Lispian Random meanderings on whatever catches my fancy

Monoculture crosses my desk

It’s been a while since I read Dan et al.’s original paper CyberInSecurity: The Cost of Monopoly. For whatever reason it’s crossed my desk again, but mostly because of Dan’s follow-up Monoculture on the Back of the Envelope.

To me the original paper was crucial for people to comprehend the issues that arise when a single system becomes so prevalent.

However, I think the issue is deeper than what’s presented in the papers. To me there’s a deeper issue in that IT and computers are beyond the ken of most people. This ends up creating massive security problems in that most people are simply unaware that their computers are vulnerable, nor are they aware that they’ve been compromised. Unlike most of the technology we use, computers are networked together into a larger whole, and therein lies the larger issue. In isolation a monoculture is immaterial, but in a fully networked environment, with owners of the various components unaware or unable to be aware, we have a major issue. And this has been discussed, repeatedly, by various security experts.

But what must be noted is that even if shops today went to a split of 1/3 Windows, 1/3 OS X, and 1/3 Linux, the same issue the authors express would still exist, simply due to dynamics and scale. If you go from 1B Windows machines to 300M, it’s still a massive problem. 1% of a large number is enough to cause serious grief. Plus, if you look at the botnets, they’re only a fraction of a percent of the world’s computers, and look at the mess they cause.

Ultimately this seems to be boiling down to a problem wherein we have a very useful medium — the Internet — that allows us to do things we could only dream of 20 years ago. This self-same medium allows people to communicate, but it also allows malware to easily communicate and replicate. The infection rate has climbed quickly as the interconnectivity has become more pronounced. And users, who are used to “normal” technology — televisions, phones, etc. — do not comprehend that what they have on their desk is not a restricted device but a general-purpose computational device. That means someone with the skills can make that piece of equipment do surreptitious things. However, the user, who only wants to surf the web, IM, do some Facebook, etc. — all for free, mind you — is unable or unwilling to comprehend the jeopardy said device poses to other users on the internet. And since so much is free in the computer world, few are willing to purchase and maintain anti-malware software and hardware. Those who are willing to spend the money are often incapable of correctly installing the software or hardware, or do not maintain it long term.

Ultimately the problem is deeper and more insidious. Moving from a monoculture to a more heterogeneous network structure is immaterial due to the scale of the internet. Instead, we must find transparent ways of securing the computers on the internet or, at the very least, allowing for quick and efficient isolation of malware-infected computers.

Unfortunately, the latter quickly devolves into a rights issue with ISPs unwilling — and perhaps legally unable — to disconnect infected computers.

But it was interesting revisiting the monoculture debate. I just don’t think there’s an easy solution to it other than totally disconnecting, which to most is not a solution at all.


January 2009