Comments on TaoSecurity Blog: Thoughts on Monoculture
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed updated: 2023-10-16T06:06:25-04:00

Comment by Anonymous, 2005-12-21T19:43:00-05:00:

I was impressed with Ranum(?)'s reasoning on this issue. The biological analogy is flawed because computer hosts can coordinate immunity through patch management, central configuration of host-based firewalls, etc.

Some threats emerge if a single host on a network is compromised. Multiplying OSs multiplies vectors, and potentially divides administrative expertise.

I'll grant you the scenario of the fatal 0-day attack. I'm not sure that dividing the market share into more chunks is going to prevent epidemics, though. It will probably mean more, smaller epidemics.

I'm an anti-Windows bigot, and plan to proceed with managing XP workstations with ad-hoc tools, rather than AD, in spite of sound advice given by everyone I talk to, including one of the lead developers on the Samba team. So I am predisposed to like the monoculture argument with its implied dissing of MS. But I see a lot of problems with the analogy and its prescription. If we were to follow its prescription, how many OSs would we need to adopt? Several flavors of Linux, all three major BSDs, Solaris, VMS, NetWare? Attackers are going after even small niche apps, so there would still be plenty of attacks on a world of evenly distributed OS market share. Then there are cross-platform vulnerabilities. Run the wrong PHP script and it doesn't matter what the host OS is running.

I'm not sure accessibility is assured if the average user has a choice of unfamiliar surviving OSes.

Comment by Anonymous, 2005-12-21T16:29:00-05:00:

Agree, security is not a boolean. There are both horizontal and vertical views to a system. Diversification helps the horizontal aspects of security.

Comment by John Ward (https://www.blogger.com/profile/10741149622435353727), 2005-12-19T19:12:00-05:00:

I added my 2 cents on this on my blog.

Am I going to have to separate you and Tom Ptacek?