Debunking the computer monoculture myth

When "monoculture" is just another way of saying "I hate Microsoft," security falls by the wayside

Ever since Dan Geer was fired in 2003 from @stake.com for co-authoring a paper on the downsides of a computing monoculture, I’ve seen article after article recommending that administrators do away with their computer monocultures as a way of minimizing or defeating malware and hackers.

The computer monoculture argument says that if all your computers are of one type or OS platform, you are more at risk of malicious attack, because an attacker can exploit the commonalities across all of them at once.

There is some truth to that argument, but any good idea is bound to be polluted and convoluted by the retellers. For one, many authors promoting the idea of eliminating computer monoculture are actually thinly veiling their dislike of anything Microsoft. When you ask them whether everyone should run Linux computers instead, they usually go real quiet for a few seconds and then either say yes and go on about the myriad of different Linux distros available or -- rightly -- say no. But it still took them a few seconds to answer with a straight face. (Even Dan Geer was against Linux monocultures.)

Second, many people think that if the computer monoculture went away, so too would hackers and malware. That's an overgeneralization. Saying something could be minimized, or even decreased, is different from saying that the risk would be eliminated completely.

For most companies, moving away from a computer monoculture means picking up computer platforms that are new to the company’s administrators. If I’m a 20-year Windows veteran, trying to learn Linux quickly isn’t likely to make the environment safer overall.

A friend of mine, upset with Microsoft’s ISA (Internet Security and Acceleration) server firewall, decided he wanted to run OpenBSD and PF (OpenBSD’s Packet Filter firewall) at work, after seeing it running at my house. I, too, threw out all my other network firewalls after they insisted on doing things I told them not to do -- such as blocking ports and packets I told them not to block. OpenBSD with PF does exactly what you tell it to do -- “keep it simple stupid” type of stuff.

But installing and configuring OpenBSD isn’t simple for the first-time user. My friend was stumped -- he is one of those guys who has installed Linux a few times but has never run it beyond a few days before giving up. He has read my columns about how secure OpenBSD is, watched me configure PF a few times, and decided it was the solution for him. It took him months to get it up and working.

He had OpenBSD up for about four months when I first dropped by to take a look at a particular problem he was having. It was only then that I learned he had no firewall working the whole time -- he had made a misconfiguration mistake, and compounded the original error by not testing his firewall.
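The failure in that story is a firewall that was installed but never verified. The following is an added example, not code from the column: a small post-deployment check that fails loudly when PF is not enabled or the loaded ruleset has no default-deny rule. On a real OpenBSD host the two inputs would be the output of `pfctl -si` and `pfctl -sr`; the samples below are constructed so the check runs anywhere.

```shell
#!/bin/sh
# Added example: sanity-check a PF deployment so "firewall up for months but
# filtering nothing" gets caught on day one.

# Constructed samples of the `pfctl -si` status line for a disabled and an
# enabled PF instance.
SAMPLE_INFO_DISABLED='Status: Disabled for 0 days 00:03:12            Debug: err'
SAMPLE_INFO_ENABLED='Status: Enabled for 12 days 04:10:55            Debug: err'

# Constructed sample rulesets in `pfctl -sr` form. The first one has no
# default block rule, so anything not explicitly matched is allowed through.
SAMPLE_RULES_OPEN='pass in all flags S/SA
pass out all flags S/SA'
SAMPLE_RULES_OK='block drop all
pass in on em0 proto tcp from any to any port = 22 flags S/SA keep state
pass out all flags S/SA keep state'

# pf_check INFO RULES
#   INFO  - text of `pfctl -si`
#   RULES - text of `pfctl -sr`
# Returns 0 only if PF is enabled AND the ruleset contains a default block
# rule (block [drop|return] [log] [in|out] all). Returns 1 if PF is not
# enabled, 2 if there is no default deny.
pf_check() {
    info=$1
    rules=$2
    case "$info" in
        *"Status: Enabled"*) ;;
        *) echo "FAIL: pf is not enabled (run pfctl -e and check rc.conf)"; return 1 ;;
    esac
    if ! printf '%s\n' "$rules" | grep -Eq '^block( drop| return)?( log)?( in| out)? all'; then
        echo "FAIL: no default block rule; unmatched traffic passes"
        return 2
    fi
    echo "OK: pf enabled with a default-deny ruleset"
    return 0
}

# Stand-alone demonstration against the constructed samples.
pf_check "$SAMPLE_INFO_DISABLED" "$SAMPLE_RULES_OK"
pf_check "$SAMPLE_INFO_ENABLED" "$SAMPLE_RULES_OPEN"
pf_check "$SAMPLE_INFO_ENABLED" "$SAMPLE_RULES_OK"
```

On the live host, replace the samples with `pf_check "$(pfctl -si)" "$(pfctl -sr)"` and follow it with an actual probe from outside the firewall, since a loaded ruleset still says nothing about whether packets are being filtered on the interface you think they are.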

In his attempt to spread to a different, more secure, platform, my friend made his company weaker overall. Ah, but that’s what’s great about the computer world: Make a major mistake like that, and you never do it again.

Advising administrators to get out of a monoculture environment assumes that they already have the necessary expertise with the new platform or that they can hire what they need. It assumes that the apps they are running now can run on the new platform, which many times isn’t the case. And the biggest assumption of all is that your computing monoculture is expensive to maintain and is getting hacked and exploited all the time. It ignores the fact that many companies I work with haven’t had a worm outbreak or hacker event in more than two years -- and the security is automated with a few clicks of a mouse from a central location.

Of course, security is always a cost-benefit trade-off. A good system administrator does the math: Does the increased cost of supporting multiple platforms offset the cost of the security issues caused by a computing monoculture?

But let’s go further. Assume the entire world did away with its computing monocultures. Everyone is running varying percentages of Windows, Linux, Unix, BSD, OS X, Solaris, AS/400, and the like. Would that stop hackers and malware?

It’s my contention that it wouldn’t cause but a ripple in the grand scheme of things because hackers and malware always go to what is popular. In a non-monoculture world, people would still have to talk, and compute, with other people. This means my application would have to talk to your application.

Let’s face it, the monopoly isn’t Windows, it’s Microsoft Office. Your users might let you replace Windows XP with Ubuntu Linux, but only as long as their e-mails and file attachments are readily exchanged with everybody else they need to communicate with. If they can't read their file attachments for a day, you’re probably out of a job.

In a non-monoculture computer world, the apps would become even more cross-platform and ubiquitous. It’s already happening. XML is the data interface savior of the world. Adobe PDFs are soon to be replaced by OpenDocument-formatted files. With OpenDocument, no matter what platform you make your document on, it can be read by any other platform that supports it -- and OpenDocument is royalty-free. Adobe’s PDF format is beautiful, but you can’t create PDFs for free.

Cross-platform threats aren’t new by any measure. Even in recent years, during the heyday of macro viruses, there were many cross-platform threats that could infect DOS, Windows, and Apple computers simultaneously. Last month a demonstration virus called Lindose showed that a single malware program could infect Windows and Linux executables at the same time.

And if you think patching Windows is hard, try keeping up with several OSes. I sometimes curse out loud because of all the mailing lists I have to track and all the tools I have to use to make sure my systems are patched. I’m pretty sure that, as the number of platforms increases, the amount of consistent, thorough patching decreases.

So after all the hard work, effort, money, and maybe somebody’s blood, switching from a computer monoculture to something else wouldn’t stop hackers and malware. It might slow them down a bit for a while, but it wouldn’t stop them for long.

Moving away from a computer monoculture isn’t necessarily a bad thing; I say pick the right tool and platform for the job. Learning new platforms and expanding your knowledge is a good thing. But let’s make sure we state the benefits of a non-monoculture correctly. For some environments, it might work. For many others, it would be a lot of additional expense and effort to end up with the same problem -- or worse.
