Re: CRIME FW: @Stake pulls pin on Geer: Effect on research and publication (fwd)

From: Crispin Cowan (crispin@private)
Date: Tue Sep 30 2003 - 13:37:59 PDT


Andrew Plato wrote:

>>The main thrust of the report is that monoculture is devastatingly
>>dangerous. Geer has said publicly that a Linux monoculture of the
>>same magnitude would be just as bad.
>>
>"Monoculture" or not. The report still ignores the fact that there are
>numerous diverse and independent systems that mitigate the risks of a
>"monoculture" environment.  Therefore, the report is artificially
>elevating the seriousness of the "monoculture" environment.
>
I don't think they ignore it. I think it highlights that this
heterogeneity needs to be preserved. So when you are considering a
security product to defend your Windows machines, make sure it does
*not* run on Windows :)

>>>In this report, the authors talk about the possibility of crafting an
>>>exploit that could wipe out or cause massive failure of Windows
>>>systems.
>>>
>>Like Code Red, Nimda, Sapphire, and Blaster, each of which was
>>capable of wiping out most Windows systems, and did. Seems like a
>>pretty credible claim.
>>
>But they didn't! You proved my point. Code Red, Nimda, Blaster, etc. all
>had the ability to wipe out the Internet and grind every machine to a
>halt. But they didn't. Code Red was probably the worst and it hit maybe
>25% of the Windows machines. Why? Again - third-party mechanisms
>(anti-virus, firewalls, intrusion prevention systems, etc.) contained
>that spread. Normalcy was restored within hours.
>
So the diversity that Geer et al. say we need to preserve worked.

>Embedded Windows is hardly a strong market. Sure, they have some little
>palm things and other simplistic devices. But even so, embedded Windows
>isn't going to run IIS or MS Word. Windows 2000 and embedded Windows may
>have some similar components, but they're not the same technologies. So,
>you're making an apples-to-oranges comparison.
>
To the contrary, they likely will run IIS to give the little embedded
widgets a web management interface. And they definitely will have RPC
DCOM, which is what Blaster leveraged.

>>When the August NE American blackout happened, there was a
>>significant report of some of the power grid being controlled by
>>a Windows RPC DCOM system, which is precisely the Windows component
>>that Blaster exploited. This may not have been the proximate cause
>>of the blackout, but there's essentially no reason why it could not
>>have been.
>>
>Yes, I have heard the same thing too. That situation could have been
>easily and painlessly mitigated with effective AV,
>
How could AV possibly have mitigated a server worm like Blaster? How
could *any* signature-based defense defend against a fast-spreading worm
that hits your machines faster than any AV company can distribute an
update? This was the point of Staniford et al.'s Warhol Worm paper
<http://www.vnunet.com/News/1132084>: that worms can spread across the
entire Internet in minutes, far faster than AV vendors can get a new
signature out.

>But, when companies make executive bonuses a priority and hire
>salespeople to do security audits, then they only have themselves to
>blame.
>
The point is not how concerned people can keep their own little islands
of functionality. It is about what will or won't affect the millions of
slackers out there who clearly do a bad job, and won't improve on
whatever they install.

>>And the 5% or so of Windows users who deploy these tools will be
>>safe, at least from direct attack. I'm running a Linux system
>>that is entirely safe from the Swen virus, and still I am
>>laboring under a 300% increase in mail traffic for the last
>>week due entirely to that single virus.
>>
>Get a firewall that blocks attachments. Easy as that.
>
Can't do that; I get legitimate e-mail that has attachments. Again, the
problem is not that my systems are vulnerable to Swen; the problem is
the sheer volume of crap that I get from all the other people out there
who are infected, and have my e-mail in their address book or web cache.

>>I disagree with the analogy. MS is the 900 lb gorilla,
>>and the rest of the problems are spider monkeys. MS has:
>>
>>a near monopoly on desktops
>>a near monopoly on document systems (Word, PowerPoint, Excel)
>>the #1 position in servers
>>the absolute worst security of all popular systems, by a long, long way
>>
>>I submit that security incidents & problems induced by Microsoft are greater
>>than the sum of all other problems combined. An easy claim to back up,
>>when you consider that most security incidents are cleaning up
>>virus-infected desktops.
>
>Wait, but Cisco IOS runs 90% of Internet traffic. So, isn't Cisco a 900
>lb gorilla as well? Why aren't we breaking up Cisco?
>
In theory, we should be very concerned about the substantial monoculture
in major routers. In practice, because Cisco's security doesn't suck,
they are rarely a security problem.

Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/
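The Warhol-worm point in the message above (a random-scanning worm saturating its vulnerable population before a signature can ship) can be made concrete with the random-constant-spread logistic model from Staniford et al. The code below is an added illustration, not part of the original message; the host count, scan rates and signature delay are constructed values for the purpose of the example.

```python
"""Random-constant-spread (RCS) logistic model of worm growth versus
AV signature delay. Added illustration; every number used is constructed."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniformly random-scanning worm probes


def contact_rate(vulnerable_hosts, scans_per_second):
    """K: new infections per infected host per second while few are infected."""
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def seconds_to_fraction(vulnerable_hosts, scans_per_second, target, initial_infected=1):
    """Closed-form time for the infected fraction to grow from a0 to target.
    Solves da/dt = K a (1 - a):  t = (logit(target) - logit(a0)) / K."""
    def logit(a):
        return math.log(a / (1.0 - a))
    k = contact_rate(vulnerable_hosts, scans_per_second)
    a0 = initial_infected / vulnerable_hosts
    return (logit(target) - logit(a0)) / k


def infected_when_signature_ships(vulnerable_hosts, scans_per_second,
                                  signature_delay_s, initial_infected=1, dt=1.0):
    """Discrete-time simulation: every dt seconds each infected host sends
    scans_per_second*dt random probes; a probe infects with probability
    (vulnerable - infected)/ADDRESS_SPACE. Growth stops when the signature
    ships (assumes instant, universal deployment: optimistic for the defender).
    Returns the fraction of vulnerable hosts already infected at that moment."""
    infected = float(initial_infected)
    t = 0.0
    while t < signature_delay_s and infected < vulnerable_hosts:
        probes = infected * scans_per_second * dt
        new = probes * (vulnerable_hosts - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable_hosts), infected + new)
        t += dt
    return infected / vulnerable_hosts


if __name__ == "__main__":
    N = 360_000            # constructed: size of the vulnerable population
    SIG_DELAY = 4 * 3600   # constructed: seconds until a new AV signature ships
    for rate in (10, 1000):  # constructed: probes per second per infected host
        t95 = seconds_to_fraction(N, rate, 0.95)
        frac = infected_when_signature_ships(N, rate, SIG_DELAY)
        print(f"{rate:5d} scans/s: 95% infected after {t95 / 3600:.2f} h; "
              f"{frac:.0%} already infected when the signature ships")
```

A hundredfold faster scanner cuts the time to saturation a hundredfold, so the same four-hour signature turnaround that contains the slow worm arrives after the fast one has already finished.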
    



    This archive was generated by hypermail 2b30 : Tue Sep 30 2003 - 14:02:50 PDT