Dan Geer's Monoculture Bomb Goes Off

Posted by ScuttleMonkey on Wed May 24, 2006 12:31 AM
from the things-that-could-have-been-a-lot-worse dept.
Andy Updegrove writes "Three years ago, celebrated security expert Dan Geer lost his job at @stake when he co-authored a paper on the dangers that the Microsoft 'monoculture' represented for end-users. Last fall, he authored a similar warning in a Perspective piece he wrote for CNETNews.com, applauding the action of Massachusetts in adopting OpenDocument Format, thereby reducing its vulnerability to the same type of risk. Four days ago, Dan's prediction came true, when users of Word (but not those that only trade files created in StarOffice, OpenOffice, or other ODF compliant software) began to be infected with the Backdoor.Ginwui virus - a malicious Trojan program that hitches a ride on bogus Word documents. In short, an object lesson that in IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."

Related Stories

[+] Windows Monoculture Myopia Revisited 319 comments
round stic writes "eWeek magazine has an interesting look at the effects of the Windows monoculture on IT budgets, even as everyone agrees on the severity of the inherent security risks. The article contains interviews with Dan Geer and others who warned about the risks of the Windows monopoly three years ago. The article coincides with a piece in the Observer that suggests Vista is the end of the Microsoft monolith because of how complex the operating system has become."
  • Did any bombs go off... (Score:1, Troll)

    When all the thousands of PHP/AWStats defacements were made last year [slashdot.org] as well? Or is the PHP/MySQL/Linux triad not considered a "monoculture"?
    • Re:Did any bombs go off... (Score:4, Insightful)

      by BrainInAJar (584756) on Wednesday May 24 2006, @12:40AM (#15391945)
      what about PHP/Postgre/linux? or perl/mysql/linux? or PHP/mysql/solaris?

      All the components are modular... if the mysql people slack off with security, you can drop them in favour of postgres, with practically no interruption and minimal retooling.

      That's not how I would define "monoculture"
      • Re:Did any bombs go off... (Score:5, Insightful)

        what about PHP/Postgre/linux? or perl/mysql/linux? or PHP/mysql/solaris?

        What you're implying is that people would be OK if they just switched to something else? And how is that different from Word? I can count the number of applications I've seen that are *truly* database and OS-agnostic. I'd like to see "everyone" switch phpBB or whatever from MySQL to Postgres in an afternoon. Too difficult... no different from switching from MS Office to OpenOffice, except probably in scale.

        The vast majority of Linux distros ship with Perl and Python. Is that not also a monoculture? If I were a virus writer targeting Linux I don't think I'd run out of "monoculture" to exploit.

        The ability to drop an asset that has become insecure is conversely proportional to your dependence on it. People create "monocultures" because they value convenience. Open source is not immune to that.

      • Re:Did any bombs go off... by drsmithy (Score:3) Wednesday May 24 2006, @01:11AM
      • Re:Did any bombs go off... by DrSkwid (Score:1) Wednesday May 24 2006, @01:56AM
      • Re:Did any bombs go off... by seebs (Score:3) Wednesday May 24 2006, @02:01AM
      • Re:Did any bombs go off... by NutscrapeSucks (Score:2) Wednesday May 24 2006, @02:09AM
      • I'm sorry, did I read that correctly? (Score:4, Informative)

        by IDontLinkMondays (923350) on Wednesday May 24 2006, @02:12AM (#15392250)
        How in God's name would you switch a from MySQL to PostgreSQL to Oracle to MS SQL or to anything. Have you ever actually written a real database application?

        Seriously, the amount of time spent switching between any of these systems is drastic. For a typical, small database application, there is probably 20k-50k lines of stored procedures. All the different vendors have their own SQL procedures.

        How about securing the databases. I'd love to see how anyone could possibly say that the administration of a transition could possibly be an option. If your problem was MySQL security to begin with, how can you possibly suggest that switching to another database could be easy. The simple administration cost of securing a new server, especially with an existing dataset that was previously developed to be secured on another SQL server would be tremendous.

        Switching between PHP and Perl, hehe come on now... I won't even bother wasting my time on this one.

        Linux and Solaris.... if you have a security issue on one, you have a security issue on both. The fact is that the majority of security bugs that would be related to these is due to servers that are either not kept up to date or due to zero-day exploits. Both server systems are actively hacked and are high level targets for crackers. It doesn't matter which you use, you have to update both pretty much the same way, switching is a waste of time and money.

        So, if you were to reason that the original posters comment was regarding the monoculture of PHP/MySQL/Linux, well I'll make it simple....

        The open source community forces this crap down our throats all the time, they love this solution, it works more or less. There are books on it. There are sections on O'Reilly's website dedicated to it. It's advertised regularly everywhere. This solution is chosen not specifically on its merits for simplicity/stability/security, but it is chosen because it is relatively simple, relatively stable, and relatively secure, AND most importantly, it's Open Pop Culture.

        I know a bunch of sales people that love to sell the hell out of the solution because it's fun to say LAMP. They don't know what it means, but they make up all kinds of neat new industry sales terms regularly to make them sound like they have a clue... they don't. Oh, they also think P stands for PHP or Perl, not both. They don't understand how a letter can be variable.

        So, before you put your 2 cents in, think first. Your rinky-dink 50-line PHP script for changing passwords is not representative of a full mature system. In real development work, we use features like stored procedures, complex views, server-specific indexes. Also, just because your blog hasn't been hacked, don't think that just installing a new SQL server is actually going to secure anything; some of us have actually spent hundreds, if not thousands of hours just setting securities and permissions to different data sets.

        The LAMP monoculture is real, it is there. Once you use it, you're locked into it. There is no transitioning from one to another.

        Now if I misunderstood you and you really meant that Linux/MySQL/PHP itself wasn't a monoculture because you can choose different options when you're first starting... well ok, that may be true, but the majority doesn't. Perl rarely appears on the web anymore, the web is typically PHP, ASP, or JSP. I don't have exact numbers, but if you want to make me look like an idiot, post real numbers with reference that contradicts me. LAMPHP is a monoculture because it's used so often that lack of talent on the other solutions keeps it that way.

        Now go and try to sound like you know something somewhere else.
        • Re:I'm sorry, did I read that correctly? by frn123 (Score:1) Wednesday May 24 2006, @05:20AM
        • by mangu (126918) on Wednesday May 24 2006, @06:31AM (#15392886)
          For a typical, small database application, there is probably 20k-50k lines of stored procedures. All the different vendors have their own SQL procedures.

          Yes, but it's mostly Oracle developers who use stored procedures. I know because I had training in Oracle, both basics and some of the more advanced administration courses. Oracle training puts a lot of emphasis on stored procedures, you are taught PL/SQL from the start and never allowed to forget it.
          I recently moved a project that had a MS-Access front-end accessing an Oracle DB into a "LAPP", that is, Linux, Apache, PHP, Postgres. In this project I can say that, definitely, rewriting all the PL/SQL procedures from scratch in PHP was quicker than migrating it to the equivalent Postgres stored procedures. However, that's because the system itself suffered a lot of functional redesign, it wasn't just a matter of transplanting it unaltered.
          In the end, I believe that Oracle itself is a dangerous monoculture. Oracle is too complex for anyone to understand well in its entirety. In large Oracle systems there are some very specialized DBAs, for instance people who do nothing but take care of backup and recovery. Over-specialized admins are a weak point for security exploits. I think Oracle is protected by the same thing that protected VMS: obscurity. If Oracle came installed in each PC hackers would sooner or later devise ways to break it.

        • Re:I'm sorry, did I read that correctly? by Dr. Zowie (Score:2) Wednesday May 24 2006, @10:27AM
        • Re:I'm sorry, did I read that correctly? by sparr0w (Score:1) Wednesday May 24 2006, @10:40AM
      • Re:Did any bombs go off... by davidsyes (Score:1) Wednesday May 24 2006, @03:01AM
      • Re:Did any bombs go off... by Tom (Score:3) Wednesday May 24 2006, @03:28AM
      • Re:Did any bombs go off... by prell (Score:3) Wednesday May 24 2006, @06:45AM
    • Re:Did any bombs go off... by misleb (Score:2) Wednesday May 24 2006, @01:26AM
    • Well it is a valid question by SmallFurryCreature (Score:3) Wednesday May 24 2006, @02:29AM
    • Troll?? by Eric Damron (Score:2) Wednesday May 24 2006, @12:08PM
    • Re:Did any bombs go off... by ummit (Score:1) Wednesday May 24 2006, @12:11PM
  • I saw it happen long ago (Score:5, Insightful)

    by yagu (721525) * <<moc.liamg> <ta> <ugayay>> on Wednesday May 24 2006, @12:39AM (#15391944)
    (Last Journal: Wednesday August 15, @03:36PM)

    One time at work, I was working on code when a rumbling spread across the floor, up and down the building -- people were losing access to their machines, in our MAJOR CORPORATION! Some virus had invaded the corporate network, machines were in infinite recycle loops.

    Until the noise was loud enough, I hadn't noticed. I was working on my code on my linux box. And, it was code compatible to be used on the same project everyone else was developing on their Windows boxes. Interesting.

    Ultimately, the mono culture in my office got me too because of my dependency on shared drives running on infected Windows machines. It took at least one day to get machines half way back to normal.

    I hate Microsoft, but I think Geer's prediction, and point, are well made without blaming or pointing at Microsoft. A Unix or Linux monoculture could be susceptible to the same result (though I think with much more expended effort to achieve the same catastrophic result).

  • Sudden new point at the end (Score:5, Insightful)

    by XanC (644172) on Wednesday May 24 2006, @12:40AM (#15391946)
    "Proprietary" is introduced at the end of the summary. It's something of a non-sequitur because up to that point, the discussion has been about monocultures, which looks like an orthogonal issue.

    It's not, of course, because if we standardize on an open document format and a crippling bug is discovered in, say, OpenOffice, there are many other programs that exist or could be written implementing the same functionality. Don't really have that option with Word.

  • LOL, what? (Score:1, Funny)

    by Anonymous Crowhead (577505) on Wednesday May 24 2006, @12:49AM (#15391977)
    Object lesson? I think you mean an 'abject lesson' but I could be wrong. Of course, I could predict that some virus will infect Microsoft in the future too. And that a much lesser used format will not be affected. I suppose I could blog about it. Then when it happens, I could blog some more about it, saying how smart I was. Maybe I'd misuse the word 'irony' too as in "isn't it ironic that Microsoft got infected when linux didn't"... It would be a web-trifecta...
    • Re:LOL, what? by PinkyDead (Score:2) Wednesday May 24 2006, @03:32AM
  • Open-source monoculture just as risky (Score:5, Informative)

    by davidwr (791652) on Wednesday May 24 2006, @12:51AM (#15391985)
    (http://slashdot.org/~davidwr/journal/ | Last Journal: Friday November 09, @09:19PM)
    You guys under 25 are too young to remember the Morris Worm [wikipedia.org] but it's a good study in monoculture. Although it affected well under half of the internet-connected computers worldwide, at many institutions it had a disproportionate impact.

    Back in '88, Sendmail was to internet-mail-exchange what Outlook Express is to mail-clients today. Thanks to a bug in Sendmail and a bug in a student's project, email came to a grinding halt for several days at universities and other institutions worldwide.
  • Evolution, ahem (Score:4, Interesting)

    by Dracos (107777) on Wednesday May 24 2006, @12:51AM (#15391988)
    (http://www.fylo.net/)

    Given how easy it is to write MS Office malware, how long until a more advanced version of this worm can search a user's hard drive for other Word/Excel/Powerpoint/Visio documents, infect them, and wait for the next generation of itself to be transmitted?

    If the malware itself could change/adapt/evolve (ie, create new functionality within itself), then MS has essentially created a petri dish out of each install of Office.

    In other words, MS has created a true "software ecosystem".

  • For end users?! (Score:3, Insightful)

    by hlee (518174) on Wednesday May 24 2006, @12:55AM (#15392005)
    I wouldn't want to be a sys admin in a company that had to support OpenOffice, MS Office, StarOffice, XYZOffice. Or had to support Windows (XP, 2000, 2003), Linux, OSX, and *ix. Can you imagine the headache of getting all of them to play nice with each other on a daily basis? There's something to be said about standardization.

    On the other hand, if the sys admin has backups and servers distributed across Windows, Linux, OSX and whatever platforms, that would make sense.

    I mean I can understand the argument that diversity can add a certain degree of robustness, but it also raises the level of complexity of that environment, and that complexity comes with a cost that can be easily more expensive than dealing with the occasional severe threat.
    • Re:For end users?! by Anonymous Coward (Score:1) Wednesday May 24 2006, @01:40AM
    • Re:For end users?! (Score:4, Informative)

      by misleb (129952) on Wednesday May 24 2006, @02:10AM (#15392244)
      In my many years of experience managing heterogeneous environments (Windows, Mac OS, Linux, FreeBSD desktops and servers), I have not found complexity to be a problem at all. What happens is that you miss out on some more advanced features that you might get from going all Microsoft or all Apple. For example, you can't effectively run Exchange and get all of the features that a lot of end users seem to like. Users get accustomed to using more generic protocols like IMAP and POP for email and maybe some web based calendar system that you install.

      In many ways a heterogeneous environment is actually LESS complex than a homogeneous environment. You either end up using very simple, common protocols or you isolate your users. Put the Windows users on a Windows server and Mac users on an OS X server, for example, which isn't necessarily a bad thing. Usually Mac and Windows users have different organizational roles anyway and the Linux users don't like the Mac and Windows users. Everyone is happy. ;-)

      Seriously, it isn't bad. And people are happy using the desktop of their choice. But sometimes I guess you really need the kind of "features" that only a monoculture can bring. It's a trade off, for sure.

      -matthew
    • Re:For end users?! by gellenburg (Score:2) Wednesday May 24 2006, @04:21AM
    • Re:For end users?! by jimmypw (Score:1) Wednesday May 24 2006, @07:00AM
    • Re:For end users?! by dodobh (Score:2) Wednesday May 24 2006, @07:57AM
    • Re:For end users?! by donaldm (Score:1) Wednesday May 24 2006, @09:29AM
    • Re:For end users?! by Bryansix (Score:1) Wednesday May 24 2006, @10:42AM
    • Re:For end users?! by Steve001 (Score:1) Wednesday May 24 2006, @10:45AM
  • by Sycraft-fu (314770) on Wednesday May 24 2006, @12:56AM (#15392007)
    I mean the ultimate objective behind OpenDocument is to obtain a monoculture in the document formats. That different things implement it isn't relevant. Why? Well most likely there'll be reference code and documents to do that, and most likely people will follow those most of the time (why reinvent the wheel?) and thus if a bug happens, most things will be vulnerable. You see this with things like the libpng bug that affected so much software.

    So, why tolerate this? Well because I for one don't want to have to play with interoperability nightmares. I want a single document format I can share, I want standards in how computers operate so I don't have to relearn everything every time I sit at a new workstation.

    The magic of computers is really their ability to share information, and for that to work effectively, standards have to develop and prevail. I do not want to work in a world where my word processor has 150 different save formats and I have to pick the right one depending on the institution with which I'm communicating. I do not want a world where there are 50 different prevalent microarchitectures and no software runs on more than a handful, and so on.

    We have to accept that we can have diversity only to a degree. There has to be common grounds. Yes, those are going to be potential points for an infection to pass. Well, that's unfortunate, but it's simply something we need to live with if we want easily interoperable computers.

    Just breaking things in to a "duoculture" wouldn't really solve much. I mean let's say we achieve that with Linux, 50% Linux, 50% Windows. Ok fine, what happens now, in addition to exploits that happen to affect both, is that stuff still spreads, just among its subset, or malicious authors start making viruses have dual payloads that execute the right one on the right platform.

    To really have any significant effect, you'd have to have hundreds of different types all mixed together that were minimally interoperable. For example Linux running Wine to use Win32 programs does no good, now it executes the same code and thus is vulnerable in the same way.

    Trying to avoid common systems and formats for security may be valid in an isolated, secure environment but it just doesn't work in computing at large. We want interoperable computers and we strive for it (well, some companies like to try and stand in the way of that). That, by necessity, means that there are more possible vectors for infection. Hell, when you get down to it, we could really clean all this up by eliminating the TCP/IP monoculture. If every organization used their own proprietary network, then it'd be real hard for an infection to spread outside an organization. However I hardly think that's the answer.

    To me his piece seems like just so much anti-MS rhetoric. He's pushing ODF, which is a standard intended for interoperability, intended to create a document format monoculture. Yes, any word processor could use it, but like I said, that doesn't really gain you anything. He seems to be pushing for switching from one to another, rather than pushing for real fragmentation.
  • Safety in IT "Diversity" Sham (Score:1, Insightful)

    This notion of IT "Diversity" being the end all and be all for information security is a sham.

    Extend the same logic to the freeway. If we had even more brands, models, and geek knobs to choose from, would our traffic safety improve one bit more than where it is today?

    Security quality is security quality. Don't confuse security quality with market forces.
  • it's not much of a prediction (Score:4, Insightful)

    by sentientbrendan (316150) on Wednesday May 24 2006, @01:08AM (#15392048)
    (Last Journal: Monday February 03 2003, @08:59PM)
    if it has happened before. There have been numerous scripting exploits in word...

    Also, predicting a security vulnerability in ANY piece of software is like predicting rain. It is *going* to happen, it is not impressive at all, and proves nothing when it happens.

    It would in fact probably stop the flow of viruses if most computers all ran different operating systems (if there was no 90% majority of any system), software etc. I think this is fairly obvious.

    One thing to consider though is that it would also have additional costs associated training for most companies. Also, in terms of operating systems, no majority platform makes it more difficult for developers to make a profit since everyone is feeding off a tiny segment off the market.

    The unices have survived by adopting source level compatibility to broaden their effective market share, and above all by specializing. Apple has also survived by pandering to specific markets (education, graphics artists, home users) at the expense of other markets (business). The problem with having no majority operating system is that you can no longer build a general purpose computer that does everything. Instead one must dual boot, which is what linux users have done for a long time and what mac users are doing now that they can. Now, multi booting isn't the worst thing in the world, but it is an inconvenience.

    The last and most problematic issue of having no majority operating systems is drivers. One might think that hardware manufacturers would be most likely to be forced to write their drivers for multiple systems, instead of just windows as they do now, but this is not realistic. A no majority operating system is going to be an environment with lots of highly specialized operating systems. Makers of uncommon hardware are still going to only support one platform, the one on which their hardware is used. If you need to use two specialized gadgets, you are probably going to need to set up two different computers, or dual boot.

    Possibly multiple operating systems could adopt the same driver model, but I have to ask why that isn't happening right now when it is already advantageous for linux and others. Right now the only operating capable of using foreign drivers that I know about are freedos and reactos (using DOS and windows NT drivers respectively of course). Frankly, it would be a big boon for the desktop market and others if linux or freebsd could use stock windows drivers... but I suspect there are some technical problems with this. Linux developers have always quoted as a reason for not maintaining binary compatibility with drivers that they didn't want to impose arbitrary restrictions in the kernel. My suspicion is that compatibility with windows drivers, if technically feasible at all, would have performance issues for linux. Would someone more familiar with the kernel and the windows driver model care to comment?
  • by Allador (537449) on Wednesday May 24 2006, @01:14AM (#15392073)
    This stuff is so silly ... if you're using your box correctly, and not running as admin, this whole thing is meaningless and amusing.
  • all the same (Score:1, Redundant)

    by OneArmedMan (606657) on Wednesday May 24 2006, @01:19AM (#15392084)
    Over-specialization breeds weakness. It's slow death.

    Too much of the one thing is bad, Diversity is good!

  • Monoculture reduces complexity (Score:2, Insightful)

    by mikeburke (683778) on Wednesday May 24 2006, @01:20AM (#15392086)
    From an organizational point of view (be it a company, a government department, whatever), while it's true that a monoculture introduces security risks, a 'polyculture' introduces other problems - complexity in terms of patch administration, help desk, staff training, desktop imaging, license compliance, etc etc. This is precisely why organisations generally standardise on a single product + version - regardless of the underlying format.

    Switching to an open format (eg ODF) does not imply a polyculture, it just doesn't preclude it. Chances are that a given organisation will standardise on a software tool to work with that format; they'll still be a monoculture and (theoretically) subject to the same risks.

    Having said all this, I agree on the statement that publically owned documents should avoid proprietary formats. That's a no-brainer.
  • Uhmm (Score:5, Insightful)

    by NitsujTPU (19263) on Wednesday May 24 2006, @01:23AM (#15392096)
    from those that subsist in a proprietary monoculture.

    Actually, that would be a "monoculture," not just a proprietary one. If everybody ran Linux and such a vulnerability existed, the same thing would happen.
    • Re:Uhmm (Score:5, Insightful)

      by Vo0k (760020) on Wednesday May 24 2006, @01:52AM (#15392185)
      (Last Journal: Wednesday August 18 2004, @07:52AM)
      If everyone was running the same distro of Linux in the same config.

      If I pick Qmail, I'm immune to Sendmail holes. If I pick KOffice, screw OOo bugs. Many Apache exploits miss my webserver running on Boa. If Firefox is compromised, I can pull out Galeon. If I get a Thunderbird exploit, Pine ignores it.

      Microsoft is a very deep-reaching monoculture. Not just Windows. You can expect the Windows computer will run MS Office, cooperate with Exchange through Outlook or Outlook Express, use MSIE for the web, the webserver will be IIS, the database will be MSSQL or Access (and predictable which where), so you get lots of machines running all the same software. In case of Linux, thanks to multitude of choices the users have, there is no monoculture, each install is custom-made.
      • Re:Uhmm by tbuskey (Score:2) Wednesday May 24 2006, @09:35AM
    • Re:Uhmm by Tom (Score:2) Wednesday May 24 2006, @02:50AM
    • Re:Uhmm by jesterpilot (Score:2) Wednesday May 24 2006, @04:27AM
      • Re:Uhmm by kjart (Score:1) Wednesday May 24 2006, @04:52AM
  • How is this news? (Score:1)

    by slagell (959298) on Wednesday May 24 2006, @01:31AM (#15392121)
    (http://slagell.com/)
    It's news if a worm doesn't exploit a large piece of monoculture software (a.k.a. MS Windows or Word). This same story could have been rewritten with the same words, just exchanging virus names for almost any virus. News would be a terrible virus exploiting a less widespread piece of software, like the BlackICE firewall software and the Witty worm a few years ago.
  • Interesting (Score:2)

    by sheldon (2322) on Wednesday May 24 2006, @01:34AM (#15392131)
    I use Word on four computers, and I haven't seen this infection.

    Hmm, maybe because unlike in biology, we can easily fix computers without years of clinical trials and research studies.
  • by Thornkin (93548) on Wednesday May 24 2006, @01:41AM (#15392152)
    (http://www.fantoma.org)
    The whole concept that diversity somehow protects from viruses is ludicrous. It may stop a universal outbreak by limiting it to some subset of the population, but if you are part of that vulnerable population, a virus is no less devastating. Empirically, when there *was* a diversity of computer operating systems, viruses *still* ran rampant. Think about the late 1980s. There were substantial populations of MSDOS, Commodore, Apple, Macintosh, Amiga, Atari, etc. computers around. Most people here are probably too young to remember but there were a lot of viruses in those days too. It is not the evil Microsoft monoculture that brought about viruses. They pre-existed that by a long while.

    I would go so far as to predict that a diverse culture of computer operating systems would actually *increase* the damage viruses can do. Sure, a single virus couldn't take down everything at once, but there would also be far fewer resources thrown at stopping any given virus. Antivirus software would have to be written and maintained for each platform. Security vulnerabilities would have to be patched for each platform. Each time you diversify the culture, you increase the amount of redundant work needed to keep the entire population safe. Fewer resources means more vulnerabilities and slower response times. That, in turn, would mean more viruses doing damage in the real world.
  • Computer epidemics are different! (Score:3, Insightful)

    by louarnkoz (805588) on Wednesday May 24 2006, @01:41AM (#15392153)
    The "monoculture" argument draws upon the analogy between epidemics among living things and computer epidemics. But it is a false analogy.

    An epidemic keeps propagating if, on average, an infected subject infects more than one target. If it infects less than one, the next "generation" will be smaller than the previous one, etc. The number of infected targets depends on how many contacts the subject has, and how many of these get infected.

    For human infections, an infected subject contacts family members, maybe schoolmates and coworkers. On average, it takes more than a simple casual contact to get infected. So, the number of contacted targets is small. If enough are vaccinated, or otherwise invalid, the average number of infected targets drops below 1, and the epidemic stops. The interesting result is that the infection stops before every potential target is infected. A typical infection affects a city or a province, and then stops.

    Computer infections are very different. A virus-infected computer can contact thousands of other computers. Even if many are protected, chances are that many more than 1 in a thousand will be infected. Computer viruses can spread very fast!

    Diversifying with two or three brands of software will maybe minimize the results, but cannot stop such infections before all vulnerable machines are infected. To limit the infection to "a city or a state" when a sick machine contacts thousands of others, something like 99.9% of the machines must be either "different" (diversity) or "vaccinated" (anti-virus, etc). Unless you are ready to manage diversity by running a thousand different brands of software, the anti-virus route looks much more realistic.

    -- Louarnkoz
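The branching-process reasoning in the comment above, worked through as an added example that is not part of the original thread: it computes the protected fraction (diverse software or anti-virus) needed to push the average number of new infections per host below 1, and runs a simple generation-by-generation model in a finite population. All parameter values are constructed for illustration.

```python
# Added example, not from the Slashdot thread. A deterministic branching-process
# model of the "contacts x infection probability x unprotected share" argument.


def effective_reproduction(contacts, p_infect, protected):
    """Average new infections caused by one infected host when a fraction
    `protected` of hosts is immune (runs different software) or vaccinated
    (anti-virus). Below 1.0 the outbreak shrinks generation by generation."""
    return contacts * p_infect * (1.0 - protected)


def protection_needed(contacts, p_infect):
    """Smallest protected fraction that brings the reproduction number below 1,
    i.e. the classic herd threshold 1 - 1/R0. With thousands of contacts per
    host this is where the '99.9%' figure in the comment comes from."""
    r0 = contacts * p_infect
    if r0 <= 1.0:
        return 0.0  # already self-limiting, no protection required
    return 1.0 - 1.0 / r0


def simulate(contacts, p_infect, protected, population, max_generations=50):
    """Spread a single initial infection through `population` hosts, of which
    only the unprotected share is susceptible. Each generation every infected
    host reaches `contacts` hosts; a contact infects only if the target is
    still susceptible, approximated by the current susceptible share.
    Returns (total_infected, generations_run); the run stops when fewer than
    half a new infection would occur in a generation."""
    susceptible = population * (1.0 - protected)
    infected_now = 1.0
    total = 1.0
    for gen in range(1, max_generations + 1):
        new = infected_now * contacts * p_infect * (susceptible / population)
        new = min(new, susceptible)  # cannot infect more hosts than remain
        if new < 0.5:
            return round(total), gen
        susceptible -= new
        total += new
        infected_now = new
    return round(total), max_generations


if __name__ == "__main__":
    # Constructed scenarios: a few casual human-style contacts versus a host
    # that reaches a thousand machines. Same 50% protected share, very
    # different outcomes in a population of 100,000.
    print("herd threshold, 1000 contacts, p=1.0 :", protection_needed(1000, 1.0))
    print("herd threshold, 1000 contacts, p=0.01:", protection_needed(1000, 0.01))
    print("R_eff,  10 contacts, p=0.1, 95% protected:",
          effective_reproduction(10, 0.1, 0.95))
    print("10 contacts, p=0.1, 95% protected  :", simulate(10, 0.1, 0.95, 10000))
    print("1000 contacts, p=0.01, 50% protected:", simulate(1000, 0.01, 0.5, 100000))
```

With 1000 contacts per host and a 1% per-contact infection rate, half the population being "different" still leaves an effective reproduction number of 5, so every unprotected host is reached within a handful of generations; only a protected share above 90% halts it.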

  • easy (Score:2, Informative)

    by m874t232 (973431) on Wednesday May 24 2006, @01:51AM (#15392183)
    It's easy to predict what has happened thousands of times before. It's hard to predict the future.
  • Is the problem that we have a monoculture, or is it the quality level of that monoculture, or is it that we don't have barriers and quarantines to limit damage?

    Thought experiment #1: you have a choice of a diverse world where Apple, Microsoft, Sun and everyone else has written their own sshd, or a monoculture world where everyone runs OpenSSH. Which would you choose?

    Thought experiment #2: how worried would you be about monoculture if the operating system on 95% of computers were OpenBSD? SELinux?

    Thought experiment #3: before malware enters your body it has to run the gamut of being stuck to mucus and swept out, being sneezed out or coughed out, being hammered by natural antibiotics, being dropped in acid, and potentially being expelled from the digestive tract if found to be toxic. Do our computers have an equal or similar level of protection against unfriendly programs?
  • by Anonymous Coward on Wednesday May 24 2006, @02:01AM (#15392210)
    This particular vulnerability was discovered when it was attempted to be used on a highly specific target. This was not your typical 0-day worm or anything, not even close. Targeted attacks will use any vector they can to get in - it may as well have been Winamp or any other program.

  • Causality at work? (Score:1)

    by thevil (602459) on Wednesday May 24 2006, @02:08AM (#15392235)
    So which came first again?

    The chicken or the egg?
  • I predict (Score:2)

    by suv4x4 (956391) on Wednesday May 24 2006, @02:10AM (#15392242)
    I predict that because of ... monoculture... whatever... err microbiology, nanoparticles and so on, a virus for Vista will be created.

    That's it. In one year Slashdot will write about me and my amazing prediction came true, how the hell I can be so smart to ever guess this coming?!
  • What I never understood (Score:5, Insightful)

    by Budenny (888916) on Wednesday May 24 2006, @02:11AM (#15392247)
    Isn't it the MS Product Management culture?

    You have a PM who is measured on sales. Sales by now are hugely upgrades. The only way to motivate upgrades is new features. So you introduce them, whether they are really needed or wanted, or not. They are then heavily used by the salespeople, before the sale, selling to people who are not the end users of those features.

    And so it comes about that IT buys, and what the ordinary user thinks of as a glorified on screen typewriter actually becomes, via Word macros, a powerful if flawed programming language, and what the end user thinks of as a document becomes a program that can wipe his hard drive or change anything at all on his machine it chooses.

    This is not about mono culture versus poly. If you had twenty different PMs behaving like this across the whole industry, it would be as bad or worse. It's about feature driven business models in areas where the buyer is not a sophisticated end user of the products. IT buys Office. What does IT really know about using Word to write? Hosts of features can be sold to IT that could never be sold to the people who use the stuff....
  • by beoswulf (940729) on Wednesday May 24 2006, @02:20AM (#15392272)
    First we hear about our beloved, albeit cloned bananas at risk of going extinct, now Apples and Windows lemons are in danger... it's all over folks. Get out your tin foil and wrap your fruit up tight.
  • Yeah for competition (Score:5, Insightful)

    Big corporations love stability. They love consistency. They fear the unknown. They love going with the de facto standard, and keeping it standard across the board. So while people may argue against monoculture, don't expect it to change in big corporate environments.

    And MAYBE part of the reason Word is being infected with worms, isn't some side-effect of monoculture and the lack of software diversity, but rather a result of hackers almost solely targeting Microsoft products.

  • by Arimus (198136) on Wednesday May 24 2006, @02:41AM (#15392317)
    The other reason for the attack being a Word only is down to the number of copies of Word which are used day to day compared to the alternatives. As Star Office/Open Office etc become more popular the number of attacks will increase.

    The same thing is true for Firefox: the browser with the biggest market penetration is the one which will suffer the attacks.
  • not so new (Score:2)

    by Tom (822) on Wednesday May 24 2006, @02:47AM (#15392336)
    (http://web.lemuria.org/)
    Four days ago, Dan's prediction came true ...for the 200th or so time. Remember Outlook? The corporate mail system monoculture? At home, it might have 20% or so of the market, but it's big with business users.

    True, the Word thing is more nifty, because people don't expect it, and it's not a macro virus. But even so, this is hardly the first time MS users get bitten exactly because they are MS users.
  • For real research on the subject (Score:4, Informative)

    by erwejo (808836) on Wednesday May 24 2006, @02:57AM (#15392353)
    While I do enjoy someone writing a think piece on the idea of the dangers of a mono-culture, this work has been thoroughly researched by Stephanie Forrest ( http://www.cs.unm.edu/~forrest/ [unm.edu] ) at the University of New Mexico via the Santa Fe Institute and the complex systems program at the University of Michigan. For anyone that wants to actually learn more about the application of immunization models to computer security, I suggest you check out her research.
  • Monoculture?! (Score:1)

    by Madman (84403) on Wednesday May 24 2006, @04:08AM (#15392550)
    Monoculture?! Try bad coding and bad management. There's plenty of proprietary software out there that is excellent and secure, it's just done properly.
  • by giafly (926567) on Wednesday May 24 2006, @04:25AM (#15392583)
    "One of the reasons that birds feed in flocks is that it means more eyes to watch for danger. Most of the time, at least one member of the flock will see the hawk coming and sound the alarm." - Hawks at the Feeder [birdwatchersdigest.com]

    The moral is obvious: living in a "proprietary monoculture" can reduce your risks.
  • The symantec description doesn't provide enough detail to be sure, but like everyone else I'll assume that this attack is enabled by a Word macro exploit.

    Word macros included in .doc files have been around for over a decade now, and the closest thing I've ever seen to a legitimate use of them is to write self-propagating viruses. (in fact, I once received a CD from Microsoft - the original "wolfpack" cluster server beta - that had macro viruses in its .doc files. Gave the virus scanner a fit when it couldn't scrub the files...)

    It seems that in all this time *someone* could have taken the effort (granted, a large one even with the libraries out there for dealing with Office file formats) to write a filter to strip macros from Word documents. Then install this filter in all your mail servers, and voila - no more word macro viruses.

    Of course the easiest solution would be for MS to remove the ability to include macros in Word documents entirely, and require them to be saved to and read from a separate, executable file type. (e.g. one of the existing VBscript file types, like .vbe or .vbs) But that's been an obvious solution for a decade, and they haven't done it yet, so I wouldn't hold my breath.
  • Cultures... (Score:1)

    by TwelveInches (976724) on Wednesday May 24 2006, @05:27AM (#15392727)
    I think some of you guys have the "mono-culture" thing all wrong.

    I believe the notion that formats and standards developed by a group of people with an intellectual mono-culture are more likely to have flaws than, say, formats and standards developed and maintained by many.

    This has nothing to do with the fact that the formats and standards themselves are a mono-culture.

    Some here would be implying that the basic design of a dog is wrong, simply because dogs are similar, in that they all have 4 legs. This is just silly; we should be looking at the diversity of the dog's gene pool, and the power of this ability to improve the dog's resilience, longevity, etc.
  • by Theovon (109752) on Wednesday May 24 2006, @06:54AM (#15392949)
    From this, we learn the lesson that we don't have to have a single vendor in order to have universal interoperability. This funny thing called "open standards" allows numerous different vendors to interoperate with each other. And then apps live and die by how user friendly they are and how well they support the standards.
  • by ajs318 (655362) <sd_resp2&earthshod,co,uk> on Wednesday May 24 2006, @07:29AM (#15393097)
    How about this to break monocultures?

    Give every processor a different instruction set. So if you want code to run on a particular machine, it has to be compiled for that particular machine. In practice that's likely to mean compiled on that machine. Then there's next to no chance of "foreign" code {viruses, worms, trojans, whatever} running on your machine.

    This would mean it would be very difficult to sell closed source software, but that's no great loss IMHO. Remember, before Windows, software for the various Unix versions and VAX/VMS often was supplied in source form but without a licence permitting distribution. And anyway, the lack of source code never prevented anyone from copying Windows or Office.
  • Factually wrong analogies (Score:4, Informative)

    by Jonathan (5011) on Wednesday May 24 2006, @07:30AM (#15393100)
    (http://www.ttaxus.com/)
    From the article: "Examples are as plentiful as they are sad: Consider the virus that brought on the Irish potato famine".

    *Viruses* had nothing to do with the Irish potato famine. While there were many factors for the famine, many of them political, the pathological reason was the *fungus* Phytophthora infestans.
  • A failure in the hypothesis. (Score:5, Insightful)

    by ZombieRoboNinja (905329) on Wednesday May 24 2006, @07:44AM (#15393148)
    The "monoculture bomb" analogy only goes so far before failing. When we're talking about corn or something like that, obviously a specific engineered disease could cause widespread devastation. But in the computer world, viruses can do far more insidious things than just shut down a network, and a polyculture might actually make that easier.

    Let's say you've got a hacker who wants access to a file on your network that a bunch of users have access to. In this case, the hacker isn't trying to infect ALL the computers; any one of them will do. In this case, a polyculture actually HURTS security, because the hacker only has to find one flaw in any of the many different applications people are running. Can't hack his way into Word? That's okay, some nerd in the office is running StarOffice and he can find a backdoor for that. Or whatever.

    Not to mention, in a monoculture it's easier to standardize training and security. The security guys in an all-Windows place only need to keep up with the (legion) Windows vulnerabilities out there. In a polyculture environment, they have to know about Windows vulnerabilities PLUS Linux, Mac, and all sorts of other vulnerabilities, because one compromised computer can mean a whole lot of lost information.
  • ... at the level of DNA. Discuss and explain differences between infrastructural and higher-level monoculture. Are Turing-equivalent devices a monoculture? Von Neumann architectures? The C-oriented architectures of today's machines? Is monoculture *always* a bad idea? Should we design systems based on economic principles (which usually like monocultures due to economies of scale) or biological principles (which may lead to more robust systems)?

    The thing that amazes me is that there are *so* many interesting issues that this view of computer systems raises and the best that the collective wisdom (such as it is) of the net can come up with is a bunch of mindless Linux advocacy and Windows counter defense. In general, any discussion of this topic without also recognizing systems other than Windows and Linux is missing the point.

    Have a nice day!

  • four days ago? (Score:2)

    by drew (2081) on Wednesday May 24 2006, @09:37AM (#15394036)
    (http://www.drewandkim.com/)
    Word viruses have been around for at least 8 years, and the Microsoft Word monoculture for longer than that. How is this new?
  • by DragonWriter (970822) on Wednesday May 24 2006, @10:06AM (#15394291)
    From the millions of Windows-only trojans, viruses, etc.? Yeah, the most fruitful target will attract the most exploits (and also the most investment in countermeasures). The thesis was obvious, and this Word-only trojan is hardly the first demonstration of it.

    Heck, it had already been well-demonstrated when it was first suggested.

    OTOH, the biological analogy is flawed in many ways, most notably that computer systems don't reproduce themselves, and therefore the central risk associated with a monoculture (that a single hazard will reduce the population to below where it is reproductively viable) doesn't exist.

    That neither the target systems nor the exploits evolve in the Darwinian sense is also a critical difference which makes the dynamics radically disanalogous.
  • by moe_jama (661046) on Wednesday May 24 2006, @10:35AM (#15394587)
    If you generalize things enough then you can make almost any rule apply to fields that it wouldn't normally apply to. Of course diversity makes it harder to write viruses and spyware, but at the same time forcing diversity upon the computer industry might also make virus writers write multi-platform viruses. The motivation of evolution and that of a virus writer should not be compared since one is based on natural selection and the other is based on conscious choice. It's not that non-MS programs don't have exploits, it's just that most malicious programmers are not interested in writing a virus for OpenOffice or Linux. The comparison is really not valid at all beside that of saying DUH diversity can be advantageous. Unlike the real world however, diversity in the computer field leads to confusion, lowered productivity and much harder administration. Must a person make up a catchy phrase to claim credit for knowing that MS would get hit first by virus writers? I think anyone who knows anything about viruses already knew this information over a decade ago. This really isn't news, just a fancy way of saying I told you so. Open document standards are a great idea, but it's not as big a disadvantage to MS as you would think. The competition's products simply are not that great. All MS has to do is make legacy products like Office 2000 work with open document standards to include diversity while excluding competitors.
  • I think that the folks over at Consortiuminfo need to hire some real life tech experts

    http://rjdohnert.wordpress.com/2006/05/24/monocultures-and-document-formats-dans-bomb-goes-off/ [wordpress.com]
  • Duh! (Score:1)

    by ac3boy (638979) on Wednesday May 24 2006, @12:48PM (#15395783)
    Duh!
  • chicken little (Score:1)

    by singingjim (957822) on Wednesday May 24 2006, @02:55PM (#15396909)
    Crap, the sky is falling. Again.
  • by Master of Transhuman (597628) on Wednesday May 24 2006, @04:02PM (#15397389)

    Use Word in SAFE MODE!

    I'm not kidding...TechTarget reported that this morning in one of my security emails...

    Microsoft expects scores of millions of office workers to reboot their systems into Safe Mode to write a document until they offer a fix next month...

  • If every technology adhered to the same standard, be it ODF, ECMAscript (javascript), tcp/ip, etc., would that constitute an equally vulnerable, just not proprietary, monoculture too?
  • by fygment (444210) on Wednesday May 24 2006, @07:17PM (#15398374)
    Did it happen because it was foreseen or because his ideas sowed the seeds?
  • correct grammar (Score:1)

    by flogic42 (948616) on Wednesday May 24 2006, @11:23PM (#15399259)
    (http://spherical-cows.blogspot.com/)
    those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture."

    s/from/than
  • Re:Stupid Analogies (Score:4, Insightful)

    by Anonymous Coward on Wednesday May 24 2006, @01:01AM (#15392023)
    In IT, as in biology, those that exist in diverse gene pools are at a lower risk, both individually and collectively, from those that subsist in a proprietary monoculture
    Just because your analogy "sounds right" doesn't make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way. And if you take the analogy for anything more than a mild curiosity, it really exposes your underlying idiocy.
    They do actually work in similar ways.
    Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.
    Ecological factors create monocultures in biological species as well. Economic and ecological come from similar roots and differ only with nomos and logos, the law and the word. There isn't that much separating the two, and in fact, a famous Greek book equated called laws with The Word (btw, I'm an atheist).
    And how exactly does yet another word virus suddenly prove this theory? It's not like there haven't been many since the paper was published.
    This is more than a mere macro virus. As I understand it, it exploits a vulnerability that isn't simply a macro that you have to get asked permission to run.
  • Re:Stupid Analogies (Score:4, Insightful)

    by Jah-Wren Ryel (80510) on Wednesday May 24 2006, @01:08AM (#15392047)
    Just because your analogy "sounds right" doesn't make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way. And if you take the analogy for anything more than a mild curiosity, it really exposes your underlying idiocy.

    Just because you say that biological organisms and "viruses" don't work the same way, doesn't make it a valid thesis. If you can't explain how, for the purposes of the discussion, the two differ, then you are really just exposing your innate idiocy.

    Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.

    I'm not sure what being "tools" has to do with the rest of your statement, but your assertion that it is cheaper for society to buy anti-virus (software?) than to support multiple OSes is hanging out there just dangling in the wind. You got anything besides your ass to back up that claim?

    And how exactly does yet another word virus suddenly prove this theory? It's not like there haven't been many since the paper was published.

    Wait, wait, wait. Now you say there is lots of proof for this theory, the one you've been claiming is false up until now? If there are so "many" cases since the paper was published, doesn't that mean that this "anti-virus" really doesn't work so well?
  • by cgenman (325138) on Wednesday May 24 2006, @01:46AM (#15392172)
    (http://www.chriscanfield.net/)
    Hi! I have a helpful link [wikipedia.org] for you.

  • by strider44 (650833) on Wednesday May 24 2006, @02:15AM (#15392256)
    Here's the definition of the word "Analogy" from Dictionary.net: A resemblance of relations; an agreement or likeness between things in some circumstances or effects, when the things are otherwise entirely different. Thus, learning enlightens the mind, because it is to the mind what light is to the eye, enabling it to discover things before hidden.

    Yes, computers aren't biological organisms and "viruses" don't work the same way, but the concept is still the same - that's what makes it an analogy. Diversity increases security. It's not exactly a new idea, and I think calling someone an idiot for saying so, especially when you have given no sort of evidence, is just stupid.
  • >underlying idiocy

    We shouldn't put people on pedestals above all criticism, but Dan Geer has earned the right to have people at least offer some evidence when they accuse him of "idiocy".

    Incidentally, Kephart and White have used biological epidemiological math to model the spread of malware, as have Williamson and Leveille. Actual researchers are finding the pathogen analogy [albany.edu] fruitful.

    This discussion could not be complete without a car analogy.

    Analogies are like cars. Sometimes they're buggy or unsuited for the job but if you test them carefully they can be superb tools.
  • by Tom (822) on Wednesday May 24 2006, @03:00AM (#15392364)
    (http://web.lemuria.org/)
    The fact is that computers are not biological organisms and "viruses" don't work the same way.

    In certain areas, they do and the analogy is quite valid. For example, worm propagation on the Internet [lemuria.org] very closely resembles biological population growth models.

    While computers and biological organisms are indeed very different critters, on the systems level (i.e including their environments) there are many similarities.
  • As an interesting coincidence, I was reading an article by Marcus J. Ranum today, entitled The Monoculture Hype [ranum.com]. Among other things, Marcus criticises bad analogies:
    Analogies are dangerous verbal tools. Basically, they treat the listener as a patsy by presenting a carefully constructed world-view that is tailored to explain and prove the analogist's point, while omitting everything that would argue against it. While the concept of "monoculture" is an attractive analogy for a security problem, it ignores the simple truth that we could just as easily talk about the actual problem in its real context without resorting to cute analogies. For example, if you take the CCIA paper and rewrite it into a pure computer security conceptual framework, I think the authors' argument might read something like: "Microsoft's products suck; they are insecure. Everyone keeps buying Microsoft's products anyhow, which makes the situation worse rather than better. There is a very real danger that if everything relied on sucky products then we'd all be vulnerable all the time and some cataclysmic software chernobyl is more likely to happen." It happens I agree with that statement. But if you avoid the analogies and pseudoscience and pose the problem in the terms I did above, then you've avoided intellectually painting yourself into a corner and you can ask the interesting questions such as: "how can we reduce the suckiness?" "are we applying the wrong market forces?" "what alternatives are better?" etc. In fact, these questions are so obvious (and profound) that asking them around most seasoned security experts will generate a tired "well, DUH!" as a response. I think, honestly, that the CCIA authors' reliance on analogy helped them catapult a "well, DUH!" anti-Microsoft whine into a major whitepaper. Professionally it's good for them, but for the industry, intellectual honesty is better in the long run.

    It's a good read.

  • by HangingChad (677530) on Wednesday May 24 2006, @07:06AM (#15393009)
    (http://www.dangercollie.com/music/)
    The fact is that computers are not biological organisms and "viruses" don't work the same way.

    I'd argue that in Windows World the virus model in biological organisms is fairly accurate. An infected cell starts producing more virus that in turn infect other hosts. And that model is unique to Windows, unless your Linux boxes are really poorly configured.

    Computers are tools in the sense they are machines, but you won't see my chainsaw pick up a virus then go off on a tangent and try to infect the lawn mower.

    Suggesting the monoculture model is more efficient from a management standpoint is one of those ideas that seems true but doesn't really hold up in real life. The fatal flaw being it assumes all elements in a mixed OS system require the same amount of administrative oversight and that's simply not the case. I have LAMP stack applications that will run for months at a time without any administrator oversight.

    Put that in your TCO pipe and smoke it. ;)

  • by Walter Carver (973233) on Wednesday May 24 2006, @07:48AM (#15393173)
    (about:blank)
    Not to mention it completely ignores the economic factors which created the "monoculture". It's cheaper for society to buy anti-virus than to support multiple OSes, and the analogists just have to deal with that. Computers are tools. Period.

    Linux and BSDs are developed by volunteers who take pleasure, are free-as-in-freedom, and most of the times are free of monetary cost.

    Corporations (like Redhat) make money from this model too, and they give back to the community. It works nicely. Simple users are not obliged to comply with the monetary cost.

    Windows costs money to all. Anti-virus costs money to all. A computer jammed by a virus/trojan/malware costs money to all.
  • Just because your analogy "sounds right" doesn't make it a valid thesis. The fact is that computers are not biological organisms and "viruses" don't work the same way.
    Analogy [m-w.com]: resemblance in some particulars between things otherwise unlike : SIMILARITY b : comparison based on such resemblance.

    Explain how, by expressing a resemblance between things otherwise unlike, he invalidates his analogy.

    Not to mention it completely ignores the economic factors which created the "monoculture".

    And also explain how these economic factors invalidate the analogy. Do use examples of agroeconomic factors pertaining to crop monocultures while doing so (I expect the word "locust" to make an appearance in this explanation).