Monoculture Debate: Geer vs. Charney

Let’s suppose we got to a place where the market was 1/3 Microsoft, 1/3 Macintosh, and 1/3 Linux. Now suppose a worm is developed which only attacks one of these three operating systems, but is devastatingly effective and captures virtually 100% of those systems, using them as a basis to DDOS the entire Internet.

As you point out, current attacks have been extremely disruptive even with a tiny percentage of machines. With these kinds of attacks, you don’t need to take down 100% of the machines to take down the net. You only need a few percent. Beyond that point, it doesn’t make any real difference in either how fast the worm spreads or how effective it is.

It seems to me that in the situation above, we are actually three times more vulnerable than we are today, because now a flaw in any one of the three architectures is enough to bring the net to its knees. It will be three times easier for attackers to find such a hole if they can succeed with any of three different OSs.

Now, you might say that we would be better off, because at least we could still use 2/3 of the machines. But use them for what? Without effective internet connectivity, more and more our computers will be useless. Looking 10 or 20 years down the road we are going to be dependent on network connections for all but the most basic activities.

What we really need to do is to work on improving the security of the operating systems that have the highest degree of popularity, which is exactly what is happening, with the upcoming SP2 release of Windows XP. Doing this will do far more to improve security than moving towards a situation where we are vulnerable to flaws in a much larger number of designs.

I also was there. Afterwards, I realized that fire is a more useful analogy than infection. There are biological analogs, e.g. the relationship between biodiversity and fire ecology; manufacturing analogs, e.g. more or less flammable products; and maintenance and use analogs, e.g. firebreaks and firewalls.

You can consider a relative flammability rating for OS’s (e.g. Linux might be flammability 3, MS Windows 3.11 flammability 10). You can teach that add-ons and modifications affect flammability. You can teach the proper use and limitations of things like firewalls and firebreaks. The Internet connections stretch the analogy, but it is a kind of flammable connection between locations.

The analogy breaks down in that there are many kinds of security strengths and flaws, not the simpler temperature and chemical relationships that control the spread of fire. But the infection analogy is flawed in other ways.

It may also help more with the general public and legal understanding. Product flammability and its proper management is far more widely understood than infection or security management. People can understand the simplification that Windows is highly flammable and Microsoft is making changes to reduce its flammability. It is a reasonably accurate initial framework from which security related differences can then be explained. It also gets across the concept that security is a continuum, just like flammability, and that security has potentially significant tradeoffs. After all, most people accept a degree of flammability in their life and do not live in a home made only of metal and stone. Instead you manage flammability.

The monoculture argument is an extremely interesting thought exercise and an extremely simplistic scenario in reality, where there are many security options available and in use today that could limit the effect of any attack. (For example, I believe it was Andy Ellis of Akamai at Usenix Security ’03 who said that on average there are something like 12 hops between any two points on the Internet – 12 places to control/restrict/filter traffic). Considering that any attack is immediately translated into packets, slicing, dicing, and ginsu-ing the network provides ample opportunities for security, with assists from quarantining, firewalls, IDS/IPS, etc…

Re: Quarantining – Howard Schmidt brought up the notion of “car inspections” for PCs at a recent Qualys conference – a great idea in my opinion – one that doesn’t smack of class warfare like the Internet “driver’s license”. Just think, it could be regulated in real-time by the ISPs – got a junker/compromised PC, can’t get on the ‘Net.

The paper itself was a bit topsy-turvy anyway – consider that it made the argument that at some point patching makes software less secure, yet as a remedy Microsoft should make its source code readily available to external sources. Either contradictory or… interested in putting MS out of business.

Btw, through all of this, I think the underlying notion of “security” is interesting – I think “availability of the Internet” is a reasonable interpretation. As surely as diversity would make the Internet more secure/available (which I will stipulate but not yet concede) we make the success of individual attacks much more likely (lesser-skilled programmers, more lines of code, more components, more bugs // same number of hackers/code reviewers, fewer worms, more targeted attacks). I am generally more concerned about individual, targeted attacks against my high-value resources than I am the worldwide rash of Code Red.

Back to monoculture – I believe there are something like 90 million unique IPs on the ‘Net on average, with a total population of 600 million or so possible “users”. Does anyone know how many naked Windows systems there are on the ‘Net at any given time? or over time? I would love to know that number, which would be a much clearer indicator of whether the ‘Net could possibly be taken down by them. Even more interesting may be how many nodes Cisco routers manage on the ‘Net – a much more concerning scenario in my opinion given that they are more likely to be dispersed throughout the cloud rather than at the (more easily controllable) edge.

More on monoculture (from 11/03 column in Information Security Magazine):
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss205_art449,00.html

All this said, Microsoft software is still a problem to individual enterprises (even though MS gave us exactly what we wanted but it wasn’t what we needed). My solution to poor coding: Software Security Data Sheets for all developers that identify all services, APIs, shared libraries, resources used, security configurations, etc.. (what else should be here?) that 1) identify how a software application interacts in its environment; and 2) provides a ‘policy’ in system format that could be imported into a host-IPS solution (or whatever) and enforced immediately. Every developer should be able to define how his/her system interacts with its environment (shouldn’t they?). Certainly, there are third party tools available to tell you most of this stuff…

One theory of why life forms evolved sexual reproduction was to increase disease resistance, to keep the genes mixed up, so all members of a species would not be killed by the same disease or parasite at the same time.

The monoculture problem is not entirely separable from the unregulated monopoly that produces it, but owing to blanket warranty disclaimers, MS has little or no motivation to actually serve its customers, since they conquered you by force and own you lock stock & barrel. Oh, you’re dying of diseases? Pity.

No way is DDOS equivalent to having my hard drive wiped! All risks and costs must be broken out. Disinfecting machines, user down time, restoring from stale backups, patching, firewalls, subscriptions to anti-virus programs (that don’t find trojans, spyware, or ADS malware). Where’s the risk analysis? Without a taxonomy of all risks and costs, and how monoculture and its remedies impact them, the ‘debate’ will remain vapid.

I would not be surprised to wake up and read that 60% of all PCs had their HD’s overwritten, causing say $500+ billion in damage. We corporate captives, held in chains by MS, who are at risk of being wiped out by these many plagues and diseases, must foreswear allegiance to false gods, and put faith in whatever model will produce the most security evolution and diversity the fastest.

Right now we’re a bunch of sitting ducks, like Dodo Birds, who will become extinct as soon as some hacker takes off the gloves and unleashes a true doomsday worm (or a family of them). Don’t you find it amazing that that hasn’t already happened?