Forwarded From: Aleph One <aleph1@underground.org>
http://www.salon.com/tech/feature/1999/04/07/melissa/index.html
Who was vulnerable to Melissa? Only users
and companies who'd standardized on a
software "monoculture" -- like Microsoft's.
By Jamais Cascio
April 7, 1999 | I admit it: I am highly amused that a virus named after a
topless dancer from Florida managed to bring the Internet to its
(figurative) knees. I can be amused, since I wasn't affected by the virus
in the least. Unlike the hapless users who found that a list of porn-site
passwords had been sent from their machines to 50 of their nearest and
dearest friends, I'm on a Mac, and I use WordPerfect and Eudora.
Although the press trumpeted Melissa as the worst Internet attack since
the Robert Morris Worm, only computers running a particular combination of
Microsoft software were vulnerable in any meaningful way. You had to be
running Windows and Word 97 and Outlook e-mail. People who weren't just
sat back and wondered what the fuss was all about.
For those of us who pay attention to such things, the fuss was, at its
root, about organizations mandating a certain operating system, word
processor and e-mail program for all of their users. Turns out that many
of the places reporting an infestation of Melissa (and its variants) were
corporations and government agencies that had enforced a single standard
for computing within their confines.
This has become increasingly common. For reasons of efficiency, entire
offices -- from receptionists to graphic designers to engineers -- are
moved to a "standard" platform. Everyone in the company uses the same
system, regardless of whether it's the right tool for the job; no platform
or software diversity is allowed.
In biology, a local environment where only a single organism propagates is
called a "monoculture." Usually found in agri-business, particularly
forestry, monocultures are very efficient and profitable. An entire stand
of trees in a "managed forest" will be of consistent size, wood type, even
color, minimizing the waste and maximizing the profit from that acreage.
Sometimes the plants are cloned from a standard model. Trees that aren't
the right "crop" for the area are eliminated, as they take up space and
sap resources that would otherwise go to the desired species.
Natural monocultures are less common, but are not unknown. Extremely
aggressive species, introduced into a region where their natural predators
are unknown, can quickly overwhelm the ecological niches, driving the
native competitors to the margins, or to extinction.
The problem with monocultures is that they are extremely sensitive to
attack. Monoculture stands are identical plants with identical defenses.
Unlike a diverse stand of trees, a disease or infestation can rip right
through a monoculture, leaving the entire forest worthless and dying. In a
heterogeneous stand, diseases and infestations can be stopped when they
don't have an immediate host to jump to; in a monoculture, every adjacent
tree is a new host, waiting and vulnerable.
The same can be said for computing environments.
Melissa took advantage of the fact that an increasing number of computers
run the same set of Microsoft programs. From the virus' perspective, all
of these computers had the same "biology" -- they were the same species.
As long as the virus got passed from compatible host to compatible host,
it could continue to propagate and thrive. The only way it would stop
would be if it found itself on a host that wasn't compatible, that didn't
have the right set of Microsoft programs. A Mac, for example, or a network
using Lotus Notes, or a user with Word 5 instead of Word 97.
Heterogeneous environments can be safer from infectious attacks because
they don't provide a wealth of identical hosts through which a virus can
replicate and spread. In a diverse ecology, each of the different species
will have a different set of defenses and different kinds of
vulnerabilities. This is not a new revelation; for years, it was standard
procedure in the aeronautics industry to have redundant pieces of flight
software, in many cases written by entirely different teams, so that they
wouldn't fail in the same way.
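As an added illustration of the host-to-host argument above (this is not code from the original article), a small Python model of Melissa-style spread: hosts sit in departments, every address book has 50 entries, and a copy only propagates from a host running the full Windows, Word 97 and Outlook stack. The department layout, the bridge contact and the stack tuples are constructed assumptions.

```python
"""Toy propagation model for the article's monoculture argument (constructed example).

Hosts sit in departments of 50. Each address book holds the 49 colleagues plus one
contact in the next department, so a Melissa-style worm that mails itself to the
first 50 entries takes a whole department at once and has one bridge onward. A copy
only propagates from a host running the full Windows + Word 97 + Outlook stack;
any other combination is modelled as a dead end (Word without Outlook can open the
document but has no mailer to forward it with).
"""
from collections import deque

SUSCEPTIBLE = ("Windows", "Word 97", "Outlook")
MAC = ("Mac OS", "WordPerfect", "Eudora")            # the author's own setup
NOTES = ("Windows", "Word 97", "Lotus Notes")        # right OS and Word, wrong mailer
DEPT_SIZE = 50

def address_book(host, n):
    """50 entries: 49 colleagues plus the same seat in the next department."""
    dept = host // DEPT_SIZE
    colleagues = [h for h in range(dept * DEPT_SIZE, (dept + 1) * DEPT_SIZE) if h != host]
    return colleagues + [(host + DEPT_SIZE) % n]

def simulate(stacks_by_dept, patient_zero=0):
    """Breadth-first spread; returns the set of hosts that ran and forwarded the macro."""
    n = len(stacks_by_dept) * DEPT_SIZE
    def stack_of(h):
        return stacks_by_dept[h // DEPT_SIZE]
    if stack_of(patient_zero) != SUSCEPTIBLE:
        return set()                                  # the document never ran at all
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        sender = queue.popleft()
        for rcpt in address_book(sender, n):
            if rcpt not in infected and stack_of(rcpt) == SUSCEPTIBLE:
                infected.add(rcpt)                    # compatible host: the macro runs again
                queue.append(rcpt)
    return infected

MONOCULTURE = [SUSCEPTIBLE] * 5                       # every department on the same stack
MIXED = [SUSCEPTIBLE, SUSCEPTIBLE, MAC, SUSCEPTIBLE, NOTES]

def blast_radius(stacks_by_dept, patient_zero=0):
    return len(simulate(stacks_by_dept, patient_zero))

if __name__ == "__main__":
    print("monoculture:", blast_radius(MONOCULTURE), "of 250 hosts")
    print("mixed:", blast_radius(MIXED), "of 250 hosts")
```

In the mixed layout the worm clears the first two departments and then dies at the Mac department, which also shields the susceptible department behind it; in the monoculture every bridge lands on a compatible host and all 250 machines are reached.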
Admittedly, there are compelling reasons to standardize on a particular
platform or a particular set of applications. It's a more efficient use of
tech support time, especially as popular systems become increasingly
complex and difficult to support. Standardizing on a given set of programs
means not having to worry about incompatible file types. The deals
Microsoft offers computer manufacturers also come into play: Why spend
money for competing applications if consumers can get this software for
"free"?
Then there are the increasingly complex inter-application connections in
Microsoft programs. In many situations, the intimate coupling of
programming interfaces and dynamic libraries means that applications can
work together tightly. But problems arise when this increasing software
integration (reportedly, Windows 2000 will include Outlook as part of the
operating system) comes with little or no security. A successful attack on
one part of the computer opens up the entire machine, and then the entire
network.
The appalling aspect of the Melissa macro-virus is not that it got loose,
but that it was possible at all. Why is it that a word processing document
can grab a copy of your address book and send out copies of itself under
your name without you even knowing about it? Who decided that swoopy new
features and powerful inter-application commands should be added to a
system without any thought of security? We should be grateful that the
Melissa author chose only to be annoying, and not truly malicious.
Lest I be accused of gratuitous Microsoft-bashing, let me quickly
acknowledge that an all-Macintosh or all-Unix environment would be nearly
as vulnerable to monoculture attacks as an all-Windows office, if there
were the same sort of aggressive development of Mac or Unix viruses.
The reality of the world, however, is that Microsoft has come to dominate
a growing set of digital environmental niches. The relentless spread of a
single platform, steadily incorporating more and more interrelated
"features," marginalizes, pushes out and finally kills its ecological
competition -- in turn creating the very monocultures that leave the
software vulnerable to subversion.
Melissa's spread should not surprise us. Instead, we should take it as a
friendly warning.
Received on Wed Apr 7 21:17:00 1999