[66710] in North American Network Operators' Group
Re: Diversity as defense
daemon@ATHENA.MIT.EDU (sgorman1@gmu.edu)
Wed Jan 21 12:56:05 2004
Date: Wed, 21 Jan 2004 12:55:29 -0500
From: sgorman1@gmu.edu
To: Jamie Reid <Jamie.Reid@mbs.gov.on.ca>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
I can see how the biology analogy could lend itself to a preordained
outcome, but I do not think it was the case in this research. For one,
it is really just a biology analogy; the mathematics are standard graph
theory/statistical mechanics. Actually, the original results we got
back from the simulations had mass network failure occurring when
23-24% of nodes were compromised, all being of the same species. Ended
up we had a flaw in the code, but with that result you could not really
argue that monopolies cause a security vulnerability. It would be
impossible to enforce a mandate saying no one vendor could have more
than 23% of market. The conclusion would be that even with a thriving
competitive market, vendor-specific vulnerabilities can do heavy damage.
Going after Microsoft or any other quasi monopoly in this case would
not accomplish much. If you look at Code Red affecting Microsoft
servers, they only made up 23-24% of servers connected to the Internet
at the time (and that was all MS....

I will say it is easy to fall into the politically biased trap,
especially as more people pay attention to what you are doing, but it is
something we try hard to stay away from. Sorry if this has wandered
off topic in that regard.

As an aside, it is interesting that no worm has yet exploited a
platform that has a large market share and is at the core of the network.

----- Original Message -----
From: Jamie Reid <Jamie.Reid@mbs.gov.on.ca>
Date: Wednesday, January 21, 2004 11:20 am
Subject: Re: Diversity as defense
>
> These questions are of a personal interest etc...
>
> Interesting use of biological metaphors. Is security accurately
> expressed as an economy? Or rather, can security problems be solved
> as problems of economy?
>
> I think it is a very compelling and thought provoking paper, but I
> wonder if using a specific biological model to support an economic
> conjecture is sufficiently immune to being coloured by political bias.
>
> I am not accusing the authors of unacknowledged bias, however, the
> segue from a biological model to an economic conclusion exposes the
> conclusions to being interpreted as a moral indictment of monopolies
> in the marketplace.
>
> I don't mean to harp, as I have asked questions about the
> motivations behind some of your research before (namely the value of
> linking of attacks to country of origin), and I hope to have any of my
> misconceptions corrected as effectively as they were previously.
>
> Best,
>
> --
> Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
> Senior Security Specialist, Information Protection Centre
> Corporate Security, MBS
> 416 327 2324
> >>> <sgorman1@gmu.edu> 01/19/04 03:35pm >>>
>
> We've been seeing a bit of media attention of late to diversity as
> a technique to make networks more secure:
>
> http://news.com.com/2009-7349_3-5140971.html?tag=nefd_lede
>
> The usual suspect is Microsoft with 97% of OS's, but Cisco's 86%
> of the router market has been cited as well as SNMP
> vulnerabilities of two years ago. The diversity, monoculture and
> agriculture analogy makes nice press, but how realistic is
> diversity as a defense. Is cost the biggest hurdle or limited
> availability of competitive products, or simply no bang for the
> buck by diversifying. We've run some simulations testing the
> effects of different levels of diversity, but wanted some feedback
> on feasibility.
>
> http://arxiv.org/abs/cond-mat/0401017
>
> Any comments, feedback or discussion would be greatly appreciated.
>
> best,
>
> sean
>