Is the fear of the monoculture genuine?

Is the fear of the monoculture genuine?

Summary: I have a very simple question forthose who either propagate or agree with the concept that monoculture is dangerous. If an organization was running all Linux on their desktops and servers, would you tell them that they have a big monoculture problem and they should immediately convert half of their desktops and servers to Windows XP and Windows 2003 in the name of cyber diversity?

SHARE:
TOPICS: Security
49

I have a very simple question forthose who either propagate or agree with the concept that monoculture is dangerous. If an organization was running all Linux on their desktops and servers, would you tell them that they have a big monoculture problem and they should immediately convert half of their desktops and servers to Windows XP and Windows 2003 in the name of cyber diversity? I would put money on the table that 9 out of 10 monoculture opponents would not.It's no secret that the Washington-based anti-Microsoft lobby group CCIA is really more concerned about a Microsoft culture than a monoculture. The fact that this is so transparent leaves me wondering why we are stillusing the word "monoculture" when we all know that "monoculture" is simply code language for "MS-Culture." Why not call it what it is and say "we're concerned about the MS-Culture" instead of "we're concerned about Monoculture?"

Monoculture is being singled out because it is seen as one of the key advantages of the incumbent -- which in this case is Microsoft. The efficiencies of monoculture are so obvious that few organizations actually try to deviate from it. You would behard-pressed to find a single CIO or IT Director whowould go against the grain and choose to double their desktop complexity and associated support costs.

Rob Enderledid a superb column defending monoculture in general (never mind the title "In defense of the Microsoft Monoculture") because either a pure Linux monoculture or a pure Microsoft monoculture would be preferable to a multi-OS environment. Our own John Carroll did an even more in-depth look at the issues back when the whole debate began.Even ignoring the efficiency gains of a monoculture, it could reasonably be argued that a monoculture is more secure than a mixed environment if you define "secure" as the fight against penetration rather than a system's survivability. Real cybercriminals are not interested in bringing your system down in order to get their name on some script kiddy scoreboard website; they want to penetrate your system so they can steal information. For example, if you ran an e-Commerce portal on both Microsoft IIS and Apache, you would be vulnerable to both IIS and Apache vulnerabilities rather than vulnerabilities from a single platform. You would increase the chance that someone could hack in and steal credit card numbers.

The biggest problem with security is not the next great unknown threat that might bring down a monoculture. The real danger is that organizations simply don't spend the time to patch the known vulnerabilities let alone implement best practices for security. It's silly that we still even entertain the idea that monoculture is dangerous when we know that the CCIA probably doesn't even mean it to begin with.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

49 comments
Log in or register to join the discussion
  • Wrong monoculture

    A local monoculture has advantages. For instance, it lets me water the whole garden uniformly rather than worry about some of the plants being underwatered at the same time others are overwatered (likewise pH and nutrients.)

    On the other hand, it's a bad idea to reduce net diversity to the point that an entire nation (think Ireland) is vulnerable to a single pathogen. This is especially true when the lack of diversity raises the overall risk of a dangerous pathogen reaching critical epidemiological propogation.

    So, somewhere between my 8-computer home network and India you get to the point of diminishing returns for uniformity. Most of the papers that I've seen attacking monoculture are directed at larger organizations than the usual handful-of-admins shop.

    Would I replace some large percentage of Unix machines with something else? Sure, in a large enough organization. Whether that "something else" would be Microsoft systems is another question; part of being a large shop is having a diversity of needs such that the benefits of diversity increase as the costs decrease.

    VMS, for instance. Now [b]there's[/b] a secure operating system.
    Yagotta B. Kidding
    • That's all I'm saying

      Not only are localized monocultures good because of the efficiencies gained. I would argue that it is more secure for an organization to standardize on a single platform (regardless of vendor) rather than multiple platforms. On the other hand, that doesn't preclude other companies or organizations from choosing alternate platforms. For example, Microsoft doesn't dominate the data center. However, because localized Monocultures (as far as the desktop is concerned) do have a tendency to spread to a global level, the CCIA is strategic in their offensive against the Monoculture as a whole as a way to eat away at Microsoft.
      george_ou
      • Organization?

        [i]I would argue that it is more secure for an organization to standardize on a single platform (regardless of vendor) rather than multiple platforms.[/i]

        Even from a narrow security point of view, at some point the liabilities of a weak platform (which increase with scale) outweigh the advantages of uniform administration (which decrease with scale.)

