Diversity as defense

Alexei Roudnev alex at relcom.net
Tue Jan 20 17:21:28 UTC 2004


Correct. Microsoft's problem is not security alone, but monoculture. If we
have all systems around Windows2003, we are exposed to the risk of a
devastating virus attack, no matter how secure this Windows2003 is.

----- Original Message ----- 
From: <sgorman1 at gmu.edu>
To: <Valdis.Kletnieks at vt.edu>
Cc: <nanog at merit.edu>
Sent: Tuesday, January 20, 2004 7:18 AM
Subject: Re: Diversity as defense


> Agreed, vendor lock in is a very big problem, what the economists would
> call increasing returns.  Interestingly most of the research on the
> subject finds that a vendor achieves "lock in" and a dominant market
> position not by being the most competitive product.  Random historical
> accident, policies, market fluctuations, etc. - i.e. beta vs. vhs or CP/M
> vs. DOS vs. Apple.  Probably getting far off topic here, but if you
> decreased the ability of vendors to lock in customers (increase
> competition) could you increase diversity and security at the macro scale?
>


--------------------------------------------------------------------------------


> On Mon, 19 Jan 2004 15:35:22 EST, sgorman1 at gmu.edu  said:
> > The diversity, monoculture and agriculture analogy makes nice press, but
> > how realistic is diversity as a defense?
>
> Well.. if diversity were to actually exist, it would be quite helpful.
> Right now, if you have a Windows exploit, you might as well point and pull
> the trigger because you have an 86% chance of nailing the target.  Add in
> a Linux exploit and you're well over 90%.  That's Russian Roulette with a
> 10-shooter and one bullet.
>
> On the other hand, let's think about if there were 10 products that each
> have 10% market share, and even a minimal attempt at deterring
> fingerprinting of the target, you're looking at a 90% chance that the
> exploit you launch will fail and leave a nasty mark on an IDS.  Suddenly,
> it's 9 bullets and one blank.  And even worse odds if you haven't been
> picking up all the exploits in the series - or not all the products are
> vulnerable.
>
> Unfortunately, it's not a realistic scenario, because...
>
> > Is cost the biggest hurdle or limited availability of competitive
> > products, or simply no bang for the buck by diversifying?
>
> I can sum up *every* problem I've had in getting people to migrate in just
> 3 words: "vendor lock in".  Enough said on that topic.
>



