Friday, March 13, 2009


Another type of diversity

In the H.G. Wells story, War of the Worlds, Martians attack the Earth and things are pretty hopeless. We have no match for their sizzling death ray, and they look about to slaughter us entirely. Ulla!

But then they get a common virus, one that people on Earth shake off all the time. Keeps us home sick for a couple of days, worst case. Wiped the Martians out completely.

Sorry for the spoiler, but I think most of you already know the story.

The point is that they didn’t have any immunity to it, so it spread from Martian to Martian like... well, like their death ray... and killed them all. A lack of diversity did them in: they had no individuals who could cope with the virus.

We see that on the Internet all the time.

No, not Martians: viruses, and lack of diversity. Nearly everyone uses Windows, Internet Explorer, Microsoft Word, Adobe Acrobat. Nearly everyone is vulnerable — they lack immunity to computer viruses and other “malware” that attacks those ubiquitous programs.

Here’s where F-Secure, an antivirus software vendor in Finland and home of my favourite antivirus blog, recommends diversity:

Do note that while we are recommending users move away from Adobe Reader, we are not recommending any particular replacement.

So, we’re not recommending Foxit. We’re not recommending Sumatra. Or PDF-Xchange, CoolPDF or eXPert PDF.

Instead, we recommend users to find their own Adobe Reader replacement.

This way we get more heterogeneous userbase, which is a good idea security-wise. Nobody wants to repeat what happened with the great IE —> Firefox switch. As 40% of users switched to Firefox, about 40% of the attacks switched to target Firefox.

Monocultures are bad.

They’re right, of course, but there are negative points to their advice too.

Avoiding the most popular programs is certainly a way to avoid most of the attacks, and Apple has been using that advice in its Mac advertisements. PCs get viruses. Macs don’t. It’s accepted as truth. But it’s simply the fact that not enough people use Macs for it to be worth the time to develop malware for them. It’s easier just to target the 90% who use PCs and Windows.

But that has a dark side. How many Mac users run antivirus software? Most don’t, right? After all, Macs don’t get viruses, so why bother? Why pay money, why take up disk space and processor cycles with it? And then, when someone does write and spread a Mac virus, aren’t Macs like the Martians in War of the Worlds?

On the other side of the battle — fixing the holes that the malware exploits — it’s also likely that the more popular software will have developers focusing on fixes, both because they’re used to it and have people assigned to it, and because the consequences of exposure are more serious, more widespread.

Then, too, there’s a lot of help out there on the Internet for users of popular software. How do you configure it, what are some of the common problems with it, how do you work around difficulties, is there someone to walk you through things when you need that? You’re much less likely to find a network of experts to help you with software that few people use.

Certainly, people who are likely to be reading F-Secure’s blog are probably equipped to deal with these sorts of issues. The average Internet user is not, and I’m not sure I’d suggest that the average Internet user go looking for a rarely used alternative to Adobe Reader, or to the web browser, or to word processing software, despite the real advantages of software diversity.

No comments: