Hi,

This is one of the better articles I came across on the Melissa issues. Assuming many security-aware readers on this list, I thought I'd forward it for some interesting reading.

OBFW: Does your FW scan for the newest macro viruses?...

cu
-pete

> Forwarded From: Aleph One <[EMAIL PROTECTED]>
>
> http://www.salon.com/tech/feature/1999/04/07/melissa/index.html
>
> Who was vulnerable to Melissa? Only users
> and companies who'd standardized on a
> software "monoculture" -- like Microsoft's.
>
> By Jamais Cascio
>
> April 7, 1999 | I admit it: I am highly amused that a virus named after a
> topless dancer from Florida managed to bring the Internet to its
> (figurative) knees. I can be amused, since I wasn't affected by the virus
> in the least. Unlike the hapless users who found that a list of porn-site
> passwords had been sent from their machines to 50 of their nearest and
> dearest friends, I'm on a Mac, and I use Word Perfect and Eudora.
>
> Although the press trumpeted Melissa as the worst Internet attack since
> the Robert Morris Worm, only computers running a particular combination of
> Microsoft software were vulnerable in any meaningful way. You had to be
> running Windows and Word 97 and Outlook e-mail. People who weren't just
> sat back and wondered what the fuss was all about.
>
> For those of us who pay attention to such things, the fuss was, at its
> root, about organizations mandating a certain operating system, word
> processor and e-mail program for all of their users. Turns out that many
> of the places reporting an infestation of Melissa (and its variants) were
> corporations and government agencies that had enforced a single standard
> for computing within their confines.
>
> This has become increasingly common. For reasons of efficiency, entire
> offices -- from receptionists to graphic designers to engineers -- are
> moved to a "standard" platform.
> Everyone in the company uses the same
> system, regardless of whether it's the right tool for the job; no platform
> or software diversity is allowed.
>
> In biology, a local environment where only a single organism propagates is
> called a "monoculture." Usually found in agri-business, particularly
> forestry, monocultures are very efficient and profitable. An entire stand
> of trees in a "managed forest" will be of consistent size, wood type, even
> color, minimizing the waste and maximizing the profit from that acreage.
> Sometimes the plants are cloned from a standard model. Trees that aren't
> the right "crop" for the area are eliminated, as they take up space and
> sap resources that would otherwise go to the desired species.
>
> Natural monocultures are less common, but are not unknown. Extremely
> aggressive species, introduced into a region where their natural predators
> are unknown, can quickly overwhelm the ecological niches, driving the
> native competitors to the margins, or to extinction.
>
> The problem with monocultures is that they are extremely sensitive to
> attack. Monoculture stands are identical plants with identical defenses.
> Unlike a diverse stand of trees, a disease or infestation can rip right
> through a monoculture, leaving the entire forest worthless and dying. In a
> heterogenous stand, diseases and infestations can be stopped when they
> don't have an immediate host to jump to; in a monoculture, every adjacent
> tree is a new host, waiting and vulnerable.
>
> The same can be said for computing environments.
>
> Melissa took advantage of the fact that an increasing number of computers
> run the same set of Microsoft programs. From the virus' perspective, all
> of these computers had the same "biology" -- they were the same species.
> As long as the virus got passed from compatible host to compatible host,
> it could continue to propagate and thrive.
> The only way it would stop
> would be if it found itself on a host that wasn't compatible, that didn't
> have the right set of Microsoft programs. A Mac, for example, or a network
> using Lotus Notes, or a user with Word 5 instead of Word 97.
>
> Heterogenous environments can be safer from infectious attacks because
> they don't provide a wealth of identical hosts through which a virus can
> replicate and spread. In a diverse ecology, each of the different species
> will have a different set of defenses and different kinds of
> vulnerabilities. This is not a new revelation; for years, it was standard
> procedure in the aeronautics industry to have redundant pieces of flight
> software, in many cases written by entirely different teams, so that they
> wouldn't fail in the same way.
>
> Admittedly, there are compelling reasons to standardize on a particular
> platform or a particular set of applications. It's a more efficient use of
> tech support time, especially as popular systems become increasingly
> complex and difficult to support. Standardizing on a given set of programs
> means not having to worry about incompatible file types. The deals
> Microsoft offers computer manufacturers also come into play: Why spend
> money for competing applications if consumers can get this software for
> "free"?
>
> Then there are the increasingly complex inter-application connections in
> Microsoft programs. In many situations, the intimate coupling of
> programming interfaces and dynamic libraries means that applications can
> work together tightly. But problems arise when this increasing software
> integration (reportedly, Windows 2000 will include Outlook as part of the
> operating system) comes with little or no security. A successful attack on
> one part of the computer opens up the entire machine, and then the entire
> network.
>
> The appalling aspect of the Melissa macro-virus is not that it got loose,
> but that it was possible at all.
> Why is it that a word processing document
> can grab a copy of your address book and send out copies of itself under
> your name without you even knowing about it? Who decided that swoopy new
> features and powerful inter-application commands should be added to a
> system without any thought of security? We should be grateful that the
> Melissa author chose only to be annoying, and not truly malicious.
>
> Lest I be accused of gratuitous Microsoft-bashing, let me quickly
> acknowledge that an all-Macintosh or all-Unix environment would be nearly
> as vulnerable to monoculture attacks as an all-Windows office, if there
> were the same sort of aggressive development of Mac or Unix viruses.
>
> The reality of the world, however, is that Microsoft has come to dominate
> a growing set of digital environmental niches. The relentless spread of a
> single platform, steadily incorporating more and more interrelated
> "features," marginalizes, pushes out and finally kills its ecological
> competition -- in turn creating the very monocultures that leave the
> software vulnerable to subversion.
>
> Melissa's spread should not surprise us. Instead, we should take it as a
> friendly warning.
>
> salon.com | April 7, 1999
