The Software Monoculture 404
balster neb writes "CNET News.com has a piece titled 'Seeds of Destruction' on monoculture in software and its effect on security. The article talks about similarities between software attacks such as last year's MSBlast, and agricultural catastrophes such as the Irish Potato Famine. Isn't this another good argument against monopolies?"
Not just monopolies (Score:5, Insightful)
In a very near sighted way, yes. But we are talking about mono-cultures here, which is a bit more broad than that. And, something that the linux crowd will want to be wary of.
With all the momentum behind linux right now, it could soon find itself faced with the same problems MS is faced with. While I don't doubt the ability of the linux folks to find better solutions than MS did, it is still a concern that people should be aware of.
Re:Not just monopolies (Score:5, Insightful)
Re:Not just monopolies (Score:2)
Re:Not just monopolies (Score:5, Insightful)
Re:Not just monopolies (Score:2)
Re:Not just monopolies (Score:2)
Re:Not just monopolies (Score:5, Insightful)
So what you're saying is that there are a lot of operator errors? There are a lot of people who install software but then don't change the defaults to secure it. I've seen that happen with RedHat...if you don't install the patches right after you install it (and you allow it in the net), it gets hacked (this was back during version 7 I believe).
Same thing happens with Microsoft. It does become unsecure for the default install--the default settings. How long did people know about the RPC vulnerabilities before the first worms attacked it, and yet hardly anybody patched their boxes.
I'm not trying to make a case that Microsoft is as secure as Linux (not by a long shot), but while we have (uneducated) users operating their computers, no matter what the platform, exploits will be successful. I have run many Windows machines over the years, both workstation and server, and not once has one of the machines I'm responsible for been hacked or hit by a virus/worm. However, I have run Linux boxes before, and because I'm not as familiar with them, they have been exploited (remote root exploits--I had to give my machine up to the FBI for investigation, this was back when I worked at a government institution).
The best you can do is write secure apps, but people will always fail at some point because no one is perfect. Exploits will always exists, and many exploits will be discovered over time. But if you don't have the users updating to covers the holes in the software they are using, it doesn't matter which OS they use, or which culture it came from, they will be hacked. And I believe that even if Linux were to gain 90% overall marketshare, we would still see as many problems as we do with Microsoft because of the users.
Re:Not just monopolies (Score:5, Insightful)
sendmail: I don't even know how many root exploits there have been in the past 2 years, but I do know that a respectable percentage of MX'ers out there run it. For you folks on sendmail: qmail. Trust me on this one.
bind: Another of our more charming packages, that should have been replaced years ago due to multiple vulnerabilities. Again, no numbers, and I don't remember seeing any exploits in the past year ( I don't run it, so i don't pay as close of attention ), but this one was a popular attack vector at some point.
apache www: Fairly secure from my understanding, only mentioned here because it runs over half the websites out there. Ask yourself this: Name one other webserver for linux/*bsd. Most people can't.
So as you can see, the danger is there. Common software packages, commmon kernel, the potential is there.
Re:Not just monopolies (Score:5, Insightful)
Apache for Linux isn't the same as Apache for BSD isn't the same as Apache for Solaris isn't the same as Apache for Windows isn't the same as...
A worm that can exploit a vulnerability in Apache for BSD might simply crash Apache for Windows, be totally ineffective against Apache for Solaris, and have differing effects against Apache for Linux depending on what compiler was used. A worm that can exploit a vulnerability in a given version of IIS can attack all copies of that version, because all the copies are running from identical binary images on operating systems with identical memory layout schemes. In order to be a monoculture, a program needs to have more than just the source code the same.
Re:Not just monopolies (Score:2)
Linux email virus (Score:4, Funny)
-[ Attachment: virus.tar.gz 106k ]-
Installation instructions:
* Save the attached file. (In mutt, highlight the attachment and press s. In Evolution, right-click on the attachment and select Save As. For other mail readers, consult the manual page.)
* Uncompress the file in a new directory. (Open a terminal window and type tar xzf virus.tar.gz, or open the file in Karchiver, GUItar, EasyTar etc. See the tar and gzip HOWTO [tldp.org] for more information.)
* In the virus-0.11.2 directory, run the following commands:
./configure
make all
make install (run this as root)
Note: you will need to install gcc (the GNU C compiler) in order to compile the virus, along with the kernel headers for your system. See the GCC HOWTO [tldp.org] for more information.)
* Congratulations! The virus is now ready to run! Type virus at the command prompt.
* H4 |-|A i 0\/\/Nz3D y0O 5uC|eRR!!!!!!1
C|Net (Score:5, Funny)
Be it Famine or MSBlast (Score:5, Funny)
News for Nerds... Seed... Monoculture... (Score:2, Funny)
Monopolies (Score:4, Insightful)
You could use the same argument against "standards." But you wouldn't. Yes, if everything were made completely different from everything else, sure, it would be harder to mount large scale attacks against anything. You would have to tailor your exploit to all of the different architectures you are interested in. The downside of course is that you will have thousands of people constantly working on different designs for the same wheel. Promoting diversity within even a company like Microsoft would likely accomplish the same thing, but once again, would be highly impractical.
