Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


IT Wrestles with Microsoft Monoculture Myopia



 By: Ryan Naraine
2006-09-10
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Windows story.


  Table of Contents:
  1. IT Wrestles with Microsoft Monoculture Myopia
  2. ' Its Getting Cheaper to '

Rate This Article:
Poor Best
IT Wrestles with Microsoft Monoculture Myopia
( Page 1 of 2 )

Three years after an influential report flagged the security risks of relying too much on Microsoft's Windows monopoly little has changed. Why? The economics of standardizing still trump security headaches.

When Microsoft announced in March 2006 that it would add code-scrambling diversity to make Windows Vista more resilient to virus and worm attacks, you could almost visualize a wry smile from Dan Geer.

Geer, a computer security guru with a doctorate in biostatistics from Harvard University, lost his job as chief technology officer of consulting company @Stake in 2003 after co-authoring a report that blamed Microsofts operating system monopoly and complex code base for the frailty of the Internet.

Exactly three years later this month, Geer insists that the risks associated with Microsofts virtual monoculture remain the same, but a quick glance at the future direction of the worlds largest software maker gives Geer a sense of "total vindication."

Indeed, three years ago on Sept. 24, Geer penned "CyberInsecurity: The Cost of Monopoly," a 25-page report he co-authored with a whos who of computer security experts, including celebrated cryptographer Bruce Schneier and intrusion detection systems specialist Rebecca Bace.

The crux of the report was that software diversity was core to securing the Internet.

The group cautioned that the only way to prevent "massive, cascading failures" was to avoid the Windows monoculture.

"Because Microsofts near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor," the report said.

In many ways, Geers report was prescient, as Microsoft has become a huge target for hackers. Meanwhile, Microsoft has adopted some of the tactics recommended to diversify code.

"In just under three years, the idea went from something you can get fired for to a research priority for [the U.S. government] and a product plan at Microsoft," Geer, of Cambridge, Mass., said in an interview with eWeek.

"You look at what theyre doing with randomizing Vista and all the signs around virtualization, [and] its real vindication for us."

Resource Library:

He was referring to the addition of ASLR (Address Space Layout Randomization) to Windows Vista, a security feature that randomly arranges the positions of key data areas to prevent malicious hackers from predicting target addresses.

The technique, known as memory-space randomization, will block the majority of buffer overflow tricks used in about two-thirds of all worm attacks and, even more importantly, will effectively create software diversity within a single operating system.

Despite wide recognition that software diversity is important, progress is slower than expected.

Ten days after the Geer report garnered publicity, the U.S. House of Repre-sentatives held a hearing that included an interrogation of the Department of Homeland Security on the subject of monoculture, and the National Science Foundation, an independent federal agency, pumped $750,000 into a study on cyber-diversity for computer systems as a way to fend off malicious viruses, worms and other cyber-attacks.

The result? Despite all that talk, the DHS remains a Windows shop and Microsofts flagship operating system still commands a whopping 97 percent share of the desktop security market. Businesses dabble with alternatives such as Linux but remain tethered to Windows. Why?

Despite the initial hubbub over the report, businesses are betting that the costs associated with diversification are greater than the returns from implementing technology that could be more secure yet potentially harder to manage.

"We havent changed much. Id argue that were at even more risk today than we were in 2003," said Schneier, chief technology officer and founder of Counterpane Internet Security, in Mountain View, Calif. "We have a culture of ignoring serious warnings until its way too late."

Schneier, who did stints at the Department of Defense and Bell Labs, said the monoculture risk exists beyond the desktop. "Windows has pushed into mobile devices, into embedded systems, into noncomputer CPUs. The threat of that cascading failure is even truer today," he said.

Even though the argument made in the report remains as valid as ever, diversity has been elusive because, as Schneier put it, "monoculture is attractive because it is cheaper."

"Its hard and its expensive [to diversify]. Yes, its less secure, but you only have to support one thing when you embrace monoculture. It always boils down to economics," he said.

Geer said there are two options available to government and enterprise security systems: Embrace monoculture and get consistent risk management because everything is the same, or run from monoculture in the name of survivability.

"Today, were relying on picking up the pieces," Geer said, adding that its much cheaper for a CEO to invest in anti-virus, anti-spyware, anti-spam and patch management solutions.

"Weve committed all our eggs to a basket named patch management, or were looking to virtualization to help wipe and reinstall after [malware] infection," he said.

For Andre Gold, director of information security at Continental Airlines, monoculture and security became a hot topic in 2003 after the SQL Slammer worm disrupted operations at the Houston air carrier.

Vista RC1 tests show that the migration path may be rocky. Click here to read more.

"From a pure-play security perspective, we had to answer that question. Do we want to diversify to keep things running when another attack came along or stay with the monoculture and invest in securing it," Gold said in an interview with eWeek.

