September 26th, 2003, 04:19 PM
CyberInsecurity: The Cost of Monopoly
Rather than integrate this with the existing discussion on @Stake's decision (http://www.antionline.com/showthread...hreadid=248965) I thought it might be worthwhile to discuss some of the points brought up by the PDF paper CyberInSecurity.
The points that are brought up as the problem are:
- Our society's infrastructure can no longer function without computers and networks.
- The sum of the world's networked computers is a rapidly increasing force multiplier.
- A monoculture of networked computers is a convenient and susceptible reservoir of platforms from which to launch attacks; these attacks can and do cascade.
- This susceptibility cannot be mitigated without addressing the issue of that monoculture.
- Risk diversification is a primary defense against aggregated risk when that risk cannot otherwise be addressed; monocultures create aggregated risk like nothing else.
- The growth in risk is chiefly amongst unsophisticated users and is accelerating.
- Uncorrected market failures can create and perpetuate societal threat; the existence of societal threat may indicate the need for corrective intervention.
I have to admit to agreeing to a lot of this (as I use it as part of my arguments about why MS still has flaws -- mainly the furtherance of "ignorant" users). But MS isn't the only bad guy on that front. Recently Linux distributors, namely RH and SUSE, have also been perpetuating this with their "more friendly" versions.
On the other side of this is the ultimate ROI, aka costs. It certainly costs more to diversify in that you'll need more specialized admins for specific products and it tends to cost more than if it's integrated with existing products.
I'm curious as to what others think. (try not to make this into a Linux/Unix vs MS debate -- that's just old).
September 26th, 2003, 04:45 PM
Examining this with a biological analogy:
Taking the scenario of a business that operates good software control and policies, they keep their monoculture systems 'fully patched & up to date with AV'.
This business is mitigating its risk of cascade failures by ensuring that each node in the monoculture is exposing zero or very few known vulnerabilities.
This strategy will keep them safe unless they are the first people to have an exploit against an unknown vulnerability.
Using a 'herd mentality' to mitigate this risk by ensuring your monoculture is the most popular worldwide monoculture is an acceptable strategy - Hopefully if there are lots of people using the same thing someone else will get clobbered first and based on their experiences everyone else will be okay.
This strategy does not scale up - why?
Non-expert users who do not keep up to date expose vulnerabilities. If there are enough of them then any problem is more likely to spread based on its virulence - herd immunity is low since not enough of the herd are immune to the problem.
So why doesn't the provider of the monoculture simply do the job of keeping up to date for all the users?
There would be an outcry for one about loss of control or tales of patches breaking more than they fix.
Is the real reason that this doesn't/wouldn't work because there is too high a percentage of the monoculture not bought & paid for? As such the automated service of being kept up to date would reveal to the providers of the monoculture who is using the software without a license, and is this the real reason behind the outcry?
There are other strategies out there to mitigate your risk that are viable and free; open source monoculture works very well.
In theory, because the software is open, both the attackers and the defenders can see for themselves any vulnerabilities and are on a level playing field on exploit vs patch.
Since (by & large) there is no provider of this monoculture, there are many more people evolving the monoculture and so evolution to overcome the threat is quicker (survival of the fittest works well as an analogy here too - the best/most secure distros will prevail).
The monoculture is free, and there is little reluctance to patch for financial reasons.
Since the monoculture is also open source, reluctance to patch because it may break things is reduced.
Could this be why open source is slowly winning the race for survival?
- Not a single mention about the 'old' debate.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
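As an added illustration of the herd-immunity and diversification argument in the two posts above (this is not code from either poster), here is a toy contagion model. It assumes that an infected host makes R0 contacts drawn uniformly from the whole fleet, that a worm can only exploit unpatched hosts on its own platform, and the fleet sizes are constructed for the example.

```python
"""Toy contagion model: monoculture vs. diversified fleet.

Every infected host makes R0 contacts chosen uniformly at random from the
whole fleet.  A contact is infected only if the target runs the worm's own
platform, is unpatched, and has not already been infected.  Fleet sizes and
platform counts below are constructed for illustration (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fleet:
    hosts: int          # total hosts on the network
    platforms: int      # distinct platforms; a worm for one cannot exploit another
    unpatched: float    # fraction of hosts still exposing the vulnerability


def effective_r0(r0: float, fleet: Fleet) -> float:
    """Reproduction number once contacts that cannot be infected are discounted."""
    return r0 * fleet.unpatched / fleet.platforms


def max_unpatched_for_herd_immunity(r0: float, platforms: int) -> float:
    """Largest unpatched fraction at which a single worm still cannot sustain itself."""
    return min(1.0, platforms / r0)


def simulate_outbreak(r0: float, fleet: Fleet, seeds: int = 1,
                      max_generations: int = 100) -> dict:
    """Discrete-generation spread of one worm; returns compromised host count."""
    # Only unpatched hosts on the worm's platform can ever be victims.
    susceptible = fleet.hosts * fleet.unpatched / fleet.platforms - seeds
    infected = float(seeds)
    compromised = float(seeds)
    generations = 0
    while generations < max_generations:
        # Each infected host's R0 contacts land on a susceptible host with
        # probability susceptible/hosts; never infect more than remain.
        new = min(infected * r0 * susceptible / fleet.hosts, susceptible)
        if new < 1.0:        # fewer than one new victim: the outbreak fizzles
            break
        generations += 1
        susceptible -= new
        compromised += new
        infected = new
    return {"compromised": compromised,
            "fraction_of_fleet": compromised / fleet.hosts,
            "generations": generations}
```

With R0 = 4 and half the fleet unpatched, a single-platform fleet lets the worm run until most exposed hosts are gone, while splitting the same fleet over four platforms pushes the effective R0 below 1 and the same seed infection dies out immediately.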