Re:Monopolies (Score:3, Interesting)
Re:Monopolies (Score:3, Insightful)
Re:Monopolies (Score:2)
We could make a more general argument against not standards, but Bad standards. Think of SMTP versus SSH.
Re:Monopolies (Score:5, Insightful)
No you couldn't. IIS and Apache both implement the HTTP standard, but only one of them was vulnerable to Code Red et al.
Avoiding a monoculture doesn't mean making everything as different as possible. It means that one implementation of a standard shouldn't monopolise the marketplace. If anything, open standards promote this, as you are free to use differing implementations rather than the single implementation that can handle a particular proprietary format or protocol.
Actually, yes, standards are susceptible. (Score:3, Insightful)
We got a TTL field, a clean-up of the Ack response, and a reorganization of the old email-handoff architecture - but it still ended up costing a comparable amount of time and resources to deal with as any other hack.
HTTP, like any technical standard monoculture, is also susceptible to legal problems - just as linux is. The [object] debacle is going to cost more than just mic
Re:Monopolies (Score:3, Interesting)
What a misinformed arrogant ass. Tell me what is in FTP or DNS that allows for root exploits for those running implementations of those standards. What? You mean there is nothing in the standard that is inherantly insecure? You mean you are confusing systems that aren't encrypted and equating them to systems that aren't secure?
Yes people can intercept data from those implementations. But oh, you can run them through a secure tunnel a la ssh. Oh, you mean y
"De Facto" standards (Score:5, Insightful)
A "De Facto" standard is really not a standard at all. It's just an implementation that happens to gain critical mass.
In (economic) theory, such an implementation should be the Darwinian best; in theory the best product always wins. However, we know from engineering experience this is almost always untrue. Another way to put this is that fitness to reach monopoly status is not necessarily fitness for the tasks and uses to which we'd like to put a thing.
The advantage of real standards over "de facto" standards are that they designed to allow multiple competing implementations, avoiding the monoculture problem. The other advantage is that that they are "designed" rather than just happening.
The disadvantage of standards over "de facto" standards is that the standards process is less agile at the outset.
Re:"De Facto" standards (Score:3, Insightful)
No. The concepts behind natural selection almost alway hold true.
The problem is that it's not the case that "the best product always wins", the way you're thinking of it.
You probably evaluate "best" based on several metrics like performance, price, configurability, etc.
The problem is that your assumptions are wrong
You're being silly (Score:4, Insightful)
You talk about the difficulty of diversity in an extremely exaggerated and unrealistic manner as a solution against standards and monoculture, when the realistic solution is neither.
In real life, you have competing *standards*. DVD-R and DVD+R. Blueray and HD-DVD. uPnP and Zeroconf. POP and IMAP. And often times, in real life, you don't settle for *one* standard, you accept multiple. Of course there are exceptions, like HTTP and BIND or TCP/IP protocols, but your argument has no bearing on reality otherwise.
So you then talk about diversity being impractical, without supplying any logic whatsover. You just assume because encouraging *no* standards is impractical, that diversity is impractical. They are different.
Support multiple standards, support open standards, and their implementation is not impractical, highly or otherwise. That is the whole reason standards exist!
Use different hardware and OSes to protect a company is not 'highly impractical' NetBSD on x86 for firewalls. Solaris on Sparc for servers. Linux on Itanium for compute nodes. OS X on PPC for desktops.
This is *natural* because each environment and tool have different strengths and weaknesses. It's like having multiple tools in a tool chest!
You wouldn't use Linux and Itanium for *everything*. Nor would you use OS X on PPC, or Solaris on Sparc. Nor *should* you use Windows on x86. It makes you too vulnerable and weak, and you sacrifice the strengths of each platform and environment!
Diversity to the point of uselessness? (Score:4, Interesting)
The study of networks, and scale free networks, has been applied to virus vaccination, and I do believe those results apply equally to the internet, or any other network. You don't need to immunize everyone, and you don't need to make all network nodes different, you just need to immunize hubs, and you just need to vary and protect vital hubs.
Here's a thought exercise: If you had 3 lans at work (one wireless, and two wired), you don't need to diversify every network to protect the entire place; You only need to protect three internal firewalls, three routers, one external firewall, and three DHCP machines to effectively protect up to 750 machines. Even better of course is the fact that all 750 machines don't have to be identical, since there will be the odd Linux server, Mac desktop or laptop for the graphic folks, and perhaps a Sun workstation or two here and there.
So it's not like you'd have to diversify to uselessness at all; just intelligently.
Standards are good (Score:3, Interesting)
Open specifications
With multiple implementations
On multiple platforms
This is what published standards allow.
