Wednesday, May 24, 2006

Monocultures in IT and Higher Ed

Introduction: We use lots of words from biology to help us think about technology. We say "virus," for a fast-spreading, self-replicating bit of destructive code. Now, we are talking about the dangers of mono-cultures and the desirability of diversity. We are not talking about susceptibility to illness or the need for tolerance of other cultures. We are talking about forming too tempting a target for hackers, and being too vulnerable as an organization if struck. Higher education tends to want to limit ourselves to ONE type of every thing because it makes it so much easier to support. We might want to consider the desirability of enforcing monoculturalism in the IT realm....

Dan Geer, a security expert, began warning in 2004 that if everybody uses the same software, they will create a big, fat target for hacker attacks. First, he lost his job at Microsoft, who did not want to hear such analysis. Then, he got another job, and went on to write an article link in the online journal Perspectives about how Massachusetts' decision to use open source word processing would avoid the risks posed by Microsoft Word's monoculture. On May 19, Geer's predictions came true, and a virus emerged in Word documents, passed from computer to computer as documents are traded. See blog post below, or linked in title.

Continued here:
The Standardsblog, by technology attorneys Gesmer, Updegrove, LLP of Boston, on May 23, noted

Monocultures and Document formats: Dan's Bomb Goes Off

Tuesday, May 23 2006 @ 06:17 PM EDT

Dan Geer is an extremely well respected security expert. When he worries about something, people listen.

One of the things he has worried - and warned - about is the danger represented by IT "monocultures" - the situation that arises when everyone uses the same software, for example, and therefore everyone shares the same vulnerability to a computer virus or other security threat.

Just as the word "virus" has been borrowed from biology and provides an apt and vivid descriptor for its IT analogue, so also does the word monoculture function: think of the consequences of Irish potato blight, or of the wiping out of the American Chestnut tree, which once numbered in the billions in the forests of the American East and is almost extinct as a mature species.

Well, last November, Dan wrote a perspective piece for, called Massachusetts Assaults Monoculture. In that article, he wrote:

As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.

As it happens, Dan's bomb went off a few days ago, with the breakout of the "Backdoor.Ginwui" virus, a malicious bit of code that Symantec introduced in an alert as follows:

It has been reported that Backdoor.Ginwui may be dropped by a malicious Word document exploiting an undocumented vulnerability in Microsoft Word. This malicious Word document is currently detected as Trojan.Mdropper.H.

The fact that Dan's expectation came true can hardly be a source of surprise. Indeed, the only curious aspect of the fulfilment of his prediction is that it took as long as it did to occur.

The reason, of course, is that hackers like targets that offer the most visible and dramatic results - and the bigger the better. If that target is unpopular (such as Microsoft), then again, so much the better. Thus it is that the more successful the software product, the more attractive it becomes. That's no criticism of Microsoft, or of any other vendor, but one of the regrettable costs of success.

Still, from the end-user point of view, it is an added burden on the value of the product in question. After all, it's one thing to have a target painted on your back and reap huge profits as a cost of doing business, and quite another to pay a premium price for a dominant product, and share the same risk without offsetting compensation.

It's also not a surprise that something as prosaic as a Word document should become the innocent carrier of a bit of malicious code. After all, stringent security policies (such as those my firm employs) already block jpegs, zip files and other vehicles known for problem code. But no one's policies automatically block all Word and Excell files, since those are what - for now at least - most people create, send and read (they do, of course, scan them for known viruses). This therefore elevates such files not only to the level of ideal vectors, but grants them the status of attractive challenges as well, capable of showcasing the chops of whatever hacker can succeed in employing them to pull off a high-profile assault.

All of which, as regular readers of this blog might assume, leads me to a conclusion that has something to do with ODF - a standard that is already supported by four major products, two of the proprietary persuasion (Sun's StarOffice and IBM's Workplace Managed Client) and two of the open source (OpenOffice and K Office) variety.

The risk profile between a monoculture and a diverse IT culture such as this is mathematically clear. By definition, even if ODF compliant products as a group were someday to trade marketplace shares with Microsoft Office, no individual user of any ODF compliant product would share the same degree of risk that every Office user has today, by reason of the fact that she would inhabit an IT culture with a much richer genetic pool. And no virus is likely to operate at the level of standardization at which these disparate products exist. As a result, just as a species with a diverse gene pool is likely to be able to withstand the assault of a new disease in far better form than a species of clones, so also would an IT environment based on multiple instantiations of ODF be more resilient than a monoculture of Office users, only more so.

Why more so? Because in nature, a virus isn't personal. No malign intelligence creates a natural virus to attack a specific target. But in the world of hackers, the opposite is the case.

The moral of the Dan's story, as well as the current reality of the Word Backdoor Ginwui virus is therefore clear: in IT diversity there is safety.

Another recent article I read spoke of the same monoculture problem as Apple computers begin to fall to virus attacks on their new Operating Systems which now are like those of DOS machines. They lost their diversity advantage that had always made them immune to such attacks, partly because they form a much smaller target. link here for a CNN version of a nice AP report. In brief, the report says

Among the other signs Macs are a growing target:

# The SANS Institute, a computer-security organization in Bethesda, Maryland, added Mac OS X to its 2005 list of the top-20 Internet vulnerabilities. It was the first time the Mac has been included since the experts started compiling the list in 2000.

# This week, SANS updated the list to warn against flaws in Safari, the Mac Web browser, which the group said criminals were able to attack before Apple could fix.

# The number of discovered Mac vulnerabilities has grown in recent years, with 81 found last year, up from 46 in 2004 and 27 in 2003, according to the Open Source Vulnerability Database, which is maintained by a nonprofit group that tracks security vulnerabilities on many different hardware and software platforms.

# Less than a week after Daines [Mac owner in the story] was attacked in mid-February, a 25-year-old computer security researcher released three benign Mac-based worms to prove a serious vulnerability in Mac OS X could be exploited. Apple asked the man, Kevin Finisterre, to hold off publishing the code until it could patch the flaw.

The Mac's vulnerability could also increase as Apple transitions to a product line that uses microprocessors made by Intel Corp., security experts said.

No comments: