The Honolulu Advertiser
Posted on: Tuesday, February 17, 2004

Criticism of Microsoft 'monoculture' reverberates

By Justin Pope
Associated Press

CAMBRIDGE, Mass. — Dan Geer lost his job, but gained his audience. The very idea that got the computer security expert fired has sparked serious debate in information technology.

The idea, borrowed from biology, is that Microsoft Corp. has nurtured a software "monoculture" that threatens global computer security.

Geer and others believe Microsoft's software is so dangerously pervasive that a virus capable of exploiting even a single flaw in its operating systems could wreak havoc.

Just this week, Microsoft warned customers about security problems independent experts called among the most serious yet disclosed.

After he argued in a paper last fall that monoculture amplifies online threats, Geer was fired by security firm @stake Inc., which has had Microsoft as a major client.

Geer insists there's a silver lining to his dismissal. Once it got discussed on online forums, the debate about Microsoft's ubiquity gained in prominence. "No matter where I look I seem to be stumbling over the phrase 'monoculture' or some analog of it," Geer, 53, said.

In biology, species with little genetic variation — or "monocultures" — are the most vulnerable to catastrophic epidemics. Species that share a single fatal flaw could be wiped out by a virus that can exploit that flaw. Genetic diversity increases the chances that at least some of the species will survive every attack.

"When in doubt, I think of, 'how does nature work?' " said Geer, who has a doctorate in biostatistics from Harvard University.

"Which leads you, when you think about shared risk, to think about monoculture, which leads you to think about epidemic. Because the idea of an epidemic is not radically different from what we're talking about with the Internet."

Geer isn't the first to argue that the logic of living viruses also applies to the computer variety, and that the dominance and tight integration of Microsoft operating systems and software makes the global computing ecosystem vulnerable to a cascading failure. Geer's paper did little more than make the point with particular fervor — which only intensified when Geer was fired.

"The hoopla around him losing his job gave the story some extra frisson," said Internet security expert Bruce Schneier, a co-author with Geer. "He got fired because @stake wanted to be nice to their masters. But it's like the Christian Church boycotting a movie — everybody wants to see it now."

Microsoft, which denies pressuring @stake, says the comparison between computers and living organisms works only so well.

Scott Charney, chief security strategist for Redmond, Wash.-based Microsoft, says monoculture theory doesn't suggest any reasonable solutions; more use of Linux, a rival operating system, might create a "duoculture," but that would hardly deter sophisticated hackers.

True diversity, he said, would require thousands of different operating systems, which would make integrating computer systems and networks virtually impossible.

Another difference: computers can be unplugged from the network and rebooted; organisms cannot.

The theory also has skeptics outside of Microsoft. Security consultant Marcus Ranum has emphasized that many network threats have little to do with the vulnerabilities of monoculture. Planting three strains of corn offers insurance against some diseases, he notes, but without a fence, deer will eat all three.
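The three positions in the article (Geer's single-flaw cascade through a population that all runs the same software, Charney's "duoculture" rejoinder, and Ranum's point that some threats ignore platform entirely) can be made concrete with a toy epidemic simulation. The Python below is an added illustration written for this page; it is not code from the article, from Geer's paper, or from any company named here. The host populations, contact rates, recovery time and phishing rate are constructed parameters chosen to show the effect, not measurements. Infected hosts are "rebuilt" after a fixed number of rounds, standing in for the article's observation that computers, unlike organisms, can be unplugged and rebooted.

```python
import random

# Constructed host populations (illustrative, not data from the article).
# Each list entry is the platform label a host runs.
def monoculture(n, share=0.95):
    """`share` of hosts run platform A, the rest run B."""
    return ["A" if i < int(share * n) else "B" for i in range(n)]

def duoculture(n):
    """Charney's 'duoculture': two platforms, half the hosts each."""
    return ["A" if i % 2 == 0 else "B" for i in range(n)]

def diverse(n, k=5):
    """k platforms in equal shares (a hypothetical 'true diversity')."""
    return ["ABCDEFGH"[i % k] for i in range(n)]

def run_worm(platforms, rng, target="A", seeds=5, contacts=2, infectious_rounds=2):
    """SIR-style worm that exploits one flaw present only in platform `target`.

    Each infected host probes `contacts` random hosts per round and is rebuilt
    (immune) after `infectious_rounds` rounds. A probe infects only a
    susceptible host running `target`. Returns the fraction of ALL hosts ever
    infected. The reproduction number is roughly
        contacts * infectious_rounds * (share of hosts running `target`)
    so the same worm is supercritical in the monoculture and fizzles once the
    target's share drops below 1 / (contacts * infectious_rounds).
    """
    n = len(platforms)
    state = ["S"] * n                     # S susceptible, I infected, R rebuilt
    infected_at = {}
    vulnerable = [i for i, p in enumerate(platforms) if p == target]
    for h in rng.sample(vulnerable, seeds):   # several patient zeros
        state[h], infected_at[h] = "I", 0
    rnd = 0
    while "I" in state:
        rnd += 1
        for h in [i for i, s in enumerate(state) if s == "I"]:
            for _ in range(contacts):
                t = rng.randrange(n)
                if state[t] == "S" and platforms[t] == target:
                    state[t], infected_at[t] = "I", rnd
            if rnd - infected_at[h] >= infectious_rounds:
                state[h] = "R"            # unplugged, rebuilt, patched
    return sum(s != "S" for s in state) / n

def run_phishing(platforms, rng, p=0.10):
    """Platform-agnostic attack (Ranum's deer): every host falls with
    probability p regardless of what it runs, so the platform mix is irrelevant."""
    return sum(rng.random() < p for _ in platforms) / len(platforms)

def compare(n=2000, seed=2004):
    """Return {population name: (worm fraction, phishing fraction)}."""
    rng = random.Random(seed)             # fixed seed: deterministic run
    populations = {
        "monoculture 95/5": monoculture(n),
        "duoculture 50/50": duoculture(n),
        "five platforms 20% each": diverse(n),
    }
    return {name: (run_worm(p, rng), run_phishing(p, rng))
            for name, p in populations.items()}

if __name__ == "__main__":
    for name, (worm, phish) in compare().items():
        print(f"{name:26s} worm hit {worm:5.1%} of hosts, phishing hit {phish:5.1%}")
```

With these parameters the worm reaches almost every vulnerable host in the 95/5 monoculture, still produces a sizeable outbreak in the 50/50 duoculture (which is Charney's point that two platforms are not diversity), and dies out after a handful of infections when the target platform is one of five. The phishing column is roughly 10 percent in all three populations, which is Ranum's fence: diversity does nothing against an attack that does not depend on the platform.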

Geer — who continues to consult, lecture and work with a startup — also believes monoculture theory points the way to possible solutions. But those solutions are dramatic and haven't always been followed. They would require, for example, banning from the Internet computers whose software hasn't been kept current with security patches.

Microsoft's Charney doesn't entirely dismiss the idea of drawing lessons from biology. "Although biodiversity-monoculture issues may be more complex than people have been thinking about them, it does not mean you can't learn from it and draw some parallels," he said.

Geer calls such comments proof the idea is resonating. "You see Microsoft talking about it," he said, "when before, they didn't."