Monopolies tend to produce:
Closed specifications
With single implementations
On single platforms
which is why they're easier targets for exploits.
Note that most of the modern scripting languages occupy an intermediate point here, since they tend to have a single implementation which effectively is the specification. Perl/Ruby/tcl are like that. Python i
a labrynth (Score:4, Interesting)
Now, interestingly enough, I suspect we are heading for an era of fewer such standards! Communication is already in flux due to encryption; my encrypted discussion with another person will appear as complete jibberish when intercepted, like when the Japanese intercepted US Navy transmissions that were actually clear-text conversations between North American Indians working in the radio room. As for locks...what happens when homes lose their locks in favor of AI, and simply recognize who can come in and who cannot? It is much harder to crack a system that is watching you while you attempt to crack it. After all, the house could simply kill you if it had the right weaponry. At the least, it would not be as gullible as a lock.
OK...my point approaches. Think for a moment about the shifting stairways and jumping rooms (well there was one at least in the last book) in the fabled Hogwarts School of Witchcraft and Wizardry. Ignore for a moment all the spellcraft going on...just look at what you could do with the architecture...can you imagine trying to take that place with a SWAT team? What route would they storm through? What alternates would they plan? What if things started moving even faster during a suspected attack? Further, what if the students and staff knew the rules and could function well enough regardless? An assault would not even bear the attempt. Given a similar kind of approach to software (and it really is just an approach, not magick at all) the best defensive strategy in OSs would be to have them randomize themselves on-the-fly. Most binaries could afford a certain amount of NOP space inserted. During final compile a "deviantC++" compiler could randomly insert busy loops or security trips or even totally bogus code, like whole other apps laying around already (games come to mind) and have them jumped over by properly executing code. We have plenty of RAM on our systems and generally an excess of CPU cycles; let 50% or more of binary be lines of random or calculated diversion codes. And let the code move itself around!
We're so accustomed to the idea of optimizing code. We even reuse code and data objects and this is seen as a virtue and at present it is. But we could quickly decide that times have changed and it is no longer a virtue. My machine no longer has just 640K RAM, guys, and it has enough spare CPU to run Setiathome. I'm willing to sacrifice some of my slack for an OS and apps that gleefully rewrite themselves every few minutes. If that became very common then the notion of exploiting a computer remotely via known vuls would become a quaint memory of a primitive era in technology.
And now I will hustle my butt over to the USPTO to patent this scheme for the financial benefit of my heirs. Remember, you read it here first.
Not a good connection (Score:5, Insightful)
Re:Not a good connection (Score:3, Informative)
* Farms were split between all of the children resulting in smaller and smaller pieces of land, which only potato (-e if you're Dan Quale) farming produced enough food to feed the families.
* 8 million people on the island (currently around 5.5m) dropped to under 3 after the famine.
* Best land was taken by mainly absentee landlords. (btw. 1845 was a bumper year for Wheat etc. Much more food was exported that year than usual)
tom.
Re:Not a good connection (Score:3, Insightful)
Potatoe was a very common spelling. If you went to the grocery store prior to that incident there is a good change that all the "potatoes" you bought would be spelled with that e. I'm given to understand that in England they spell the word color with a u (colour). Don't ask why, I don't know that. I'd argue that either answer is correct given that both spellings are common.
Then again I can't spell very well myself, so I'm not allowed in this arguement.
Re:Not a good connection (Score:2)
I don't understand why you draw a difference. It is either possible or will soon be possible to design a virus to attack a certain plant. Releasing such a virus into a monoculture will devastate it.
Nature's answer is biodiversity.
Re:Not a good connection (Score:5, Insightful)
However, the "monoculture" policy of having an entire population's survival depend on a single crop WAS deliberate. The policy was just as "socially constructed" as a monopoly. Therefore, the connection between the two is a good one.
Loss of life... (Score:5, Insightful)
Re:Loss of life... (Score:4, Interesting)
BTW: this is a great article, great to show the PHBs that perhaps having a diversity of platforms is better than "standardizing" on one. Standardizing on one platform, be it Windows, Linux, MacOS X or even Amiga, is bad policy and potentially dangerous.
Let's do both (Score:2, Funny)
Kierthos
Network Worms and Monoculture (Score:2, Interesting)
He basically concluded that we could not launch counter worms (like ones that would patch vulnerable Windows systems). The best solution was to diversify the OS we have our servers running on. A worm can spread in a matter of minutes as the creator of the worm usually chooses a set of powerful vulnerable machines as his first hit.
Some OS like to keep
How do you make the correlation??? (Score:3, Insightful)
Excuse me, but how can you compare a biological occurrance to a technological occurrance? There are too many variables in the biological virus. Or can you in fact make a definite comparison?
Saying people created viruses Microsoft didn't expect to deal with is bogus. That's a cop-out.
Microsoft was well aware of many of it's security holes. It's been going on for years.
