Experts warn Microsoft Windows ‘Monoculture’ is ‘dangerously pervasive’

“Dan Geer lost his job, but gained his audience. The very idea that got the computer security expert fired has sparked serious debate in information technology. The idea, borrowed from biology, is that Microsoft Corp. has nurtured a software ‘monoculture’ that threatens global computer security,” Justin Pope reports for The Rapid City Journal. “Geer and others believe Microsoft’s software is so dangerously pervasive that a virus capable of exploiting even a single flaw in its operating systems could wreak havoc.”

“Just this past week, Microsoft warned customers about security problems that independent experts called among the most serious yet disclosed. Network administrators could only hope users would download the latest patch,” Pope reports. “After he argued in a paper published last fall that the monoculture amplifies online threats, Geer was fired by security firm (at)stake Inc., which has had Microsoft as a major client.”

“Geer isn’t the first to argue that the logic of living viruses also applies to the computer variety, and that the dominance and tight integration of Microsoft operating systems and software makes the global computing ecosystem vulnerable to a cascading failure,” Pope reports. “Geer’s paper did little more than make the point with particular fervor – which only intensified when Geer was fired.”

“‘The hoopla around him losing his job gave the story some extra frisson,’ said Internet security expert Bruce Schneier, a co-author of Geer’s. ‘He got fired because (at)stake wanted to be nice to their masters,’” Pope reports.

Full article here.

MacDailyNews Take: A monoculture is risky, but only really risky when the culture decides, for some daft reasons, to coalesce around a flawed element – in this case, Microsoft Windows. Arguably the worst-designed Mac OS Classic-clone, the Windows OS is broken and IT people who chain their operations solely to Gates’ OS/Office products should be called upon to explain the reasons for making such a costly mistake. And, no, “job security” is not a valid reason, IT folks.

32 Comments

  1. You know, I have no problem with there being multiple different operating systems, and although I’m partial to Mac OS X, I still believe there should be alternatives. Windows is the 800-pound gorilla right now, but if we’re going to be “dependent” on one OS, let’s at least make sure it’s secure. I’m still baffled, as I’m sure many of you are, how people continue to let Microsoft leave open holes in their OS and get off without a penalty. I seriously believe that Congress needs to step in and start levying fines on the OS manufacturers for their major security flaws. It’s the only way to change their behaviour. Otherwise, we’re just going to keep getting hit with virus after virus and nothing more will be done, with the exception of waiting 200 days for a patch.

  2. Matt,
    You’re “baffled” that people continue to let MS off the hook and Congress does nothing in the face of all of this loss and waste of time? Follow the money, my boy, follow the money. That path always tells the truth. You think shareholders or even people with thousands invested in MS-centered home computing garbage are going to admit there’s something wrong?

  3. What’s actually amazing is that it took so long for anyone – with a medium through which to speak – to actually give voice to the fact that ‘genetic diversity’ in an ICT environment is desirable in some cases.

    When I started in this business back in the mid-Eighties, my mentor drummed into me that the quality of application or solution drives the choice of platform; now we seem to work on the basis of ‘Wait until solution_vendor$<>"Microsoft"’ or ‘If platform_requirement$<>"Windows 2000", goto next solution’.

    Whilst there are many businesses where a commitment to homogeneity makes sense – particularly very small businesses with relatively simple requirements – the idea of building a 250-seat business that shackles itself and its competitive advantage to the MS yoke is simply not credible. After all, how can you be different when you’re just the same?

  4. I think that using the term “monoculture” is not appropriate for the current state of Microsoft’s problems. Microsoft’s error is its design of its operating system, not its ubiquitousness.

    The use of genetic terms in describing Microsoft’s failures may be clever, but not accurate. For example, it is unlikely that we will ever have the term “transgressive segregation” linked with OS development.

  5. The real problem is that the windows zombies just can’t imagine things being different. No, seriously, they really don’t understand that there are OSs out there that work, aren’t riddled with security holes, and aren’t bloody annoying to use! That’s why BillyG keeps repeating the same bull about it being just about market share. The zombies can easily believe that. After all, all computers and OSs have to be just like Wintel, right?

  6. I have a feeling that when Schloghorn finally ships, it will be nearly as rock solid as OS X. I can’t believe that a company as hell bent on dominating everything would not take this opportunity to introduce the types of security that we enjoy via UNIX (true admin access, default ports closed, limited autoexecuting scripts, etc.) They are doing a major overhaul on the trash heap we know as Winblows and have the opportunity to do it right.

    They need a classic environment so they can isolate the f#cked-up code that currently exists, and finally leave it behind (like OS 9).

    While most of us here would never use it even if it were secure, we will be down to arguing over the more fluffy topics such as appearance, ease of use, etc. They have really already solved the instability problems. Thank God that Apple has a 4+ year head start. They need to use what time is left to make progress on the brain-dead corporate types.

  7. DrDude, I’m sure they are. One of the things they are trying to do with Shlonghorn is move away from the old windows APIs, and of course in doing that they could fix many of the problems they have now (like the whole thing being fundamentally flawed). The question is, how capable are M$ programmers of pulling it off. They aren’t exactly known for their “clean” coding.
    The other thing is, if they move towards managed code to aid security, how big would the performance hit be and would people be willing to shell out for something slower?

  8. DrDude:

    No doubt that Microsoft must present a better OS than it currently offers. Then again, Linux and, perhaps, some other OS will capture an increasingly larger percentage of the PC market. This competition will drive the development of better operating systems for all machines including Macs.

    Microsoft will not die, but it will likely have less market share. And Apple? I reckon that in 4 more years OS 10.3.x will be discussed in historical terms. Whatever the improved Apple OS will be, it will have first originated from people who truly “think different”.

