IT Monoculture Or Mass Hysteria?
MonsieurEvil
Join Date: 2002-01-22 Member: 4Members, Retired Developer, NS1 Playtester, Contributor
Join Date: 2002-01-22 Member: 4Members, Retired Developer, NS1 Playtester, Contributor
in Discussions
<div class="IPBDescription">An interesting editorial for discussion</div> <a href='http://www.theregister.com/content/4/33396.html' target='_blank'>http://www.theregister.com/content/4/33396.html</a>
An interesting editorial on the concept of homogenous networking and the corporate IT environment. If you don't read the whole article, or do not understand enterprise computing, don't bother posting here as you will be eaten alive by my rebuttals. For those in the IT engineering field or with a desire to do so, feel free to add your thoughts on this article. My personal opinion is that it's pretty spot-on and points out the fallacy that getting rid of microsoft will somehow make computing more safe (especially since most people who say this are too young to remember UNIX and mainframe computing, and how often it was successfully attacked in the 80's and early 90's before they became marginalized by PC's).
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->From the attention the subject is attracting at the moment, one might assume that our so-called software “monoculture” is about to spawn a plague of biblical proportions, writes Stephen O'Grady of tech analyst firm RedMonk.
Gartner’s new study, discussed here, recommends that user organizations deliberately deploy other platforms in certain domains as a defense against viruses and vulnerabilities associated with Windows. The idea is that if an attack on Microsoft platforms succeeds, and “cascades” through the network, then some users running non-Windows systems will be insulated from the attack.
The Gartner report follows hot on the heels of another publication containing very similar arguments. Just a few weeks ago the Computer & Communications Industry Association (CCIA), a trade group closely associated with most of Microsoft’s major competitors, published a report entitled “CyberInsecurity: The Cost of Monopoly -- How the Dominance of Microsoft's Products Poses a Risk to Security.” That publication, which was, incidentally, possibly responsible for getting one of its authors fired, concludes that the nature of a software monoculture pre-disposes users to unacceptable levels of risk of catastrophic, system-wide failures. Further back in time, others have made the same argument, as we see from a highly entertaining article by John Quarterman here which draws parallels between the monoculture Internet and the threat of the Boll Weevil on the Cotton Crop in the early part of the last century.
What’s RedMonk’s take? We think arguments underpinning the monoculture narrative are somewhat under-baked, and rest on somewhat doughy foundations. However, the narrative engendering these arguments is extremely powerful, which makes life far harder for Microsoft. The monoculture narrative is easy to understand. It has powerful and vocal champions in an internet community that is already predisposed to anti-MS feeling. The narrative comes at a particularly bad time for Microsoft—some customers that were willing to give Microsoft the benefit of the doubt when it comes to Trustworthy Computing(TwC) feel they have had their fingers burned. The monoculture narrative is sticky, and is aimed at a receptive audience. Microsoft’s biggest problem is that the monoculture narrative essentially appeals to the gut rather than the head; it’s an appealing story, without requiring compelling facts (in the IT domain) to back it up.
A few analysts have leapt to Microsoft’s defense on the subject as well. In these politically correct times arguing against diversity is often not the best way to win friends and be popular, but Rob Enderle makes the case here that diversity is not always a good thing. While we don’t subscribe to his notion that “diverse environments are less secure,” neither do we believe that they are intrinsically more secure. Michael Gartenberg, for his part, points to the fallacy of the underlying assumption that alternate options may be more secure. We think this argument overlooks the point of Gartner’s study, which is more about the timing of the failures, but his point has its merits.
We’ve treated the underlying arguments and conclusions seriously, however, and it seems to us that both the CCIA and Gartner’s conclusions are based on some flawed assumptions. To wit:
What Monoculture?
While many point to Microsoft’s ubiquity on the desktop as the major systemic threat to cybersecurity today, does it really make sense to view the desktop as a monoculture? Sometimes it’s better to see the trees than the forest, because as it turns out not all trees are the same. Without question, Microsoft’s different operating systems share vulnerabilities, but despite the widespread impact of some very serious exploits like the Blaster disaster, experiences vary.
Widespread virus attacks are unquestionably inconvenient, and a tremendous loss of productivity to those affected – and that’s just the beginning. But those organizations, for example, that employ personal, as well as perimeter, firewalls emerged relatively unscathed by Blaster. Those organizations that had taken the time to patch their machines with the available fixes also didn’t have to worry about that vulnerability. The point here is not that Microsoft is without blame, because it is not, but to describe Microsoft systems as uniform, and so uniformly at risk, is to ignore significant differences in configuration and management.
