
Schneier on Security: Software Monoculture - adambyrtek
http://www.schneier.com/blog/archives/2010/12/software_monocu.html
======
jdp23
It's interesting to see Bruce now largely agreeing with the criticisms of the
original "Software Monoculture" paper.

The article in Information Security also has Marcus' response:
[http://searchsecurity.techtarget.com/magazineFeature/0,29689...](http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1522895_mem1,00.html)

~~~
naner
What do you mean by _now_? His position hasn't changed as far as I can tell.

------
iwr
How do you get around the network-effect benefits of large cultures? While
more vulnerable by being larger (and a more attractive target), these cultures
also develop self-defense mechanisms and an ecosystem of support.

While a custom culture may be safer from wide scale attacks, it's still more
vulnerable to targeted attacks. If you're a bank and you rely on security-by-
obscurity you are in greater danger than if using a tested and documented
standard system.

As an aside, the potato famine was not caused by a singular condition. The law
of the land up to some time before the famine prohibited the purchase of land
by Catholics; only about 7% of the agricultural land was actually in the hands
of the Irish. This meant the vast majority of them were serfs to English lords
and had to rely on small/fragmented patches of land to feed themselves. The
reason potatoes were grown was that no other crops could be grown on these
small plots. In the absence of potatoes, people would have been starving much
sooner.

~~~
tptacek
Your second point is one of the original criticisms of the monoculture idea:
Macs are both safer _and_ less secure because they're a low-profile target.
Give them 50% of the desktop market share and they'll be as bad as WinAPI.

There will never be enough operating environments to provide true diversity.
Say there are ten end-user platforms (there are 5-6 now, including iOS and
Android) each with a roughly comparable share. Each platform now has 3MM units
--- a totally viable susceptible population for malware --- but only 1/10th as
much security attention.

It may actually be the case that the _opposite_ of the monoculture paper is
true, and that we made it through the 2000's without melting down completely
because we basically delegated software security to Microsoft, which stepped
up to handle it.

~~~
lukeschlather
If anyone stepped up to handle it, it was McAfee and Norton/Symantec. And they
really didn't do a very good job.

Really, the sysadmins of the world were doing most of the heavy lifting.

~~~
tptacek
There's "handling", and then there's "vampirism".

~~~
lukeschlather
I once used Norton's tools to remove an infection from a machine, when nothing
else would work. Nowadays I would of course get the data off and wipe the
machine, but this was when I was younger and storage was not so cheap and
plentiful as it is now.

They have definitely done some small measure of good in securing the Windows
ecosystem, and in the first half of the last decade, they did far more than
Microsoft.

------
billswift
Here's a good reply <http://securosis.com/blog/ranums-right-for-the-wrong-reasons>

