Posted on 02/15/2004 9:59:24 AM PST by Willie Green
For education and discussion only. Not for commercial use.
CAMBRIDGE, Mass. (AP) -- Dan Geer lost his job, but gained his audience. The very idea that got the computer security expert fired has sparked serious debate in information technology. The idea, borrowed from biology, is that Microsoft Corp. has nurtured a software "monoculture" that threatens global computer security.
Geer and others believe Microsoft's software is so dangerously pervasive that a virus capable of exploiting even a single flaw in its operating systems could wreak havoc.
Just this past week, Microsoft warned customers about security problems that independent experts called among the most serious yet disclosed. Network administrators could only hope users would download the latest patch.
After he argued in a paper published last fall that the monoculture amplifies online threats, Geer was fired by security firm @stake Inc., which has had Microsoft as a major client.
Geer insists there's been a silver lining to his dismissal. Once it got discussed on Slashdot.org and other online forums, the debate about Microsoft's ubiquity gained in prominence.
"No matter where I look I seem to be stumbling over the phrase 'monoculture' or some analog of it," Geer, 53, said in a recent interview in his Cambridge home.
In biology, species with little genetic variation - or "monocultures" - are the most vulnerable to catastrophic epidemics. Species that share a single fatal flaw could be wiped out by a virus that can exploit that flaw. Genetic diversity increases the chances that at least some of the species will survive every attack.
"When in doubt, I think of, 'how does nature work?'" said Geer, a talkative man with mutton chop sideburns and a doctorate in biostatistics from Harvard University. (The interest persists in his hobby of backyard beekeeping.)
"Which leads you, when you think about shared risk, to think about monoculture, which leads you to think about epidemic. Because the idea of an epidemic is not radically different from what we're talking about with the Internet."
Geer isn't the first to argue that the logic of living viruses also applies to the computer variety, and that the dominance and tight integration of Microsoft operating systems and software makes the global computing ecosystem vulnerable to a cascading failure.
Geer's paper did little more than make the point with particular fervor - which only intensified when Geer was fired.
"The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author of Geer's. "He got fired because @stake wanted to be nice to their masters. But it's like the Christian Church boycotting a movie - everybody wants to see it now."
Microsoft, which denies pressuring @stake to fire Geer, says the comparison between computers and living organisms works only so well.
"Once you start down the road with that analogy, you get stuck in it," said Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft.
Charney says monoculture theory doesn't suggest any reasonable solutions; more use of the Linux open-source operating system, a rival to Microsoft Windows, might create a "duoculture," but that would hardly deter sophisticated hackers.
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Another difference: computers can be unplugged from the network and rebooted; organisms cannot.
The theory also has skeptics outside of Microsoft.
Security consultant Marcus Ranum has emphasized that many network threats have little to do with the vulnerabilities of monoculture. Planting three strains of corn offers insurance against some diseases, he notes, but without a fence, deer will eat all three.
But Ranum also says the monoculture story "would barely be news" if @stake "hadn't done a brilliant surgical marketing strike on its left foot by firing Dan."
At an October hearing of the House Government Reform Committee's technology subcommittee, Steven Cooper - the Homeland Security Department's chief information officer - was questioned about the federal government's vulnerability to monoculture.
Cooper acknowledged it was a concern and said the department would likely expand its use of Linux and Unix as a precaution.
The monoculture idea is also influencing how experts look for solutions to security problems.
Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring "benign mutations" that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses.
Geer - who continues to consult, lecture and work with a startup these days - believes monoculture theory points the way to possible solutions that are dramatic, and haven't always been followed. They would require, for example, banning from the Internet computers whose software hasn't been updated with the latest anti-virus patches.
Geer doesn't believe breaking up Microsoft is the answer, even though his paper was published by the Computer and Communications Industry Association, which aggressively backed the antitrust case that tried to split up the company.
But Geer says the company should disentangle its tightly integrated products, such as Microsoft Word and Outlook.
Microsoft contends, as it did during its antitrust trial, that the integration of those products is the heart of what it offers consumers.
Still, Microsoft's Charney doesn't entirely dismiss the idea of examining computer security through a biological lens. "Although biodiversity-monoculture issues may be more complex than people have been thinking about them, it does not mean you can't learn from it and draw some parallels," he said.
Geer calls such comments proof the idea is resonating.
"You see Microsoft talking about it," he said, "when before, they didn't."
Considerably less, I assure you (as an IT professional), than the time invested in making applications compatible with multiple platforms. Even many basic web pages had to have extra code written in them to handle browser compatibility.
If you've dealt with compatibility issues you know what I mean.
Diamond prices are supposed to be coming down soon...
Do you recommend everyone get a Mac? Because if they do, hackers will focus their attacks on THAT OS. Plain and simple.