"It came down to economics. Its not easy to click your fingers and say, Windows is a liability; lets just switch. You soon realize you have to spend even more to get specialized staff for each computing environment," Gold said.

Several CISOs (chief information security officers) interviewed by eWeek echoed Golds sentiments, stressing that budgeting considerations always play into security decision making.

"I cant spend my entire budget trying to diversify and not have resources to secure them all. Thats not practical," said one security executive affiliated with a high-profile financial institution.

Golds situation rings true for John Pescatore, an analyst at Gartner, in Stamford, Conn. "The cost of ownership skyrockets because of diversity," Pescatore said. "The economics says to standardize, standardize, standardize."

Next Page: Its getting cheaper to deal with a single platform.





  Reader Comments: IT Wrestles with Microsoft Monoculture Myopia
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M=Ҕlc-/K3ΤN"!1Ej/Y?_v8x %L'cK@7Fw?H9wur56%SE}"I{C(`RϩIzNڶ? }~mksu;{#|6%߽w *s=NN5K&OxgMlM1eck`p,FcwM5d{=B ~5;6(CJep$ZwvH~Th⻶eMGaoF w*Nuol9 Q!)*X^P~FD;ǎ5~r 5{a_;U'i3[<$C5nCUVekV6^;s9ȹ׳z$fRvn8Gd`jI:@*"4C6S!p55\`p)jHZ6tG,> H>P7sIzV@daS/*! lpa+j)y'C<ΠE[Uֶg5]q;ܹcglZENX*o~cn!LjXE&sؗCYͼaF3l˸;4 HSKVUBX)ڑ^rӽm˙?X8N_zJY4E].;gW9~`h-v$ Eess^_wDUJ`Z. G$_::~\B^,9@FI?j|%R+ i٥zd$Y3)2,ԐY;~K~6/NM퓳Nl,aR422V,]鮘FȏwAժu|qӹluoz{MZϝvY;i Ok*}kCp=['^=:$?LmrG=.iTj{C{r&޺t|9!9Io 'gs`HBm۲ܾ̑\R yka(7f`X@7? eR2|&r* ߱n^S'G5ǯhVj5V0z[PĿ G/<@'L[w p3Z&9T23=MH#k 3!RBʼĿIK _VPJB-)\Dh+ԌTwIQQ#w=^f/\R@1Al8{ØWҽTwsQ iغ\48?]7+De., s5-wfzaZTpx3nO]u/{]t0*>cq4Y`A-. 8ǹ:oo:jr-6_)Ab/*5U95|Qnl :2X jX1nґ>σutSOgG|JMk>uI< EC#ɠ:ڴ{\gV4!>F&MЀ wG|hx:,,Abχ&a`M?FAтMz>tT;]|2Zw9ܻ-L&wz JCˋF0P6xBe^~}¢1O[>ȁ=`Mtև &QsnPBfx?ɜ+) %@FHHt"AђF *4 gscX"K"'ǏA7;.VKŤ\*y"Jm':ݱ;PKRx&,S,BV-KᗄPf%i2mhƪń(VFNl(0Vf) .z*Hp0ѿy6yBfOx;r+kF3UʝWRVy'g|)WNyVc$C V6_2˧L)Esr:w'e?ZĿL?