I can see how the biology analogy could lend itself to a preordained outcome, but I do not think that was the case in this research. For one, it is really just a biology analogy; the mathematics are standard graph theory/statistical mechanics. Actually, the original results we got back from the simulations had mass network failure occurring when 23-24% of nodes were compromised, all being of the same species. It turned out we had a flaw in the code, but with that result you could not really argue that monopolies cause a security vulnerability. It would be impossible to enforce a mandate saying no one vendor could have more than 23% of the market. The conclusion would be that even with a thriving competitive market, vendor-specific vulnerabilities can do heavy damage. Going after Microsoft or any other quasi-monopoly in this case would not accomplish much. If you look at Code Red affecting Microsoft servers, they only made up 23-24% of servers connected to the Internet at the time (and that was all MS....

I will say it is easy to fall into the politically biased trap, especially as more people pay attention to what you are doing, but it is something we try hard to stay away from. Sorry if this has wandered off topic in that regard.

As an aside, it is interesting that no worm has yet exploited a platform that has a large market share and is at the core of the network.

----- Original Message -----
From: Jamie Reid <Jamie.Reid@mbs.gov.on.ca>
Date: Wednesday, January 21, 2004 11:20 am
Subject: Re: Diversity as defense
These questions are of a personal interest etc...
Interesting use of biological metaphors. Is security accurately expressed as an economy? Or rather, can security problems be solved as problems of economy?
I think it is a very compelling and thought provoking paper, but I wonder if using a specific biological model to support an economic conjecture is sufficiently immune to being coloured by political bias.
I am not accusing the authors of unacknowledged bias; however, the segue from a biological model to an economic conclusion exposes the conclusions to being interpreted as a moral indictment of monopolies in the marketplace.
I don't mean to harp, as I have asked questions about the motivations behind some of your research before (namely the value of linking attacks to country of origin), and I hope to have any of my misconceptions corrected as effectively as they were previously.
Best,
--
Jamie Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
<sgorman1@gmu.edu> 01/19/04 03:35pm >>>
We've been seeing a bit of media attention of late to diversity as a technique to make networks more secure:
http://news.com.com/2009-7349_3-5140971.html?tag=nefd_lede
The usual suspect is Microsoft with 97% of OSs, but Cisco's 86% of the router market has been cited as well, as have the SNMP vulnerabilities of two years ago. The diversity, monoculture and agriculture analogy makes nice press, but how realistic is diversity as a defense? Is cost the biggest hurdle, or limited availability of competitive products, or simply no bang for the buck by diversifying? We've run some simulations testing the effects of different levels of diversity, but wanted some feedback on feasibility.
http://arxiv.org/abs/cond-mat/0401017
Any comments, feedback or discussion would be greatly appreciated.
best,
sean
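As an added illustration of the "species" idea discussed in this thread (not the authors' simulation code from the arXiv paper above): a minimal percolation model in which every node is assigned a vendor by market share, all nodes of one vendor are lost at once, and the giant connected component that survives is the crude measure of how much of the network still functions. The sparse random graph, the vendor names, the default sizes and the seed are all assumptions made here; the market shares tried in the driver are the ones quoted in the thread plus two more for comparison.

```python
import random
from collections import deque

def random_graph(n, mean_degree, rng):
    """Sparse random graph with about n*mean_degree/2 undirected edges (constructed)."""
    adj = [set() for _ in range(n)]
    for _ in range(n * mean_degree // 2):
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v:
            adj[u].add(v)
            adj[v].add(u)
    return adj

def assign_vendors(n, shares, rng):
    """Give every node one vendor ('species'), drawn according to market share."""
    vendors = list(shares)
    return rng.choices(vendors, weights=[shares[v] for v in vendors], k=n)

def giant_component_fraction(adj, alive):
    """Largest connected component among surviving nodes, as a fraction of all nodes."""
    n, seen, best = len(adj), [False] * len(adj), 0
    for start in range(n):
        if seen[start] or not alive[start]:
            continue
        seen[start], queue, size = True, deque([start]), 0
        while queue:
            u = queue.popleft()
            size += 1
            for w in adj[u]:
                if alive[w] and not seen[w]:
                    seen[w] = True
                    queue.append(w)
        best = max(best, size)
    return best / n

def simulate_vendor_compromise(shares, target, n=2000, mean_degree=4, seed=1):
    """Return (giant fraction before, giant fraction after) when every `target` node is lost."""
    rng = random.Random(seed)  # fixed seed (assumed) so the run is reproducible
    adj = random_graph(n, mean_degree, rng)
    vendor = assign_vendors(n, shares, rng)
    before = giant_component_fraction(adj, [True] * n)
    after = giant_component_fraction(adj, [vendor[i] != target for i in range(n)])
    return before, after

if __name__ == "__main__":
    for share in (0.10, 0.24, 0.50, 0.86, 0.97):
        before, after = simulate_vendor_compromise({"A": share, "B": 1 - share}, "A")
        print(f"vendor share {share:.0%}: giant component {before:.2f} -> {after:.2f}")
```

In this simple model there is no sharp collapse at 23-24%: losing a quarter of the nodes shrinks the giant component but leaves most of the rest connected, while a 97% share wipes it out, which is the kind of baseline a cascading-failure model has to be compared against.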