[Infowarrior] - Monocultures and Document formats: Dan's Bomb Goes Off

Richard Forno rforno at infowarrior.org
Wed May 24 06:27:07 EDT 2006


Monocultures and Document formats: Dan's Bomb Goes Off

Tuesday, May 23 2006 @ 06:17 PM EDT
http://www.consortiuminfo.org/standardsblog/article.php?story=20060523181724678

Dan Geer is an extremely well respected security expert.  When he worries
about something, people listen.

One of the things he has worried - and warned - about is the danger
represented by IT "monocultures" - the situation that arises when everyone
uses the same software, for example, and therefore everyone shares the same
vulnerability to a computer virus or other security threat.

Just as the word "virus" has been borrowed from biology and provides an apt
and vivid descriptor for its IT analogue, so also does the word monoculture
function: think of the consequences of Irish potato blight, or of the wiping
out of the American Chestnut tree, which once numbered in the billions in
the forests of the American East and is almost extinct as a mature species.

Well, last November, Dan wrote a perspective piece for CNETnews.com, called
Massachusetts Assaults Monoculture.  In that article, he wrote:

    As a matter of logic alone: If you care about the security of the
commonwealth, then you care about the risk of a computing monoculture. If
you care about the risk of a computing monoculture, then you care about
barriers to diversification. If you care about barriers to diversification,
then you care about user-level lock-in. And if you care about user-level
lock-in, then you must break the proprietary format stranglehold on the
commonwealth. Until that is done, the user-level lock-in will preclude
diversification and the monoculture bomb keeps ticking.

As it happens, Dan's bomb went off a few days ago, with the outbreak of the
"Backdoor.Ginwui" virus, a malicious bit of code that Symantec introduced in
an alert as follows:

    It has been reported that Backdoor.Ginwui may be dropped by a malicious
Word document exploiting an undocumented vulnerability in Microsoft Word.
This malicious Word document is currently detected as Trojan.Mdropper.H.
The fact that Dan's expectation came true can hardly be a source of
surprise.  Indeed, the only curious aspect of the fulfilment of his
prediction is that it took as long as it did to occur.

The reason, of course, is that hackers like targets that offer the most
visible and dramatic results - and the bigger the better.  If that target is
unpopular (such as Microsoft), then again, so much the better.  Thus it is
that the more successful the software product, the more attractive it
becomes.  That's no criticism of Microsoft, or of any other vendor, but one
of the regrettable costs of success.

Still, from the end-user point of view, it is an added burden on the value
of the product in question.  After all, it's one thing to have a target
painted on your back and reap huge profits as a cost of doing business, and
quite another to pay a premium price for a dominant product, and share the
same risk without offsetting compensation.

It's also not a surprise that something as prosaic as a Word document should
become the innocent carrier of a bit of malicious code.  After all,
stringent security policies (such as those my firm employs) already block
jpegs, zip files and other vehicles known for problem code.  But no one's
policies automatically block all Word and Excel files, since those are what
- for now at least - most people create, send and read (they do, of course,
scan them for known viruses).  This therefore elevates such files not only
to the level of ideal vectors, but grants them the status of attractive
challenges as well, capable of showcasing the chops of whatever hacker can
succeed in employing them to pull off a high-profile assault.

All of which, as regular readers of this blog might assume, leads me to a
conclusion that has something to do with ODF - a standard that is already
supported by four major products, two of the proprietary persuasion (Sun's
StarOffice and IBM's Workplace Managed Client) and two of the open source
(OpenOffice and KOffice) variety.

The risk profile between a monoculture and a diverse IT culture such as this
is mathematically clear.  By definition, even if ODF compliant products as a
group were someday to trade marketplace shares with Microsoft Office, no
individual user of any ODF compliant product would share the same degree of
risk that every Office user has today, by reason of the fact that she would
inhabit an IT culture with a much richer genetic pool.  And no virus is
likely to operate at the level of standardization at which these disparate
products exist.  As a result, just as a species with a diverse gene pool is
likely to be able to withstand the assault of a new disease in far better
form than a species of clones, so also would an IT environment based on
multiple instantiations of ODF be more resilient than a monoculture of
Office users, only more so.

Why more so?  Because in nature, a virus isn't personal.  No malign
intelligence creates a natural virus to attack a specific target.  But in
the world of hackers, the opposite is the case.

The moral of Dan's story, as well as the current reality of the
Backdoor.Ginwui Word virus, is therefore clear: in IT diversity there is
safety.