ͺz+YF^u 9R@{4 m 246@Ȱ\k_X5QW(:,)T ŠaYl`cy1Csz QIZеہ`5s7\Pe_M}dҶlߪ%M*GV+WbzgܲK()mʥʫ;qg@4-=f~oy:L'lф0ې l1ZJ[Y*,b3)4j+zF of`׆ K ؈㌑ҵ3KwEeﴽJM.bFd>n '[arShfh:l<}6:Hy5՝5̆RP՘Iڏ9&_G5 k^ˣ6Wȵm>2躢΍GƱ4g3t%ra9h9& ֐ziDe˜,Za秺 #ؚyewPz?19r]ilu0q`(1Z3:uV*[O;$!WTͶwAQ O1kM8vهE1Ǿ{E; F:7a/)cpIl_\À<ׇ>B SL@ΧrE\ ~1~1UŠP=I) ]`u0$VT!rBs=?w2_!挮t!VBLQQT*8+ :?#UQ@H3jw4'8M??5YoN(voܮ;KG~g^Ol^Lcv"O`V$O,p2HU>XC}`/cҧ8PĺU0UESUG+[+]>F]h!.־ X@P A6+8SӞ-5Z,Y~B)'؁-_k9oE`9^R˶SL*H@8u<|[\Y3 Q|7z0bƏQajY[ ສTjՂʾ_N+^t m(5# #2qgrh)h-f5Z54};`[ k欭h+,s Jb+ʹV(EcYUzrulFYdgEU)XW<N~7-="JL7Ϧ<sƃ~w"y@*FZuG "BN7x^oxP@<ৣjZ)o ƗɘBÜb+>A֌M:+ls0USfyr;Wk*k`=z{Ǻq;ɭ-YE8&}+琩gsC/ ܒ; k@X'V-(7ϙ40p2^=](lYVj嬙fwr£: ߀&?\@qccAHNow07$pkj fS))r*H+ů 3Fˁ; _.7qDzGRUe@5ỵV3C e 4v=.EЋv}cLB.Mo 4yQFkoZ,+eeHS/ JU-A^Mo6=IT\SGQ>4{Ic#&a\kxkc}Z"FRnTbPQKJBЛgQ!VAɂ]AӀM\r8khs)p}/O&PFzMʵL]8TV<^ۋ953ק~@Lf@= P3&tƝ7/1Tcn?ºe$I`\&LXt Z:LT)OLJZZ$|p`F"{qT2N {4{RYԹl>$#.[RO50osV=(; J@c䆷G$bw}\ɾ3zV^5[隿ð Oa區wsѼй_>w!#r޹lK^+΃ G y!KBV<'ux6i)qڎ7M ,#LkC2Ȱ J_ƥ{j_sf녨kZ ^k5WE.'27Le8ZFp~[_aY,d"0. Wtzc}E9,׀zB*Λ_i%D[( `E/Щ cAHFrI'zRG>gIəO/PIQ):*9Q{_akѷo9Aߐ>O1Ok7tExW(kh,UbsZ;LdNlp jwz`ySr4/E/p]Zin} zsH&iR'DZ3pu*h hwl)~ڲOCT䵤 g[YUHN~@)!\8)Dz@0QH吜ZC>?j^wZyr@gq?Klظ2U(sXsw{{eB s?݁CO6r=ICo6OG2M .`Y #z} D{O,ikn;;=?P.zZĩUrcc䰎Ml3,LjDžܳbt n4kҼ?5L0c,H~ ;#|$~>xFM{uS棏G 95gy V7N{m,da3foc_; ?-l-8tǠCR#K1&$Z^VP**sᔤ˞CȔXN GXd1 0d&zvA JGs`̞xqK7׷bRco}|}& ~ ]=PI=w)~=Ғ(r_&ZDNp5Q {qI9.t}?,J`\Ty^v} l$>?G{o[#D:*pctOxcZy‡i襶<?v79wBf#AVާA3!rHn&1jM:?jG~U":})}S_ZJʺsmbV-v\0B;kg!cϽGPty.W`"N_nQVJJ1I&AQ\3./[䂟1یx8gGOةKCD4['oaJL]_@!?Kx1Xes w^\W&rZ7FʗnT. Ie!bdO:]<|ȶ'!4~ 8F@)"$nH7v| MQʒRTm<_GiOx (ǔe &Tt[`~0 '^\')O1DoJ' Hx 8 "3l[ŝK,NT@l~ҹ>S_T ", nHYD>C{pAO-1mlWoGQIնeK0&f6IU*ŖFQ>' wy.pd\cR[oi&ҕk?n(PJRW(N' (.n ~.wb N0S~ &۳Ki7ԅDPaLEGRI)&%b"^; a;ڦ&g۞Csމxڶ]yq؟P \fXu薖3^l q܈WcS\9r28ċK~yGyGyGyG{Ga*󽣱| 'izJ<?Rŗ~DmKLKJ#H 0_Sr0T}fAomc !._& yc?ffq2E'6Nݒ^qziH]K%M1 `QH=v]FϺiK:˟HZXa4!-l` $l{H -|%,4dj-9RwCG"pgxDꂵ +XsF|5<ځm0< <z2"F@$1lw65⼗QҿT4bNuM7F oҁ2g8t=gwVK]y=M#X.yM€x3_@' < t{Jk/x6-P;(ȫ.DclD>~=Z$XPc[`غꖜP~m% };*R޲mkLooq-@/-DİZILn{&/fK.}11JR[h\SPppC˧s3,!?q@h:k hhڼ"/>1RזKU֏!B2#!9#OUo{6.