Monoculture and security

Posted Nov 17, 2003 12:55 UTC (Mon) by rknop (guest, #66)
In reply to: Monoculture and security by dkite
Parent article: November CRYPTO-GRAM newsletter

The boat that has been missed on a lot of standardization is that it is *protocols and formats* that should be standardized, not specific systems and pieces of software.

Once upon a time, this was understood on the Internet. That's why we had things like ASCII, TCP/IP, SMTP, FTP, and (at least the pure form of) HTML. Open standards which anybody could implement, and indeed which a large number of very different systems did implement, and even different packages on the same system. There was no worry about anybody being able to receive E-mail from anybody else, anybody being able to connect to the network, or anybody being able to view a given web page, because they were all open standard formats which anybody could implement, and which had been diversely implemented.

With the desktop, though, we got this idea that compatibility required monoculture. That having a well-defined format or protocol which anybody who implemented correctly could play with wasn't good enough, but rather that everybody had to be running exactly Microsoft Word, or exactly Microsoft Internet Explorer. I suspect Microsoft understood this full well, because it's pretty obvious to them that "standard as product" rather than "standard as protocol" was hugely in favor of somebody who believed that they could come out as "the winner" (as Microsoft has). But all the rest of us suffer.

If we could really get back to the idea of standards as protocol rather than standards as packages--- which requires open standards rather than closed, proprietary standards!--- then the incentives forcing us towards monoculture would evaporate. Microsoft would suffer, but all the rest of us would benefit greatly, including those who are currently Microsoft's customers.

And, yeah, if a fundamental flaw is identified in the protocol, then we all suffer the security problems of a monoculture. But, except for SPAM, all of the most serious security problems we have faced have been problems with packages and specific implementations (which may happen to be dominantly widespread) rather than a fundamental flaw in the underpinning protocol.

-Rob



Monoculture and security

Posted Nov 18, 2003 1:03 UTC (Tue) by XERC (guest, #14626)

A small quote from Micro$oft's private survey:

OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.

It's part of the first Halloween document.
