[66669] in North American Network Operators' Group
Re: Diversity as defense

daemon@ATHENA.MIT.EDU (sgorman1@gmu.edu)
Tue Jan 20 10:19:10 2004

Date: Tue, 20 Jan 2004 10:18:16 -0500
From: sgorman1@gmu.edu
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

Agreed, vendor lock in is a very big problem, what the economists would call increasing returns.  Interestingly, most of the research on the subject finds that a vendor achieves "lock in" and a dominant market position not by being the most competitive product.  Random historical accident, policies, market fluctuations, etc. - i.e. Beta vs. VHS or CP/M vs. DOS vs. Apple.  Probably getting far off topic here, but if you decreased the ability of vendors to lock in customers (increase competition), could you increase diversity and security at the macro scale?
On Mon, 19 Jan 2004 15:35:22 EST, sgorman1@gmu.edu  said:
> The diversity, monoculture and agriculture analogy makes nice press, but how
> realistic is diversity as a defense.

Well.. if diversity were to actually exist, it would be quite helpful.  Right now,
if you have a Windows exploit, you might as well point and pull the trigger because
you have an 86% chance of nailing the target.  Add in a Linux exploit and you're well
over 90%.  That's Russian Roulette with a 10-shooter and one bullet.

On the other hand, let's think about if there were 10 products that each have 10%
market share, and even a minimal attempt at deterring fingerprinting of the target,
you're looking at a 90% chance that the exploit you launch will fail and leave a
nasty mark on an IDS.  Suddenly, it's 9 bullets and one blank.  And even worse odds
if you haven't been picking up all the exploits in the series - or not all the products
are vulnerable.

Unfortunately, it's not a realistic scenario, because...

> Is cost the biggest hurdle or limited
> availability of competitive products, or simply no bang for the buck by
> diversifying.

I can sum up *every* problem I've had in getting people to migrate in just
3 words: "vendor lock in".  Enough said on that topic.