        Add the other benefits of using the right tool for the job, and it becomes very difficult to justify imposing lockstep uniformity the entire organization regardless of size. The "United States Government" is an organization, but it's hard to justify the assertion that the NSA is better off being required to use the same software as the rangers of the Forest Service.
        Yagotta B. Kidding
        • Just answer this then

          If the Government chose to standardize on all Linux instead of running on a Linux and Windows platform, which would be more secure? I doubt that you would suggest the second option and therefore I doubt your sincerity in the concept of Monoculture.
          george_ou
          • OK

            [i]If the Government chose to standardize on all Linux instead of running on a Linux and Windows platform, which would be more secure?[/i]

            If I parse that correctly, I'd say that an across-the-board Linux adoption by the USG would be a Bad Idea. From a security standpoint it would be marginally more secure than a mixed system, since diversity would be offset by lousy Microsoft security. However, on a utility level it would be a lower value proposition.

            The administrative costs of diversity would be minor at that scale, and the benefits of "the right tool for the job" would outweigh them.
            Yagotta B. Kidding
          • Linux is an OS bonehead!

            Who makes IIS? Who makes SQL Server? Who makes IE? And what platforms do they run on?
            That is a mono culture.

            Who makes Apache? Who makes MySQL? Who makes PostgreSQL? Who makes Opera? Who makes Firefox? Who makes KDE? The list goes on and on.

            Linux is one part of the puzzle in which anything else can be added on top of.

            Not even close to a monoculture. Get this through your skull.
            poocow666
          • IIS and MSSQL don't dominate

            It's funny you mentioned IIS and MSSQL since they?re not market share leaders. Like I said before, MS doesn't dominate the data center so it's strange that you keep using the word Monoculture to describe IIS and MSSQL.
            george_ou
          • FUD Monger

            I describe the entirety of their tools as a monoculture not just one. That's what a monoculture is.

            - You use a desktop made by microsoft to..
            - connect to a server made by Microsoft running...
            - a web server made by Microsoft using...
            - a database made by Microsoft to deliver a webpage to ...
            - a browser made by Microsoft running on...
            - the desktop made by Microsoft

            That is a monoculture. Mono=one.

            In comparison...

            - A linux desktop can use a Mozilla browser, to connect to a Linux server running Apache, MySQL and PHP with Sendmail, etc etc.

            Now if you still retain the brainpower to count, please feel free to tell me how many vendors are involved in this scenario? Is it more than one?

            Hence not a monoculture. Now if Linux made all those apps, then you would have a point. But as it is, you are just spreading FUD.
            poocow666
  • Your focus is poorly aimed and too narrow...

    Yes, a monoculture is bad, I don't care what kind of spin you try to put on it to the contrary.

    The "efficiencies" you speak of aren't real if you compare them to a true multi-culture of computing. In that environment, we could all exchange data freely, and be able to change our OS without buying all new software. Just like I can buy a new TV or VCR without changing my cable provider. It just works.

    Software companies would then have to actually compete on features and price rather than simply tell customer what they were going to do, how they were going to do it, and how much crap they were going to have to put up with if they want to use their computers.

    Wanna take a guess at what would happen to prices, security and support levels for software? You can bet your Microsoft-loving arse that nobody would be paying hundreds of dollars to have a word processor and a spreadsheet on their desktop. Nor would they have to prove over and over that they bought it.

    THAT would by far overshadow any petty "efficiency" brought on by a monoculture, which by the way is just another word for monopoly.

    Your focus is on one company. You offer up an example of one company using multiple OS's, etc. This might indeed be idiotic. After all, you would likely need to hire extra staff to deal with the various configs.

    However, if one takes a moment to look at the broader picture rather than the needs and greeds of Microsoft, it is easy to see how multiple OS's and multiple brands of desktop software dotted throughout the business world would create competition, innovation and lower prices. Exactly what Microsoft and their shills fear most.
    shawkins
  • It's the choice, stupid!

    How many flavors of Linux are there? Now how many flavors of Windows are there? God, I swear George. You get more stupid by the day.

    Monoculture applies to one companies products that only work with their products. Linux works with lots of different products; Apache works on alot of different platforms; mysql runs on various platforms; etc etc. They aren't even close to a monoculture and your attempt to apply it to them means you haven't a clue what mono-culture even means.

    Seriously George, quit the day job and go back to McDonalds. I can hear your night shift burger flipping job calling. And yes... I do want fries with that.
    poocow666
  • Interesting points

    I never thought about the "app/platform diversity leaves you open to holes in more than one app/platform" angle. Cost is another thing that gets ignored by the anti-monoculture crowd, something I discussed in a series on the CCIA report (upon which Bruce Schneier had included his name, don't know how much of a part he had in authoring it, though). Others (Tim Mullen, I think) have mentioned the complexity problems in multi-app/platform environments. It's a lot harder to maintain that network, which could lead to MORE security issues, not less.

