Monoculture and security

Posted Nov 16, 2003 21:00 UTC (Sun) by dkite (guest, #4577)
Parent article: November CRYPTO-GRAM newsletter

Pete Lindstrom makes a good point, that if only half the desktops were Windows, then that
would bring the number of vulnerable desktops down to 300 million. And having government
control of the market wouldn't fix anything.

But what he misses are the costs of standardization. It is not so much a monoculture of
software, it is a monoculture of development process and focus. Security hasn't been an issue
for Microsoft until now. Unfortunately they own 95% of the desktop market. So all of us are
affected.

With a diverse culture of desktop (and other) software, each vendor would compete for
customers. The customers would be able to choose between any number of viable alternatives.
That is not the case at all right now, even within the Windows market. Is there a vibrant market
in email clients? Everyone needs one, there should be. When was the ILoveYou virus? Two,
three years ago? We all noted a stampede away from Microsoft products, umm, didn't we? To
what? Microsoft hasn't needed to respond to security threats because there was no
business threat. Three years ago, what else could someone use except Windows? Now there is
OSX, and the various linux desktops are very close to competitive. All of a sudden Microsoft's
focus is on security? Gee, what a coincidence.

To quote "To suggest that the risk is too great for a standard desktop is to suggest that the
20-year effort to standardize systems and support processes was a bad idea."

Yes it was a bad idea. Most of the issues in the article are worrying about software business
plans, rather than whether the stuff works or not. As Bruce Schneier makes clear again and
again, security is a state of mind rather than a bunch of hardware or software. Finally with some
competition in the marketplace, the state of mind is changing. Compare the desktop market
with the server market. IIS is insecure? Use Apache, Microsoft rewrites IIS.

If anything, this article showed me that it is the whole industry, customers and vendors, that
created the problem. Most everyone chose to go with the winner, and inevitably, we all lose.

What is funny about this whole thing is that the competition, the more secure software, the
answer to the dangerous monoculture has come from a bunch of guys writing stuff that they
like. For free. Could it be that some of the strong reactions in this debate come partly from
humiliation?

Derek

Monoculture and security

Posted Nov 17, 2003 12:55 UTC (Mon) by rknop (guest, #66)

The boat that has been missed on a lot of standardization is that it is *protocols and formats* that should be standardized, not specific systems and pieces of software.

Once upon a time, this was understood on the Internet. That's why we had things like ASCII, TCP/IP, SMTP, FTP, and (at least the pure form of) HTML. Open standards which anybody could implement, and indeed which a large number of very different systems did implement, and even different packages on the same system. There was no worry about anybody being able to receive E-mail from anybody else, anybody being able to connect to the network, or anybody being able to view a given web page, because they were all open standard formats which anybody could implement, and which had been diversely implemented.

With the desktop, though, we got this idea that compatibility required monoculture. That having a well-defined format or protocol which anybody who implemented correctly could play with wasn't good enough, but rather that everybody had to be running exactly Microsoft Word, or exactly Microsoft Internet Explorer. I suspect Microsoft understood this full well, because it's pretty obvious to them that "standard as product" rather than "standard as protocol" was hugely in favor of somebody who believed that they could come out as "the winner" (as Microsoft has). But all the rest of us suffer.

If we could really get back to the idea of standards as protocol rather than standards as packages (which requires open standards rather than closed, proprietary standards!), then the incentives forcing us towards monoculture would evaporate. Microsoft would suffer, but all the rest of us would benefit greatly, including those who are currently Microsoft's customers.

And, yeah, if a fundamental flaw is identified in the protocol, then we all suffer the security problems of a monoculture. But, except for SPAM, all of the most serious security problems we have faced have been problems with packages and specific implementations (which may happen to be dominantly widespread) rather than a fundamental flaw in the underpinning protocol.

-Rob

Monoculture and security

Posted Nov 18, 2003 1:03 UTC (Tue) by XERC (guest, #14626)

A small quote from Micro$oft's private survey:

OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.

It's part of the first Halloween document.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds