I recently came across, via a Slashdot post, an editorial by Jeff Duntemann that blames all our current security problems, specifically those in Microsoft products, on the monoculture surrounding them, claiming that if anything else became as widely used as a Microsoft product, it would suffer the same security flaws. On the surface this is a fairly sound argument, but when you take it apart piece by piece you can clearly see how faulty it is.
The first point the editorial raises is Internet Explorer and how its 90% hold on the browser market makes it easier for viruses to spread. That is true; no one can deny it. All software has flaws. Humans are not perfect, and therefore software is not perfect either. But as humans we have the ability to plan ahead: if it looks like it's going to rain, we bring an umbrella to work. So if there is a potential for something to go wrong because of a software bug, why not bring along an umbrella? And while we're on the rain and umbrella metaphor, let's look at what an umbrella does. Quite simply, an umbrella reduces the effect that rain has on something. The key word is reduces. The rain still falls, but the umbrella minimizes the risk of it doing any serious damage.
Tools and methods exist to reduce the damage done by flaws. Microsoft has started to tout how Windows usually gets fewer annual security alerts than Linux does, and with enough spin and a flashy marketing campaign that can easily deceive unknowing people about how secure their product is. The raw count hides the severity: most, if not all, of the security alerts for Windows are rated critical, while only a handful of critical alerts per year (if that) are found in Linux.
And, of course, the most common response to this is something along the lines of 'well, Linux would have just as many critical flaws found in it if it had a larger user base.' There is some truth to this; no doubt more would be found. But if we look at an area where a non-Microsoft product has the larger user base and check whether the same pattern appears as where Microsoft is the monoculture, that should tell you something. Apache, a FOSS (Free and Open Source Software) web server, is the most popular web server out there, and because of that it gets more security alerts than Microsoft's IIS. But, as stated above, they are mostly minor alerts, as opposed to the severe alerts that arise for IIS. And most of those Apache servers run on Linux, Unix or BSD, all of which are closely related. So why aren't there more critical problems in these systems?
Let's take a look at a bank vault. Almost everyone knows roughly how a vault works and could find a way to break into it. But as we all know from movies and books, simply breaking into the vault itself is not the hard part; it's getting around the other security measures, and getting out safely with the loot in hand, that's hard. Those other systems are the vault's umbrellas.
Another good example is the process the US Treasury goes through when making the printing plates for money. No one person knows how to draw the entire plate; it is broken up into parts, with each person knowing how to do only one segment.
Within a network, say your business network, the guy who orders office supplies doesn't need total access to the network. He will never need it in his current position, so why give it to him? Why should a website be able to use your web browser to modify your system? The obvious answer is that it shouldn't. And on Unix-based systems (Linux and BSD, to name the most common) it isn't allowed unless the user explicitly allows it. So why, then, is it allowed in Windows?
Why is this fundamental design flaw allowed to continue at the public's expense? This simple question is much larger and more serious than any blame the editorial lays on C/C++. Flaws are a certainty, but they are not uncontrollable.
For those of you who do not know the technique I was referring to above, it's commonly called 'sandboxing': confining a program to the minimum it needs, on the same principle of least privilege that makes it dangerous to ever run an application that connects to another computer from an account that has admin privileges.
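To make that concrete, here is an added example of what such an "umbrella" looks like in practice; it is not code from the original post. The script runs an untrusted job in a child process whose ability to write files, burn CPU and grab memory is cut off before the job's first line executes, and, if the parent happens to be root, it can hand the job an unprivileged identity. The job source, the temporary file it tries to drop, and the optional `run_as` (uid, gid) parameter are all assumptions of the example, and it assumes Linux/POSIX resource limits and CPython 3.8 or later.

```python
"""Least-privilege "umbrella" around an untrusted job.

Added example (not from the original post): the job runs in a child process
that is confined between fork() and exec(), before a single line of it
executes. Assumptions: Linux/POSIX resource limits and CPython 3.8 or later.
"""
import os
import resource
import subprocess
import sys
import tempfile


def _confine(run_as=None):
    """Build the hook that runs in the child just before exec()."""
    def hook():
        # No regular file may grow past 0 bytes: every write(2) that would
        # extend one fails with EFBIG, so the job cannot leave anything on disk.
        resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))
        # Bound CPU time so a runaway job cannot hold the host hostage.
        resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
        # Bound address space; some platforms refuse RLIMIT_AS, so treat a
        # refusal as "not enforceable here" rather than as a failure.
        try:
            resource.setrlimit(resource.RLIMIT_AS, (2 << 30, 2 << 30))
        except ValueError:
            pass
        # If the parent was started as root, the job still does not need
        # root: hand it the unprivileged (uid, gid) supplied by the caller
        # (assumption: the caller picks a real account such as 'nobody').
        if run_as is not None and os.geteuid() == 0:
            uid, gid = run_as
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
    return hook


def run_confined(code, run_as=None, timeout=10.0):
    """Run Python source `code` as an untrusted job; return the CompletedProcess."""
    return subprocess.run(
        [sys.executable, "-I", "-c", code],   # -I: ignore env vars and cwd
        capture_output=True,
        text=True,
        preexec_fn=_confine(run_as),
        timeout=timeout,
    )


def demo_write_blocked():
    """A job that tries to drop a file; returns (exit code, whether anything landed)."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "payload.txt")   # constructed target path
        job = f"with open({target!r}, 'w') as f:\n    f.write('owned')\n"
        result = run_confined(job)
        landed = os.path.exists(target) and os.path.getsize(target) > 0
        return result.returncode, landed


def demo_benign_ok():
    """A well-behaved job runs normally inside the same confinement."""
    result = run_confined("print(2 + 2)")
    return result.returncode, result.stdout.strip()


if __name__ == "__main__":
    print("hostile job:", demo_write_blocked())   # nonzero exit, nothing written
    print("benign job:", demo_benign_ok())        # (0, '4')
```

The point of `preexec_fn` is timing: the limits are applied by the child after it has been forked but before the untrusted code is mapped in, so there is no window in which the job runs unconfined. Resource limits are a thin umbrella compared with seccomp filters, namespaces or a full container, but they illustrate the rule the post is making: decide what the program needs before it starts, and give it nothing more.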
In short, you don't hand a kid a loaded gun and hope he doesn't shoot himself, so why does Microsoft do this with its software? That's the end of my rant. Most likely it doesn't fully address the editorial in question, but that doesn't matter much to me; what matters more is the claim that monoculture alone is responsible for the current security problems in the IT world.