From: Leon Brooks <leon-AT-cyberknights.com.au>
Subject: Rob, are you actually paid to do this?
Date: Sat, 11 Oct 2003 19:53:01 +0800
> Two high-profile organizations recently argued that diverse
> environments are inherently more secure than "monoculture"
> (read: Microsoft-only) environments.
...and from other sources:
> The report's authors said the report was a reflection of their own
> views [...] "I wouldn't put all of the blame on Microsoft," Schneier
> said, "the problem is the monoculture."
From the horse's mouth, the security problem harped on in the report is
explicitly the monoculture, not the Microsoft. So you've started on a
misconception. Do you recover from this?
> These arguments were put forward by Gartner
Er... what? Gartner are hardly known for being critical of Microsoft, in
fact they've got an informal reputation for being on Microsoft's cheer
squad, if anything.
As if to underscore their reluctance to injure or offend such a
lucrative and dominant source of income, Gartner speak as little as
possible to Microsoft, as such, limiting themselves to Windows. I
believe this to be a mistake, since the majority of reported
vulnerabilities on desktop PCs have been in Microsoft applications
other than the OS - such as Outlook, Internet Explorer or IIS.
They also make it plain, regardless of motives, that their primary
concern is the lack of diversity, and I quote:
> By spreading critical business functions across multiple desktop
> platforms or by maintaining key operating groups on separate
> platforms, you can enhance your ability to keep at least some of your
> key personnel and processes functioning and communicating during
> an attack.
Perhaps Gartner have realised that there is an issue here that they need
to be seen to be addressing?
Two strikes against Rob. But you go on to say:
> separately, a panel hosted by the anti-Microsoft Computer &
> Communications Industry Association.
Also wrong (third strike), at least in origins: the report now filtered
through CCIA was originally released by the diverse group of security
consultants through security firm @Stake - and it seems that @Stake are
so pro-Microsoft that Dan Geer, then @Stake's CTO, was fired over the
This brings to mind an interesting statement from the President of the
Vermont Library Association:
> If you have to worry about what your reading list might look like to
> an FBI agent, you might decide to censor yourself and not read what
> you really want to read. And the moment you have to think about
> those kinds of decisions, then you are no longer truly free.
To be sure, Microsoft are not the FBI - but the principle is exactly the
The whole set of premises that you justify your article by are
completely wrong. This essentially makes it worthless. But even if the
raison d'être had been sound, you also muck up the content:
> We have yet to see a cost/benefit analysis that supports the
> conclusion that a heterogeneous computing environment lowers
> the overall threat level of a corporation, or that it is the most cost
> effective of the choices available to you.
A Microsoft-aimed worm took out one large local ISP's mail service for a
day, and kept it lagged for about 3 days this last week. A consultant I
work with lost an AUD$2000 job and probably also all future work from a
customer because they were unable to receive their email.
I haven't even seen a guesstimate of how much this kind of damage
eventually adds up to be, to say nothing of a cost/benefit study, and
we're not even dreaming about one not paid for by Microsoft.
Then several of your recommendations, while plausible on the surface,
carry additional risks.
> Locking down desktops so users cannot make changes and viruses and
> worms can't install themselves and run.
Unfortunately, the vast majority of recent viruses and worms don't
require much if any user intervention. Several Outlook vulnerabilities
haven't even required the user to read email in order to propagate the
Locking users down too firmly may actually prevent individual users from
implementing many of the safety measures you prescribe. Think about the
analogy of being trapped inside a burning house by your security
> Implementing additional security products, such as virus software
> and firewalls.
Funny, but everything competing with Microsoft (i.e., OS X, Linux, FreeBSD
et al) comes with effective firewalling software and so far hasn't
needed anti-virus software (and without a major paradigm shift, never
In addition, most of these run on diverse platforms, which makes binary
intruders so much less effective. Granted that Windows will soon have a
significant number of Hammer and IA-64 users in addition to the current
IA-32 monoculture, but it's a little late in the game, and one has to
ask in the light of their abandonment of Alpha, PPC and MIPS
architectures whether Microsoft would have adopted Hammer or IA-64 this
early in the absence of stiff competition from Linux and friends.
> Deploying Windows on alternative hardware. For example, "PC blades"
> centralize the processors, memory and storage of PCs in a datacenter,
> while the display, keyboard and mouse are at the user's desktop.
Who needs specialised hardware? Do this today, for free, on existing
hardware and run any legacy apps under WINE or Win4Lin. The
restrictions these translation layers place on bizarre network
operations alone should help your security enormously. And I do know
from practical experience that apps die about half as often under
Win4Lin as they do run natively, as well as running roughly twice as
Using Linux mounted readonly and running no services for the outliers
should cut down a *lot* on network vulnerability. Make them diskless
and fanless for amazing reliability. Running those on a variety of
architectures involves very little extra cost.
In fact, contrary to your assertions, the safest and most economical
approach is usually to evict all Microsoft software from your network.
If you want pretty, replace it with Macs; if you want functional for
minimal cost, use X11 on Linux, FreeBSD or any of the others.
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia
Page editor: Jonathan Corbet