LWN: Comments on "November CRYPTO-GRAM newsletter"
https://lwn.net/Articles/58519/
This is a special feed containing comments posted to the individual LWN article titled "November CRYPTO-GRAM newsletter".

Monoculture and security
XERC, Tue, 18 Nov 2003 01:03:12 +0000
https://lwn.net/Articles/58763/

A small quote from Micro$oft's private survey:

"OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market."

It's part of the 1st Halloween document: http://www.opensource.org/halloween/halloween1.php

Monoculture and security
rknop, Mon, 17 Nov 2003 12:55:54 +0000
https://lwn.net/Articles/58569/

The boat that has been missed on a lot of standardization is that it is *protocols and formats* that should be standardized, not specific systems and pieces of software.

Once upon a time, this was understood on the Internet. That's why we had things like ASCII, TCP/IP, SMTP, FTP, and (at least the pure form of) HTML. Open standards which anybody could implement, and indeed which a large number of very different systems did implement, and even different packages on the same system. There was no worry about anybody being able to receive E-mail from anybody else, anybody being able to connect to the network, or anybody being able to view a given web page, because they were all open standard formats which anybody could implement, and which had been diversely implemented.

With the desktop, though, we got this idea that compatibility required monoculture. That having a well-defined format or protocol which anybody who implemented correctly could play with wasn't good enough, but rather that everybody had to be running exactly Microsoft Word, or exactly Microsoft Internet Explorer. I suspect Microsoft understood this full well, because it's pretty obvious to them that "standard as product" rather than "standard as protocol" was hugely in favor of somebody who believed that they could come out as "the winner" (as Microsoft has). But all the rest of us suffer.

If we could really get back to the idea of standards as protocol rather than standards as packages (which requires open standards rather than closed, proprietary standards!), then the incentives forcing us towards monoculture would evaporate. Microsoft would suffer, but all the rest of us would benefit greatly, including those who are currently Microsoft's customers.

And, yeah, if a fundamental flaw is identified in the protocol, then we all suffer the security problems of a monoculture. But, except for SPAM, all of the most serious security problems we have faced have been problems with packages and specific implementations (which may happen to be dominantly widespread) rather than a fundamental flaw in the underpinning protocol.

-Rob

Monoculture and security
dkite, Sun, 16 Nov 2003 21:00:28 +0000
https://lwn.net/Articles/58533/

Pete Lindstrom makes a good point, that if only half the desktops were Windows, then that would bring the number of vulnerable desktops down to 300 million. And having government control of the market wouldn't fix anything.

But what he misses are the costs of standardization. It is not so much a monoculture of software, it is a monoculture of development process and focus. Security hasn't been an issue for Microsoft until now. Unfortunately they own 95% of the desktop market. So all of us are affected.

With a diverse culture of desktop (and other) software, each vendor would compete for customers. The customers would be able to choose between any number of viable alternatives. That is not the case at all right now, even within the Windows market. Is there a vibrant market in email clients? Everyone needs one, there should be. When was the ILoveYou virus? Two, three years ago? We all noted a stampede away from Microsoft products, umm, didn't we? To what? Microsoft hasn't needed to respond to security threats because there was no business threat. Three years ago, what else could someone use except Windows? Now there is OSX, and the various linux desktops are very close to competitive. All of a sudden Microsoft's focus is on security? Gee, what a coincidence.

To quote: "To suggest that the risk is too great for a standard desktop is to suggest that the 20-year effort to standardize systems and support processes was a bad idea."

Yes it was a bad idea. Most of the issues in the article are worrying about software business plans, rather than whether the stuff works or not. As Bruce Schneier makes clear again and again, security is a state of mind rather than a bunch of hardware or software. Finally with some competition in the marketplace, the state of mind is changing. Compare the desktop market with the server market. IIS is insecure? Use Apache, Microsoft rewrites IIS.

If anything, this article showed me that it is the whole industry, customers and vendors, that created the problem. Most everyone chose to go with the winner, and inevitably, we all lose.

What is funny about this whole thing is that the competition, the more secure software, the answer to the dangerous monoculture has come from a bunch of guys writing stuff that they like. For free. Could it be that some of the strong reactions in this debate come partly from humiliation?

Derek

Pocket knives and box cutters: doesn't improve airline security, even after 9/11.
neoprene, Sun, 16 Nov 2003 17:17:05 +0000
https://lwn.net/Articles/58520/

"People who think otherwise don't understand what allowed the terrorists to take over four planes two years ago. It wasn't a small knife. It wasn't a box cutter. The critical weapon that the terrorists had was surprise"

Surprise was clearly a _part_ of the recipe for taking Control of the Airplane.
Deadly force along with the commonly held belief of the average Joe (that letting hijackers do what they want will lead to safety for the rest of the people and that hijackers won't use an Airplane like a Kamikaze missile) is what gave the hijackers Control of the Airplane. Once those notions were dismissed, the passengers on airplane no.4 took control back from the hijackers. As everyone should know by now the reason for plane no.4's "failure" was the willingness of the passengers to sacrifice their lives to save others, likely a doctrinal surprise to the hijackers. The plane crashed perhaps because there were no pilots left to fly the plane or automatic systems to keep the plane flying. I bet a few people wished they'd brought parachutes. Timely media coverage together with use of cell phones was also part of why their plan failed on No.4.
Will hijackers learn from these mistakes? I should think so.
Airplanes full of passengers, cabin crews, and cell-phones would now be identified as obstacles. One could venture to guess future hijackers will avoid repeating those mistakes. And of whatever airport security is looking for, bring something/somebody they are not looking for. Perhaps avoid passenger airliners altogether.

The real reason for wars and conflicts are the clashing of ideas and financial/economical interests. Lack of understanding and respect for other people/nations could lead to repetition of history. Solving your "problems" with war is a very risky business and could lead to very undesirable consequences and should only be undertaken when other avenues have been exhausted, i.e. diplomacy, trade negotiations, treaties, foreign aid, learning languages and cultures, propaganda, time and patience, et cetera have failed.

Winning the War is difficult, winning the Peace is much harder, maybe impossible.