The dirty little secret about the tech press is that most of it isn’t very technical. While columnists like Dan Gillmor, Declan McCullagh, and John Dvorak opine week after endless week about computers, the Internet, operating systems, and security, it’s doubtful that any of them has ever seen the actual source code to any significant piece of software (let alone understood it), a block diagram of a significant ASIC (let alone the Verilog), or even an encryption algorithm.
Given this fundamental ignorance, it’s no wonder that, when confronted with a new issue they don’t understand, the tech press’ opinion leaders fall back on familiar old battle cries (which frequently have nothing at all to do with the issue allegedly under discussion,) and to quoting each other as if repeated ignorance becomes wisdom. Case in point is Dan Gillmor’s column in today’s Mercury News, echoing an earlier Cnet column by Declan McCullagh to the effect that the Bush Administration is missing the boat by not beating-up on Microsoft in the name of computer security. These are McCullagh’s remarks (Gillmor’s are derivative and therefore uninteresting):
But, according to people familiar with the draft report, it pays scant attention to Microsoft, which has been responsible for more online security woes than any other company in history.
Such an omission would be glaring. Intentional design choices and unintentional bugs in Microsoft Windows, Outlook, Word and Explorer have created vulnerabilities so numerous they’ve become legendary. Shoddy default settings have practically begged intruders to plunder Windows-equipped PCs. Any serious look at Internet security has to start with the world’s largest software company.
But the Bush administration appears to have punted. During an invitation-only briefing last Thursday, a National Security Council official told about two dozen attendees from civil liberties groups and trade associations that the White House had no problem with the Internet’s “monoculture” environment. Biologists warn against plant monoculture, which permits pathogens to spread like wildfire. The same principle applies to malicious code and our largely-Microsoft Internet environment.
In the first place, the plan is a high-level look at the security situation as it exists today, and a set of recommendations for improving security in the future. There is no reason for it to dwell on any particular piece of software or vendor; even if there were, I don’t want my government telling me what software to buy.
Then there’s the great and wonderful use of the term “monoculture”, the biological term popular among posers of all stripes in discussions ranging from culture to education to technology (but rarely to farming, where it actually applies). McCullagh brands Microsoft with the mark of the monoculture beast, a distinction they would deserve even if their software was next to perfect, simply because they have so much market share.
There are two problems with this, and they both speak to McCullagh and Gillmor’s lack of technical sophistication: 1) Not all Microsoft operating systems are the same; Windows 95, 98, 2000, NT, Me, and XP have different vulnerabilities, as do the Office Suites at various release levels; and 2) the alternative to Microsoft, Linux, has actually reduced diversity across the Internet as a whole, by assimilating a formerly wide variety of Unix platforms under a single standard. In the example McCullagh cites, the monoculture curse can be broken by growing different varieties of rice, the relevant analogy of which is different varieties of Windows or Unix. They don’t see their own logic at work.
But more importantly, “monoculture” (or “standards”, as we engineers like to say) doesn’t inherently weaken network security, as long as the standard has strong safeguards. And when we shift the discussion around to the relevant safeguards, Gillmor gets all freaky about control:
But the much-ballyhooed, much-revised “National Strategy to Secure Cyberspace” looks alarmingly like a recipe for the world’s control freaks — the people who view security as a way to help big government and big business regulate the way we use technology.
It’s about control, alright — about people who own property having control over it, and the power to protect it from theft.
And that’s the thing that really bugs our columnists.
Perhaps I would be more impressed if this contained even a few more facts.
First, the point of monoculture as a problem relates to the fact that attacks on a monoculture are propogated rapidly through the monoculture and if a monoculture is also a monopoly, then the whole infrastructure is open to rapid, thorough breakage. There is nothing in the comment that refutes that.
Then, after not accepting the monoculture problem as real, we get a surreal 180 degree turn to where linux is the real problem because it is reducing the unix gene pool. That ignores the AIX, Solaris, freeBSD, HP-UX etc. that exist today and will exist for a long time to come. But come on, monoculture either is or is not a problem, and if it is, linux sure isn’t the problem here.
By the way, many of the security vulnerabilities for Windows are related to the product platform (IE, Word, Outlook) and the bundling of them to discourage competition, not to the underlying OS. So to me the whole ’95, ’98, ‘whatever line smacks of lacking technological prowess.