Other Monocultures
As seductive as it is to root for David against Goliath, the fact is: Microsoft is not the only “monoculture” in the digital world. Protocols and open APIs are an example of a necessary monoculture; it would be difficult to describe the web, for example, without HTTP as a common interface. Or DNS. And so on.
Linux is increasingly a monoculture. Linux is seen as “the Microsoft alternative”, and as such, is almost by definition a monoculture. Apache, like Linux, is one of the core applications constituting the web’s backbone. Should we kick Linux and Apache out or reduce their exposure in favor of IBM AIX, say, and Lotus Domino, just because these are not Microsoft and not Linux? We don’t think so.
Six of One, Half a Dozen of Another
This fact shouldn’t be news to anyone, but other operating systems have vulnerabilities too. Really – it’s true. Linux – the current OS du jour – has its occasional difficulties. A recent study by the mi2g group – which was not directly commissioned by Microsoft – found that Linux was actually breached more often than Microsoft’s server product. But vulnerabilities happen to everyone. A vulnerability in OpenSSH - the secure shell underpinning Linux and some Unix communications, was identified by in September. The vulnerability, based on a good old buffer overflow attack, could potentially allow a remote machine to access a network. OpenSSH is shipped with most Linux distributions, and the Apache web server. The fact is that all software is potentially insecure; some is better, some is worse.
In that context, making your desktop environment heterogeneous may make you less susceptible to a tsunami style failure (which one would hope would be a very rare event), but as we’ve seen above there are ways to minimize your risk of those failures through patching and configuration management – although these methods are too inaccessible for most users right now. And interestingly, by diversifying, you’ve just upped the amount of vulnerabilities that your IT staff needs to monitor. Instead of just watching for Windows vulnerabilities, they now need to watch for both. This makes us more secure how, exactly?
Biological Arguments
One of the main concerns we have about the monoculture narrative is that is based on the sweeping usage of biological examples. Whether it’s Boll Weevils or communicable diseases, these metaphors can only be so relevant to IT.
RedMonk clearly believes analogies drawn from nature are an excellent way of communicating and making accessible difficult technical concepts. Many CFOs will fall asleep, drooling, half way through a conversation about protocol vulnerabilities, for example, but start talking about the economic effects of smallpox or the bubonic plague on an unprepared population and you’re pretty much guaranteed to have their attention. It’s very important to remember, however, that these concepts are analogs and metaphors, and should be treated as such.
Nature has much to teach us, but it is not a perfect mirror for the digital world. McAfee Antivirus does not equal a flu shot, a firewall does not equal a Hazmat suit, and a Boll Weevil only has so much similarity to a piece of viral code written by a 17 year old. Are there parallels to be found? Certainly. But let’s not get carried away by them, because the digital world is as different from the natural world as it is similar.
IT and the Decision Making Process
Most importantly, however, we believe that any purchasing decision should be driven by business requirements rather than abstract notions of security through diversity. While the latter may have some beneficial impact during a disaster type scenario, a lack of attention to the former is certain to have a negative impact on end-user productivity and TCO.
This is not to say, please note, that an alternative desktop equates with poor performance or an inability to meet user requirements. Products like the Java Desktop System and the SuSE Enterprise Desktop have their places, but to us the decision to use or not use those products should be based on their merits and ability to meet the established requirements. At RedMonk, for example, we could have half of our staff running on Apple and half running on Linux and thus be free from Windows based viruses, with a diversified threat base.
Doing so, however, would make it harder, not easier, to work together, while our software purchasing and maintenance resources would be stretched. CRM implementations have long been maligned for their failure to meet business requirements; often this is because IT has not adequately addressed the needs of their users, and so CRM systems go unused. Implement a “diversity” oriented solution for the dubious security advantages it might present, and the result is likely to be no different. Gartner, to their credit, recognizes when it recommends that this approach be done right, or not at all.
Ultimately we believe the monoculture narrative is itself a cultural virus. Organizations should therefore be very careful in making purchasing and strategy decisions based on it. Diversification as a concept should be examined as a strategy no more or less important than issues like resource requirements, total cost of ownership, and user needs. Security is an important concern for everyone, and we don’t want to downplay its role in the decision making process. But to make that factor the primary motivator for sales of a desktop package strikes us as the worst kind of IT driven decision making. There are a lot of good reasons to pursue alternative desktop strategies where appropriate, but we don’t believe that concerns about “monoculture” are one of them.
© Copyright 2003 RedMonk
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
An interesting editorial on the concept of homogenous networking and the corporate IT environment. If you don't read the whole article, or do not understand enterprise computing, don't bother posting here as you will be eaten alive by my rebuttals. For those in the IT engineering field or with a desire to do so, feel free to add your thoughts on this article. My personal opinion is that it's pretty spot-on and points out the fallacy that getting rid of microsoft will somehow make computing more safe (especially since most people who say this are too young to remember UNIX and mainframe computing, and how often it was successfully attacked in the 80's and early 90's before they became marginalized by PC's).
