Friday, September 17, 2010

Issues with the monoculture

A few years ago, there was a brief blip when people started to talk about a major security issue in modern computing being "the monoculture". Part of this was a response to the anti-monopolist lawsuits against Microsoft, plus an attempt to explain why Microsoft's operating systems received so much attention from hackers, and non-Microsoft operating systems barely any.

The issue is this: if everyone runs the same operating system, then anyone who writes a virus or worm that exploits a fault in that operating system will find their virus or worm impacts virtually everyone. There are two angles to this:

  • From the point of view of a victim, the consequences of a monoculture can be devastating. A single virus can destroy a business's ability to function, as every employee's personal computer becomes infected and non-functional, as well as the computers belonging to their suppliers (and clients).
  • From the point of view of the hacker, spreading the virus becomes merely a step of finding a mechanism to identify other computers, as it's guaranteed that those computers can be infected.

The discussion died down for a variety of reasons. Ironically, many of those who would benefit from the argument refused to accept it because it meant accepting their own chosen, non-Microsoft, platforms were just as flawed as Windows. A case in point is Mac OS X. Mac OS X has always had security holes. Earlier versions, up until a point release of 10.3, actually were so insecure that all a programmer had to do to "deliver" malware to a user was to ensure a website they browsed to sent it. Safari would, automatically, without the user's involvement or say-so, by default download and unarchive the "application", and its mere presence on the user's disk would "install" it. To get it to run, all you had to do was ensure the application was associated with a common file extension or two, so that the next time the user clicked on that type of file, it would open. This was something the hacker/programmer could do; they didn't need the user to do anything.

Now that particular hole (which was open for years, undermining the notion that Mac OS X was ever built by anyone who considered security a priority) has been fixed, but holes still pop up. Mac OS X has, since its release, had security updates delivered automatically every month or so. These updates would be, by definition, unnecessary if Mac OS X were already secure. Yet many Apple enthusiasts, to this day, didn't and don't accept the idea that Mac OS X might be insecure. The fact no virus has hit OS X users has been used as evidence of this.

But in actual fact, the reason Mac OS X hasn't been hit by a virus has been because it has such a comparatively small market share, in any community of users. Now, that last bit takes some explaining.

Back in the 1980s, viruses were common and were successful on a range of platforms, even platforms that weren't particularly popular. MS-DOS had many, but so did the Commodore Amiga and the Atari ST, both of whose market shares were dwarfed in comparison to the PC. Part of the reason for this had to do with the "networks" at the time. Networks, in the 1980s, generally consisted of people swapping disks with one another. Those disks were intended for a single platform: people didn't expect a disk for a Mac to even be readable by an Amiga or PC, largely because, without special software, they weren't. So while Macs might have had a small market share, Mac viruses were successful because they were monocultures within the networks they belonged to. As were Amigas and STs.

Fast forward to today, and that's not the case. Someone who writes a virus for a Mac will find that the vast majority of machines their virus "hits" will be unable to run it. Worse, if they use something like the old "Disguise an executable as a JPG and email it to everyone" trick that plagued users during the late 1990s and early 21st Century, they'd find that Mac users would be warned pretty quickly by all the non-Mac users who would receive the corrupt JPG. The fact the virus would attempt to infect uninfectable computers would make alarms ring.

So, anyway, the point here is not to analyze Mac security holes, but explain why standardizing on a single platform has negative implications for any business. By standardizing on a single platform, regardless of what that platform is, you do many things that will negatively impact your security:

  • You significantly improve a virus's chance of success by ensuring the majority of machines it will hit can be infected.
  • You reduce the likelihood of early warning and detection, by ensuring that viruses don't attempt (and fail) to infect machines they weren't built for.
  • You ensure that any virus that hits your organization will have a devastating, crippling effect on your business.

Moving away from the monoculture tends to scare many system administrators. Licensing seems easier if everyone uses the same platform (although it can also be much more expensive), and certain tools work better with specific platforms. Still, much of that is changing. Apple is doing its best to ensure Mac OS X fits transparently into organizations that are primarily based upon Windows, and while Ubuntu seems to lack a community of developers who understand, say, domain-based security, it is at least moving in the right direction.

There's certainly no reason to prevent your users from using the right tools for the job, and by doing so, you also help make your own network more robust, and you become a better Internet citizen. The right choice is choice.
