On Wed, 2003-10-08 at 08:37, Andrew Plato wrote:
> > I think Andrew misses the point of the Geer, et. al. paper. The fact
> > that many sites can limit the damage caused by an exploit through the
> > use of third party solutions and/or good hygiene does not really solve
>
> > the problem...Even though it is possible for
> > clueful people to limit damage to their own sites, there is evidence
> > that many sites do not and the fact that these sites largely represent
>
> > a monoculture makes them an attractive target for worm and virus
> > writers.
>
> Let's break down Geer's (et al) premises:
>
> 1. A monoculture exists.
>
> 2. This monoculture has risks.
>
> 3. The monoculture is bad and should be changed.
>
> The first point is sound. Yes, a monoculture exists. No debate there.
>
> The second point is partially correct. In a vacuum, yes, the monoculture
> has risks. But this monoculture does not exist in a vacuum. It must
> interpolate with thousands of different systems. So those risks are not
> a grave as the paper suggests.
>
> The third point is absurd. It flies in the face of decades of security
> reasoning that says, when you have risks - mitigate them. Rather than
> focus on the risks, Geer focuses on the environment where those risks
> exist. And rather than talk about mitigating the risks, the paper
> suggests that we need to fundamentally alter the environment (i.e. bust
> up Microsoft.)
>
> This premise totally ignores the numerous 3rd party products that are
> NOT dependent on that monoculture that can secure it. So, while the
> monoculture might have risks, they are easily mitigated risks. Hence,
> this premise is flawed. It ignores one of the most salient concepts in
> security: risk mitigation.
I think there is a different problem here. The nature of computer use
is changing that makes third party apps less important here.
The current problem is that you have a move from the dominant users of
computers being computer professionals to one of a consumer market.
These are people who have, for the most part, no clue as to what third
party apps they need. Many of them are just now figuring out that they
need anti-virus software. Given a few more years, they might figure out
that keeping it current would be a good idea.
These are users who view computers as a form of techo-magic. You wiggle
the mouse thusly and things happen.
Now add in the influx of broadband "always on" connections into the
mix. You now have millions of insecure machines with no firewall
protection running as root user.
Anyone who had broadband should have a hardware firewall. Period. If
they want extra stuff, that can be an added bonus, but they need that as
a base level of protection.
The problem is that many broadband providers have made it difficult or
impossible to put a hardware firewall on their systems.
MSN is one of the worst in that area. They use proprietary protocols
that require a Windows box. (Which don't work very well, even on a
clean install. But that is another rant.) Their tech support has been
specifically instructed that hardware firewalls are not allowed or
supported for MSN broadband users.
Why do they do it? Most hardware firewalls provide DHCP. They
absolutly hate the idea of someone being able to hook up more than one
machine without being able to charge them extra. (Even though they
provide no extra service for the extra machine(s).)
This greed is a big part of the problem. Getting firwall protection for
all of the current broadband customers would solve a big chunk of the
problem.
Monoculture is not the problem. Unprotected monoculture is the problem.
--
alan at clueserver.org - alan at ctrl-alt-del.com
"...new-fangled and artificial treasons have been the great
engines by which violent factions, the natural offspring of
free government, have usually wreaked their alternate
malignity on each other...."
- James Madison in The Federalist No. 43,
This archive was generated by hypermail 2b30 : Wed Oct 08 2003 - 15:35:20 PDT