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->From the attention the subject is attracting at the moment, one might assume that our so-called software “monoculture” is about to spawn a plague of biblical proportions, writes Stephen O'Grady of tech analyst firm RedMonk.
Gartner’s new study, discussed here, recommends that user organizations deliberately deploy other platforms in certain domains as a defense against viruses and vulnerabilities associated with Windows. The idea is that if an attack on Microsoft platforms succeeds, and “cascades” through the network, then some users running non-Windows systems will be insulated from the attack.
The Gartner report follows hot on the heels of another publication containing very similar arguments. Just a few weeks ago the Computer & Communications Industry Association (CCIA), a trade group closely associated with most of Microsoft’s major competitors, published a report entitled “CyberInsecurity: The Cost of Monopoly -- How the Dominance of Microsoft's Products Poses a Risk to Security.” That publication, which was, incidentally, possibly responsible for getting one of its authors fired, concludes that the nature of a software monoculture pre-disposes users to unacceptable levels of risk of catastrophic, system-wide failures. Further back in time, others have made the same argument, as we see from a highly entertaining article by John Quarterman here which draws parallels between the monoculture Internet and the threat of the Boll Weevil on the Cotton Crop in the early part of the last century.
What’s RedMonk’s take? We think arguments underpinning the monoculture narrative are somewhat under-baked, and rest on somewhat doughy foundations. However, the narrative engendering these arguments is extremely powerful, which makes life far harder for Microsoft. The monoculture narrative is easy to understand. It has powerful and vocal champions in an internet community that is already predisposed to anti-MS feeling. The narrative comes at a particularly bad time for Microsoft—some customers that were willing to give Microsoft the benefit of the doubt when it comes to Trustworthy Computing(TwC) feel they have had their fingers burned. The monoculture narrative is sticky, and is aimed at a receptive audience. Microsoft’s biggest problem is that the monoculture narrative essentially appeals to the gut rather than the head; it’s an appealing story, without requiring compelling facts (in the IT domain) to back it up.
A few analysts have leapt to Microsoft’s defense on the subject as well. In these politically correct times arguing against diversity is often not the best way to win friends and be popular, but Rob Enderle makes the case here that diversity is not always a good thing. While we don’t subscribe to his notion that “diverse environments are less secure,” neither do we believe that they are intrinsically more secure. Michael Gartenberg, for his part, points to the fallacy of the underlying assumption that alternate options may be more secure. We think this argument overlooks the point of Gartner’s study, which is more about the timing of the failures, but his point has its merits.
We’ve treated the underlying arguments and conclusions seriously, however, and it seems to us that both the CCIA and Gartner’s conclusions are based on some flawed assumptions. To wit:
What Monoculture?
While many point to Microsoft’s ubiquity on the desktop as the major systemic threat to cybersecurity today, does it really make sense to view the desktop as a monoculture? Sometimes it’s better to see the trees than the forest, because as it turns out not all trees are the same. Without question, Microsoft’s different operating systems share vulnerabilities, but despite the widespread impact of some very serious exploits like the Blaster disaster, experiences vary.
Widespread virus attacks are unquestionably inconvenient, and a tremendous loss of productivity to those affected – and that’s just the beginning. But those organizations, for example, that employ personal, as well as perimeter, firewalls emerged relatively unscathed by Blaster. Those organizations that had taken the time to patch their machines with the available fixes also didn’t have to worry about that vulnerability. The point here is not that Microsoft is without blame, because it is not, but to describe Microsoft systems as uniform, and so uniformly at risk, is to ignore significant differences in configuration and management.
Other Monocultures
As seductive as it is to root for David against Goliath, the fact is: Microsoft is not the only “monoculture” in the digital world. Protocols and open APIs are an example of a necessary monoculture; it would be difficult to describe the web, for example, without HTTP as a common interface. Or DNS. And so on.
Linux is increasingly a monoculture. Linux is seen as “the Microsoft alternative”, and as such, is almost by definition a monoculture. Apache, like Linux, is one of the core applications constituting the web’s backbone. Should we kick Linux and Apache out or reduce their exposure in favor of IBM AIX, say, and Lotus Domino, just because these are not Microsoft and not Linux? We don’t think so.
