sakrilege

According to this CNN report, Software Monoculture, a security expert postulates an idea that monoculture is undesireable in the computer arena. There are those who contend otherwise.In nature, diversity is good. We humans tend not to like diversity. Globalization is an example. But also, when SARS broke out it was the monoculture of WHO that helped prevent the spread.

DNAunion

Huh? I think you misused the term monoculture there.

BioBeing

As linux becomes more popular, no doubt it will get more viruses. So the Microsoft guy does have a point. And a duo-culture may not prevent a virus from wiping out everything, but it has to be at least a bit better than a monoculture, right? Of course, we could also mention some other operating systems that got swept under the rug by MS - OS/2 apparently showed a lot of promise, but was obliterated by the monoculture that is MS. OS X is Unix based now, so that could fall under the linux category, but how about FreeBSD? I'm sure there are others out there...

Competition is good for consumers - it keeps companies on their toes, and prices down. Monoculture = monoploy, which is bad for us.

DNAunion

No, �by the �monopoly� that is MS�. Monoculture != monopoly

No, monoculture != monopoly.

You are wrongly equating the business concept of a monopoly with the vulnerability concept of a monoculture.

The person whose article is being discussed didn�t make news by calling Microsoft a monopoly�that�s old hat and everyone knows that MS is a �monopoly�. He made news by recognizing and stating something new, or at least not widely known: that having a computer population devoid of diversity, possessing basically only a single �OS genome� so to speak, puts us all at risk of having a single virus take down all computing systems.

sakrilege

I used the term monoculture in reference to WHO, which may not be totally correct. I was trying to convey that a single focus organization can be very effective at dealing with a problem like SARS as opposed to each country having to deal with it alone.

Corona688

I think this is unlikely... a great many security holes in Windows come from obscure "hidden features" that are exploited as they are discovered, like the shared-networking flaw that Blaster abused so mercilessly. And there are endless numbers of viruses that abuse Outlook's scripting features to forward itself to everyone in your contact list. And I've personally encountered a virus that abuses the scripting features in Word to seamlessly insert itself into every word file you open.

These viruses aren't "cracking into" systems. They're using systems that've been there all along. Linux has no such "hidden features".. there may be flaws that can be taken advantage of but unauthorized access can be blocked any step of the way. It sure doesn't bend over and welcome it the way Windows seems to!

fishbulb

There is some merit to the argument that, as a system becomes more widely used, people will try harder to find and exploit vulnerabilities. But the fact remains that it is very easy to find and exploit vulnerabilities in Windows: many worms and trojans simply use actual, intentional features of Windows (and the other two parts of the triumvirate of insecurity: Outlook and Internet Explorer, and their sidekick, MS Office) to do their damage. Obviosuly, Microsoft didn't intend for malicious email worms to spread themselves using Outlook and Windows scripting features, but they were well-aware of the potential for abuse of such features and yet decided that the convenience was worth the vulnerability. Linux is built around a more robust and security-conscious model and so doesn't have as many designed-in weaknesses. Both Linux and Windows also contain bugs and unintentional vulnerabilities, but the design of Linux makes it harder to exploit any such vulnerabilities and tends to limit the damage that can be done, whereas a disturbing number of Windows exploits give an attacker complete control over a machine. Lastly, Linux vulnerabilities tend to be acknowledged and fixed quickly--usually within 24 hours of being reported. Microsoft's last critical update was for a vulnerability that was first reported over six months ago, and it is not unusual to have to wait weeks or months for a vulnerability to even be acknowledged, let alone fixed.


It does more that limit the worst-case scenario: it also slows down the rate of infection. If only 50% of machines are Windows machines then half of all infection attempts fail automatically because of incompatible target systems. This not only means fewer infected machines, it means fewer machines trying to infect other machines too. If you slow down the rate of infection, you stand a chance of figuring out what is going on and putting a stop to it before the worm reaches maximum saturation. These days, most Windows worms take anywhere from a few hours to a few days before they have infected just about every machine that they are going to infect. By the time the antivirus companies have a filter for the worm, it has already done pretty much all the damage it is going to do anyway. Running Linux (or any other non-vulnerable system) not only prevents me from being infected by a Windows worm, it may buy other Windows users enough time that measures can be taken to protect them from being infected too.

sakrilege

As a case in point to MIcrosoft's attitide, I just recently installed the latest version of Outlook on my work machine (the mandated standard ). It has logic for handling suspected junk email and routes them to a Junk Mail folder. By default, the preview pane is enabled in the Junk Mail folder. This is just stupid and asking for trouble. I don't think the existance of the features is the problem, but it is the fact that they were all on by default until recently and there was no warning or clearly written explanation of the harm that could be done.

simian

Forgive my ignorance here (I do used Suse Linux as a secondary OS), but isn't there some potential for some Linux OSes to open up the same sort of holes MS has, in the name of making the OS easier to use? In fact, isn't that one of the complaints about Lindows?

Simian

fishbulb

Sure. It is possible to configure any system to be insecure. Most major Linux distributions are configured so that services and features that have potential security implications are disbled by default, which means that they can't bite you unless you deliberately enable them, but it is entirely possible to release a Linux distribution that has all sorts of insecure features enabled by default.

It would be hard to match the sheer number of vulnerabilities present in a default Windows install because the Windows kernel supports to many more insecure features than the Linux kernel. Many Windows insecurities are unique to the design of Windows itself and the way it allows applications to communicate with each other and with the operating system. Nonetheless, it is possible to ship a Linux system that is full of ready-to-exploit vulnerabilities, and the Linux-based systems that attempt to emulate Windows are probably particularly at risk of emulating Windows-style vulnerabilities.

Ultimately, it requires a certain amount of knowledge and willingness to learn to use any network-connected computer in a safe and sane manner. Most people, unfortunately, have been lied to about how easy it is to use a computer safely and effectively. It isn't rocket science, but it isn't as simple as point, click, and drool either.