There are parallels, but... (Score:2, Insightful)
The big difference wrt computer security is that we *do* know better and are still failing to get it right! The phone "Phreaks" from decades past should have taught us a lesson (not to mention the telco's o
BIND is also a Monoculture (Score:5, Insightful)
Most DNS servers run either ISC BIND, or a package based on BIND source. Although I am a hostmaster and respect BIND, I often wonder if this isn't one of the reasons that DNS is such a prime hacker target.
It seems clear that even with this example of an open-source program (although it's not GPL), groups prefer to avoid the cost of development at the expense of security (via the same monoculture argument). I've asked DNS appliance vendors this question (while they're trying to sell me on their product's security), and it's clear that they've never seriously considered the issue.
Not the same (Score:4, Insightful)
The difference here is that we have US Customs doing its best to stop people bringing forigne species over. If US Customs did things like Microsoft, they would hand out culture dishes to exicute your Windows Script code on and implant your cultures into the environment w/o asking the end user.
It's funny how a company can leave holes in everything, let people get used to being insecure, then tout fixing the problems as an innovation [microsoft.com].
Same Argument Applied to Standards (Score:5, Insightful)
And yes I'm playing devil's advocate, but it's a slow morning
Re:Same Argument Applied to Standards (Score:3, Insightful)
Yes, it would be. However, consider that if many people implemented TCP/IP independently, one of them might have realized that the protocol is flawed. If we all just borrowed BSD TCP/IP code without even reading it, we would be approximately as vulnerable as a proprietary protocol.
Gimme a dman break (Score:2)
Give it up already.
Re:Gimme a dman break (Score:2)
Only if you can defend the contrary. Arguments, please?
Re:Gimme a dman break (Score:3, Informative)
MSBlast: affected computers were unusable until patched.
There's one. Comparing computer problems to real-world situations where death is involved is a mistake (aka: a fucking joke.) Just like the comparison of Windows to automobiles.
Yes (Score:2, Interesting)
With the good comes the bad.
Not at all (Score:5, Insightful)
The presence of a monopoly *guarantees* a standard, but does not guarantee compatibility. Microsoft can (and has, accidentally) broken compatibility between various versions and flavors of it's various programs.
The absence of a monopoly does not have any bearing on standards or compatibility. It is, in fact, preferred for there to be a standard in the absence of monopoly; witness the DVD standard, the CD standard, the various interface standards...? It means that people can talk and interact sanely when no one individual has control.
If you mean diversity argues against standards and compatibility? I don't think that holds either.
Philips, Panasonic, Samsung, Sony, IBM, Apple, Dell, RCA, Aiwa, and Kenwood all adhere to the CD standard, and thus a CD that can play in one can play in all, without there existing a monoculture or a monopoly. The same holds true of paper, nails, DVDs, and many other things. Of course some products are crappier than other products, which affect compatibility and quality, but it's not due to lack of monoculture, since Microsoft decisively also has crappy products and crappy quality as well.
Diversity means competition.
Last I recalled, competition meant progress, and growth, as well as strength and robustness. If one product/method/attempt fails, then another can succeed. If one is suboptimal, and alternative may be optimal.
In a monoculture, none of that applies. You can't have difference without choice, you can't have competing theories without choice, you can't have flexible strengths without choice.
You just have no choice.
Glossing over the heart of the matter... (Score:5, Insightful)
Most of it, however, was intended for export to England.
To liken the conditions of the software industry to the Irish Potato(e) famine is ridiculous. To whom or what is the industry beholden to? If we cannot produce code will we starve to death? Is someone occupying our cities and towns, threatening our lives if our code fails to compile? I'm not Irish, (though I do like potatoes), but please think again before you make analogies such as these.
Sig Hire!
Not a new argument (Score:2, Informative)
This isn't really a new argument. Marcus Ranum's web site [ranum.com], for example, contains a counterargument, links to articles discussing arguments for and against, a link to the paper by Dan Geer that brought the monoculture argument into the limelight, and some sarcastic comments on the new monoculture study that the C|Net article mentions. ("$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!")
May be but ... (Score:2)
There is still no substitution for good (that is with the security in mind) programming practices. And of course readily available information about vulnerabilities.
I think it matters not that much if you have 90% boxes on the net running windows (God forbid, really!) and 10% of "others". Or it breaks down different way. Nmap [insecure.org] does very good job identifying remote operating system nowdays. So for a persistent and dedicated cracker it should not matter that much if you have a "monoculture" or big veriety o
what are you talking about? (Score:3)
Potato famine fallacy. (Score:5, Informative)
It is a common misconception that the disease known as late blight, caused by the Oomycete (Phytophthora infestans) "caused" the Irish potato famine. Yes it is true that the Irish were growing only a few varieties of potato (monoculture), but the REAL reason was the socio-economic structure put in place by those bastard English. Essentially, most of the Irish farmers (which was damn near everyone), "rented" the land from rich English landowners. This meant that they grew vegetables, wheat, etc. to pay for the rent, and grew potatoes for food because they stored well. Late blight reduces crop yield both before harvest (lost foliage) and after harvest (tuber rot), and by removing potatoes as a food source, the Irish began starving. The English did nothing to help the them during this time. In fact, the rental system stayed in place throughout the whole famine.
