Forwarded From: Aleph One <aleph1at_private> http://www.salon.com/tech/feature/1999/04/07/melissa/index.html Who was vulnerable to Melissa? Only users and companies who'd standardized on a software "monoculture" -- like Microsoft's. By Jamais Cascio April 7, 1999 | I admit it: I am highly amused that a virus named after a topless dancer from Florida managed to bring the Internet to its (figurative) knees. I can be amused, since I wasn't affected by the virus in the least. Unlike the hapless users who found that a list of porn-site passwords had been sent from their machines to 50 of their nearest and dearest friends, I'm on a Mac, and I use Word Perfect and Eudora. Although the press trumpeted Melissa as the worst Internet attack since the Robert Morris Worm, only computers running a particular combination of Microsoft software were vulnerable in any meaningful way. You had to be running Windows and Word 97 and Outlook e-mail. People who weren't just sat back and wondered what the fuss was all about. For those of us who pay attention to such things, the fuss was, at its root, about organizations mandating a certain operating system, word processor and e-mail program for all of their users. Turns out that many of the places reporting an infestation of Melissa (and its variants) were corporations and government agencies that had enforced a single standard for computing within their confines. This has become increasingly common. For reasons of efficiency, entire offices -- from receptionists to graphic designers to engineers -- are moved to a "standard" platform. Everyone in the company uses the same system, regardless of whether it's the right tool for the job; no platform or software diversity is allowed. In biology, a local environment where only a single organism propagates is called a "monoculture." Usually found in agri-business, particularly forestry, monocultures are very efficient and profitable. An entire stand of trees in a "managed forest" will be of consistent size, wood type, even color, minimizing the waste and maximizing the profit from that acreage. Sometimes the plants are cloned from a standard model. Trees that aren't the right "crop" for the area are eliminated, as they take up space and sap resources that would otherwise go to the desired species. Natural monocultures are less common, but are not unknown. Extremely aggressive species, introduced into a region where their natural predators are unknown, can quickly overwhelm the ecological niches, driving the native competitors to the margins, or to extinction. The problem with monocultures is that they are extremely sensitive to attack. Monoculture stands are identical plants with identical defenses. Unlike a diverse stand of trees, a disease or infestation can rip right through a monoculture, leaving the entire forest worthless and dying. In a heterogenous stand, diseases and infestations can be stopped when they don't have an immediate host to jump to; in a monoculture, every adjacent tree is a new host, waiting and vulnerable. The same can be said for computing environments. Melissa took advantage of the fact that an increasing number of computers run the same set of Microsoft programs. From the virus' perspective, all of these computers had the same "biology" -- they were the same species. As long as the virus got passed from compatible host to compatible host, it could continue to propagate and thrive. The only way it would stop would be if it found itself on a host that wasn't compatible, that didn't have the right set of Microsoft programs. A Mac, for example, or a network using Lotus Notes, or a user with Word 5 instead of Word 97. Heterogenous environments can be safer from infectious attacks because they don't provide a wealth of identical hosts through which a virus can replicate and spread. In a diverse ecology, each of the different species will have a different set of defenses and different kinds of vulnerabilities. This is not a new revelation; for years, it was standard procedure in the aeronautics industry to have redundant pieces of flight software, in many cases written by entirely different teams, so that they wouldn't fail in the same way. Admittedly, there are compelling reasons to standardize on a particular platform or a particular set of applications. It's a more efficient use of tech support time, especially as popular systems become increasingly complex and difficult to support. Standardizing on a given set of programs means not having to worry about incompatible file types. The deals Microsoft offers computer manufacturers also come into play: Why spend money for competing applications if consumers can get this software for "free"? Then there are the increasingly complex inter-application connections in Microsoft programs. In many situations, the intimate coupling of programming interfaces and dynamic libraries means that applications can work together tightly. But problems arise when this increasing software integration (reportedly, Windows 2000 will include Outlook as part of the operating system) comes with little or no security. A successful attack on one part of the computer opens up the entire machine, and then the entire network. The appalling aspect of the Melissa macro-virus is not that it got loose, but that it was possible at all. Why is it that a word processing document can grab a copy of your address book and send out copies of itself under your name without you even knowing about it? Who decided that swoopy new features and powerful inter-application commands should be added to a system without any thought of security? We should be grateful that the Melissa author chose only to be annoying, and not truly malicious. Lest I be accused of gratuitous Microsoft-bashing, let me quickly acknowledge that an all-Macintosh or all-Unix environment would be nearly as vulnerable to monoculture attacks as an all-Windows office, if there were the same sort of aggressive development of Mac or Unix viruses. The reality of the world, however, is that Microsoft has come to dominate a growing set of digital environmental niches. The relentless spread of a single platform, steadily incorporating more and more interrelated "features," marginalizes, pushes out and finally kills its ecological competition -- in turn creating the very monocultures that leave the software vulnerable to subversion. Melissa's spread should not surprise us. Instead, we should take it as a friendly warning. salon.com | April 7, 1999 -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:22:05 PDT