Six of One, Half a Dozen of Another
This fact shouldn’t be news to anyone, but other operating systems have vulnerabilities too. Really – it’s true. Linux – the current OS du jour – has its occasional difficulties. A recent study by the mi2g group – which was not directly commissioned by Microsoft – found that Linux was actually breached more often than Microsoft’s server product. But vulnerabilities happen to everyone. A vulnerability in OpenSSH - the secure shell underpinning Linux and some Unix communications, was identified by in September. The vulnerability, based on a good old buffer overflow attack, could potentially allow a remote machine to access a network. OpenSSH is shipped with most Linux distributions, and the Apache web server. The fact is that all software is potentially insecure; some is better, some is worse.
In that context, making your desktop environment heterogeneous may make you less susceptible to a tsunami style failure (which one would hope would be a very rare event), but as we’ve seen above there are ways to minimize your risk of those failures through patching and configuration management – although these methods are too inaccessible for most users right now. And interestingly, by diversifying, you’ve just upped the amount of vulnerabilities that your IT staff needs to monitor. Instead of just watching for Windows vulnerabilities, they now need to watch for both. This makes us more secure how, exactly?
Biological Arguments
One of the main concerns we have about the monoculture narrative is that is based on the sweeping usage of biological examples. Whether it’s Boll Weevils or communicable diseases, these metaphors can only be so relevant to IT.
RedMonk clearly believes analogies drawn from nature are an excellent way of communicating and making accessible difficult technical concepts. Many CFOs will fall asleep, drooling, half way through a conversation about protocol vulnerabilities, for example, but start talking about the economic effects of smallpox or the bubonic plague on an unprepared population and you’re pretty much guaranteed to have their attention. It’s very important to remember, however, that these concepts are analogs and metaphors, and should be treated as such.
Nature has much to teach us, but it is not a perfect mirror for the digital world. McAfee Antivirus does not equal a flu shot, a firewall does not equal a Hazmat suit, and a Boll Weevil only has so much similarity to a piece of viral code written by a 17 year old. Are there parallels to be found? Certainly. But let’s not get carried away by them, because the digital world is as different from the natural world as it is similar.
IT and the Decision Making Process
Most importantly, however, we believe that any purchasing decision should be driven by business requirements rather than abstract notions of security through diversity. While the latter may have some beneficial impact during a disaster type scenario, a lack of attention to the former is certain to have a negative impact on end-user productivity and TCO.
This is not to say, please note, that an alternative desktop equates with poor performance or an inability to meet user requirements. Products like the Java Desktop System and the SuSE Enterprise Desktop have their places, but to us the decision to use or not use those products should be based on their merits and ability to meet the established requirements. At RedMonk, for example, we could have half of our staff running on Apple and half running on Linux and thus be free from Windows based viruses, with a diversified threat base.
Doing so, however, would make it harder, not easier, to work together, while our software purchasing and maintenance resources would be stretched. CRM implementations have long been maligned for their failure to meet business requirements; often this is because IT has not adequately addressed the needs of their users, and so CRM systems go unused. Implement a “diversity” oriented solution for the dubious security advantages it might present, and the result is likely to be no different. Gartner, to their credit, recognizes when it recommends that this approach be done right, or not at all.
Ultimately we believe the monoculture narrative is itself a cultural virus. Organizations should therefore be very careful in making purchasing and strategy decisions based on it. Diversification as a concept should be examined as a strategy no more or less important than issues like resource requirements, total cost of ownership, and user needs. Security is an important concern for everyone, and we don’t want to downplay its role in the decision making process. But to make that factor the primary motivator for sales of a desktop package strikes us as the worst kind of IT driven decision making. There are a lot of good reasons to pursue alternative desktop strategies where appropriate, but we don’t believe that concerns about “monoculture” are one of them.
© Copyright 2003 RedMonk
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Comments
*dances around room*
On the topic, I really don't see the point in removing Microsoft. I have no problems with the company or it's products; they work for me just fine. I have mates who use Linux and other crazy OSes but I don't have a clue as to how to even find a file in them.
With regards to monoculture, whilst you can say "Well if we have more diversity that means less vunerability" you can just as easily say "Well if we have a monoculture we can work on making it as secure as possible" i.e. If you know that everyone is going to be targetting a single system, you can devote all your efforts to making that system impervious. You can protect yourself against specific threats.
Does that make sense? Or did I completly miss the point of the article?
While Microsoft is the standard today, and is being pushed upon many places like my school district for one (via a binding agreement to purchase so many dells) and with people these days looking out for themselves and there careers more than they do for the greater good, the first week of school in the C++ class I TA for and the CISCO class I am a part of, we couldn't be on the computers becuase blaster had taken down our network, and was still running rampant on the administration side of the network, so we couldn't be on the computers, in our computer class...
the ironic thing is that our principal and the superintended (both openly anti mac/linux) had the macintosh G4's that we recent upgraded to jaguar with out teachers own personal funding, removed from the class room. Even though we do C++ and cisco, our ability to do Maya and Bryce and basically any other hardcore rendering was thrown out the window. However the Mac's wouldn't have been affected by the attack at all.