Re:Potato famine fallacy. (Score:3, Insightful)
The socio-economic structure at the time can be likened to corporate addiction on Microsoft products. Because of the large investment in Word format documents and interoperability needs, your company is stuck with Office and Windows (unable to plant other varieties of potatoes). This monoculture is easily taken down by a single attacker, as we've seen several times now.
The attack would not have been possible if there was true diversity in both cases. Diversity would've been possible if
For whom the potato tolls. (Score:3, Insightful)
I seem to recall that the Queen donated 10 pounds to Irish Famine Relief. Of course, that was also how much she gave to her favorite animal shelter...
Your point is well-taken, but it has some uncomfortable consequences. Consider that most people on this planet don't get enough to eat. They're not as badly off as the potato-dependent Irish, but they're still pretty badly off. And, like the Irish, they're not starving because there's no food to fee
Re:For whom the potato tolls. (Score:3, Insightful)
Re:Potato famine fallacy. (Score:3, Informative)
My point could be summarized as:
1. The English steal all the land.
2. The Irish need a place to grow food and "rent" land from the English.
3. The English get all the "good" food.
4. The Irish resort to depending on potatoes.
5. A "fungus" kills the potatoes.
6. The Irish starve.
7. The English don't raise a finger to help.
8. MORE Irish starve, and they begin to emmigrate.
9. New Yor
Do Some Research (Score:3, Informative)
You should do some research before spouting off, then admitting you know nothing. Ireland was a victim of classic Colonialism - the natives' land was forcibly seized and they were converted from self-sufficient communities into tenant farmers. They were told they had to pay "rent" to live on the land that
It's a freedom problem, not a monoculture one (Score:2)
The famine was due to the British, not potatoes (Score:4, Informative)
To make my point very clear: British theft of Irish land and the systematic exclusion of the Irish from all occupations except farming and laboring meant that the only crop which was high-yield enough to be viable on the tiny plots of land left to the Irish was the potato.
All during the famine Ireland exported corn grown on the landlord-owned estates to Britain.
I realize that this isn't the central point of the post, but the phrasing implies a foolish choice on the part of those who suffered from the forced monopoly.
Re:The famine was due to the British, not potatoes (Score:2)
Re:The famine was due to the British, not potatoes (Score:2)
I was unaware of varieties of potatoes resistant to Phytophthora infestans being available at the time. Could you provide a reference for that?
Your argument seems to insist on ignoring one contributing factor (structural constraints in choice of crop imposed from without) and focusing on another (lack of diversity in crop). That seems partial, especially when there's reason to believe that the "monoculture" would not have occured without the structural constraint. In other words the English misrule was
Re:The famine was due to the British, not potatoes (Score:3, Informative)
Monoculture vs. Organic (Score:2, Interesting)
We're not biased (Score:2)
Yeah, there is: biodiversity actually exists.
Hidden risks in agriculture (Score:5, Interesting)
Seriously, though, agriculture is a risky proposition. Prior to European conquest of Africa, the natives largely existed as hunter-gatherers. As such they tended to just eke out an existence on what little food they could find. Also, humans naturally become infertile when they're not fed enough, so during a time of scarcity the population stabilized itself, with the standard very-young and very-old dying off.
The Europeans brought agriculture to Africa. (I'm talking large-scale, tied-to-one-patch-of-dirt agriculture here.) This has upset the "natural balance" by creating subsistence farming. People do tremendously well during good years, but are devastated that much more when a drought comes along. The population swells greatly due to the static nature of life and the need for people to work the farms. Those same populations are routinely eviscerated by famine every decade or so. (Not to mention the social problems as formerly nomadic people have been lumped together in aribtrarty boundaries drawn by their conquerors.) For some reason Sally Struthers seems to think the solution to this problem is to provide more food. It's a short-term fix but it's also a vicious cycle.
Agriculture can bring tremendous profit and clearly supply much more food than the hunter-gatherer lifestlye. But the risks are greater, too, especially once your society becomes dependent on large-scale farming. I saw on Discovery channel the speculation that years of poor harvests led to the extincion of some Middle American people around 1200 AD. (Mayans? I can't remember.) In modern times, we see these risks introducing themselves in new ways, such as mad cow disease, brought about by imposing a cannibalistic diet on cows, which in turn happens because of market pressures to keep producing cheaper meat for an increasing number of increasingly hungrier (to the point of obesity) population. Something has to give. We are also seeing the depletion of natural fish stocks, and the "latest study" says that farmed fish contain much more mercury and PCBs than wild fish.
