Wednesday, October 15, 2003

Marcus Ranum Rants Online and Offline

Marcus Ranum is one of the smartest security guys around. A few weeks ago he redesigned his web site in preparation for publication of his new book The Myth of Homeland Security. I hope to get a review copy. Marcus' comment in the latest edition of SANS Newsbites alerted me to his criticism of the so-called "computing monoculture" problem. He points out that the Computer & Communications Industry Association, which funded the "Cyber Insecurity" report (.pdf) that got Dan Geer fired, consists of "Sun Microsystems, Fujitsu, Nokia, Nortel Networks, Tantivy, Time Domain, Vion, AT&T, Verizon, NTT USA, Oracle, Intuit, Yahoo!, Sabre, and AOL." His insights are useful:

"Computers, unlike biological organisms, can rapidly share immunity without having to actually be exposed to the pathogen in question. This is absolutely crucial to understand - it's quite possible that my machine may fix itself automatically so that a worm doesn't affect it. Computers have several main mechanisms for transmitting 'immunity': firewalls, antivirus software and antivirus software auto-update, Windows auto-update, and security-related knowledge bases or mailing lists."

"There is no 'monoculture' here. My system isn't just Windows. My security is effected (and affected) by a bewildering combination of default settings, software patch levels, default firewall rules (I just plugged it in, honest!), browser settings, and antivirus signature sets. We're not in anything like danger of becoming a "monoculture" unless every system was running the same software load-out, security policy, antivirus product, and patch level. In spite of the dearest wishes of countless system administrators, that simply isn't going to happen! So, as much as I hate to say it, Sun's marketing people may have been right, "The network is the computer" - and the network sure as hell isn't going to become a "monoculture" unless Microsoft builds all the firewalls, all the routers, all the switches, all the web accelerators, all the SQL databases and establishes everyone's security, routing, DNS, and update policies."

I don't agree with everything he says, but on the whole his argument makes sense. Debating via analogy is difficult and probably counter-productive. I'll report on his book after I've read it.