The monoculture debate

The question of whether a Microsoft-based monoculture makes the world more vulnerable to catastrophic failure is interesting and complex. Following on his earlier essay on the subject, Ed Felten has published an excellent report of the debate at USENIX last week between Dan Geer and Microsoft’s Scott Charney. Here’s the gist:

“Geer went first, making his case for the dangers of monoculture. He relied heavily on an analogy to biology, arguing that just as genetic diversity helps a population resist predators and epidemics, diversity in operating systems would help the population of computers resist security attacks. The bio metaphor has some power, but I thought Geer relied on it too heavily, and that he would have been better off talking more about computers.

Charney went second, and he made two main arguments. First, he said that we already have more diversity than most people think, even within the world of Windows. Second, he said that the remedy that Geer suggests — adding a modest level of additional diversity, say adopting two major PC operating systems with a 50/50 market share split — would do little good. The bad guys would just learn how to carry out cross-platform attacks; or perhaps they wouldn’t even bother with that, since an attack can take the whole network offline without penetrating a large fraction of machines. (For example, the Slammer attack caused great dislocation despite affecting less than 0.2% of machines on the net.) The bottom line, Charney said, is that increasing diversity would be very expensive but would provide little benefit.”

More from the ‘You couldn’t make it up’ department

“There was only one way Microsoft could screw up its dominance among Web browsers, and by golly, those clever folks up in Redmond seem to have come up with it: Allow a never-ending string of increasingly dangerous security flaws to scare users away. And when a government agency posts what amounts to a public service announcement on behalf of the competition, you can almost hear the self-destruct mechanism clicking down. Last week was particularly rough for Internet Explorer, with the disclosure of a nasty, data-snatching Trojan that exploited a combination of vulnerabilities that had gone unfixed for months. Then Microsoft issued a work-around that didn’t really solve the problem. Now comes word that there’s yet another hole through which this evil can creep. But IE still has a few things going for it, namely ubiquity and inertia. ‘Mozilla has shown itself to be a capable browser and has only gotten better with each release, but until something bad happens to more people, then the interest in moving to that is not going to be that high,’ said Dennis Barr, IT manager at civil engineering consulting company Larkin Group Inc., in Kansas City, Mo.

That’s right — the perceptions are the problem: From Steve Ballmer’s annual State of the Empire memo to the Microsoft troops: ‘We must also work to change a number of customer perceptions, including the views that older versions of Office and Windows are good enough, and that Microsoft is not sufficiently focused on security.'”

Truly, you couldn’t make this stuff up. Thanks to Good Morning, Silicon Valley.