I liked the CNet article a lot; they could have mentioned SQL Slammer's apparent role in the blackouts last year. I guess that hasn't been explicitly proven and overty recognized, it would probably be too costly to Microsoft's share value, and by extension the economy, and by extension Bush's reelection strategy.
So what's the answer? (Score:4, Insightful)
Secondly, the ubiquitous nature of the Internet is the single biggest reason behind it's success. While I agree that the "genetic makeup" of the Internet may also be its weakest link, I have to ask, "What's the alternative?"
Look at how the Internet, much like the telephone, has made communication so much more efficient. It has opened channels across the world, across socio-economic cultures, across demographic diversities that have never been accessible before - at least to the average Joe/Jane. This would have been impossible if, say, every country was forced to use its own network transport layer. Sure, Cisco would love it - they'd be able to sell country-specific routers to automate the traffic translations. They'd make a fortune!
Is the article suggesting that we create multiple network infrastructure to obfuscate malicious interrogation? If so, how could it be done without public standards - which would defeat the purpose anyway?
The article's viewpoint is short-sighted. The answer is not to mutate the DNA of the Internet (Ethernet/TCP/IP/etc), but rather to enhance its perimeter defenses, such as SMTP. That protocol itself is way to vulnerable. Outlook is a fine product; I doubt anyone would argue that. But look how much it's been [editorially] attacked recently because it's based on an ancient protocol and has been jerryrigged to overcome the security holes of its communication layer.
I don't know, maybe I'm rambling, but the article irked me. Just a bad day I guess.
Macintosh and French Wine (Score:4, Funny)
MacOS X is then a graft of the macintiosh experience on top of good ol unix. Just like the french vineyards are French vines grafted onto american trunks and roots due to the fact a fungus ate all the french roots.
weakest link (Score:4, Funny)
Sure, but if I did an independent study I'd be thrown in jail under the Patriot Act and no one would hear from me again.
Never seen slashdoy so united in an opinion (Score:3, Funny)
i've been reading all the posts so far, and all of them appear to be in agreement.
i'm not sure i've seen this level of agreement even over the SCO case. Once in a while you at least get a decent troll on the SCO topics.
I feel like it's my duty as a concerned citizen to pick up the slack here, so um . .
the software monoculture is in every way exactly identical to the potato famine. in fact, it's so similar that i'm not sure they are different things. damn the irish and and their isecure monoculture. damn it.
in other news, i think my pc might have SARS.
Reminds me of an argument I had... (Score:4, Funny)
Basically his reply was that I shouldn't depend on one particular means of getting my e-mail. To which I replied "What do you think switching to Exchange/Outlook is doing?"
Point, me.
More like politics.. (Score:2)
its what you like to believe, some say a zillion party democracy (Like most of Europe) is the best way to handle things, some say a two party system is best (The US, in practice).
Some even think one of those "Great Dictator's" is the best. Them silly really.
peace
"/Dread"
Depends... (Score:2)
Does diversity end if the code goes unused? (Score:5, Interesting)
A biological population can experience genetic bottlenecks. For example, everyone in Iceland is practically genetically identical, since they are descended from a group of about a few dozen (already closely related) Vikings.
The potatoes in Ireland where a similar example. Not only was everyone growing potatoes - all of these potatoes were descended from a small number of potatoes brought over from the New World. The original population of New World potatoes were genetically diverse - but the potatoes brought to Ireland were all especially susceptible to the fungus that brought on the Irish Potato Famine, so it was catastrophic.
You can also get a genetic bottleneck in an entire species. The few surviving Andean condors probably only represent a fraction of the genetic diversity the Condor had at the height of its population. The diversity is gone forever.
The same is not true for rarely used, or even completely unused, software. If some disaster befalls us that makes other operating systems useless, we can resurrect OS/2 Warp even if not a single installation remains anywhere in the world.
On the other hand, without a population of OS/2 Warp installations, OS/2 Warp cannot evolve. It exists in a form of stasis that, over time, may render OS/2 inviable, in much the same way that environmental changes might drive the andean condor all the way to extinction (while it might have survived with the genetic diversity that the species has already lost.)
Your Government Dollars at Work (Score:4, Interesting)
With Linux emerging as the platform of choice for scientific applications, I would imagine NASA has had to have changed this policy, so I would like to hear from some NASA people what the current policies are.
One thing is clear, open source is being demonized by people with vested interests, and are trying to pass actual laws along the lines of "This is Godless and Communistic." I personally think open source is a really good fit for OS and language design. These are foundations on which everything else rests. Without open source you don't know if what you are building lies over a fault line or an artisian well.
I'm sure Microsoft is cutting deals behind closed doors with various governments about putting in code to "track the bad guys". It's not just a matter of having stuff in there you don't know about, but having it steal your processor cycles, and having unintended interactions. And since it's black box and probably DRM, it will probably become illegal to deactivate it. And since you can't rip it out, or should even know it's in there, someone comes along with a real killer virus exploit that turns on your own DRM against you.
