Microsoft Monoculture Myopia

It’s the anniversary of Dan Geer’s report:
Exactly three years later this month, Geer insists that the risks associated with Microsoft’s virtual monoculture remain the same, but a quick glance at the future direction of the world’s largest software maker gives Geer a sense of “total vindication.”

Indeed, three years ago on Sept. 24, Geer penned “CyberInsecurity: The Cost of Monopoly,” a 25-page report he co-authored with a who’s who of computer security experts, including celebrated cryptographer Bruce Schneier and intrusion detection systems specialist Rebecca Bace.

“IT Wrestles with Microsoft Monoculture Myopia,” Ryan Naraine, eWeek, September 10, 2006

In many ways, nothing has changed: Windows still runs on more than 90% of all end-user systems, and buying Microsoft is like buying IBM used to be.

However, before the Geer report, even trying to discuss software monoculture would provoke nervous laughter and attempts to change the subject. Now at least everybody has heard of the problem, and knows that software diversity is the answer. They’re just saying it would be too hard. (It’s not, but that’s what people are saying.)

And there are a few bright spots: Firefox is gaining on IE; Apache runs on more servers than IIS; Apple is solvent; and

Nonetheless, as I said for this article:

“We have criminal entrepreneurs doing big, big business on the Internet, using computers that are not secure. This is not rocket science; this is an effect of the monoculture.”
It looks like monoculture is going to remain a problem until its costs become so obvious that people and companies won’t support it anymore.