Monoculture or Mass Hysteria?

by Steve Mallett

Related link: http://news.oreillynet.com/pub/n/Monoculture-Mass-Hysteria



On the subject of recent reports of how dangerous a software monoculture can be: "As seductive as it is to root for David against Goliath, the fact is: Microsoft is not the only 'monoculture' in the digital world. Protocols and open APIs are an example of a necessary monoculture; it would be difficult to describe the web, for example, without HTTP as a common interface. Or DNS. And so on. Linux is increasingly a monoculture. Linux is seen as 'the Microsoft alternative', and as such, is almost by definition a monoculture. Apache, like Linux, is one of the core applications constituting the web’s backbone. Should we kick Linux and Apache out or reduce their exposure in favor of IBM AIX, say, and Lotus Domino, just because these are not Microsoft and not Linux? We don’t think so."

Does this add up to you?


8 Comments

anonymous2
2003-10-15 07:41:50
monoculture & monopoly
First it was people with absolutely no grasp of economics holding forth on what was and wasn't a monopoly (e.g. Apple is a monopoly because only Apple sells Apple Macs, err, no, sorry); now we get people trying to tell us that multiple independent implementations of a standard protocol, running on different hardware platforms, are just as much of a monoculture as Microsoft's bit-for-bit (and bug-for-bug) identical code compiled for one architecture?


I'm slightly worried that anyone would be so devious as to wrap such obvious lies with perfectly reasonable sounding appeals to weigh the evidence and consider the costs and benefits of diversity.


It reminds me of Creationist Scientists who claim they just want to teach kids about competing 'scientific' theories and avoid the 'dogma' of evolution.


Chilling.


Also, anything that links to Rob Enderle's words without heaping scorn upon that rent-a-quote is suspect from first principles. See http://enderle.iwethey.org/

spaceman
2003-10-15 07:57:09
monoculture & monopoly
Where's the link to Rob Enderle?
anonymous2
2003-10-15 09:23:37
monoculture & monopoly
5th Paragraph:


"A few analysts have leapt to Microsoft’s defense on the subject as well. In these politically correct times arguing against diversity is often not the best way to win friends and be popular, but Rob Enderle makes the case [here] that diversity is not always a good thing."


Where [here] links to: http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15202192

anonymous2
2003-10-15 09:55:11
monoculture & monopoly
>now we get people trying to tell us that multiple independent implementations of a
>standard protocol, running on different hardware platforms are just as much of a monoculture as
>Microsoft's bit-for-bit (and bug-for-bug) identical code compiled for one architecture?


I mostly agree with you on this point, though even protocols can have vulnerabilities, or exploitable weaknesses at least, that aren't significantly ameliorated by differing implementations. Your choice of router at the moment doesn't make all that much difference to your vulnerability to a DoS attack, for example. But this is rather incidental to the point that all-Linux or all-Apache environments are just as much monocultural as all-Windows and all-IIS environments.


There's nothing devious about weighing evidence, and nothing inherently wrong with disagreeing about a particular relative cost or benefit.



Simon Hibbs

anonymous2
2003-10-15 10:41:33
monoculture & monopoly
An argument from that link about why a Microsoft Monoculture is more secure than a heterogeneous environment:


"This is the big problem with the diversity recommendations I've seen. If they had been implemented as recommended they would have had little impact on the Swen virus [...] and would likely increase the exposure for other types of threat.


For example, if a virus targeted Microsoft Office and an enterprise deployed Apple systems running Office, for compatibility reasons, that enterprise would probably be damaged by the attacks."


Does that example of how heterogeneous systems are more vulnerable make sense on any level?

anonymous2
2003-10-15 12:26:05
monoculture & monopoly
"There's nothing devious about weighing evidence, and nothing inherently wrong with disagreeing about a particular relative cost or benefit."


I didn't say there was. Pretending to do so while peddling an ideology is the problem I refer to. I thought my analogy made this clear.


Also, your statement about all-Linux versus all-MSFT and all-IIS versus all-Apache is false, since the fact that they can be run on many different architectures (and Apache on different OSs on each architecture) immediately reduces their homogeneity.

simonstl
2003-10-15 15:22:03
DNS
DNS has come back to bite us a lot of times. I really _wish_ there was an alternative to the current ICANN/Verisign/minions mess. When it started out, DNS was one of many. As DNS became more important, names became commodities. That's turned into some pretty ugly stuff.


HTTP still has plenty of competition, and even TCP has UDP. IP is about the only thing I don't mind having as a monoculture, since it's designed for distributed responsibility from the ground up.

GerardM
2003-10-16 09:09:21
Open Source as a monopoly
When an open source application has a substantial market share, it would seem to be a monopoly. There is however one big differentiator: given that open source comes with the source code, ANYONE can scratch their itch. When a vulnerability is found, there may be many patches written for the same problem and one patch will be the dominant one.


With proprietary monopolistic software, users are reliant on the good services provided by the manufacturer of their software (for service they have to go to their supplier...).


Given the amount of long-known vulnerabilities in Microsoft's products and given the lack of service (Hebrew in MS/Word for Macintosh, for instance), the arguments against the Microsoft monopoly are easy to find.


Compare this to Open Source monopolies, where you find new communities springing up supporting products where the old do not function. The monopoly is one of the product involved and not at the same time a monopoly of persons in control of the format of the product. Linus said in a recent interview: you can take the Linux source, compile it, call it Barbara and you have a new GPL operating system.


Thanks,
Gerard