The monoculture debate

The question of whether a Microsoft-based monoculture makes the world more vulnerable to catastrophic failure is interesting and complex. Following on his earlier essay on the subject, Ed Felten has published an excellent report of the debate at USENIX last week between Dan Geer and Microsoft’s Scott Charney. Here’s the gist:

“Geer went first, making his case for the dangers of monoculture. He relied heavily on an analogy to biology, arguing that just as genetic diversity helps a population resist predators and epidemics, diversity in operating systems would help the population of computers resist security attacks. The bio metaphor has some power, but I thought Geer relied on it too heavily, and that he would have been better off talking more about computers.

Charney went second, and he made two main arguments. First, he said that we already have more diversity than most people think, even within the world of Windows. Second, he said that the remedy that Geer suggests — adding a modest level of additional diversity, say adopting two major PC operating systems with a 50/50 market share split — would do little good. The bad guys would just learn how to carry out cross-platform attacks; or perhaps they wouldn’t even bother with that, since an attack can take the whole network offline without penetrating a large fraction of machines. (For example, the Slammer attack caused great dislocation despite affecting less than 0.2% of machines on the net.) The bottom line, Charney said, is that increasing diversity would be very expensive but would provide little benefit.”