[ISN] The ecology of computer viruses

From: mea culpa (jerichoat_private)
Date: Wed Apr 07 1999 - 16:16:11 PDT

    Forwarded From: Aleph One <aleph1at_private>
         Who was vulnerable to Melissa? Only users
         and companies who'd standardized on a
         software "monoculture" -- like Microsoft's.
    By Jamais Cascio
    April 7, 1999 | I admit it: I am highly amused that a virus named after a
    topless dancer from Florida managed to bring the Internet to its
    (figurative) knees. I can be amused, since I wasn't affected by the virus
    in the least. Unlike the hapless users who found that a list of porn-site
    passwords had been sent from their machines to 50 of their nearest and
    dearest friends, I'm on a Mac, and I use Word Perfect and Eudora.

    Although the press trumpeted Melissa as the worst Internet attack since
    the Robert Morris Worm, only computers running a particular combination of
    Microsoft software were vulnerable in any meaningful way. You had to be
    running Windows and Word 97 and Outlook e-mail. People who weren't just
    sat back and wondered what the fuss was all about.

    For those of us who pay attention to such things, the fuss was, at its
    root, about organizations mandating a certain operating system, word
    processor and e-mail program for all of their users. Turns out that many
    of the places reporting an infestation of Melissa (and its variants) were
    corporations and government agencies that had enforced a single standard
    for computing within their confines.

    This has become increasingly common. For reasons of efficiency, entire
    offices -- from receptionists to graphic designers to engineers -- are
    moved to a "standard" platform. Everyone in the company uses the same
    system, regardless of whether it's the right tool for the job; no platform
    or software diversity is allowed.

    In biology, a local environment where only a single organism propagates is
    called a "monoculture." Usually found in agri-business, particularly
    forestry, monocultures are very efficient and profitable. An entire stand
    of trees in a "managed forest" will be of consistent size, wood type, even
    color, minimizing the waste and maximizing the profit from that acreage.
    Sometimes the plants are cloned from a standard model. Trees that aren't
    the right "crop" for the area are eliminated, as they take up space and
    sap resources that would otherwise go to the desired species.

    Natural monocultures are less common, but are not unknown. Extremely
    aggressive species, introduced into a region where their natural predators
    are unknown, can quickly overwhelm the ecological niches, driving the
    native competitors to the margins, or to extinction.

    The problem with monocultures is that they are extremely sensitive to
    attack. Monoculture stands are identical plants with identical defenses.
    Unlike a diverse stand of trees, a disease or infestation can rip right
    through a monoculture, leaving the entire forest worthless and dying. In a
    heterogeneous stand, diseases and infestations can be stopped when they
    don't have an immediate host to jump to; in a monoculture, every adjacent
    tree is a new host, waiting and vulnerable.

    The same can be said for computing environments.

    Melissa took advantage of the fact that an increasing number of computers
    run the same set of Microsoft programs. From the virus' perspective, all
    of these computers had the same "biology" -- they were the same species.
    As long as the virus got passed from compatible host to compatible host,
    it could continue to propagate and thrive. The only way it would stop
    would be if it found itself on a host that wasn't compatible, that didn't
    have the right set of Microsoft programs. A Mac, for example, or a network
    using Lotus Notes, or a user with Word 5 instead of Word 97.

    Heterogeneous environments can be safer from infectious attacks because
    they don't provide a wealth of identical hosts through which a virus can
    replicate and spread. In a diverse ecology, each of the different species
    will have a different set of defenses and different kinds of
    vulnerabilities. This is not a new revelation; for years, it was standard
    procedure in the aeronautics industry to have redundant pieces of flight
    software, in many cases written by entirely different teams, so that they
    wouldn't fail in the same way.

    Admittedly, there are compelling reasons to standardize on a particular
    platform or a particular set of applications. It's a more efficient use of
    tech support time, especially as popular systems become increasingly
    complex and difficult to support. Standardizing on a given set of programs
    means not having to worry about incompatible file types. The deals
    Microsoft offers computer manufacturers also come into play: Why spend
    money for competing applications if consumers can get this software for

    Then there are the increasingly complex inter-application connections in
    Microsoft programs. In many situations, the intimate coupling of
    programming interfaces and dynamic libraries means that applications can
    work together tightly. But problems arise when this increasing software
    integration (reportedly, Windows 2000 will include Outlook as part of the
    operating system) comes with little or no security. A successful attack on
    one part of the computer opens up the entire machine, and then the entire

    The appalling aspect of the Melissa macro-virus is not that it got loose,
    but that it was possible at all. Why is it that a word processing document
    can grab a copy of your address book and send out copies of itself under
    your name without you even knowing about it? Who decided that swoopy new
    features and powerful inter-application commands should be added to a
    system without any thought of security? We should be grateful that the
    Melissa author chose only to be annoying, and not truly malicious.

    Lest I be accused of gratuitous Microsoft-bashing, let me quickly
    acknowledge that an all-Macintosh or all-Unix environment would be nearly
    as vulnerable to monoculture attacks as an all-Windows office, if there
    were the same sort of aggressive development of Mac or Unix viruses.

    The reality of the world, however, is that Microsoft has come to dominate
    a growing set of digital environmental niches. The relentless spread of a
    single platform, steadily incorporating more and more interrelated
    "features," marginalizes, pushes out and finally kills its ecological
    competition -- in turn creating the very monocultures that leave the
    software vulnerable to subversion.

    Melissa's spread should not surprise us. Instead, we should take it as a
    friendly warning.

    salon.com | April 7, 1999