WebMink
Simon Phipps's personal commentary


Friday, September 26

Self-Evident Monoculture
I commented recently that, while we can each take steps to prevent virus and worm attacks on our computer systems, the biggest threat we actually face is the fact that we have a computer monoculture.
Most of the world’s computers run Microsoft’s operating systems, thus most of the world’s computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.
Actually, I didn't write that - it's from the executive summary in the CCIA's new report, 'Cyber InSecurity' [PDF, 880k]. The (brave) authors include Bruce Schneier, who I respect greatly, and Daniel Geer, who @Stake (a Microsoft contractor) have shockingly summarily dismissed despite the fact that the report simply states the self-evident and makes recommendations that are just common-sense:
While appropriate remedies require significant debate, these three alone would engender substantial, lasting improvement if Microsoft were vigorously forced to:
• Publish interface specifications to major functional components of its code, both Windows and Office.
• Foster development of alternative sources of functionality through an approach comparable to the highly successful "plug and play" technology for hardware components.
• Work with consortia of hardware and software vendors to define specifications and interfaces for future developments, in a way similar to the Internet Society's RFC process to define new protocols for the Internet.
These need some safeguards; the usual lack of good faith in which Microsoft approaches these things means they would probably try to turn each into a revenue and lock-in opportunity or to grow their monopoly.

Before the usual and inevitable cries of 'Microsoft-hater' are raised, can I make a plea to people to look at the issue here (and read John Lettice's take too)? It's actually not based on an instinctive hatred of Microsoft - as Geer himself says:
"If the monoculture was all Linux, it would be just as bad"
It's a fact [huge page] that they have a monopoly, that it's resulted in a monoculture and that this provides a big, squishy target for the black hats no matter how hard they try to fix the bugs, and no amount of safe behaviour by customers is going to fix it. It's the facts that need addressing. Either every country has to become a police state or we need diversity.

[also posted to java.net]

posted at 5:30 PM (UK)


(c) 2003-7, Simon Phipps. Some items may be repeated in the editorial column on the home page.