Attacks will be focused on the most popular software packages because that's where they have the ability to do the most damage. If power=popularity=quality (etc), then whatever cream that rises to the top will suffer spoilage thanks to hacker efforts.
Soooo... saying Macs are great security-wise is like comparing WTC to your local Wal*Mart. One is simply a more appealing target.
meatloaf,
Thank you for that reply!!!
The Blue Screen of Death...initially, we were lulled into a false sense of security because our first Windows 95 machine was an Acer Aspire P I 166MHz, purchased by our daughter.
As fortune would have it, Acer had built their own Graphics User Interface called the Acer Computer Explorer for Win 3.1, and perhaps DOS prior to that.
We couldn't stand that GUI, so we always had the Acer start in Win 95 mode, with the Cloudy sky, etc.
But, here is the important part...apparently, Acer built into their ACE software a Wizard, or a Daemon type program that handled the Interrupt generated by a General Protection Fault, and especially the Blue Screen of Death!!
A message would appear, informing of the problem, and an Amber colored Arrow would slowly move across the taskbar from Right to Left, approaching the Start Button but bouncing off of it three or four times!!! The whole thing lasted no more than 20 seconds.
But, and here is the neat part, the system DID NOT FREEZE, and you didn't have to touch the Start Button...just do the EXACT same thing that caused the Blue Screen of Death and Voila!, no BSD, just continue processing!!!
In other words, Acer implemented an Operating System Supervisory Program that repaired Windows on THE FLY!!!
During that time, I acquired a Compaq Presario 4850 which had a Motherboard that was design defective, and the Blue Screens drove me nuts!!!
Well, the upshot of it all is that Acer dropped out of the desktop market in 1999.
My daughter acquired an iMac in 2000 in college and is happy with it!! The old Acer is still around, but with hard drive bearings on their last legs.
We would love to repair it, BUT having NEVER had to rebuild the System, we are missing Win 95 and the Code we would have to insert when starting Win 95 for the first time.
Why other Computer Manufacturers [or even Microsoft] never implemented that Repair on the Fly Supervisory program is beyond me.
Within two months I will have a 17" Flying Saucer type iMac!!
UH HUH!!!!!
Right. Things were going so well at Apple that Jobs brought in Sculley to fix what didn't need fixing.
Sculley was brought in because Apple was losing market share big time.
Jobs got in trouble because he spent all the time doing the failed LISA and then was way late bringing out the MAC.
By that time it was way too late. Most of the Apple II people had dumped their Apple II machines and gone to Microsoft.
It was 5 long disastrous years after the IBM PC came out before JOBS had anything close to being as good as the PC. When after 5 long years Jobs leap frogged the PC it was way too late in the game. Gates owned the world, and there was no way to win it back.
It was the time wasted on the disastrous LISA and then the long long time to do the MAC that had the whole world tied to the PC before the MAC even came out. The MAC was great but there was no way to amortize a MAC over a PC. Anyone with any business sense should have been able to see that. Jobs is just a poor business man compared to Gates.
From 1981 until 1986 Jobs sat with one thumb up his a$$ and the other one in his mouth. The only thing he ever did was change hands.
The Mac OS X was the result of a failure to do an original operating system. OS X is just one more variant of UNIX based on the old Berkeley code. It is not as good as LINUX. And when it was finally released it was just one more UNIX that was nothing special.
The Mac has a tiny share of the market. Mac people are like Libertarians trying to tell the world they are politically important. The MAC and its UNIX clone is yesterday.
Gates is paying many fortunes, He has the best there is... Men like Anders Hejlsberg are doing Longhorn. They are coding it with an object oriented paradigm that leaves the procedural UNIX in the dust. There is no way for Apple and its depleted inferior brain trust to be in the game tomorrow.
Apple started to lose the game in 1981 when they took years to equal the IBM PC.... It has been all down hill in sales since then.
The Big difference between Gates and Jobs is both make decisions that are wrong. As soon as it can be seen to be wrong Gates changes paths. Jobs sticks with wrong decisions. JOBS has way too much ego to win. Jobs is a perfect example of the way companies go from 85 to 3 percent of the market.
Well said!
Chad Fairbanks
Longhorn SDK Team
Hate Capitalism much?
All you anti-MS people have such interesting views. Between the wishing Osama would bomb Microsoft, to this concept you're spouting here, I have to say that Anti-Microsoft people are, without a doubt, some of the most hate-filled individuals I've ever seen...
Got virus? I don't. Come to think about it, I don't contribute to McAfee or Symantec either. I'll take the side road with little or no traffic thank you very much. The scenery is much better.
Interestingly, I've used DOS/Windows for over a decade, and have never, not once, been victimized by a Virus, Trojan, or worm. Ever. And I use no AV software.