  9. Great point, Bo’ster. I bet that while Scloghorn is due out in 2 years, it will take them another 2-3 years to make it hum (like W3.0, like OS X 10.0, etc.).

    But on topic here, the brain-dead IT types will then have another reason to stick with M$ by saying that it will soon get better and it would cost too much to switch when a viable M$ upgrade is just around the corner.

    Just trying to be realistic.

  10. A lot of Windows users are passive users; they’ll use whatever’s thrown at them for cheap, and since they don’t know any better, they’re afraid of change. My Mother didn’t even want to change from Win98 to WinXP, claiming that Win98 (which is a single-tasking, single-user, technologically outdated OS) was perfect; what she meant was: 98’s what she knows, and she’s afraid to change that. Thankfully a lot of the hardware in her new Laptop wouldn’t work with Win98.

    Other Windows users like having great knowledge over something that breaks down often, making them valuable to others.

  11. Microsoft paid SCO millions for something. What do you think they bought? There will be a lot of Linux hidden under the hood of Longhorn. Microsoft doesn’t code, it steals or buys what it needs.

  12. Al:

    Morning meeting in Redmond.

    Bill: “Whatever it takes, lads, whatever it takes. Buy, beg, borrow, or steal. I don’t care. I just want an OS that works! Wake up, Ballmer! Are you people listening?”

    (Interruption): “Mr. Gates, there’s a Mr. Jobs on line one, a Mr. Ashcroft on line two, and a Mr. Monti on line three”

    Bill: “Oh, #$%#!”

  13. MacDailyNews Take: A monoculture is risky, but only really risky when the culture decides…to coalesce around…Microsoft Windows.

    It sounds like MDN agrees with this theory only insofar as it hurts Windows. You know, if OS X were the only OS, then there would still be a risk of cascading failure. Just because the risk isn’t obvious right now doesn’t mean it doesn’t exist.

  14. Simple, Kenny. Microsoft and Apple have designed two dissimilar operating systems. Microsoft’s OS is full o’ holes. Apple’s is not. It’s Apples and oranges, get it?

  15. What’s baffling is Homeland Security’s insistence on using Windows. They should change their name to Homeland Insecurity or maybe Homeland Security Holes and Patches. It only signifies how much clout MS has in US politics (aside from the Court of Appeals) with the money they spent on lobbyists and politicians. If these people cared just a drop about US security, they would drop Windows like a brick. But they don’t. Money matters more than the nation and the people. Money can buy patriotism.

  16. Nobody:

    Sec. Ridge told Bill to give him “the best durn computer operating system you guys have or else I’ll get my buddy Ashcroft to lock your sorry butt up for some antitrust violation or whatever”. Bill complied.

    Wait, wait.

    Bill called Sec. Ridge and offered him “the best durn computer operating system we have and maybe you can get Ashcroft off my sorry butt and have him forget about those nasty antitrust violations or whatever”. Ridge complied.

    Either way it still stinks.

  17. meat: try to stay with me on this, okay? I made a comment about the monoculture theory, and out of nowhere, you reply with “No, Kenny, no. All OS’s are not the same. That is why they are called different.”

    Your reply was senseless. Perhaps you meant that reply for someone else. It has no bearing on my post at all.

    And, of course, when I take the bait and ask what you meant, you say “Simple, Kenny” and post more painfully obvious nuggets of wisdom.

    Thanks for the OS count. Did everyone get that? Meat says there are two different OSes. I, for one, will take his word for it.

  18. Everyone – including the original Geer report – knows that the monoculture problem could apply in theory to any OS. But the reality is that it applies only to MS. In addition, as the report states (I recommend it – it’s readable), MS has taken damaging actions to promote the monoculture. And lastly, those who say OS X would be less of a problem are right: an OS X monoculture too would be bad, but not AS vulnerable as Windows. That’s a valid point. No need to pick fights when both sides of the issue are correct.

  19. Feb 16, 04 | 10:07 am

    I think that using the term “monoculture” is not appropriate for the current state of Microsoft’s problems. Microsoft’s error is its design of its operating system, not its ubiquitousness.

    The use of genetic terms in describing Microsoft’s failures may be clever, but not accurate. For example, it is unlikely that we will ever have the term “transgressive segregation” linked with OS development.

    And, thank you very much for agreeing that Windows and OS X are two distinct and different operating systems. No sarcasm intended.

  20. Nagromme: That’s true. It wouldn’t be as bad with OS X, at least not the way things stand now. Microsoft’s actions to promote the monoculture are doubly damning considering the security problems of Windows.

    meat: You’re weird. Live in your own little world, and prosper.

  21. Kenny:

    I’m sorry that I came on too strong for ya. My fault, I apologize. Forgive me?

    I hope that you mean weird in a nice sort of way. And what sort of world would I be living in anyway?

  22. Okay, meat. Let’s make up.

    What set me off is that I made a comment about the monoculture theory, and your response seemed condescending. It also didn’t tell me what you were talking about.

    After reading your re-post of your previous comment, I think you were saying that the monoculture theory is stupid, and that an OS X world would not be dangerous.

    These are valid comments, but I didn’t make the connection in your response. Also, I seem to be in the mood to chew on some asses. Sorry I flipped out.

    Now, in response to your comment, I have no idea what monoculture and “transgressive segregation” mean in biologist’s terms, but I know that most metaphors can’t be taken very far. I also know that Geer was trying to get people’s attention, so he probably chose a metaphor that would grab people.

    I think this theory probably resonates with corporate types. They diversify so that all their eggs won’t be in one basket, and that philosophy could and should apply to their computing eggs.

    What do you think about that?
