What worries me about these types of assertions is that Linux is just as much a monoculture as Windows.

      At an OSCON talk, there was this business guy. His assertion was that if Apache were a company then they would be susceptible to monopoly rules like Microsoft should be.
      • Let's just hope the Apache team don't start bundling Firefox with Apache
      • But it's a source monoculture and not a binary monoculture. I think that matters - with a source monoculture, your attack worm has to have semantic information about where to drop its payload, while with binary monoculture the worm only needs to know a particular memory address. So it's definitely safer as long as we have a diversity of compiled kernels, and I'm pretty sure that isn't going away.
      • Just count... (Score:3, Insightful)

        by DrYak ( 748999 )
        Just count how many distributions of Linux exist out there, each one using a different combination of software versions, alternate software for a given task, compiled using different GCC versions, linked against different libraries... on how many different CPUs and architectures you can run Linux... how many other open source kernels exist besides Linux.

        Are you sure the word "mono" still applies ?

        if Apache were a company then they would be susceptible to monopoly rules like Microsoft should be

        Except that M

    • by daivdg ( 930179 ) on Wednesday May 24, 2006 @03:59AM (#15392360) Homepage
      At the time of the Morris worm there was a Unix monoculture, but this was not because it was open source; it wasn't. Please don't confuse the two. Within the Linux community there is diversity, this is a great defence mechanism. Pick a particular type of application and look at how many separate implementations there are. Sure, Firefox is by far the most popular open source browser, but there's also KHTML and several others. Look at the office products and there's way more to choose from.
  • Evolution, ahem (Score:4, Interesting)

    by Dracos ( 107777 ) on Wednesday May 24, 2006 @01:51AM (#15391988)

    Given how easy it is to write MS Office malware, how long until a more advanced version of this worm can search a user's hard drive for other Word/Excel/Powerpoint/Visio documents, infect them, and wait for the next generation of itself to be transmitted?

    If the malware itself could change/adapt/evolve (ie, create new functionality within itself), then MS has essentially created a petri dish out of each install of Office.

    In other words, MS has created a true "software ecosystem".

    • Patent Pending (Score:2, Insightful)

      by davidwr ( 791652 )
      In other words, MS has created a true "software ecosystem".* **

      *Patent Pending
      ** "Software Ecosystem" is a trademark of Microsoft Corporation
  • For end users?! (Score:3, Insightful)

    by hlee ( 518174 ) on Wednesday May 24, 2006 @01:55AM (#15392005)
    I wouldn't want to be a sys admin in a company that had to support OpenOffice, MS Office, StarOffice, XYZOffice. Or had to support Windows (XP, 2000, 2003), Linux, OSX, and *ix. Can you imagine the headache of getting all of them to play nice with each other on a daily basis? There's something to be said about standardization.

    On the other hand, if the sys admin has backups and servers distributed across Windows, Linux, OSX and whatever platforms, that would make sense.

    I mean I can understand the argument that diversity can add a certain degree of robustness, but it also raises the level of complexity of that environment, and that complexity comes with a cost that can be easily more expensive than dealing with the occasional severe threat.
    • Re:For end users?! (Score:4, Informative)

      by misleb ( 129952 ) on Wednesday May 24, 2006 @03:10AM (#15392244)
      In my many years of experience managing heterogeneous environments (Windows, Mac OS, Linux, FreeBSD desktops and servers), I have not found complexity to be a problem at all. What happens is that you miss out on some more advanced features that you might get from going all Microsoft or all Apple. For example, you can't effectively run Exchange and get all of the features that a lot of end users seem to like. Users get accustomed to using more generic protocols like IMAP and POP for email and maybe some web based calendar system that you install.

      In many ways a heterogeneous environment is actually LESS complex than a homogeneous environment. You either end up using very simple, common protocols or you isolate your users. Put the Windows users on a Windows server and Mac users on an OS X server, for example, which isn't necessarily a bad thing. Usually Mac and Windows users have different organizational roles anyway and the Linux users don't like the Mac and Windows users. Everyone is happy. ;-)

      Seriously, it isn't bad. And people are happy using the desktop of their choice. But sometimes I guess you really need the kind of "features" that only a monoculture can bring. It's a trade off, for sure.

    • I wouldn't want you to be the sysadmin either.

      Sysadmins rarely support end-user applications. We usually only support the servers and OSes.
  • by Sycraft-fu ( 314770 ) on Wednesday May 24, 2006 @01:56AM (#15392007)
    I mean the ultimate objective behind OpenDocument is to obtain a monoculture in the document formats. That different things implement it isn't relevant. Why? Well most likely there'll be reference code and documents to do that, and most likely people will follow those most of the time (why reinvent the wheel?) and thus if a bug happens, most things will be vulnerable. You see this with things like the libpng bug that affected so much software.

    So, why tolerate this? Well because I for one don't want to have to play with interoperability nightmares. I want a single document format I can share, I want standards in how computers operate so I don't have to relearn everything every time I sit at a new workstation.

    The magic of computers is really their ability to share information, and for that to work effectively, standards have to develop and prevail. I do not want to work in a world where my word processor has 150 different save formats and I have to pick the right one depending on the institution with which I'm communicating. I do not want a world where there are 50 different prevalent microarchitectures and no software runs on more than a handful, and so on.

    We have to accept that we can have diversity only to a degree. There has to be common grounds. Yes, those are going to be potential points for an infection to pass. Well, that's unfortunate, but it's simply something we need to live with if we want easily interoperable computers.

    Just breaking things in to a "duoculture" wouldn't really solve much. I mean let's say we achieve that with Linux, 50% Linux, 50% Windows. Ok fine, what happens now, in addition to exploits that happen to affect both, is that stuff still spreads, just among its subset, or malicious authors start making viruses have dual payloads that execute the right one on the right platform.

    To really have any significant effect, you'd have to have hundreds of different types all mixed together that were minimally interoperable. For example Linux running Wine to use Win32 programs does no good, now it executes the same code and thus is vulnerable in the same way.

    Trying to avoid common systems and formats for security may be valid in an isolated, secure environment but it just doesn't work in computing at large. We want interoperable computers and we strive for it (well, some companies like to try and stand in the way of that). That, by necessity, means that there are more possible vectors for infection. Hell, when you get down to it, we could really clean all this up by eliminating the TCP/IP monoculture. If every organization used their own proprietary network, then it'd be real hard for an infection to spread outside an organization. However I hardly think that's the answer.

    To me his piece seems like just so much anti-MS rhetoric. He's pushing ODF, which is a standard intended for interoperability, intended to create a document format monoculture. Yes, any word processor could use it, but like I said, that doesn't really gain you anything. He seems to be pushing for switching from one to another, rather than pushing for real fragmentation.
    • This is the very reason we need to have open standards. If the standard is robust and exploit-proof, then the only exploits will be in the implementations. Many different implementations eliminates the monoculture problem.

      From time to time we discover standards have holes in them. When the holes are serious, such as a fundamental flaw in a cryptography standard, it must be abandoned. However, most of the time the holes can be worked around or the standard can continue albeit with reduced functionality,
      • The original TCP/IP standards had holes which were initially patched by vendors, or customers for source-licensed code, turning off functionality until the standards could be revised.

        I don't think he was talking about flaws in TCP/IP itself, but more the general point that if you were only on an IPX network, you would be immune to TCP/IP-based attacks. Which is true, but not a good enough reason to not use TCP/IP.
    • The problem isn't a data monoculture. Standard formats for data are great things! But in computers, monocultures of operating systems and executables, particularly automatic and insecure ones like those rife on Windows and Outlook and Office, are dangerous things. I doubt you'll be seeing a file that infects OpenOffice users on load on Windows, Mac, and *nix machines.
      • Unless it's a vulnerability in the spec. But yes, fully-open specs are exactly what the doctor ordered, as it would solve most of the problem.
      • For example, look at the list on the libpng problem I noted. I mean my god, that's a ton of platforms. Windows, MacOS, multiple Linuxes, multiple browsers, etc. The problem is that they all implemented PNG and for simplicity, they were all using reference code to do it. Thus the exploit, found in that code, applied to all of them.

        I'm not saying that's not harder to exploit than a bunch of systems 100% the same, I'm saying it's still a problem. If you REALLY want
    • He's not talking about a document format monoculture, he's talking about an application monoculture. Sure, document format monocultures come with their own dangers, but they're more like transmission mediums than points of failure. It's like the difference between sharing someone's language and sharing their DNA.

      Viruses and other nasties generally rely upon faults in program implementation to infect and wreak havoc. Generally speaking, document formats are without fundamental flaws to exploit. And if th
    • Well, if I understand both those biology and computer monoculture things correctly, then you do not have to have completely different "implementations". As with everything, we're not going to do X amount of work which will result in 100% of the problem solved - it will be more like "we do this Y and we mitigate the risk by say 60%, we do Z and we lower the risk by another 20%, etc.".

      Lets elaborate. I start by limiting following ideas into a) PCs and b) people (homo sapiens). Then I follow by making analogy

  • by sentientbrendan ( 316150 ) on Wednesday May 24, 2006 @02:08AM (#15392048)
    if it has happened before. There have been numerous scripting exploits in word...

    Also, predicting a security vulnerability in ANY piece of software is like predicting rain. It is *going* to happen, it is not impressive at all, and proves nothing when it happens.

    It would in fact probably stop the flow of viruses if most computers all ran different operating systems (if there was no 90% majority of any system), software etc. I think this is fairly obvious.

    One thing to consider though is that it would also have additional costs associated with training for most companies. Also, in terms of operating systems, no majority platform makes it more difficult for developers to make a profit since everyone is feeding off a tiny segment of the market.

    The unices have survived by adopting source level compatibility to broaden their effective market share, and above all by specializing. Apple has also survived by pandering to specific markets (education, graphics artists, home users) at the expense of other markets (business). The problem with having no majority operating system is that you can no longer build a general purpose computer that does everything. Instead one must dual boot, which is what linux users have done for a long time and what mac users are doing now that they can. Now, multi booting isn't the worst thing in the world, but it is an inconvenience.

    The last and most problematic issue of having no majority operating systems is drivers. One might think that hardware manufacturers would be most likely to be forced to write their drivers for multiple systems, instead of just windows as they do now, but this is not realistic. A no majority operating system is going to be an environment with lots of highly specialized operating systems. Makers of uncommon hardware are still going to only support one platform, the one on which their hardware is used. If you need to use two specialized gadgets, you are probably going to need to set up two different computers, or dual boot.

    Possibly multiple operating systems could adopt the same driver model, but I have to ask why that isn't happening right now when it is already advantageous for linux and others. Right now the only operating systems capable of using foreign drivers that I know about are FreeDOS and ReactOS (using DOS and Windows NT drivers respectively, of course). Frankly, it would be a big boon for the desktop market and others if Linux or FreeBSD could use stock Windows drivers... but I suspect there are some technical problems with this. Linux developers have always quoted as a reason for not maintaining binary compatibility with drivers that they didn't want to impose arbitrary restrictions in the kernel. My suspicion is that compatibility with Windows drivers, if technically feasible at all, would have performance issues for Linux. Would someone more familiar with the kernel and the Windows driver model care to comment?
    • FreeBSD can use windows network drivers - look up the appropriately named "project evil".


    • Frankly, it would be a big boon for the desktop market and others if linux or freebsd could use stock windows drivers... but I suspect there are some technical problems with this.

      Big boon? Short-sighted users and developers may think so. It is difficult to get hardware documentation from some major vendors (NVIDIA, for instance), and embracing binary drivers certainly does not help at all.

      So what does the Linux crowd do? Join OpenBSD in pressuring hardware vendors to release hardware documentation? Oh

    • Also, predicting a security vulnerability in ANY piece of software is like predicting rain. It is *going* to happen, it is not impressive at all, and proves nothing when it happens.

      Predicting a security vulnerability is like predicting rain. It's going to happen. Some will get wet.
      But this is more like predicting a storm resulting in catastrophic landslides killing millions, as a result of mass replacing the natural varied environment with monoculture plantations on the slopes of mountains over cities. It's no
    • The problem with having no majority operating system is that you can no longer build a general purpose computer that does everything.

      Er, such a computer does exist, and is used every day by millions of people, and lots of OSes work just dandy on it. Oh and you're taking away from the underlying fact that a corporate monoculture breeds laziness and inefficiency; par example, MS with all its billions and thousands of developers, developers, developers, should be lashed with a paddle for not getting everythi

  • From an organizational point of view (be it a company, a government department, whatever), while it's true that a monoculture introduces security risks, a 'polyculture' introduces other problems - complexity in terms of patch administration, help desk, staff training, desktop imaging, license compliance, etc etc. This is precisely why organisations generally standardise on a single product + version - regardless of the underlying format.

    Switching to an open format (eg ODF) does not imply a polyculture, it j
  • Uhmm (Score:5, Insightful)

    by NitsujTPU ( 19263 ) on Wednesday May 24, 2006 @02:23AM (#15392096)
    from those that subsist in a proprietary monoculture.

    Actually, that would be a "monoculture," not just a proprietary one. If everybody ran Linux and such a vulnerability existed, the same thing would happen.
    • Re:Uhmm (Score:5, Insightful)

      by Vo0k ( 760020 ) on Wednesday May 24, 2006 @02:52AM (#15392185) Journal
      If everyone was running the same distro of Linux in the same config.

      If I pick Qmail, I'm immune to Sendmail holes. If I pick KOffice, screw OOo bugs. Many Apache exploits hit my webserver running on Boa. If Firefox is compromised, I can pull out Galeon. If I get a Thunderbird exploit, Pine ignores it.

      Microsoft is a very deep-reaching monoculture. Not just Windows. You can expect the Windows computer will run MS Office, cooperate with Exchange through Outlook or Outlook Express, use MSIE for the web, the webserver will be IIS, the database will be MSSQL or Access (and predictable which where), so you get lots of machines running all the same software. In case of Linux, thanks to the multitude of choices the users have, there is no monoculture, each install is custom-made.
    • by Tom ( 822 )
      If everybody ran Linux and such a vulnerability existed, the same thing would happen.

      Maybe, maybe not. Remember that many exploits (such as buffer overflows) are sensitive to the precise binary version you use. The ancient ssh exploits, for example, required different parameters depending on their target (i.e. Debian, Redhat, etc. - often even different for different releases).

      So if everyone ran Linux, then most likely there would still be 5+ major distributions in 10+ release versions. Plus a lot of people
    • I guess your remark is just linguistic. 'Proprietary monoculture' is a pleonasm. When stuff is open source, stuff will diversify. There will always be stubborn people thinking they can do it better, or at least different. Any successful OSS program has many forks. For every single task on your PC, there are a hoggilion different OS-apps available. In the small Linux world, more word processors are in active use than in the 20 times bigger Windows world.

      'Proprietary monoculture' is only a pleonasm. Nothing to
  • I use Word on four computers, and I haven't seen this infection.

    Hmm, maybe because unlike in biology, we can easily fix computers without years of clinical trials and research studies.
  • by Thornkin ( 93548 ) on Wednesday May 24, 2006 @02:41AM (#15392152) Homepage
    The whole concept that diversity somehow protects from viruses is ludicrous. It may stop a universal outbreak by limiting it to some subset of the population, but if you are part of that vulnerable population, a virus is no less devastating. Empirically, when there *was* a diversity of computer operating systems, viruses *still* ran rampant. Think about the late 1980s. There were substantial populations of MSDOS, Commodore, Apple, Macintosh, Amiga, Atari, etc. computers around. Most people here are probably too young to remember but there were a lot of viruses in those days too. It is not the evil Microsoft monoculture that brought about viruses. They pre-existed that by a long while.

    I would go so far as to predict that a diverse culture of computer operating systems would actually *increase* the damage viruses can do. Sure, a single virus couldn't take down everything at once, but there would also be far fewer resources thrown at stopping any given virus. Antivirus software would have to be written and maintained for each platform. Security vulnerabilities would have to be patched for each platform. Each time you diversify the culture, you increase the amount of redundant work needed to keep the entire population safe. Fewer resources means more vulnerabilities and slower response times. That, in turn, would mean more viruses doing damage in the real world.
    • by ArghBlarg ( 79067 ) on Wednesday May 24, 2006 @03:25AM (#15392287) Homepage
      ... but if you are part of that vulnerable population, a virus is no less devastating.

      How is this different from biology? The poor moose in the herd who isn't immune to spongiform encephalopathy isn't protected by the diversity of his herd-mates.. but the herd as a whole is. The analogy does hold.

      Your point about multiple architectures dividing the attention of the antivirus community might be true to some extent -- but on the other hand, there might just be more jobs for people writing antivirus programs for all those extra operating systems.

      It isn't ludicrous that diversity protects us, as a whole community, from viruses. Some may be hit, but the rest can keep computing. That's the point.
    • While you are right that each subset of the population would still be vulnerable to their own viruses, there is one key point to keep in mind. The rate of infection of new hosts increases geometrically with the percentage of susceptible hosts. A Windows virus in an all-Windows environment spreads like wildfire, because nearly every infection attempt will succeed and continue propagating the virus. In a mixed environment, the rate will be much lower, because the infected hosts will either (a) blindly pick t
  • by louarnkoz ( 805588 ) on Wednesday May 24, 2006 @02:41AM (#15392153)
    The "monoculture" argument draws upon the analogy between epidemics among living things and computer epidemics. But it is a false analogy.

    An epidemic keeps propagating if, on average, an infected subject infects more than one target. If it infects less than one, the next "generation" will be smaller than the previous one, etc. The number of infected targets depends on how many contacts the subject has, and how many of these get infected.

    For human infections, an infected subject contacts family members, maybe schoolmates and coworkers. On average, it takes more than a simple casual contact to get infected. So, the number of contacted targets is small. If enough are vaccinated, or otherwise invalid, the average number of infected targets drops below 1, and the epidemic stops. The interesting result is that the infection stops before every potential target is infected. A typical infection affects a city or a province, and then stops.

    Computer infections are very different. A virus-infected computer can contact thousands of other computers. Even if many are protected, chances are that many more than 1 in a thousand will be infected. Computer viruses can spread very fast!

    Diversifying with two or three brands of software will maybe minimize the results, but cannot stop such infections before all vulnerable machines are infected. To limit the infection to "a city or a state" when a sick machine contacts thousands of others, something like 99.9% of the machines must be either "different" (diversity) or "vaccinated" (anti-virus, etc). Unless you are ready to manage diversity by running a thousand different brands of software, the anti-virus route looks much more realistic.

    -- Louarnkoz

    • The analogy is not necessarily false when you introduce the factor of human interaction into the equation. Since computers are operated by humans, and a very large percentage of malware depends on human interaction, the lack of enough potential hosts can indeed make the spread of certain types of malware impossible.

      For example, if a person must open up a email attachment and execute some bad code in order to get infected and spread the worm further, potential targets are a large factor in the ability of the
    • The idea of diversification is threat mitigation. If one part of the company is down with a virus, the rest of the company can continue as normal; instead of telling everyone in the city to stay inside, you tell, for example, people with red hair to stay inside. Everyone else is unaffected and can continue normally. Yes, you may be at risk from more vectors, but each individual vector is less threatening to the continued survival of the system as a whole. It's simple business continuity practices, really.
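The branching-process reasoning in this subthread (an outbreak keeps growing while each infected host produces more than one new infection, the rate climbs with the share of susceptible hosts, and the share that must be "different" or "vaccinated" depends on how many contacts an infected machine makes) can be worked through numerically. The following is an added example, not code from the Slashdot thread or any poster: a deterministic mean-field model with constructed parameters. The names Population, reproduction_number, diversity_needed and simulate are chosen here, and the success probability per contact (1%) and population size are assumptions; it also generalizes the posters' reasoning by computing the non-susceptible threshold for any contact count.

```python
"""Mean-field model of the monoculture epidemic argument.

Added example with constructed parameters; not code from the Slashdot
thread or any poster. Each infected host reaches `contacts` other hosts
per generation; a contact produces a new infection only if the target is
still susceptible (runs the vulnerable software) and the attempt succeeds
with probability `p_success`. The expected number of new infections per
infected host is therefore contacts * p_success * susceptible_share.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Population:
    size: int                  # total number of hosts
    susceptible_share: float   # fraction running the vulnerable software (the monoculture share)
    contacts: int              # hosts each infected machine reaches per generation
    p_success: float           # chance that a contact with a susceptible host infects it


def reproduction_number(pop: Population, susceptible_remaining: Optional[float] = None) -> float:
    """Expected new infections per infected host (R); the outbreak grows while R > 1."""
    share = pop.susceptible_share if susceptible_remaining is None else susceptible_remaining / pop.size
    return pop.contacts * pop.p_success * share


def diversity_needed(contacts: int, p_success: float) -> float:
    """Fraction of hosts that must be non-susceptible (different software, or
    patched / 'vaccinated') for R to be below 1 when the outbreak starts.

    R = contacts * p_success * share, so R < 1 needs share < 1 / (contacts * p_success),
    i.e. the non-susceptible fraction must exceed 1 - 1 / (contacts * p_success).
    """
    r_full = contacts * p_success
    if r_full <= 1.0:
        return 0.0               # dies out even in a complete monoculture
    return 1.0 - 1.0 / r_full


def simulate(pop: Population, seed_infected: int = 1, max_generations: int = 100) -> List[float]:
    """Cumulative infections per generation, using expected values (no randomness).

    Stops when fewer than half an infection is expected in a generation
    (the outbreak has effectively died out) or when no susceptible host is left.
    """
    susceptible = pop.susceptible_share * pop.size - seed_infected
    infected_now = float(seed_infected)
    total = float(seed_infected)
    history = [total]
    for _ in range(max_generations):
        # Each currently infected host reaches `contacts` hosts, of which a
        # fraction susceptible/size is still vulnerable; a fraction p_success of those fall.
        expected = infected_now * pop.contacts * pop.p_success * (susceptible / pop.size)
        new = min(susceptible, expected)
        if new < 0.5:
            break
        susceptible -= new
        infected_now = new
        total += new
        history.append(total)
    return history


def final_size(pop: Population) -> float:
    """Total hosts infected once the outbreak has run its course."""
    return simulate(pop)[-1]


if __name__ == "__main__":
    # Constructed scenarios: 100,000 hosts, each infected machine reaches 1,000 others,
    # 1% of attempts on a vulnerable target succeed (R = 10 in a complete monoculture).
    for share in (1.0, 0.5, 0.05, 0.0005):
        pop = Population(size=100_000, susceptible_share=share, contacts=1000, p_success=0.01)
        print(f"share={share:<7} R0={reproduction_number(pop):5.2f} "
              f"final infected={final_size(pop):10.1f} generations={len(simulate(pop)) - 1}")
    # The thread's own figures: thousands of contacts and every attempt succeeding.
    print("non-susceptible fraction needed (contacts=1000, p=1.0):", diversity_needed(1000, 1.0))
    print("non-susceptible fraction needed (contacts=10, p=0.3):", diversity_needed(10, 0.3))
```

With these constructed numbers a 50/50 split still ends with every susceptible host infected, while a 5% share (R = 0.5 at the start) never gets past the first host; with the thread's own assumption of a thousand contacts and certain infection, diversity_needed returns 0.999, the 99.9% figure above. The "vaccinated" case is modelled the same way as diversity: a patched host simply counts as non-susceptible.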
  • easy (Score:2, Informative)

    by m874t232 ( 973431 )
    It's easy to predict what has happened thousands of times before. It's hard to predict the future.
  • by Beryllium Sphere(tm) ( 193358 ) on Wednesday May 24, 2006 @03:01AM (#15392209) Homepage Journal
    Is the problem that we have a monoculture, or is it the quality level of that monoculture, or is it that we don't have barriers and quarantines to limit damage?

    Thought experiment #1: you have a choice of a diverse world where Apple, Microsoft, Sun and everyone else has written their own sshd, or a monoculture world where everyone runs OpenSSH. Which would you choose?

    Thought experiment #2: how worried would you be about monoculture if the operating system on 95% of computers were OpenBSD? SELinux?

    Thought experiment #3: before malware enters your body it has to run the gamut of being stuck to mucus and swept out, being sneezed out or coughed out, being hammered by natural antibiotics, being dropped in acid, and potentially being expelled from the digestive tract if found to be toxic. Do our computers have an equal or similar level of protection against unfriendly programs?
    • Well... if everyone ran OpenBSD, there would certainly be some "user-friendly" tricks to make certain procedures easier. Like running programs directly from an email client. Or perhaps there would pop up warez-sites for OpenBSD, where you could download the new "cr4ck patch 4 Ph0t05h0p".

      OpenBSD is secure *by default*. OpenBSD is not secure if subjected to braindead users, who think they know better or just don't care, as long as they don't have to type a password.

      Yeah.. I do think a diverse environment will
  • I predict that because of ... monoculture... whatever... err microbiology, nanoparticles and so on, a virus for Vista will be created.

    That's it. In one year Slashdot will write about me and how my amazing prediction came true: how the hell can I be so smart as to ever guess this coming?!
  • by Budenny ( 888916 ) on Wednesday May 24, 2006 @03:11AM (#15392247)
    Isn't it the MS Product Management culture?

    You have a PM who is measured on sales. Sales by now are hugely upgrades. The only way to motivate upgrades is new features. So you introduce them, whether they are really needed or wanted, or not. They are then heavily used by the salespeople, before the sale, selling to people who are not the end users of those features.

    And so it comes about that IT buys, and what the ordinary user thinks of as a glorified on screen typewriter actually becomes, via Word macros, a powerful if flawed programming language, and what the end user thinks of as a document becomes a program that can wipe his hard drive or change anything at all on his machine it chooses.

    This is not about mono culture versus poly. If you had twenty different PMs behaving like this across the whole industry, it would be as bad or worse. It's about feature driven business models in areas where the buyer is not a sophisticated end user of the products. IT buys Office. What does IT really know about using Word to write? Hosts of features can be sold to IT that could never be sold to the people who use the stuff....
  • by Enderandrew ( 866215 ) on Wednesday May 24, 2006 @03:23AM (#15392280) Homepage Journal
    Big corporations love stability. They love consistency. They fear the unknown. They love going with the de facto standard, and keeping it standard across the board. So while people may argue against monoculture, don't expect it to change in big corporate environments.

    And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products.

    • "And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products."

      The fact that Microsoft's products are targeted _is_ a direct effect of the monoculture that exists. If Word were used by 20% instead of 95% it wouldn't be such a nice target, and if it were to be targeted the effect wouldn't be as severe, and the rate at which it spreads wouldn't be as fast.
  • The other reason for the attack being Word-only is down to the number of copies of Word which are used day to day compared to the alternatives. As Star Office/Open Office etc. become more popular the number of attacks will increase.

    The same thing is true for Firefox: the browser with the biggest market penetration is the one which will suffer the attacks.
  • by Tom ( 822 )
    Four days ago, Dan's prediction came true ...for the 200th or so time. Remember Outlook? The corporate mail system monoculture? At home, it might have 20% or so of the market, but it's big with business users.

    True, the Word thing is more nifty, because people don't expect it, and it's not a macro virus. But even so, this is hardly the first time MS users get bitten exactly because they are MS users.
  • by erwejo ( 808836 ) on Wednesday May 24, 2006 @03:57AM (#15392353)
    While I do enjoy someone writing a think piece on the idea of the dangers of a mono-culture, this work has been thoroughly researched by Stephanie Forrest at the University of New Mexico via the Santa Fe Institute and the complex systems program at the University of Michigan. For anyone that wants to actually learn more about the application of immunization models to computer security, I suggest you check out her research.
  • "One of the reasons that birds feed in flocks is that it means more eyes to watch for danger. Most of the time, at least one member of the flock will see the hawk coming and sound the alarm." - Hawks at the Feeder

    The moral is obvious: living in a "proprietary monoculture" can reduce your risks.
  • by Theovon ( 109752 ) on Wednesday May 24, 2006 @07:54AM (#15392949)
    From this, we learn the lesson that we don't have to have a single vendor in order to have universal interoperability. This funny thing called "open standards" allows numerous different vendors to interoperate with each other. And then apps live and die by how user friendly they are and how well they support the standards.
  • by Jonathan ( 5011 ) on Wednesday May 24, 2006 @08:30AM (#15393100) Homepage
    From the article: "Examples are as plentiful as they are sad: Consider the virus that brought on the Irish potato famine".

    *Viruses* had nothing to do with the Irish potato famine. While there were many factors for the famine, many of them political, the pathological reason was the *fungus* Phytophthora infestans.
  • by ZombieRoboNinja ( 905329 ) on Wednesday May 24, 2006 @08:44AM (#15393148)
    The "monoculture bomb" analogy only goes so far before failing. When we're talking about corn or something like that, obviously a specific engineered disease could cause widespread devastation. But in the computer world, viruses can do far more insidious things than just shut down a network, and a polyculture might actually make that easier.

    Let's say you've got a hacker who wants access to a file on your network that a bunch of users have access to. In this case, the hacker isn't trying to infect ALL the computers; any one of them will do. In this case, a polyculture actually HURTS security, because the hacker only has to find one flaw in any of the many different applications people are running. Can't hack his way into Word? That's okay, some nerd in the office is running StarOffice and he can find a backdoor for that. Or whatever.

    Not to mention, in a monoculture it's easier to standardize training and security. The security guys in an all-Windows place only need to keep up with the (legion) Windows vulnerabilities out there. In a polyculture environment, they have to know about Windows vulnerabilities PLUS Linux, Mac, and all sorts of other vulnerabilities, because one compromised computer can mean a whole lot of lost information.
