Dan Geer is an extremely well respected security expert. When he worries about something, people listen.
One of the things he has worried - and warned - about is the danger represented by IT "monocultures" - the situation that arises when everyone uses the same software, for example, and therefore everyone shares the same vulnerability to a computer virus or other security threat.
Just as the word "virus" has been borrowed from biology and provides an apt and vivid descriptor for its IT analogue, so also does the word monoculture function: think of the consequences of Irish potato blight, or of the wiping out of the American Chestnut tree, which once numbered in the billions in the forests of the American East and is almost extinct as a mature species.
Well, last November, Dan wrote a perspective piece for CNETnews.com, called Massachusetts Assaults Monoculture. In that article, he wrote:
As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.
As it happens, Dan's bomb went off a few days ago, with the appearance of "Backdoor.Ginwui", a malicious bit of code that Symantec introduced in an alert as follows:
It has been reported that Backdoor.Ginwui may be dropped by a malicious Word document exploiting an undocumented vulnerability in Microsoft Word. This malicious Word document is currently detected as Trojan.Mdropper.H.
That Dan's expectation came true can hardly be a surprise. Indeed, the only curious thing about the fulfilment of his prediction is that it took as long as it did.
The reason, of course, is that hackers like targets that offer the most visible and dramatic results – and the bigger the better. If that target is unpopular (such as Microsoft), then again, so much the better. Thus it is that the more successful the software product, the more attractive it becomes. That’s no criticism of Microsoft, or of any other vendor, but one of the regrettable costs of success.
Still, from the end-user point of view, it is an added burden on the value of the product in question. After all, it’s one thing to have a target painted on your back and reap huge profits as a cost of doing business, and quite another to pay a premium price for a dominant product, and share the same risk without offsetting compensation.
It’s also not a surprise that something as prosaic as a Word document should become the innocent carrier of malicious code. Stringent security policies (such as those my firm employs) already block JPEGs, zip files and other vehicles known for carrying problem code. But no one’s policies automatically block all Word and Excel files, since those are what, for now at least, most people create, send and read (they are, of course, scanned for known viruses, which is no help at all against a document that exploits a flaw nobody has yet documented, as this one did). This elevates such files not only to the level of ideal vectors, but grants them the status of attractive challenges as well, capable of showcasing the chops of whatever hacker can succeed in using them to pull off a high-profile assault.
All of which, as regular readers of this blog might assume, leads me to a conclusion that has something to do with ODF, a standard that is already supported by four major products, two of them proprietary (Sun’s StarOffice and IBM’s Workplace Managed Client) and two of them open source (OpenOffice and KOffice).
The difference in risk profile between a monoculture and a diverse IT culture such as this is mathematically clear. Even if ODF compliant products as a group were someday to trade marketplace shares with Microsoft Office, no individual user of any one ODF compliant product would bear the degree of risk that every Office user bears today, because she would inhabit an IT culture with a much richer genetic pool. A malicious document exploits a bug in a particular program’s parser, not the format standard itself, so a file crafted to subvert one implementation will generally fail against another that reads the same standard with different code. (The caveat is that the diversity has to be real: products built from a common code base, as Sun’s StarOffice is from OpenOffice, share that code’s bugs, so what counts is the number of independent implementations, not the number of product names.) As a result, just as a species with a diverse gene pool can withstand the assault of a new disease in far better form than a species of clones, so also would an IT environment based on multiple independent implementations of ODF be more resilient than a monoculture of Office users, only more so.
Why more so? Because in nature, a virus isn’t personal: no malign intelligence designs a natural virus to attack a specific target. In the world of hackers, the opposite is the case, and the target they choose is the one everybody runs.
The moral of Dan’s story, as well as the current reality of Backdoor.Ginwui, is therefore clear: in IT diversity there is safety.