With Microsoft controlling 95% of the computer operating system business, has it created a “monoculture” that is ripe for disaster? Surely this latest round of virus troubles emphasizes the vulnerability of the system:
- Dan Geer lost his job, but gained his audience. The very idea that got the computer security expert fired has sparked serious debate in information technology. The idea, borrowed from biology, is that Microsoft Corp. has nurtured a software “monoculture” that threatens global computer security.
Geer and others believe Microsoft’s software is so dangerously pervasive that a virus capable of exploiting even a single flaw in its operating systems could wreak havoc.
Just this past week, Microsoft warned customers about security problems that independent experts called among the most serious yet disclosed. Network administrators could only hope users would download the latest patch. [AP]
If you haven’t already, please do so – it only takes a minute.
- In biology, species with little genetic variation — or “monocultures” — are the most vulnerable to catastrophic epidemics. Species that share a single fatal flaw could be wiped out by a virus that can exploit that flaw. Genetic diversity increases the chances that at least some of the species will survive every attack.
“When in doubt, I think of, ‘how does nature work?’” said Geer, a talkative man with mutton chop sideburns and a doctorate in biostatistics from Harvard University. (The interest persists in his hobby of backyard beekeeping.)
“Which leads you, when you think about shared risk, to think about monoculture, which leads you to think about epidemic. Because the idea of an epidemic is not radically different from what we’re talking about with the Internet.”
….Charney says monoculture theory doesn’t suggest any reasonable solutions; more use of the Linux open-source operating system, a rival to Microsoft Windows, might create a “duoculture,” but that would hardly deter sophisticated hackers.
True diversity, Charney said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible. Without a Microsoft monoculture, he said, most of the recent progress in information technology could not have happened.
Another difference: computers can be unplugged from the network and rebooted; organisms cannot.
The theory also has skeptics outside of Microsoft.
….Mike Reiter of Carnegie-Mellon University and Stephanie Forrest, a University of New Mexico biologist who has been gleaning lessons for computer security from living organisms for years, recently received a $750,000 National Science Foundation grant to study methods to automatically diversify software code.
Daniel DuVarney and R. Sekar of the State University of New York-Stony Brook are exploring “benign mutations” that would diversify software, preserving the functional portions of code but shaking up the nonfunctional portions that are often targeted by viruses.
Geer – who continues to consult, lecture and work with a startup these days – believes monoculture theory points the way to possible solutions that are dramatic, and haven’t always been followed. They would require, for example, banning from the Internet computers whose software hasn’t been updated with the latest anti-virus patches.
And making sure every idiot with a computer and an Internet connection knows not to open email attachments from people they don’t know (or from people they do know, for that matter, since mass-mailing worms forge the sender address), and not to open any attachments at all during a virus siege like the one of the last couple of weeks.
Beyond that, if they can make email compatible, why can’t they make operating systems compatible? Or is it that they (Microsoft, Apple) don’t want to? I don’t know enough about the technical side of this to offer any intelligent input. Why can we have any number of railroad companies running on the same tracks and not any number of operating systems that can do likewise? What do our coder friends think?
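One way a coder might answer the epidemic question raised above (diversity limits how much of a population a single flaw can take, while Charney's point is that a “duoculture” barely helps) is to put numbers on it. The model below is an added illustration written for this page; it is not code from the AP story, from Geer's paper, or from any of the researchers named. It treats every host as reachable over one shared network (the “same tracks”) and lets a worm that exploits exactly one software variant probe random addresses. The host count, the one/two/ten-variant splits, the scan rate and the 16-bit address space are constructed assumptions chosen only to make the behaviour visible.

```python
"""
Added illustration: a deterministic mean-field model of a random-scanning worm
run against populations with different numbers of software variants.
All parameters below are constructed assumptions, not measurements.
"""


def worm_epidemic(n_hosts, n_variants, scans_per_step=10, address_space=2 ** 16,
                  initial_infected=1, max_steps=10_000):
    """Return (infected_hosts, steps_to_99pct_of_vulnerable).

    Susceptible-Infected (SI) model: every infected host fires `scans_per_step`
    probes per step at uniformly random addresses in `address_space`. A probe
    compromises its target only if the target is a live host running the one
    vulnerable variant; hosts are split evenly across `n_variants` variants.
    """
    vulnerable = n_hosts / n_variants          # hosts the exploit works against
    infected = float(initial_infected)
    steps_to_99 = None
    for step in range(1, max_steps + 1):
        susceptible = vulnerable - infected
        # expected number of probes this step that land on a still-susceptible
        # vulnerable host; capped so we never "infect" more hosts than exist
        new_infections = infected * scans_per_step * susceptible / address_space
        infected += min(new_infections, susceptible)
        if infected >= 0.99 * vulnerable:
            steps_to_99 = step
            break
    return infected, steps_to_99


def compare(n_hosts=10_000, variants=(1, 2, 10)):
    """Map number of variants -> (hosts compromised, steps until 99% of the
    vulnerable population is compromised) for the same total population."""
    return {k: worm_epidemic(n_hosts, k) for k in variants}


if __name__ == "__main__":
    for k, (hit, steps) in compare().items():
        print(f"{k:2d} variant(s): {hit:8.0f} hosts compromised "
              f"after {steps} steps")
```

With these parameters the single-variant population is entirely compromised in 11 steps. Splitting the population across two variants still loses half the hosts, which is Charney's objection; the spread is merely slower because each random probe is less likely to land on a vulnerable machine. With ten variants the worm still reaches every host it can exploit, only later. On a shared network, diversity bounds the damage and buys time for patching, but it does not by itself stop the epidemic.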