ƭUmŁy;]^NcJ0j+y}o -k}'\NDwXGJgʋ΄i>J!,c/;%{_#$Ւڳx (/Fbj\=Ϫe3zՃ(W3w<I|/CANsIWGcyaW[)=h%'Ge^Z+8+AcWJWSlíawMgL?冱KjoAL=y2;ML{m"moJ QXkvmYo9$V֌f*IRso ZߦRm_mau.^%K/{lȪhֲFwt)]۬R2ײwbp, L˺ټy3у z( ƗY'd/ [IHgc;wFp8e[Y@l , '%g0:k҃>?w}̡ç;2`z?b_7s/K{~i[ {T_ݷ8!:N̫9شd=IF E#(hILÑBu}sTaz##Dxt~68>ċ_{VA'я"Szvh/$UhZP_Be7lW-TsZ.Wfz`Nu_ZՔV-`{dE=*9F_Xc>=6g`zEd#usg楒V1Iۺg?#n8,֐K&O=LkG J6_K>pI '0cˡWqb\oj(&F;]Lc oB0޻K{IV^YC70ڱJ R 9?SRmF ΝNzcD̋:Z s ʒ2?+ 6Ƕl[va|Duv,d3}$g;~  A"ͨa8TJo[ J,+s\1oiy8>*1fD+9m!W1h?,`LW<00t+P̲jNT\OpY=XCE3 cL _\}­BA*o[ȺexxJ"r[-jYbߓ}L`߄>8G/ :{ᛂrPZ-0Fd>hTHґu /a<$wzS4mԓFG)׀gxBW7˽}D['鍀I+62sjDl/ /uhߴsrپ靷u=<DϏLp@XT#Aߑ7ŝЀH bߣ j6$EuE)di4y»'#aHCX rTtQ:..( oIYP,(ϏB5DSJTmn$T,:݅sO2Ni0q4:Lma`t.t?OgGA~2?t:&Zf5KޝQ>ɖàzEQp#ߛSg0Y"*[7ΥiEZ<& .ycI 8^yN4X+M 7,X2|;{xbRU+J)|U3ʰLXUK7)^ ;ee= =M蕴B^Ȉq~/w4 :>1's;1h^]!k$6}:\w%9nwoo;urҽrڹl_]w.ƩL·_s}e |Q)Xl 5e9š6u\ «.Y3U94dG_0}4ew$; UjUzu7M&6yBfuljŵNN|vuI5#'uƼ6~I>sNMo )n}>e;MjV}QyxQ?fd_C&pj3 ݌rР(?@ |OPi}Y'8/rN+g:NF?r/Pe}9?π]"c|. /E|E}/>/2 ϋ D3(?@?2/"2c|/A~.32cnF _?2 ޿x:z/PO_23*>g9~7P~U{7MF77$)cf5pvJEsQ^53T}~)P5(ge3Vڍna{Ar!ge_/C@/qsum%R+ ]Q%=-{[I2n@Kȣ_xi +{ zH2 r hxVydb bye?VPw;]CҤ]j.{%])W[O'ikr(%s<2g!gs=* t=}HcTHD1KAF0_wͣ,I5;HT/3y˘'ԎnOAr}n7}Fn_x`bdrOkr>u"[~|^YlفGhO WY-Jbġ${z?fc&Hy>j~h|Z/OUq4 5%p&!H81 H-L{HN08 a箩-gWCtJ# ۘn~oc0ts`ƎIn6J墦 V˕R;~O;F" A,$&T$`vXJ D`q9#Tx|Demƫ9 C8b{hDŽ[ɖ(=^?&Gu^ŗ1 {7/Mu/*{_۱ Ccf@p b/[{z5(hWs`sͫFbЦ!%Kva[F0m|whG25<>Mqgq%B4;Po.@cmc߻C{ ,x u0/o T zgɄB΄[W騿CsR%u Lv;Qk`Q{erÄ#6O 5U"yO|w `ؼFՋpO`wBybh]$bMaMc񶑧5,l$9=ASh4ϛW5EX"-zGmw,Rw2G$YIm,XoOT*L[ |IK:AM6_w,-YݨoˊLsӃG3RVVХIyH,݈ AQ6+yJ>? T|- 5\6$DR }J0~N:]v0N@9DEPީx:'c.,s(ŬBSd=)O?7'[nI 5E`1l4aeh 3 <ձ wO`7@#>Ƌrd{Gov.H|n4~Uf2{M{:o90kn>7Q$L{yݟ 9@/7A{~ r@c],ngn`Cl .3.O]& hWa! e71KLP`O3&gw6G-hXGx kok3gzϷ;<v7͇OVe؋$v/-ǬvJ^S.u 7tleb @J܊ D73D*k}X^c 0У,*0}shՆGXƸ[[) qy6`;Щ0DM.vj]nJQXƺa#®u4mvщ߉ {&**kWȅnTLx囤9mAU  =[=܋;ɾ Yf+3sƫRdGB Lnl^^kti( aaɗX0 'Ɣ ϰO" sWmxDh\N#K1E~2ZU9sm j׺Wx/yc|>[zw00jPo%hw2b59#ʧ3N~q 0X+.9 wҝX{yB(O}y9rC*gꙺUN'ώ7z_a}B=FBl4*7·y:?C[7nyq˖VQ)ZNN`XfչuK+_1ZF-<#@5̺J"<&/)FҢpL\岞Ԕb}{7 p6JL?-۔̡9MR"GZi/%!zR4էr0>_֊V&|Z2c{͵N_ lM*,