Administrivia

I've done some more cogent categorization of my sub-blogs, listed at right under “Navigation” (for those of you still experiencing this page through the quaint but ever-popular web browsing experience). If you're looking for drill-down on one particular classification of rant, point and click. I'll also start tagging posts with the category they're replicated to. As if anyone actually cares.

General Chaos

One way to overcome the cost of switching from monoculture

An immodest proposal: RSS configuration of networked desktops

Most desktop strategies are monocultures. What if you could, through the application of secure web-based technology like SSL and IPSec, create a heterogeneous desktop strategy that gave you 80% of the power of the homogeneous ones? Using RSS as a vehicle, and a cross-platform agent in, say, Java, to do the client configuration?

[more at buzzword compliant]

buzzword compliance

An immodest proposal: RSS configuration of networked desktops

Let's say everything about your desktop preferences was stored as a set of hierarchical XML fields on a server somewhere on your network. Application settings might be on other servers; “cookies” with your saved application preferences for websites on another. What if, when you were authenticated at login at a desktop (running ANY operating system), the preferences were aggregated into something similar to an RSS file and sent securely to the desktop, and an agent program used the RSS to recreate your settings as closely as possible on the particular platform you had logged into?

So, for example, if you had a set of network drives you connected to, those shares would be established over the best file service protocol available for the client you were on (NFS, SMB, Windows filesharing, AFS). Bookmarks and cookies would be configured for the browser available. Desktop icons would be linked to networked or local applications that provided equivalent functionality, with your preferences translated to them.

Most desktop strategies are monocultures. What if you could, through the application of secure web-based technology like SSL and IPSec, create a heterogeneous desktop strategy that gave you 80% of the power of the homogeneous ones? Using RSS as a vehicle, and a cross-platform agent in, say, Java, to do the client configuration?
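A sketch of the agent's translation step described above, written in Python rather than the Java the post suggests; it is an added example, not code from the original post. The `<protocols>` element, the category names and the per-platform protocol order are assumptions, and the sample feed is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumed per-platform protocol preference, best first (illustrative only).
PROTOCOL_ORDER = {"linux": ["nfs", "smb", "afs"], "windows": ["smb"],
                  "macos": ["smb", "nfs"]}

# Constructed sample feed; <protocols> is a hypothetical extension element.
SAMPLE_FEED = """<rss version="2.0"><channel><title>prefs: jdoe</title>
<item><category>share</category><title>home</title>
  <description>fileserver.example.internal:/home/jdoe</description>
  <protocols>nfs smb</protocols></item>
<item><category>share</category><title>research</title>
  <description>/afs/example.internal/research</description>
  <protocols>afs</protocols></item>
<item><category>bookmark</category><title>Intranet</title>
  <link>https://intranet.example.internal/</link></item>
<item><category>screensaver</category><title>toasters</title></item>
</channel></rss>"""

def plan_settings(feed_xml, platform):
    """Return (actions, skipped) for one platform; nothing is applied here."""
    # The feed drives local configuration, so treat it as untrusted input even
    # when it arrives over SSL: refuse DTDs and act only on known categories.
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed contains a DTD; refusing to parse")
    actions, skipped = [], []
    for item in ET.fromstring(feed_xml).iter("item"):
        kind = item.findtext("category", "").strip()
        name = item.findtext("title", "").strip()
        if kind == "share":
            offered = item.findtext("protocols", "").split()
            usable = [p for p in PROTOCOL_ORDER.get(platform, []) if p in offered]
            if usable:  # first entry is the best protocol this client supports
                target = item.findtext("description", "").strip()
                actions.append(("mount", usable[0], target))
            else:
                skipped.append((name, "no common file protocol"))
        elif kind == "bookmark":
            url = item.findtext("link", "").strip()
            if urlparse(url).scheme in ("http", "https"):
                actions.append(("bookmark", name, url))
            else:
                skipped.append((name, "unsupported URL scheme"))
        else:
            skipped.append((name, "unknown category"))
    return actions, skipped
```

The same feed yields an SMB mount on a Windows client and NFS plus AFS mounts on a Linux client, with anything the platform cannot reproduce reported in `skipped` instead of guessed at.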

I encourage someone to implement this model. All I want is “friends and family” status for the IPO.

General Chaos

Of Patches and Potatoes: Windows and Monocultures.
Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture–potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus “blight”. The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.

Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, “Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time.”

[read the extended remix at buzzword compliant]

buzzword compliance

Of Patches and Potatoes: Windows, Monocultures, and Bad Things Happening

Jon Udell, Simon Phipps, and a host of other technorati have pointed to this report, “Cyber InSecurity: the Cost of Monopoly” published by the Computer and Communications Industry Association. It makes a very simple case, based on research by the authors–that having a “monoculture” of operating systems on the Internet creates an inordinate risk.

Monocultures have spelled trouble throughout history. My ancestors who brought the Gallagher name to the US came here in the wake of the failure of a monoculture–potatoes, which supplied an inordinate percentage of the food supply, were susceptible to a fungus “blight”. The failure of potato crops had a disastrous effect that Ireland, it could be argued, only really recovered from at the end of the 20th century.

The EPA has a history of the Potato Famine on its website, which includes this passage:

Besides the horror, what unites the famines today with one over a century ago are the reasons behind them. Ireland's famine and those of the 20th century have similar, complex causes: economic and political factors, environmental conditions, and questionable agricultural practices.

Substitute “vulnerable code” for “environmental conditions”, and “business” for “agricultural”, and you've got a description of the current state of the Internet.

Windows is the potato of the Internet age. That's basically what the researchers, including analyst Daniel Geer of @Stake, were saying when they wrote, in the executive summary:

“Most of the world's computers run Microsoft's operating systems, thus most of the world's computers are vulnerable to the same viruses and worms at the same time. The only way to stop this is to avoid monoculture in computer operating systems, and for reasons just as reasonable and obvious as avoiding monoculture in farming. Microsoft exacerbates this problem via a wide range of practices that lock users to its platform. The impact on security of this lock-in is real and endangers society.

“Because Microsoft's near-monopoly status itself magnifies security risk, it is essential that society become less dependent on a single operating system from a single vendor if our critical infrastructure is not to be disrupted in a single blow.”

After this report was published, Geer was fired by @Stake, which is a Microsoft contractor. The fact that Geer was apparently fired for mentioning the elephant in the room with him is telling. Considering the world-wide press Microsoft is making to prevent alternative operating systems like Linux from taking root, it's obvious that some folks think maintaining the dependence of the masses on the next release of Potatoes Server and Potatoes XP is essential to continuing their standard of living.

As someone who once earned his bread by installing and administering Windows NT networks, I can't help but agree with the CCIA assessment. While I use multiple computers, I now do all of my daily work (including e-mail) on one of my two Apple computers–mostly because I haven't had to worry about an e-mail worm or script attack since I started doing so. My 12-year-old son uses a Windows XP computer, which I'm constantly applying patches to. And as I mentioned in Server Not Found, constant reboots from applying patches actually killed my last Windows 2000 server in my inventory. It sits in the corner of my office, awaiting resurrection with a new motherboard or cannibalization of its parts.

The best defense against any assault is defense in depth–relying on one thing for defense is what led to the Maginot Line, and, well, we know how that turned out. Having loosely coupled, heterogeneous systems means that you can more easily ride out an assault (or a fatal bug) in any part of your infrastructure.

The main problem is increased cost of ownership–you need to have people with multiple skill sets to maintain multiple operating systems. Well, maybe. Some alternative OSs may actually reduce cost of ownership for some classes of users. If you build your applications on top of a cross-platform architecture, switching from a MS SQL server backend over to a MySQL backend won't be that big a deal. If you stick to common file formats, the cost of maintaining different office productivity apps isn't that significant (I use Office, AppleWorks, and OpenOffice within my office, on the same files, interchangeably, every day–sometimes even at the same time).

A point made by the study is that any technology monoculture is a potentially bad thing. If we had a Linux monoculture (perish the thought), we'd all be dealing with the latest Linux virus…right?

Hmm. Probably not. Because, you see, there's a big difference in that scenario–anyone can look at Linux's source code. And because of all of the different potential configurations, distributions, and revs to Linux (hell, some application binaries don't work from one version of Linux to another on the same processor platform), a “Linux monoculture” would be an oxymoron.

But here's another example–what if, say, there was another flaw like the floating point “flaw” that Intel had with the Pentium processor, or the, ahem, cache problems that Sun had with the UltraSPARC, and a vast preponderance of systems running the Internet depended on that CPU? What if everybody used the same Ethernet chip for their network interface, and it was found to have a bug that caused it to go into permissive mode? What if someone could, say, exploit a hole in Passport, and use it to launch a DoS on every system running MSN Messenger?

What, indeed. Potatoes may be cheap and easy to cook, but if they're what you live on, their cost of ownership can get extremely high very fast. Just ask any Gallagher you run into.
