September 27, 2003


The Register has a good editorial on the cybersecurity paper that got Dan Geer fired from @Stake.

I thought this was the highlight of the piece, it seems to grasp the root of the argument:

"To summarise, monoculture itself is not of necessity bad for security, nor in theory is Microsoft monoculture, provided Microsoft is prepared and able to reform itself. If however it is not, then the Microsoft monoculture is a clear and present danger to global IT security, and it must be reformed via external means.

That is the document's argument, and it's a perfectly sustainable one, albeit not entirely susceptible to being boiled down into a headline soundbite."

You know, for all the controversy surrounding this paper, a couple of things come to my attention. Firstly, Bruce Schneier is a co-author - a rather respected security expert. Secondly, the idea of software diversity to increase the reliability of a distributed system is not a new one.

Security is in many ways a sub-section of general reliability. Gray and Reuter's bible on Transaction Processing has a section on N-Version programming as an approach to software fault tolerance: the idea is that "Heisenbugs" (non-deterministic, non-repeatable bugs vs. deterministic, repeatable "Bohr-bugs") can be thwarted by different pieces of software doing the same job at once.

Posted by stu at September 27, 2003 08:50 AM