Since Microsoft is the norm when it comes to desktops, any young kid with some know how and some spare time can write a virus, and sic it on the world. Microsoft may be a hulking giant, but small speedy kids can easily bypass it's defenses and strike at the pink underbelly that is the buggy code we have come to use virtually everywhere.
Both the school website servers (dhs.djusd.k12.ca.us) are on linux, despite diplomatic pressure being applied by the super and the administration. One box was donated by apache and is required to run it, and the other is kept on linux because the teacher (Jan Meizel in the computer field since the 60's) put her foot down, and since the county and the district are required to have a filter to get federal funds, and She spoke out against the filter that they bought, and the way the district is "running" our network. (we have maybe 70% uptime and it's obscenely slow for dual T1) they took away the job of technology coordinator from her (she had been doing it for 17 years for free) and now they pay another teacher to do it.
Microsoft is the standard and that doesn't look to change, but anyone who is a cisco puts it "a knowledgable network administrator" knows that linux and other platforms besides winodows are somewhat more secure than what windows churns out.
Having that been said, Monsieur go read my damn story (your one of the effing main characters, get in the muh already!) and since I need to go put my books away becuase I got all my homework done in class, which is why I had time to try and tackle this topic. I am out
pleasant day to all
Btw thankyou profoundly for putting a halt to the rampant religious debates in here. I was so tired of coming into this forum and just seeing a dozen religious topics <!--emo&:p--><img src='http://www.unknownworlds.com/forums/html/emoticons/tounge.gif' border='0' style='vertical-align:middle' alt='tounge.gif'><!--endemo-->
oh, and on a side point the district and the superintendent are the same people that I have to circumvent just so our group of 10 people can play NS at school during lunchtime... aparently one of the gods at the district office said that gaming at lunch was unnaceptable becuase we took up to much bandwith (despite the fact we play on the LAN and not on the net, besides the firewall makes that impossible without getting expelled)
<!--QuoteEnd--> </td></tr></table><span class='postcolor'> <!--QuoteEEnd-->
Oh maybe they were just wishthinking <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->
Some Operating Systems are more secure by design, UNIX based OSs are, and NT based OS should be but the recent Blaster, Sobig.f and messenger service (dumbest 'feature' in the history of bad features) seem to indicate otherwise. One of the big problems I have with MS is that they just can't seem to make their software secure, they've had like 3 or 4 patches to RPC and it still gets exploited. Also, they seem to have unnesesary deamons running by default for no readily apparent reason (messenger service). Now, its no secret that I really dislike microsoft so take my post as biased if you want.
Oh yes, Good job killing the EvC thread (part 4). If only we could just outlaw religious threads outright....
<a href='http://www.globetechnology.com/servlet/story/RTGAM.20030604.gtlinuxjune4/BNStory/Technology/' target='_blank'>http://www.globetechnology.com/servlet/sto...ory/Technology/</a>
<a href='http://www.globetechnology.com/servlet/story/RTGAM.20030604.gtlinuxjune4/BNStory/Technology/' target='_blank'>http://www.globetechnology.com/servlet/sto...ory/Technology/</a> <!--QuoteEnd--> </td></tr></table><span class='postcolor'> <!--QuoteEEnd-->
Your HP-UX example is bull, there are linux desktops, BSD desktops, and OSX desktops out there surfing the net all the time, and they are all UNIX based.
Your article is only about Linux, so its really not worth discussing. But you are right in your statement that a lot depends on IT and if they know what the hell they're doing.
It's not just that a lot depends on IT staff, it's that 99.999% depends on IT staff. All OS's are horribly vulnerable to attack riht out of the box. All. No exceptions. MS just happens to have millions and millions more PC's than the others, making it more a spotlight for crapbrain news outlets like slashdot and fox news.
Alright, my bad, I should have been more carefull with my wording. Shall we say POSIX comliant then?
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->It's not just that a lot depends on IT staff, it's that 99.999% depends on IT staff. All OS's are horribly vulnerable to attack riht out of the box. All. No exceptions.<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Now that I think about it.... most of the distributions out there are rather like that (points finger at SuSE and Red Hat), but not all. Usually the problem lies with installing so many services that hardly anyone will need, and then enabling them (like Windows has been known to do [again, mesenger service is a good example]). However there are distributions out there that are not so horribly insecure 'out of the box'.... perhaps thats because their installers aren't as forgiving. Sure, they will probably be somewhat insecure, but 'horribly' is an overstatement.