Tragedy of the Commons: Market Failure (Score:3, Interesting)
Monocultures in nature (Score:4, Funny)
The implications for internet security are clear: we have to teach computers to have sex. Luckily there are plenty of training videos [nebraskacoeds.com] available on the internet. I've been doing my bit for the future of network security by downloading these videos and showing them to my PC - I recommend you do the same.
Re:YES! (Score:5, Insightful)
Then again, AFAIK, Windows is not leading on the server side, but perhaps somebody can correct or confirm that ?
This is from the article: Being the top species in the information chain means more attention from the malicious coders.
On the desktop, MS is definately "top of the information chain", so naturally more attention will be brought their way.
Re:YES! (Score:5, Interesting)
On the desktop, MS is definately "top of the information chain", so naturally more attention will be brought their way.
Apache is the top web server, running over 2/3 of the sites on the Internet. Why is it that Microsoft's IIS, at less than 20% of web sites, is the one that keeps getting exploited?
Re:YES! (Score:4, Insightful)
The other part, is assuming Linux has only stolen share from other UNIX vendors, Linux webservers would still account for fewer actual computers on the internet compared to Windows machines. Linux servers are also not always uniformly exploitable with the differences between compiler, libc, and kernel versions and patches. For Windows servers, you only have two or three flavors of Windows you need to worry about, and all you have to do is make one (legitimate) http request to find out which one. Linux/Apache sites will tell you which version of Apache is running, and maybe what distribution of Linux it's running on, but won't tell you what kernel version is running, what glibc is installed, what compiler was used. For that, you'd have to guess, so the list of possibly exploitable machines gets smaller.
I wish Netcraft would do a new machine survey, so we could put this one to rest, but I havne't seen one since June 2001.
Re:YES! (Score:3, Funny)
Well, there's sendmail.
Oh, wait. Err... well, there's BIND.
Umm.... well, OK, not really.
-Esme
Re:YES! (Score:5, Interesting)
Apache on Linux, BSD and Solaris hosts significantly more web sites than IIS on Windows does, and has for several years longer. Which combination is more prone to being abused by viruses and worms?
Sendmail, hosts an order of magnitude more e-mail transactions than Exchange does. Which gets less press for it's holes because it runs on a platform that gets exploited so often people expect the worm of the week to attack?
The applications that get the worst rap for security problems are the ones with the most users, Internet Explorer, and Outlook (any variation). The fact that they happen to run on the same basic platform as the SQL server and IIS web servers do, should provide sufficient evidence that the alternatives running on other platforms would _tend_ to be more secure.
That does not prevent problems from being possible in a Linux monoculture, or a BSD monoculture. It just suggests that the underlying structure is more secure, and less likely to be a significant source of security problems for e-mail and web browser clients running on top of them.
-Rusty
Sorry to bust your myth but (Score:3, Interesting)
to say that "[Microsfot] SQL Server [...] has an archetecture that virus and worm writers have been able to exploit" is simply pathetically desprate misleading of the audience. Here is why.
The Slammer worm [cert.org] has used a vulnerability [cert.org] that was NOT an architectural design flaw across the product. It was a simple stack buffer overflow in an implementation of the SQL Resolution Service.
On a seemingly unrelated topic, here [cert.org] is a plethora of buffer overflow vulnerabilities of Oracle from some time ago. How much m
Re:YES! (Score:3, Informative)
There's that evolutionary aspect to it in the long term (less desirable species die off), but more importantly diversity leads to resistance. If, for example, your web site runs on both Windows and Linux servers, and an exploit against either one cannot take down your entire site.
Re:YES! (Score:3, Funny)
That's right. They stole it fair and square. Per-Processor licensing was introduced in 1988, and illegal.
Re:YES! (Score:5, Informative)
[oversimplification] Back in the day, Windows was a popular operating system. Not the only popular one, but popular enough that an OEM who didn't offer Windows pre-installed was going to lose a lot of business. MS basically said that the OEM would pay them $fee for every processor sold, regardless of the OS installed, or else the OEM would not be allowed to sell Windows machines at all. Most OEMs recognized that they couldn't afford the hit they'd take if they couldn't sell Windows, so they agreed to this devil's deal. And then, since they were paying for the darned thing anyway, they installed Windows on all of their machines. [/oversimplification]
This is how to turn a merely successful product into a monopoly, while making a lot of enemies as a free bonus!
Re:YES! (Score:3, Informative)
Re:YES! (Score:3, Insightful)
. . . what I just don't understand is why did these OEMs agree to this? Collectively couldn't they have had some leverage against Microsoft in a business sense?
You really expect companies who are trying to cut each other's throats to band together against a company they need to deal with on an individual basis? At least one company did complain about Microsoft's tactics; it was Gateway, IIRC.
Re:YES! (Score:3, Insightful)
You're quite welcome.
what I just don't understand is why did these OEMs agree to this? Collectively couldn't they have had some leverage against Microsoft in a business sense?
