Fog Creek Software
Discussion Board




Blaster conclusions

Reading through the recent brown storm on the blaster fiasco I came to some conclusions.

An OS monoculture is bad. Someone made the analogy of if all Ford made was one model and there was a recall, things would be tough.

There are various reasons to apply or not apply patches:
1.  You need them (apply)
2.  They might break something (test, eventually apply)
You need to assess the risk and have a plan.  The recent NT ras patch comes to mind as one of those "here's a patch for a patch, patch"

If as a company you have a monoculture you need to calculate that into your TCO because as sure as bears $h!t in the woods, you will have a security related incident because of it and spend thousands or hundreds of thousands or more fixing your systems. "We saved piles of money by standardising on this operating system called Dutch Elm, I can't possibly foresee anything that would make us want to run more OSes."

Go figure
Friday, August 15, 2003

I don't understand this - if an OS monoculture is bad - then you'll be pushing the "monoculture" to the app level, such as a cross-platform ERP client. Since there are usually shared apps among significant, disparate parts of the company, you have to standardize on *something*, and then that something will be the point of attack.

Ankur
Friday, August 15, 2003

Outlook is the app of choice for those wishing to distribute worms.

The same monoculture argument pertains.

It's really evolution in action. If you have a single strain of a particular software and many strains of viral software then the viral software will always find a successful way to breed.

Although, it also means that the software that's attacked, if it develops defences itself, becomes stronger.

Simon Lucy
Friday, August 15, 2003

I think every company should have 50 different types of OS and office products to ensure they don't have a monoculture and so are not vulnerable to viruses. This sounds like a great idea.


Friday, August 15, 2003

Much of today's software is Java and/or Web based; both clients and servers can be deployed without being forced to create a monoculture. That's what standards are for - they give you choice.

With the exception of operating systems and the MS office suite, I don't think there's any program that is widespread enough.

A worm that attacks an ERP program would have 2000 installations worldwide, strongly separated, to propagate to -- chances of that happening are slim. WinAmp and Media Player could use a third contender, but neither is a "worldwide monoculture".

I suppose most of the readers are unaware, but a Sun monoculture brought the internet down back in 1989 (or was it 1990?) when J.T.Morris' internet worm was let loose. In 1990 (or was it 1991?), a significant part of the US telephony system was down due to a software monoculture in the exchanges that contained a rebounding bug.

Linux is not a monoculture so long as you make sure you use different distros and different hardware. Unixes at large are even less of a monoculture. And if you hedge your bets by running some servers on *BSD, some on Linux, some on Win32, some on HP/UX etc - then your chances for a resilient system are much, much better.

[And you did remember not to rely on a network infrastructure monoculture, did you?]

Ori Berger
Friday, August 15, 2003

50 is exaggerated (my "hedging" argument was taking an idea ad absurdum), but 2 or 3 can significantly decrease the TCO. Because monoculture subjects you not just to technical issues (flaws, malware, viruses, etc) -- but also to having no real negotiation power.

Ori Berger
Friday, August 15, 2003

The argument about monoculture seems very flawed to me.

You save a lot by standardising everything to the same OS, office suite, development tool, etc.

Of course, there are cases when this is not true, but for most companies, it's very true.

I think that the benefits of a "monoculture" far outweigh its drawbacks, like being very vulnerable to attacks.

Just hire competent network administrators (more than one if needed), and this will solve the problem.

And no, I am in no way affiliated with M$.

Roger
Friday, August 15, 2003

Let me get this straight.
Companies get hosed by a worm because of flaws in their operational procedures, where I bet the root cause lies with understaffing and underinvestment. Your solution to the problem is that those same overworked staff that could not test/patch in time now have to support duplicate heterogeneous instances of all the systems, and this will make the operational result better?

Just me (Sir to you)
Friday, August 15, 2003

Skipping monoculture for a second (there's a reason why it's used on large farms, and why it can lead to massive systemic collapses, just like a single power grid is very efficient until it collapses), there's another important conclusion:

* Don't put everything on the internet.

As much as some people have ridiculed their small clients here for not wanting to be on the 'net, systems which operate real-world important systems need to learn not to be on the internet. Things like banking systems, and more importantly the infrastructure of power systems, etc. There might be a few interconnects, but they should not be automatic. Back to the old days, maybe, but the stuff is cheap enough now that you can stick two computers on most people's desks if that's the main issue.

mb
Friday, August 15, 2003

It does seem managers love single vendor monocultures. In my opinion when I am asked about the possibility of a single vendor monoculture reducing TCO, I respond with my favorite Bill Gates-ism. I look them right in the eye and say "That's the stupidest f'ing thing I've ever heard."

Go Figure
Friday, August 15, 2003

And guess what? Just today Germany's largest computer magazine (accompanied by its huge community) made a connection between W32.Blaster and the recent blackouts in the States:

http://www.heise.de/newsticker/data/ju-15.08.03-001/ (yes, it's in German)

After "heavy investigations" they found out that National Grid USA uses OPC (OLE for Process Control), which is "the technology being vulnerable for W32.Blaster". And: "Because National Grid USA was not available for a statement, several questions are pending: (1) In what ways does the NG USA utilize OPC? (2) Have there been any problems with OPC during the blackout? If so: are they caused by W32.Blaster?"

Gee.

Johnny Bravo
Friday, August 15, 2003

Go Figure,

and then after the manager has let you regain control of your bladder and asks "Would you care to elaborate?", do you have a good story as to why developing every single piece of software twice and operating a full heterogeneous redundant network of systems is really cost beneficial?

Just me (Sir to you)
Friday, August 15, 2003

Sir,

No, you don't deploy every piece on everything. I'm just saying when you need a system that does xyz be open to different platforms. I am not talking about custom written stuff a company does. Buy systems that follow standards and they are easy enough to integrate.

Go Figure
Friday, August 15, 2003

Johnny, if it is true that OLE and the worm were to blame, I think this may be the black eye M$ needs

no s sherlock
Friday, August 15, 2003

Personally, I doubt the blackout has anything to do with MS. That theory just feeds the MS-bashers.

Johnny Bravo
Friday, August 15, 2003

Just Me:

No, you don't double everything.

But if you've got many databases, make some of them Oracle and some of them SQL Server. If your IT team can't handle that, you've got much bigger problems than a monoculture can cause.

And about custom development - if you do that in Java (as most "enterprise class" organizations do these days), you have to pay very little attention to make sure it runs on anything that runs Java.

If you program in C / C++, you can use a cross platform environment. It usually doesn't require much more than foresight.

And no, I don't like Java.

When you break down what it costs NOT to have a monoculture, the cost is monetarily small to nonexistent, and usually has to do with getting COMPETENT people to make decisions.

Now _that's_ hard. Imagine if decision makers in these companies actually knew what they were doing!

Ori Berger
Friday, August 15, 2003

Ori,

unless we are talking redundant duplicate systems on dissimilar platforms, you're still down when something happens on a specific platform, so where is the gain?

Just me (Sir to you)
Friday, August 15, 2003

Sir, If I may interject here, I think the benefit is that while yes, some business processes may be entirely down or have a chain in the link broken the benefit is that your ENTIRE organization is not down.  Imagine if this worm formatted hard drives or something else very bad?

Go Figure
Friday, August 15, 2003

Let's say you had a firm corporate commitment to heterogeneous systems. You have windows and linux dns and dhcp servers, some dev systems are win/.net, some are linux/java. You run SQL server, Oracle, MySQL, and PostgreSQL. Of course you have approximately 2-2.5x the staff it would take to manage this, ah, "cluster" than it would a homogeneous win/sql or linux/oracle shop.

And when slammer 2 comes out the entire network is *still* down because your sql servers are screaming all over the network. So much for all that money spent.

OTOH, if you maintained the solution I suggested in a later post (strong network segmentation, paranoid networking), you wouldn't have this problem on a homogeneous network.

And it's *cheaper*.

Philo
Friday, August 15, 2003
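The disagreement between Ori (mix platforms so one flaw cannot take everything down) and Philo (a worm on a flat network degrades the whole network anyway, so segment instead) can be put into a small model. The following is an added example and not code from the thread or any of its posters; the fleet, segment names, platform names and the "one segment is flooded if it holds an infected host" rule are constructed assumptions. It spreads a hypothetical worm over a reachability policy and reports, for each design, how many hosts are compromised and how many segments see the worm's traffic.

```python
from collections import deque
from dataclasses import dataclass

# Added example, not code from the thread. The fleet, segments and platform
# names below are constructed to illustrate the argument, nothing more.


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    platform: str


def build_fleet(platforms, segments=("finance", "ops", "dev"), per_segment=4):
    """Constructed inventory: per_segment hosts in each segment, platforms
    handed out round-robin so a mixed fleet has every platform in every segment."""
    hosts, i = [], 0
    for seg in segments:
        for n in range(per_segment):
            hosts.append(Host(f"{seg}-{n}", seg, platforms[i % len(platforms)]))
            i += 1
    return hosts


def reachable(src, dst, segmented):
    """Flat network: every host can talk to every other. Segmented network
    (the 'paranoid networking' policy): only hosts in the same segment can."""
    return (not segmented) or src.segment == dst.segment


def simulate_worm(hosts, vulnerable_platform, patient_zero, segmented):
    """Spread from patient_zero to every reachable host of the vulnerable
    platform (breadth-first over the reachability policy). Returns the set of
    infected host names and the set of segments containing an infected host;
    the latter stands in for segments flooded by the worm's scanning traffic,
    whichever platform their other hosts run."""
    by_name = {h.name: h for h in hosts}
    start = by_name[patient_zero]
    if start.platform != vulnerable_platform:
        return set(), set()          # patient zero is immune: nothing happens
    infected = {start.name}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for h in hosts:
            if h.name in infected or h.platform != vulnerable_platform:
                continue
            if reachable(cur, h, segmented):
                infected.add(h.name)
                queue.append(h)
    degraded = {by_name[n].segment for n in infected}
    return infected, degraded


def compare_designs(vulnerable_platform="win", patient_zero="finance-0"):
    """Run the four combinations the thread argues about and return, per
    design, (hosts compromised, segments flooded)."""
    fleets = {"monoculture": build_fleet(("win",)),
              "mixed": build_fleet(("win", "linux"))}
    results = {}
    for fleet_name, hosts in fleets.items():
        for segmented in (False, True):
            infected, degraded = simulate_worm(
                hosts, vulnerable_platform, patient_zero, segmented)
            label = f"{fleet_name}/{'segmented' if segmented else 'flat'}"
            results[label] = (len(infected), len(degraded))
    return results


if __name__ == "__main__":
    for design, (hosts_hit, segs_hit) in compare_designs().items():
        print(f"{design:24} compromised hosts: {hosts_hit:2}  "
              f"segments flooded: {segs_hit}")
```

In this toy fleet of 12 hosts, a mixed platform fleet on a flat network halves the hosts compromised but leaves all three segments flooded, which is Philo's point; segmentation alone confines both the compromise and the traffic to the one segment where the worm started; the two measures together give the smallest blast radius, which is the case neither poster argued for but which the model makes easy to see.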

What's the benefit of a multiple-vendor office again?  So that your office is susceptible to Linux insecurities as well as Microsoft insecurities?  Oracle and mySQL insecurities in addition to SQL insecurities?  Apache insecurities as well as IIS insecurities?

Seems to me you've doubled your target size, not halved it.

Beensquared
Friday, August 15, 2003

Heterogeneity is good across offices, but within an office it's more of a headache -- I think Beensquared has the more likely answer.

However, a limited amount is good. So when your windows machines croak, you can use your mac/linux/beos/os/2 box to connect to the net and download patches/send email/whatever.

mb
Friday, August 15, 2003

The fallacy in the mono-culture argument - which is one of the standard anti-Microsoft lines - is that there are better and more effective methods for protecting networks.

Managing diverse platforms creates lots of extra work and problems. A better investment is to improve the sys-admin procedures.


Friday, August 15, 2003

You monoculture guys just don't get it. Have a happy life wondering when the next Microsoft snafu will bork ALL of your machines.

Not a member of the flat earth society
Friday, August 15, 2003

"You monoculture guys just don't get it.  Have a happy life wondering when the next Microsoft snafu will bork ALL of your machines "

This monoculture guy will have a happy life knowing that the next worm won't bork ANY of my machines because my network is competently administered so that patches are applied a few days after release at the most, instead of still not being applied a month after release.

You have a happy life wondering if the code you download from the gnu project servers has been touched by those hackers that hacked into the server in March.

Robert Moir
Saturday, August 16, 2003
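Robert's claim rests on a measurable practice: every host gets each patch within a few days of release. The first post in the thread also mentions the "patch for a patch" case, where a later patch replaces an earlier one. The script below is an added example, not code from the thread or any poster; the patch ids, hosts and dates are constructed placeholders, and the seven-day SLA is an assumed policy. It reads an inventory of installed patches, honours supersedence so that a host carrying the replacement patch is not flagged for the original, and reports which hosts are past the SLA for which patches.

```python
from datetime import date, timedelta

# Added example, not code from the thread. Patch ids, hosts and dates are
# constructed placeholders, not real bulletins.

# Constructed advisory feed: patch id -> (release date, id of the patch it
# supersedes, or None). "PATCH-A2" is the "patch for a patch" case.
PATCHES = {
    "PATCH-A":  (date(2003, 7, 16), None),
    "PATCH-A2": (date(2003, 7, 30), "PATCH-A"),
    "PATCH-B":  (date(2003, 8, 1), None),
}

# Constructed inventory: host -> patches the host reports as installed.
INVENTORY = {
    "fileserver": {"PATCH-A2", "PATCH-B"},  # current: PATCH-A2 also covers PATCH-A
    "mailgw":     {"PATCH-A"},              # has the original fix only
    "kiosk":      set(),                    # never patched
}


def effective_patches(installed, patches):
    """Expand the installed set so that a superseding patch also counts for
    everything it replaces, following the supersedence chain downward."""
    covered = set(installed)
    for pid in installed:
        while pid in patches and patches[pid][1] is not None:
            pid = patches[pid][1]
            covered.add(pid)
    return covered


def overdue_report(inventory, patches, today, sla_days=7):
    """For each host, list (patch, days past the SLA deadline) for every patch
    that is released, not covered, and older than sla_days. Patches that have
    themselves been superseded are skipped: only the newest patch in a chain
    is the actionable one."""
    superseded = {old for _, old in patches.values() if old is not None}
    report = {}
    for host, installed in inventory.items():
        covered = effective_patches(installed, patches)
        late = []
        for pid, (released, _) in patches.items():
            if pid in superseded or pid in covered:
                continue
            deadline = released + timedelta(days=sla_days)
            if today > deadline:
                late.append((pid, (today - deadline).days))
        if late:
            report[host] = sorted(late)
    return report


if __name__ == "__main__":
    # Run the check as of the date of this thread (constructed reference date).
    for host, late in overdue_report(INVENTORY, PATCHES, date(2003, 8, 15)).items():
        for pid, days in late:
            print(f"{host}: {pid} is {days} day(s) past the SLA deadline")
```

Run daily against a real inventory export, the report is the evidence behind "a few days after release at the most": a host that appears on it is the one that a worm written against a month-old flaw will find. Skipping superseded patches keeps the list actionable, since installing the original patch on "mailgw" would not clear its entry for PATCH-A2.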

You know, some worms / viruses / whatever exploit a vulnerability that _wasn't_ reported to the vendor, and for which a patch will only be available after the attack is in full force. That has happened before (not in any of the recent worms, though), and may happen again.

Microsoft's internal network has been hacked in the past (last year). They say nothing was changed. Perhaps nothing really was. But blind trust in a commercial vendor is something that reality will cure you of one of these days.

And ... something I keep posting and everyone keeps ignoring (and that somewhat troubles me -- why is that?). Administering two different systems does NOT take twice the effort of administering two copies of the same system. It's very much like saying that driving both a Ford and a Toyota requires twice as many drivers as driving two Fords. While e.g. Solaris and Win2000 are farther apart than WinNT4 and WinXP, a competent admin should have little problem managing both.

Ori Berger
Saturday, August 16, 2003

<quote>
You monoculture guys just don't get it.  Have a happy life wondering when the next Microsoft snafu will bork ALL of your machines

Not a member of the flat earth society
Friday, August 15, 2003
</quote>

Is your argument against ANY monoculture? Or is it against an MS monoculture in particular?

If the former, your second sentence makes no sense (since it would not apply, for example, to a Linux monoculture).

If the latter, then why not be clear, and say that you are against MS rather than a monoculture.

BTW, I love your handle - "Not a member of the flat earth society." Good to show that in reasoned debate today that people can distinguish between scientifically proven fact (ie the earth is round vs flat) and opinion (eg Linux is better than Windows, or vice versa).

Seeya

Matthew
Sunday, August 17, 2003