    Anyway, great blog post (though be prepared for the pitchfork mob wearing penguin suits).
    John Carroll
    • Yeah, I do recall you writing about it

      Ah, sorry I forgot that you did a great series on Monoculture a while back. I now remember reading it back then. I should put a link to that in the original blog.

      http://comment.zdnet.co.uk/other/0,39020682,39116965,00.htm

      I'm glad I'm able to add something to the discussion. The point being that security should be looked at from a penetration perspective rather than a survivability perspective. The whole survivability issue is a non-issue as far as the monoculture argument goes because if you look at it from an Internet infrastructure perspective (DNS, SMTP, routing), Microsoft does not dominate. Sure it would be great if half of the root DNS servers of the world would not run on BIND, but it makes absolutely zero sense to support two desktop images.

      Thanks John.
      george_ou
      • Tragedy of the Commons

        [i]The whole survivability issue is a non-issue as far as the monoculture argument goes[/i]

        Your argument is from efficiency in a single-organization perspective, which is specifically only valid if the organization is too small to affect the proliferation of pathogens. Get out to the Internet-as-a-whole point and diversity (or its lack) [b]does[/b] directly affect the proliferation of pathogens, and the Schnier (et al) arguments kick in again.

        Interestingly enough, at the lowest levels in an organization diversity also becomes a benefit. When one of the perennial malware outbreaks comes along with its associated patchfests, all of the Microsoft machines in the building go down for a while. It's a [u]good[/u] thing then to have your four-day-runtime job on a Unix box that won't have to restart, because that tape-out window won't move.

        Don't badmouth survivability. My department alone has saved several millions by "surviving" malware outbreaks, far more than any incremental administrative costs (which are far from certain anyway.)
        Yagotta B. Kidding
        • What makes you think you're the only one to survive?

          In the organizations that I have been involved with who have standardized on Windows, they have not had any significant down time due to worms other than one or two systems here and there. Those organizations spent their money on other more effective security measures such as Network IDS, implementing personal firewalls, gateway level anti-virus for SMTP/HTTP/FTP. Don't assume cyber diversity is the only way to "survive".
          george_ou
          • Not the only way

            [i]Don't assume cyber diversity is the only way to "survive".[/i]

            Nope -- but it works.

            Again, don't diss survivability. It might be better to avoid the attack altogether, but sometimes that's not an option.
            Yagotta B. Kidding
          • You avoid it all together with personal firewalls

            If you harden your overall infrastructure, you're far more ahead of the game than relying on the obscurity of diverse code. Not to mention it's cheaper to support a single standardized platform.
            george_ou
  • Linux isn't a monoculuture

    What you don't understand is that under, for example, Mandrake 10, on a fresh install, I have 7 kernels to choose from on bootup.

    Plus I can recompile my kernel in a variety of different ways.

    Viruses often depend on the system stack being configured in a VERY SPECIFIC way to exploit a bug in the stack. Just a slight change can make it impossible for a particular virus to run on that machine.

    If Windows gave you the ability to boot into multiple kernels and to recompile the kernels, you could do that with Windows as well.

    With Linux, it's pretty easy to customize your kernel, and it's getting so easy to do, it will soon be very easy for your mom to make her own customized kernel without even realizing she's doing it. This is because the source is available and can be recompiled.

    You may scoff at this and say it's impossible, but it isn't. Microsoft .NET byte code may make it possible for Windows to do something similar, we'll see when we get Longhorn out.
    garbage
    • How many people know how to compile kernels?

      There seems to be a disconnect here. What makes you think that a typical desktop support team is ready to support and recompile seven different kernels? What makes you think a normal user knows how to recompile a kernel or care to learn?
      george_ou
      • The kernel is only a piece of the puzzle

        Windows has everything tied in and all it's pieces work only with their operating system. It does not GIVE you a choice!

        Linux is all about choice. The open source movement is all about choice. I can grab easily 10 different current versions of Linux that do things differently. Can I grab 10 different current versions of Windows? No. Can I remove the browser from Windows? No.

        Without even recompiling, I can do ALL these things. I can make choices. And the security is based upon the choices I make not default choices made by the manufacturer which I cannot control at all.

        Go back to Microsoft you shill.
        poocow666
        • On avereage it takes about ten posts to get stupid

          I occasionally read these forums to view current thinking. I'm always amazed at the religious fervor and mindless namecalling. Probably part anonimity--otherwise nice people feel free to be nasty. Probably part intolerance due to insecurity about your own beliefs. But from the outside of the debate it simply looks shameful--and consistently stupid by the tenth post.
          billbab