You'd think so, wouldn't you? I suspect it was partly a sense of "everybody else is doing it," i.e., going along with the herd, and partly simple reluctance to get into an ugly battle with what was, even then, an extremely powerful company. I suspect that MS could have outlasted any collect
Did you miss the trial? (Score:3, Interesting)
#2. Check the DR-DOS history. See how Microsoft used bogus "error" messages against competitors.
#3. Check the Netscape trial. See how Microsoft used OEM contracts against competitors.
DUH! Did you MISS the part where Microsoft was found GUILTY of ILLEGAL LEVERAGING their MONOPOLY?
Yes, if Linux gained more desktop space there WOULD BE FEWER VULNERABILITIES. Just take a look at how much market share Apache has a
Re:Did you miss the trial? (Score:3, Informative)
I agree that Apache has proven to be a more secure webserver than IIS.. Which isn't to [internetnews.com] say [securityfocus.com] that [securityfocus.com] it's [securityfocus.com] trouble-free [securityfocus.com] though.
Re:Did you miss the trial? (Score:3, Insightful)
A couple things:
On point #1:
1. DOS does not equal windows
2. MacOS, UNIX, AmigaOS, BeOS, Solaris, etc. Operating systems have competed, and lost (so far). Is it because Microsoft practices illegal monopolistic crap? That certainly is likely to be a contributing factor. But so do other businesses that fail.
On #2: Want to help us out and
Re:Did you miss the trial? (Score:5, Informative)
Check back to the 1995 Consent Decree. DOS won out initially fair and square (DOS cost $100, CP/M cost $200, so people chose DOS). But when Windows came out, Microsoft's licensing agreements stated that if you wanted to include DOS or Windows on any computer you sold, you would have to pay Microsoft for both products for every system you sold, *even if it didn't include MS software*. That is the sole reason that Windows ever became popular. You would occasionally see computers running GEOS or OS/2 in stores, but not very many because of the need to pay for two OS's. The government eventually investigated Microsoft for illegal leverage of a monopoly. The result was the 1995 Consent Decree, but by then the damage had been done and the government action was too little, too late.
2. MacOS, UNIX, AmigaOS, BeOS, Solaris, etc. Operating systems have competed, and lost (so far). Is it because Microsoft practices illegal monopolistic crap? That certainly is likely to be a contributing factor. But so do other businesses that fail.
See above. Bad business decisions were factors too, but by far the largest factor was Microsoft's illegal leverage of their monopoly.
As to DR-DOS and the bogus Microsoft error messages, here's the basic story. After DR-DOS was good enough to compete with MS-DOS, Microsoft began making their products try detecting DR-DOS. If they detected it, the program would print a random error message and return you to a DOS prompt. The most notable program to do this was Windows 3.1. I'm not sure if this is correct, but I seem to recall reading in a magazine that the code to check for DR-DOS was encrypted, and that Microsoft would attempt to disable any debugger that might be running before decrypting the code, making it very difficult to figure out what the code was doing.
Regarding the Netscape trial, Microsoft's contracts with OEMs prevented them from loading Netscape onto computers they sold.
Proof only exists in mathematics. (Score:3, Insightful)
It can never be "proven" because there is no way to know that every possible bug has been found.
All that can be shown is statistical evidence.
Re:Did you miss the trial? (Score:3, Insightful)
I used both CP/M and DR-DOS and remember being rightfully pissed off as the slapjob that was MS-DOS took over. Unfortunately, I think the greater blame falls on Killdall's head as he had the OS IBM wanted and the opportunity license it, but blew it. Big time.
Re:Did you miss the trial? (Score:3, Informative)
"...IBM's president John Opel, and Bill Gates' mother both served on the board of the United Way."
Random internet search on the subject:
http://ieee.cincinnati.fuse.net/reiman/01_1999.ht m l [fuse.net]
But I don't think that alone should belittle the success of Bill Gates, few people make it big without some help along the way. Bill Gates happened to know something about computers, happened to get his hands on a lucrative contract and most importantly, knew to throw everything into it, and how to milk it for all
Complainer! (Score:3, Insightful)
Actually, Apache Runs the Web (Score:2, Insightful)
Granted, it could be Window/Apache, it's most likely Linux/Apache.
Re:YES! (Score:3, Interesting)
Genetic diversity does not prevent disease, but it does reduce the effect one disease has on a population. This is the analogy I believe was being drawn. Imagine a virus wiped out (not just crashed) an OS. If all computers in the world were that OS, all c
Re:Stating the obvious? (Score:2)
Only half correct... (Score:3, Insightful)
"Plain old capitalism" is exactly what the railroad robber barons did in the 1800s. And it is one reason that anti-trust laws exist today. It is not legal to use "industry leadership" in one area whether it's railroads or operating systems to create monopolies in areas where you are not the best player but just the richest or most powerful (due to dominan