Not Good vs. Evil, but Mono vs. Poly
I'm not one for Microsoft bashing. In fact, the current cover story in Linux Journal (the one that features my very face) is focused on the remarkable leadership of Kim Cameron and Microsoft in next-generation identity services.
But sooner or later conversation comes around to viruses and other ills that are visited almost exclusively on the operating systems that are run almost exclusively on corporate desktops. Namely, Microsoft's.
That's what Mike Warot worries about in Windows Apocalypse Now, which he worries may be too verbose.
I don't think he is. Not if what he worries about is a possible victory of evil over good. Evil being the bad guys who seem determined to destroy personal computing (or to make it annoying beyond human endurance), and good being the IT professionals who labor constantly to protect users and their employers from what the bad guys are doing.
Here's how Mike puts it:
There is a problem here, widely known as the day zero problem. For practical purposes, there are an essentially infinite number of vulnerabilities in the computer systems we use. A growing number of tools are available to automate the process of mining for a new flaw to exploit. Tools are usually included for creating a program to exploit the flaw. This new program is called an exploit.
To utilize an exploit, it is then necessary to find target systems which are vulnerable. This requires some form of scanning of the internet address space, and may also include sending emails, queries to DNS or Web servers, as well as Google or other search engines. This activity is the first point at which it is possible to react to a threat, if detected.
Once targets have been found, the flaw is exploited, and the target system compromised. This is the second point at which the threat may be detected. Worms may then use the compromised system to further search and compromise other systems. This is usually done as part of the exploit, and no human involvement is necessary once the exploit has been launched.
There are many complex factors that determine the extent and speed of which an exploit can then propagate across the internet. The discussion of these factors is outside my area of expertise. I am certain, however, that there are two opposing groups working on trying to shift these numbers to their advantage. I'll simplify it down to good, and evil.
It seems to me, based on anecdotal evidence, that the good guys are smart, but they have to be careful. They have to worry about niceties such as preventing false positives, testing, quality control, etc. Testing is good, and necessary, but it's also a delay, and it's got defined lower limits.
The lower limit seems to be somewhere between 24 hours and 2 weeks, depending on who you ask, and how you measure. Meanwhile the bad guys can work on things at their leisure, and deploy at will. They are well aware of most of the efforts expended to keep our systems secure, and have worked to build ways around them. A well funded evil person can test his exploit against the latest detection methods commercially available, without fear of discovery.
As much as I want to avoid the analogy, it's a war. Both sides have to test their weapons, but the good guys have to do the testing while the clock is running. Unfortunately, they don't have 2 weeks like they used to. The window for testing is getting smaller, and will, at some point even become negative, due to the other delays inherent in the system.
The recent signs from my users tell me that time is running out. The virus signatures aren't keeping pace. We've not solved the issue, and it's going to come back to us, full force, very soon.
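Mike's description above gives defenders two points to react: the scanning phase, where one source touches many hosts or ports looking for something vulnerable, and the compromise itself. The following is an added example written for this page, not code from Mike's post or from this blog; it runs a simple scan heuristic over a constructed connection log (the log format, addresses, window and threshold are all assumptions made for the illustration) and flags sources that sweep many hosts or probe many ports on one host within a short window.

```python
"""
Flag possible target scanning in a small connection log.

Added example, not part of the original post. The heuristic: within a
short time window, a single source that contacts many distinct hosts
(a horizontal sweep) or many distinct ports on one host (a vertical
port scan) is behaving like the scanning phase Mike describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Format assumed here:
# "timestamp src dst dport", one connection attempt per line.
SAMPLE_LOG = """\
2004-08-10T09:00:01 10.0.0.5 192.0.2.10 80
2004-08-10T09:00:02 10.0.0.5 192.0.2.11 80
2004-08-10T09:00:02 10.0.0.5 192.0.2.12 80
2004-08-10T09:00:03 10.0.0.5 192.0.2.13 80
2004-08-10T09:00:03 10.0.0.5 192.0.2.14 80
2004-08-10T09:00:04 10.0.0.5 192.0.2.15 80
2004-08-10T09:00:05 10.0.0.5 192.0.2.16 80
2004-08-10T09:00:05 10.0.0.5 192.0.2.17 80
2004-08-10T09:00:06 10.0.0.5 192.0.2.18 80
2004-08-10T09:00:06 10.0.0.5 192.0.2.19 80
2004-08-10T09:00:10 10.0.0.7 192.0.2.10 443
2004-08-10T09:05:10 10.0.0.7 192.0.2.10 443
2004-08-10T09:10:00 10.0.0.9 192.0.2.20 25
2004-08-10T09:10:00 10.0.0.9 192.0.2.20 110
2004-08-10T09:10:01 10.0.0.9 192.0.2.20 143
2004-08-10T09:10:01 10.0.0.9 192.0.2.20 445
2004-08-10T09:10:02 10.0.0.9 192.0.2.20 139
2004-08-10T09:10:02 10.0.0.9 192.0.2.20 135
2004-08-10T09:10:03 10.0.0.9 192.0.2.20 21
2004-08-10T09:10:03 10.0.0.9 192.0.2.20 22
2004-08-10T09:10:04 10.0.0.9 192.0.2.20 23
2004-08-10T09:10:04 10.0.0.9 192.0.2.20 3389
"""


def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort()
    return events


def find_scanners(events, window=timedelta(seconds=60), threshold=8):
    """Return {source: kind} for sources whose activity looks like scanning.

    window and threshold are tuning assumptions; real deployments would set
    them from observed baseline traffic to keep false positives down.
    """
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev[1]].append(ev)

    findings = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_per_host = defaultdict(set)
            for _, _, dst, dport in evs[start:end + 1]:
                ports_per_host[dst].add(dport)
            if len(ports_per_host) >= threshold:
                findings[src] = "horizontal sweep"
                break
            if max(len(p) for p in ports_per_host.values()) >= threshold:
                findings[src] = "vertical port scan"
                break
    return findings


if __name__ == "__main__":
    for src, kind in sorted(find_scanners(parse_log(SAMPLE_LOG)).items()):
        print(f"{src}: {kind}")
```

Run against the constructed log, the sweep from 10.0.0.5 and the port probe from 10.0.0.9 are reported, while 10.0.0.7's two ordinary connections five minutes apart are not. That is the point Mike makes about the first detection opportunity: this kind of behaviour is visible before any flaw has actually been exploited, and the cost of catching it is a false-positive rate that depends entirely on how the window and threshold are tuned.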
It's pro forma in the open source community where I work to blame Microsoft, to call it "The Evil Empire" and to otherwise assign to it the qualities of evil which, as Mike points out, properly belong to those whose motives and methods undeniably qualify for the label. However one might impugn Microsoft for its behavior as a company, it has done more than any other company to make computing useful to human beings. There are countless millions (billions? could be) of people for whom computing is understood and practiced on terms and in ways defined by Microsoft.
The problem, I think, is less about Microsoft than it is about monoculture. What we have on desktops today is monocultural to an extreme that makes massive unprotectable vulnerabilities inevitable, regardless of the responsible company's motivations.
My recommendation to companies like Mike's is to start introducing polyculture to corporate desktops. Start using other desktop operating systems and applications that are compatible with, though not identical to, Microsoft's.
At LinuxWorld Expo last week, the press (excuse me, media) room featured a bank of Linux workstations for the first time. All of them ran Knoppix, a variety of Linux that runs off a CD. What's most remarkable about Knoppix is that it looks and works in ways that are nearly identical to Windows. I'm sure the workstations that ran Knoppix in that room were normally Windows machines. But all it took to make them temporarily run Linux was that one CD. And it worked fine.
Seems to me that's a pretty easy way to test how well users would take to living in a corner of desktop culture where worries are about work, rather than about the latest exploits by computing's truly bad guys.


InvisiPost!
Hi Doc -
I logged in and posted a comment to this article 2+ days ago, but it is still not visible. I'm guessing it's stuck in a moderation queue or something.
Heck of a thing when anonymous posts take priority over those by logged-in users!
Thinking ...
Mike has some points, but his worries worry me. It's the continued Chicken Little stance which is just too simplistic for our times. The negatives accentuated; the positives ignored.
He identifies spam, phishing, and viruses - then plunges right into his definition of the 0day problem. But these are radically different annoyances with radically different defences. Spam sucks, yeah, but it's just an annoyance, and at the present moment, the cure is becoming worse than the disease. Spam filters are now so aggressive that they're all too often eating up the mail we wanted to receive, and lowering confidence in the email system as a whole. Phishing, on the other hand, isn't really an issue approachable by Mike's 0day thinking, in that it's not really a system vulnerability - it's a human vulnerability. Both of these problems could be solved with 'net-wide identity enforcement of some kind, but too many people fear the implications of that.
Then we come to viruses - which are what Mike is really talking about in the quoted 0day paragraphs. Ignoring those viruses which are really only taking advantage of human vulnerabilities and looking at the ones which exploit system/software flaws, Mike mentions that it's possible to automate the flaw-detection process, then insinuates that the good guys are constrained by the time it takes them to test their responses (patches). But what Mike is forgetting is that the good guys have the edge here if they choose to use it, since they have the software long before the bad guys can ever see it (ie before it's released). And during that time they can run the same automated tools against it. Not only that, the good guys have more resources than the bad guys can bring to bear.
So why did viruses become such a problem? Basically, because the depth & breadth of the threat weren't realized soon enough. The need for security testing was seen - but not well enough to justify the increased development costs of actually running comprehensive security tests. And so it wasn't done for far too long. That trend is reversing. Such a reversal can't happen overnight - there's a lot of code which has to be revisited, a huge userbase providing a lot of inertial drag, and finally the need to train people and build the tools. But it is undeniably happening.
Maybe we're just in a lull, but think back over the past year or so. Haven't the number of serious virus outbreaks on Windows systems lowered dramatically?
Also don't forget that while monoculture has disadvantages, it has advantages as well. A polyculture of systems on an organization's desktops is bound to have problems of its own, and those will have costs.
Last, a short response to the two comments already here. Forgetting the fact that your comments have zero bearing on the point Doc raised - do you believe Microsoft (or any other former criminal) is incapable of reform? Do you believe they should not have the chance to try?
-http://adminfoo.net
Maybe Microsoft gets bashed for a reason?
A common online annoyance: articles that attempt to extend a friendly hand to Microsoft as "just another company" -- and studiously, delicately, avoid any mention of Microsoft's defining trait: its criminal record.
Come on, Doc, you're certainly free to dispute just how bad the company's actions are, and whether other businesses don't engage in the same behavior, and so on, but please don't tiptoe around Microsoft's illegal business activities and hope that the audience won't notice. A company that willingly spits upon US law deserves a good dose of bashing.
Sorry for using the space to let off steam. Anyway, the points about mono- vs polyculture are well taken. Long before we came up with those fancy terms, we employed the venerable warning "don't put all your eggs in one basket". It's still sage advice.
No, the problem is Microsoft.
No, the problem is Microsoft. Any company which has behaved as Microsoft has over the years deserves the title of "Evil Empire". This is not to say that I disagree with your comments on the monoculture, but Microsoft really has behaved as a criminal, and been found guilty of these behaviors in various courts of law. The fact that Bush and Ashcroft walked away from the case doesn't change that fact.