Security Experts Debate Danger of Computing Monoculture

Dennis Fisher

Ten months after co-authoring a paper arguing that Microsoft Corp.’s dominance of the operating system market is a hazard to the security of the Internet, a claim that he says cost him his job, Dan Geer has lost none of his zeal for the fight.

Geer, now the chief scientist at security vendor Verdasys Inc., in Waltham, Mass., defended his position as forcefully as ever at a recent debate on the topic with Scott Charney, Microsoft’s chief security strategist. With the Usenix Annual Technical Conference as a backdrop, a standing-room-only crowd backed Geer, a former president of Usenix and a respected security researcher, in his assertion that the Windows “monoculture” threatens the Internet’s safety.

“A computing monoculture is a danger; it is a security danger, and it is a national security danger,” said Geer, who holds a doctorate in biostatistics from Harvard University and did pioneering work on Project Athena, a networked computing venture, and the Kerberos system at the Massachusetts Institute of Technology. “An ecosystem that is low on diversity is in danger. It is the predators who force the prey to diversify.”

Geer’s paper, published last September and written with security expert Bruce Schneier, among others, ruffled Microsoft feathers and, said Geer, ended up costing him his job as chief technology officer of @Stake Inc., which does business with the Redmond, Wash., software maker. Officials at Microsoft and @Stake, of Cambridge, Mass., denied at the time that Microsoft played any role in Geer’s firing.

In his fast-paced Usenix presentation, Geer seemed more revival-meeting preacher than scientist. In fact, one of the questioners at the end of the debate called him “Reverend Dan.” And to the Usenix members—wearing shirts with Linux logos and toting laptops running KDE on top of Debian or FreeBSD—Geer’s words played like gospel.

Geer argued that without significant diversity among the operating systems on the Net, the network is at constant risk of a major disruption because the target base is homogeneous: one flaw is one flaw in nearly every machine. If a handful of operating systems each owned a sizable chunk of the market, an attack against any one of them could reach only that system’s share of the machines, limiting its effect on the Internet as a whole.

Comparing the Windows monopoly to the agricultural world, Geer said that just as stubborn farmers who grew only cotton saw their crops devastated by the boll weevil, enterprises that fail to diversify are setting themselves up for failure. “All monocultures live on borrowed time,” he said. “We farm data and electrons. Are we so vain to imagine that we are not subject to the laws of nature?”

Charney, the second to speak, was decidedly the visiting team. But Charney, a former federal prosecutor, was hardly overmatched. As a former colleague quipped, Charney’s participation in the debate equaled “throwing the lion to the Christians.”

Sensing the need to gain friends, Charney related how he came to be the Department of Justice’s lead prosecutor for cyber-crime in the ’90s. After his boss saw him creating DOS subdirectories, Charney was deemed a “computer expert” and nominated to head a new computer-crime unit. The story drew many laughs.

But Charney wasted little time laying out his problems with Geer’s thesis. He assailed Geer and his co-authors for advocating “forced diversity” rather than letting the market decide which products succeed. Charney cited the spread of last year’s SQL Slammer worm as an example of how little difference he believes diversity would make. The worm infected a tiny fraction of 1 percent of the machines on the Internet, yet the scanning traffic those few machines generated had a measurable effect on the network’s performance at the peak of the outbreak.

“If a very small percentage of machines can have a broad effect, we’d have to diversify operating systems not into two but into millions,” Charney said. “It’s not really clear to me how that’s going to work in practice.”
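The two arguments above pull on different levers, and a toy model makes the tension concrete. The following is an added example, not code from the article or from either speaker: it treats Geer’s point as the size of the population one platform-specific exploit can reach, and Charney’s point as the network load a random-scanning worm produces once it saturates that population. Every figure in it (total host count, per-host probe rate, probe packet size, the fraction of a platform that exposes the flaw) is a constructed, order-of-magnitude assumption for a 2003-era outbreak, not a number the article reports.

```python
"""Toy model of the two arguments in the Geer/Charney debate.

Added example, not code from the article or from either speaker.  Geer's
claim: a platform-specific exploit reaches a population proportional to that
platform's market share, so splitting the market shrinks the blast radius.
Charney's reply: a random-scanning worm on a tiny fraction of hosts still
generates network-wide load.  Every figure below is an assumption chosen to be
in the right ballpark for a 2003-era outbreak, not a number from the article.
"""
import math

IPV4_SPACE = 2 ** 32          # addresses a random scanner picks from
SCANS_PER_SEC = 1000          # assumed probes per infected host per second
PROBE_BYTES = 404             # assumed on-the-wire size of one probe packet


def reachable_hosts(total_hosts, shares, platform, exposed_fraction):
    """Hosts a single platform-specific exploit can reach (Geer's lever).

    shares: platform -> market share, fractions summing to about 1.
    exposed_fraction: share of that platform's installs running the flawed,
    unpatched service and reachable from the Internet.
    """
    return round(total_hosts * shares[platform] * exposed_fraction)


def time_to_saturation(vulnerable, target=0.9, initial=1,
                       scans=SCANS_PER_SEC, address_space=IPV4_SPACE):
    """Seconds for a random-scanning worm to infect `target` of `vulnerable`
    hosts, from the random-constant-spread (logistic) model
        dI/dt = K * I * (1 - I/N),   K = scans * N / address_space.
    K itself shrinks with N, so halving the vulnerable population roughly
    doubles the time to saturation instead of stopping the worm.
    """
    k = scans * vulnerable / address_space
    odds = target / (1 - target)
    return math.log(odds * (vulnerable - initial) / initial) / k


def simulate(vulnerable, target=0.9, initial=1, scans=SCANS_PER_SEC,
             address_space=IPV4_SPACE, dt=0.5):
    """Discrete-time version of the same model, stepped dt seconds at a
    time; returns seconds until `target` of the vulnerable hosts are hit."""
    infected, t = float(initial), 0.0
    while infected < target * vulnerable:
        # Each probe lands on a not-yet-infected vulnerable host with
        # probability (N - I) / address_space.
        hits = infected * scans * dt * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + hits)
        t += dt
    return t


def aggregate_scan_gbps(infected, scans=SCANS_PER_SEC, probe_bytes=PROBE_BYTES):
    """Probe traffic once `infected` hosts all scan (Charney's lever): the
    load depends on the absolute count of infected hosts, not on their
    share of the Internet."""
    return infected * scans * probe_bytes * 8 / 1e9


def platforms_needed(vulnerable_total, max_gbps, scans=SCANS_PER_SEC,
                     probe_bytes=PROBE_BYTES):
    """Equal-share platforms required so that a worm confined to any one of
    them cannot push aggregate scan traffic above max_gbps."""
    max_hosts = math.floor(max_gbps * 1e9 / (scans * probe_bytes * 8))
    return math.ceil(vulnerable_total / max_hosts)


def compare(total_hosts=150_000_000, exposed_fraction=0.0005):
    """Monoculture versus an even two-platform split, same flaw density."""
    mono = reachable_hosts(total_hosts, {"a": 0.95, "b": 0.05}, "a", exposed_fraction)
    split = reachable_hosts(total_hosts, {"a": 0.5, "b": 0.5}, "a", exposed_fraction)
    return {
        "monoculture": (mono, time_to_saturation(mono), aggregate_scan_gbps(mono)),
        "two_platforms": (split, time_to_saturation(split), aggregate_scan_gbps(split)),
        "platforms_to_stay_under_1gbps": platforms_needed(mono, 1.0),
    }


if __name__ == "__main__":
    results = compare()
    for world in ("monoculture", "two_platforms"):
        hosts, secs, gbps = results[world]
        print(f"{world:14s} {hosts:>7d} hosts  {secs / 60:5.1f} min to 90%"
              f"  {gbps:6.1f} Gbps of probes")
    print("equal-share platforms needed to cap probe load at 1 Gbps:",
          results["platforms_to_stay_under_1gbps"])
```

Under these assumptions an even two-way split halves the reachable population and halves the probe load, but the worm still reaches 90 percent of its targets in well under an hour, because the logistic growth rate falls only linearly with the target population. Holding a single outbreak below one gigabit per second of probe traffic would take a couple of hundred equal-share platforms, which is the gap between the two speakers: Geer’s diversity buys a proportional reduction in blast radius, while Charney’s point is that a proportional reduction is not the same as immunity for the network.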

What was clear by the end of the debate was that many audience members agreed with more of Charney’s points than they thought they would. But that didn’t stop the anti-Microsoft faction from scoring perhaps the best point of the afternoon. In a question-and-answer period, a slight, ponytailed man went to the microphone and said: “Mr. Charney, I just wanted to say that I believe the single most dangerous piece of software ever written is [Internet Explorer].”

As the crowd clapped and laughed, Charney simply smiled and shook his head.

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in eWEEK.