[AktiviX] Warning: Microsoft 'Monoculture'

Paul Mobbs mobbsey at gn.apc.org
Tue Feb 17 15:53:04 UTC 2004



http://www.wired.com/news/privacy/0,1848,62307,00.html/wn_ascii

Warning: Microsoft 'Monoculture'

Associated Press
WIRED: 12:57 PM Feb. 15, 2004 PT

CAMBRIDGE, Mass. -- Dan Geer lost his job, but gained his audience. The very 
idea that got the computer security expert fired has sparked serious debate 
in information technology. The idea, borrowed from biology, is that Microsoft 
has nurtured a software "monoculture" that threatens global computer 
security.

Geer and others believe Microsoft's software is so dangerously pervasive that 
a virus capable of exploiting even a single flaw in its operating systems 
could wreak havoc. 

Just this past week, Microsoft warned customers about security problems that 
independent experts called among the most serious yet disclosed. Network 
administrators could only hope users would download the latest patch.

After he argued in a paper published last fall that the monoculture amplifies 
online threats, Geer was fired by security firm @stake, which has had 
Microsoft as a major client.

Geer insists there's been a silver lining to his dismissal. Once it was 
discussed on Slashdot and other online forums, the debate about Microsoft's 
ubiquity gained in prominence.

"No matter where I look I seem to be stumbling over the phrase 'monoculture' 
or some analog of it," Geer, 53, said in a recent interview in his Cambridge 
home.

In biology, species with little genetic variation -- or "monocultures" -- are 
the most vulnerable to catastrophic epidemics. Species that share a single 
fatal flaw could be wiped out by a virus that can exploit that flaw. Genetic 
diversity increases the chances that at least some of the species will 
survive every attack.

"When in doubt, I think of, 'how does nature work?'" said Geer, a talkative 
man with mutton chop sideburns and a doctorate in biostatistics from Harvard 
University.

"Which leads you -- when you think about shared risk -- to think about 
monoculture, which leads you to think about epidemic," he said. "Because the 
idea of an epidemic is not radically different from what we're talking about 
with the Internet."

Geer isn't the first to argue that the logic of living viruses also applies to 
the computer variety, and that the dominance and tight integration of 
Microsoft operating systems and software makes the global computing ecosystem 
vulnerable to a cascading failure.

Geer's paper did little more than make the point with particular fervor, which 
only intensified when Geer was fired.

"The hoopla around him losing his job gave the story some extra frisson," said 
Internet security expert Bruce Schneier, a co-author of Geer's. "He got fired 
because @stake wanted to be nice to their masters. But it's like the 
Christian Church boycotting a movie -- everybody wants to see it now."

Microsoft, which denies pressuring @stake to fire Geer, says the comparison 
between computers and living organisms works only so well.

"Once you start down the road with that analogy, you get stuck in it," said 
Scott Charney, chief security strategist for Redmond-based Microsoft.

Charney says monoculture theory doesn't suggest any reasonable solutions; more 
use of the Linux open-source operating system, a rival to Microsoft Windows, 
might create a "duoculture," but that would hardly deter sophisticated 
hackers.

True diversity, Charney said, would require thousands of different operating 
systems, which would make integrating computer systems and networks nearly 
impossible. Without a Microsoft monoculture, he said, most of the recent 
progress in information technology could not have happened.

Another difference: computers can be unplugged from the network and rebooted; 
organisms cannot. 

The theory also has skeptics outside of Microsoft.

Security consultant Marcus Ranum has emphasized that many network threats have 
little to do with the vulnerabilities of monoculture. Planting three strains 
of corn offers insurance against some diseases, he notes, but without a 
fence, deer will eat all three.

But Ranum also says the monoculture story "would barely be news" if @stake 
"hadn't done a brilliant surgical marketing strike on its left foot by firing 
Dan."

At an October hearing of the House Government Reform Committee's technology 
subcommittee, Steven Cooper -- the Homeland Security Department's chief 
information officer -- was questioned about the federal government's 
vulnerability to monoculture.

Cooper acknowledged it was a concern and said the department would likely 
expand its use of Linux and Unix as a precaution.

The monoculture idea is also influencing how experts look for solutions to 
security problems. Mike Reiter of Carnegie-Mellon University and Stephanie 
Forrest, a University of New Mexico biologist who has been gleaning lessons 
for computer security from living organisms for years, recently received a 
$750,000 National Science Foundation grant to study methods to automatically 
diversify software code.

Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook 
are exploring "benign mutations" that would diversify software, preserving 
the functional portions of code but shaking up the nonfunctional portions 
that are often targeted by viruses.

Geer -- who continues to consult, lecture and work with a startup these days 
-- believes monoculture theory points the way to possible solutions that are 
dramatic, and haven't always been followed. They would require, for example, 
banning from the Internet computers whose software hasn't been updated with 
the latest anti-virus patches.

Geer doesn't believe breaking up Microsoft is the answer, even though his 
paper was published by the Computer and Communications Industry Association, 
which aggressively backed the antitrust case that tried to split up the 
company.

But Geer says the company should disentangle its tightly integrated products, 
such as Microsoft Word and Outlook.

Microsoft contends, as it did during its antitrust trial, that the integration 
of those products is the heart of what it offers consumers.

Still, Microsoft's Charney doesn't entirely dismiss the idea of examining 
computer security through a biological lens. "Although 
biodiversity-monoculture issues may be more complex than people have been 
thinking about them, it does not mean you can't learn from it and draw some 
parallels," he said.

Geer calls such comments proof the idea is resonating.

"You see Microsoft talking about it," he said, "when before, they didn't." 

==========

"We are not for names, nor men, nor titles of Government, nor are we for
this party nor against the other but we are for justice and mercy and
truth and peace and true freedom, that these may be exalted in our nation,
and that goodness, righteousness, meekness, temperance, peace and unity
with God, and with one another, that these things may abound."
(Edward Burroughs, 1659 - from 'Quaker Faith and Practice')


Paul Mobbs, Mobbs' Environmental Investigations,
3 Grosvenor Road, Banbury OX16 5HN, England
tel./fax (+44/0)1295 261864

email - mobbsey at gn.apc.org
website - http://www.fraw.org.uk/mobbsey/index.html


