The pernicious characteristics of monocultures, by Paul Strassmann.

Casper Aleva tonus at dsinet.org
Thu Nov 29 17:40:12 PST 2001


The following essay by a manager with clue, Paul Strassmann, is part of
the special report on Internet security and hackers on the American
public broadcaster PBS and worth reading.

Source: 
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/blame/threat.html

===
The purpose of this article is to explain the risks arising from a
Microsoft software monoculture.

The term "monoculture" is originally derived from agriculture. It is the
practice of growing the same crop each year on a given acreage. Rotating
crops helps control certain insects and diseases; farmers who repeatedly
grow the same crop on the same land become increasingly dependent on
chemical insecticides, and must resort to new disease-resistant plant
varieties, and practice soil fumigation and similar methods of
controlling insects and diseases that are usually controlled by crop
rotation.

If a large number of farmers, in proximate geography, adopt monoculture
practices, even the dependency on chemical means will not be sufficient
to protect the crops. Although the quantity of food is increased, the
humans create an environment that is hospitable to vermin, pathogens,
and diseases. Paradoxically, by increasing specialization monoculture
farmers increase the threats to their food supply.

The potentially destructive, injurious and deadly characteristics of
monoculture practices are remarkably comparable to conditions one finds
prevailing in computer networks. Therefore, it may be useful first to
examine an agricultural case before venturing into an exploration of
what it means to have Microsoft software present in most of the
computers in the world.

Agricultural Case: The Irish Potato Famine

The "Great Potato Famine" or the "Irish Famine" occurred in 1845-49 when
the potato crop failed in successive years. The crop failures were
caused by blight that destroyed the potato plant. It was the worst
famine to occur in Europe in the 19th century. By the early 1840s,
almost one-half of the Irish population--but primarily the rural
poor--had come to depend almost exclusively on the potato for their
diet, and the rest of the population also consumed it in large
quantities. A heavy reliance on just one or two high-yielding varieties
of potato greatly reduced the genetic variety that ordinarily prevents
the decimation of an entire crop by disease, and thus made the Irish
vulnerable. In 1845 a fungus arrived accidentally from North America,
and that same year Ireland had unusually cool, moist weather, in which
the blight thrived. About 1.1 million people died from starvation or
typhus and other famine-related diseases. Many emigrated, and by 1921
the population was barely half of what it had been in the early 1840s.

The Software Case: Microsoft's Dominance

Microsoft's dominance in operating systems represents a new threat to
the national security and to the systematic reliability of our
computer-based society.

It is a fact that a large number of political institutions, both in the
U.S. and in other countries, are becoming increasingly aware of the
economic and security risks that arise from the ubiquitous presence of
Microsoft. The U.S. government as well as a European Economic Community
(EEC) Commission is trying to contain the expanding power of Microsoft
by litigation. This is insufficient. One must also address the risks
from attacks on a largely homogeneous systems management environment.
Info-terrorists and criminals will continue to take advantage of the
ever-growing proliferation of flaws in the gigantic Microsoft system,
consisting of hundreds of millions of lines of failure-prone code.

The Microsoft software monoculture is dangerous because this firm is
pursuing its global expansion objectives with unconstrained ambition.
Its strength is reflected in its share of all profits from the software
business. That advantage has widened steadily from 24 percent in 1987 to
64 percent in 1998 and is likely to climb as Microsoft is expanding its
reach as a vendor of software packages to becoming a networking services
giant. In its recently announced .Net initiative, Microsoft has
projected a vision of a world that is inter-connected with Microsoft
centers from where each computer receives not only its operating
software but also a continuous stream of data and applications.

Microsoft now sets its sights not only on the control of local computing
but also on the sources from which all program code and data originate.
Upgrading Microsoft software has been a logical choice for customers who
wished to keep up with changes in technology. The risks of an integrated
family of operating systems running all global computers, a declared
Microsoft objective, make selecting a Microsoft platform more than a
purely technical choice. An all-encompassing operating system bares
itself to hostile exploitation of paralyzing security flaws. The
presence of a fatal defect is unavoidable as the complexity of Microsoft
systems expands to bizarre proportions with each new release. It is the
search for such a fault that occupies the minds of some of the brightest
computer experts. Finding a crack through which one could induce mayhem
with only a few keystrokes would be worth a great deal of money,
especially when supporting an act of terrorism.

Microsoft and the Information Monoculture

It's only a question of time before the ubiquitous presence of Microsoft
operating systems, supported by a software-updating network, reaches a
level of interconnectivity that makes a universal systems crash
feasible.

All that will be required is inducement of a widespread information
infrastructure collapse through a deliberately executed and pre-planned
act of information warfare. The risk from a software monoculture has
increased due to the shift from custom-made software to packaged
applications residing on an integrated family of Microsoft operating
systems. As a result, the risks from planned subversion of a software
monoculture now overwhelm the demonstrable benefits of standardization
of an otherwise chaotic software environment.

The future of Microsoft should not be judged only by antitrust criteria
or the commercial merits of its software. It should be also reflected in
the unprecedented security risks to our civilization that a software
monoculture generates. The Microsoft defense that it was only maximizing
profits using common competitive methods is insufficient. Business
practices that may be tolerable for a small competitor become perilous
whenever scaled up to security-threatening proportions to global
computer networks.

Our computer-based information society is still in its early stages of
development. Its resilience and dependability are still not adequately
understood. If history teaches anything, it is the insight that
monocultures of any kind--especially if they can propagate in a matter
of seconds--should not be allowed to flourish without adequate
safeguards.

===

Casper Aleva

Dutch Security Information Network
e: tonus at dsinet.org
w: http://www.DSINet.org/
c: http://www.DSINet.org/casper/pubkey.txt
==
"Don't quote, I want to know what _you_ have to say." -Unknown