Category Archives: Monoculture

Government-Mandated Monoculture

Apparently Microsoft needs even more of a monopoly:

The Office of Management and Budget and the Defense Department are taking similar but separate paths to ensure a standard Microsoft Windows desktop configuration is used by all agencies.

Karen Evans, OMB’s administrator for IT and e-government, has recommended to Paul Denett, the administrator in the Office of Federal Procurement Policy, that the Federal Acquisition Regulations Council add a clause to the FAR, or OFPP send out a memo to all chief acquisition officers, that would require all IT contracts to include the requirement that all software and hardware does no harm to the standard configuration.

The Air Force, meanwhile, has submitted a three-part clause to the DOD chief information officer that would be included in every IT contract, said Ken Heitkamp, associate director for lifecycle management and director of the Air Force’s IT Commodity Council.

Eventually, Heitkamp said, DOD’s rule could be given to OMB for them to decide whether to take it governmentwide.

OMB, DOD to enforce desktop standard through procurement, by Jason Miller, GCN, 11 April 2007

From a security point of view, this is the height of foolishness, because it will establish a government-wide monoculture that will be very vulnerable to exploits.

-jsq

Cali Cartel

Dan Geer mentions Microsoft and the Cali Cartel in the same paragraph:
If the U.S. really wants to get Bolivian farmers to stop growing coca, then we’ll have to make growing lettuce in the Continental U.S. illegal (thus pricing up something you can grow in Bolivia’s thin air and chill temps), or we’ll have to outbid the Cali cartel for the crop in full. Ditto Redmond; MSFT can’t keep the exploit writers from doing what they do except by making them an offer they can’t refuse.

With $5B in underutilized cash laying around, it is almost criminal that MSFT hasn’t just cornered the market. Of course, the longer they wait the more the price to buy out the opposition rises and, in fact, that $5B may no longer be enough though there’s no doubt a creative pricing structure would have real effects, such as to pay informants 2X what they pay code jocks.

Punditry: Will Microsoft buy flaws? Ryan Naraine, Zero Day, March 19th, 2007

Dan didn’t say Microsoft is the Cali Cartel, merely that what they’re dealing with in terms of a criminal exploit culture is the equivalent.

Telephone Monoculture Considered Harmful

Kevin Hogan of Symantec says:
“If Windows CE is taken up in a big way in a large market we may see some increased malware activity,” he warned.

“There is not a lot of functionality built in that will stop attacks on that platform, so there could be a problem if it takes off. As for other operating systems there has been very little new activity.”

Windows use could boost mobile malware: Increasing use of Windows CE could leave mobile users vulnerable, Iain Thomson, vnunet.com, 15 Nov 2006


Mirror Monoculture

Schneier posts irony:

…the problem of agricultural safety and security mirrors the security issues in computer networks, especially with the monoculture in operating systems and network protocols.

Agriculture Security, Bruce Schneier, Schneier on Security, October 20, 2006

I say irony, because of course the concept of monoculture originated in ecology and agriculture, from which it was imported to computing, which Bruce knows as well as anyone else.
