Monoculture: Flawed Argument

Dan Geer has written again about his monoculture concerns with Microsoft on endpoints. He calls it a "back of the envelope" analysis. This type of label serves a great purpose because it absolves the author of any requirement for due diligence while making points that many will still believe and internalize. I happen to believe the monoculture argument is extremely weak, so I am happy to critique the article regardless.

Some pertinent points:

  • The math is incorrect – off by an order of magnitude. This doesn’t really matter because…
  • The assumptions are poor – there are more like 800 million desktops in use on the Internet.
  • The units are inconsistent – the analysis equates infections per day with website visits. This only works if the average number of websites visited per day is one. (This works for the monoculture argument, I believe.)
  • The data point is confusing – why use data on botnets when discussing "cascade failure" and "survivability"? In fact, the goal of botnets is to keep the PC up and running, so it survives. (It would potentially create another problem, if you believed the monoculture argument to begin with.)

There are two even more significant reasons why the argument is a red herring:

  1. It ignores all security mechanisms. In fact, if monoculture really were a problem, we’d already have had cascade failure at least twice – with Blaster and Sasser. (This would actually hold true for any worm that targeted Windows.)
  2. It is entirely impractical. Even the monoculture article states (my emphasis):

10 days after our publication the CIO of the Department of Homeland Security was being grilled on the subject of monoculture on the floor of the House of Representatives [3], not that it dissuaded him from ending up with 200,000+ desktops, all Microsoft.

That is pretty much the whole point.

There is no security issue with monoculture, at least at the endpoint. It is much more likely that some monoculture of network devices, nameservers, or other components in the cloud could create Internet failure.

1 comment for “Monoculture: Flawed Argument”

  1. Ed
    December 12, 2005 at 12:29 pm

    You the man. Props to you for saying this loud, clear, and publicly.