In short, I'll grant you that any OS easy enough for a monkey to install is almost certainly going to be horribly insecure out of the box.
You know, all this talk about IT reminds me of a discussion we had in netcom2 recently. We were going over a question in which we had to select three answers of six to get credit. The question was "What are the drawbacks of using OSPF?" or something, one of the correct answers was "Requires a knowledgable Network Administrater". So naturally a student asked "How is a having a knowledgable network administrater a drawback?", to which another student replied "Well, they cost more."
Hence why I find myself as a consultant at places, often surrounded by people with only the barest of computer knowledge holding massive IT responsibilities. After 9 years of doing this professionally, I have found that since beancounters are incapable of understanding ROI and TCO, it is a cycle that will never be broken. It also doesn't help that most IT management grew up with mid/main frame computing and haven't really done anything technical in 20 years...
You make good points. I find that all OS's have pretty terrible track records on security and exploits, and it comes down to how well you build your automated systems for closing those holes (it's one of my main selling points - I write custom software distribution systems for big companies). The myth that Linux or Mac's are inherently less vulnerable is perpetrated by internet newsgroup drones mainly. Look at that huge exploit they found in Kerberos for Linux last year - that root-level vulnerability had existed for almost ten <i>years</i> before anyone caught it from a coding standpoint - who can say how many machines were rooted before then and no one knew how.
Hire MonsE.
Microsoft is a tried and true corporation, as evil as I think they are, (no, not for having more $$$ than I) you CAN depend on it. Sadly, Linux is not ready for a mass corporate deploy. Unless your commiting suicide.
Its nice if your running a small home business and have a tiny LAN, with a redhat core, but honestly, Corporations NEED that dependancy, they can't generate revenues if their network is continuously down...(I'm not saying Linux is instable, because quite honestly it really is.)
Overall untill I think Linux has a better deployment record Microsoft wins the day for dependibility, and reliablility.
Microsoft is a tried and true corporation, as evil as I think they are, (no, not for having more $$$ than I) you CAN depend on it. Sadly, Linux is not ready for a mass corporate deploy. Unless your commiting suicide.
Its nice if your running a small home business and have a tiny LAN, with a redhat core, but honestly, Corporations NEED that dependancy, they can't generate revenues if their network is continuously down...(I'm not saying Linux is instable, because quite honestly it really is.)
Overall untill I think Linux has a better deployment record Microsoft wins the day for dependibility, and reliablility. <!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Whether its ready or not (and it is 'ready' IMO and has been for a long time) companies are deploying it. Often with great sucess. But all this talk about Linux is kinda getting us off track.
A Microsoft version 2.0, by any name, would just result in another monoculture. Replacing them with a whole bunch of different minicultures would probably result in 90% of them failing and the best few swallowing up all the rest, making another monoculture. In all likelyhood, the 2.0 version would be the most successful in the US. A combination of inherant matters in the software field and the way our economy works would pretty much seal it. Microsoft is just about as "fit" for our economy as is possible. I can't speak for the rest of the world, of course.
The debate shouldn't be over whether or not we have a monoculture. We do, or at least a close enough approximation. It is more helpful to discuss 1) whether this is good or bad 2) if there is way to sustain any other system in the software universe.
Standards do not qualify as monoculture, btw. The faults and benefits of monoculture do not need to apply to them, as an API or whatever can have be standardized yet what's under the skin can lead to completely different strengths and vulnerabilities. To suggest otherwise is to say that screws are monoculture just because they are all the same set of sizes/shapes even if some fall apart the moment they touch a driver, and some will last longer than the product.
Otherwise, the article makes a lot of good points.
It's not just that a lot depends on IT staff, it's that 99.999% depends on IT staff. All OS's are horribly vulnerable to attack riht out of the box. All. No exceptions. MS just happens to have millions and millions more PC's than the others, making it more a spotlight for crapbrain news outlets like slashdot and fox news.<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Harsh words Monse, comparing Slashdot to Fox News? C'mon surely Slashdot would be the lesser of the two evils, if it is for sure evil. At slashdot there is stories covering all sorts of things, and people have a big discussion about it. Is Fox like that?
I don't think it mattes how horribly insecure each OS is out of the box, what matters is how secure an OS is when it's properly secured(are they all eqaul though?). And even if security is equal, there is more to an OS then security. There is buginess, stablity, speed, software etc.
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->
The myth that Linux or Mac's are inherently less vulnerable is perpetrated by internet newsgroup drones mainly. Look at that huge exploit they found in Kerberos for Linux last year - that root-level vulnerability had existed for almost ten years before anyone caught it from a coding standpoint - who can say how many machines were rooted before then and no one knew how.<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Drones? That's harsh too. <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->
Having a big vunerability does not matter, what matters is whether Linux would be drowning in vunerabilties if it gained far more exposure. Maybe, or maybe not. I don't think it's possible to know until the future.
So my question for Monse, what OSes do you like, and why?
As far as /. goes, they print stories that both praise and bash linux (albeit more that praise), so that's probably about the best you are going to get. Actually, /. is the only place I've ever seen link to an article about a linux vulnerability at all.
Sorry if I beat MonsE to the punch, but what OS you pick depends on what you want it to do. Linux is great when it's finally up and working, but certain things take lots of hours of tinkering to get working right. Then there are compatibility issues, and user experiance levels, and so on. If both could do the job equally well, however, I'd choose linux, if just because its future outlook keeps getting brighter, while Windows is making only incremental progress and has questionable licensing practices.
Actually you example makes it even more comperable, when one factors in time. you'll notice that the RPC exploiters are able to adapt their technique just as readily as microsoft patches, this is similar to the way a beetle woud, over time, develop an 'anti-anti-beetle gene' or other such method to continue to use the plant.
While that is true, the beetles can't get this "anti-anti-beetle" off www.b33tleh4ckers.com either, it either has it or doesn't and can't do anything about it. It means that beetles or plants can gain advantages without being selectively breed for it. For example, let's take a 4 year old virgin computer (i.e. one that hasn't been used before). As soon as I get it running (and upgraded) I can give it the anti-beetle patch or whatever even though such a thing was lacking when it was created 4 years ago. A plant or beetle can't do that. At best, it survives and possibly passes on a useful gene.
While that is true, the beetles can't get this "anti-anti-beetle" off www.b33tleh4ckers.com either, it either has it or doesn't and can't do anything about it. It means that beetles or plants can gain advantages without being selectively breed for it. For example, let's take a 4 year old virgin computer (i.e. one that hasn't been used before). As soon as I get it running (and upgraded) I can give it the anti-beetle patch or whatever even though such a thing was lacking when it was created 4 years ago. A plant or beetle can't do that. At best, it survives and possibly passes on a useful gene. <!--QuoteEnd--> </td></tr></table><span class='postcolor'> <!--QuoteEEnd-->
The process is still similar, albeit much slower for plants.
Anyone else have some non-entomological points to make on the IT nature of the discussion?
My entire principal of computing can be summed up in my father's luddite nature. He still uses a manual Westinghouse typewriter for all his letter writing and as such, I've hounded him for years to get a computer. His reply is always 'if something does not make my life easier, why should I use it?'. His point is that if a technology makes something more complex and less reliable, why should it become the mainstream? I have applied that philosophy to every system I have ever designed and every application I have ever written - if it does not truly and fundamentally improve the ease of use and simplicity of operation for the average end-user, it's usually not worth doing. Toasters do not get more complex and harder to operate every year, they get simpler. The same for a DVD player, a radio, a car, or anything else. Users of a system want to spend their time using the system, not <i>making</i> it usable. This concept is mostly lost on the programmers of Linux, although they are making improvements all the time - but if you cannot <b>GIVE</b> your OS away, you have a fundamental flaw in your design philosophy. The monoculture is fine if the intended goal is reached - productivity and reliability for end users during normal operation.
Only if your ultimate goal is market domination. Linux started in a finish programmer's (GO GO GADGET LINUS!) bedroom, on a 386. Linus didn't sit down one day and think "Gee, I could make an OS so easy to use that people wouldn't be afraid of computers anymore and I could make millions!" (Steve Jobs did though, but thats another tale). Linus decided to code Linux for 3 reasons:
<ul>
<li>He didn't like Minix. Nobody really liked Minix except Taunenbaum(sp?) though.
<li>He wanted to learn about his brand new 386 processor.
<li>It would be fun.
</ul>
Its great to listen to Linus talk about stuff when he is interviewed, he is the most apathetic public figure in computing. He really just doesn't care what MS does, what Red Hat does, what SuSE does, or whether or not OSS is is being widely adopted, he just codes Linux because he wants to and its fun. Of course because of how he chose to distribute his OS, upstart companies intending to use it for whatever reason either give him stock options, or offer to hire him. He became a millionaire over night by giving software away.
To me, Linux is something to use for philisophical reasons. I really like the concept of Open Source Software (I like Open Standards even more, but OSS implies that really) and so try to promote its use (where apropriate).
It depends: is mainsteam like I am, and like to do really complex things (or at least mainstream CSC major)? For those, the more complicated (and hopefully robust) an OS is, the more options I have, and options make life easier when there is no simple solution.
These same companies like to play cut-throat games with each other for market share. In current times, IT budgets are extremely sparse. We had to cut ours in half. Training? Gone. Vacation? Uhh, would you mind cancelling it? "Do more with less" is our mantra right now. More like "Do more than you ever have with the least you've ever had." It's little wonder why morale around here is bottomless. To give you a feel for how bad it is, the company I work for laid off 12 IT employees two months ago. 3 of those were either pregnant or recently had a child. One of them was 7 months into a complicated pregnancy with twins. You know why the CIO dumped these people? Pregnancy and child-rearing does not equate to productivity. He prefers to have young, single males that don't mind working insane hours and get paid (relatively) little to do so. Do more with less!
In tough times, the IT providers out there must find creative new ways to spur growth. "Diversify your platforms." Sounds nice. Err, I mean, it sounds <b>expensive.</b> I cannot even imagine what it would cost our company to diversify our platforms to provide fault-tolerance at an OS level. We are 98% Windows on the desktop (department full of Macs for creative stuff.) Zero *nix. Moving even a single one of our critical n-tier business apps to something like Linux would be a monumental undertaking. We don't have the time, the money, or the resources to pursue such a project. Convincing the business... the holders of our purse strings... that platform diversification is a sound investment would be a phenomenally difficult task.
"How does this increase sales or benefit the customer?" would be the first question.
"Uhh, it doesn't?" replies the CIO.
"Denied"
IT providers understand all of this. So it seems to me the easiest way to convince someone of the need is to provide scare tactics. Mass hysteria. Lots of viruses capable of wiping out entire networks in short order. Research articles from the most respected IT research firm on the planet. Quite a compelling list of cannon fodder. They are certainly going to get some CEOs scared. And they'll get a platform diversification project started in quite a few of these companies. That means a boost in IT spending again, something desperately needed in the struggling IT provider industry.
Meanwhile, other companies will continue to do the things they need to survive these scare tactics. A sound firewall strategy and aggressive patching/research help to reduce the risk. We haven't been hit since NIMDA came around. A good friend of mine is a network security engineer. He makes a ton of money and is really good at what he does. He watches for Internet happenings and takes the necessary precautions to reduce risks. At least 1/3 of the time when I call him he is busy working on yet another threat. "We're chasing down a virus so I can't go out for a beer tonight, man." So it is with IT life today.
Ludditism, it kicks @$$... almost! <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html/emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif'><!--endemo-->
I would consider using a typewriter as being too luddite for one's own good, but the principal is still important.
Toasters do not get more complex because they have a simple task. Same with DVD players, Radios, and Cars. Computers are not quite the same as them.
Computers have far more depth than any of these things. There is simply much more room for user interactivity. Now yes, some things are actually quite simple, like installing NS, using a spreadsheet, or surfing the net. But these are only some of the things that can be done with computers.
What is so great about the mass market? They have far too much influence. In the early 90s people didn't have to be geeks, but they did have to adapt somewhat to computers. So the true dummies were barred. Nowadays it feels like the computer have adapted to the true dummies. The massmarket has far too much say over computer games, news and movies.
Improving ease of use, simplicty etc. is great, but it should never come at a trade-off for anything, like power, stability, features etc.
For YOU, not for an average consumer. And yes, VCR's and toasters and such have become simpler, and yet more powerful. You are just too young to have used them in the 70's and early 80's and seen what a chore it was. <!--emo&;)--><img src='http://www.unknownworlds.com/forums/html/emoticons/wink.gif' border='0' style='vertical-align:middle' alt='wink.gif'><!--endemo-->
Trust me, the success of the Windows OS is due to market-driven forces, not the Gatesian Empire - the market wants simpler to use, at an expense of features and customization. A toaster that allowed you to specify heating to a thousandth of a degree, plus set config data for optimal toast density, average air pocket volume, staleness factors, and parameters of darkness of the buttered side would fail - a tiny percentage of toast-freaks would love it, and the majority of people that just want some warm bread would go buy the simpler model. There is no conspiracy, this is market-driven economics.
The mass-market is what gives the funding to little hobbyists like Linus - it is not be dismissed, as without the funding of the more homogenous whole, the eclectic minority would not exist.
Then why aren't the Macs winning? I think the simple answer is that they would be, were it not for Apple's fuckups with pricing (Gasse didn't think market share was important) and some other huge mistakes. Personally I don't think Windows is "easier to use" then any given OS, people just get that idea because Windows is EVERYWHERE (partially due to MS buisness practices). If it were really "easier to use" there wouldn't be much of a need for the helpdesk.