Dan Geer on monoculture and complexity: the case of Heartbleed

It is not every day that one reads an outstanding piece of analysis, especially in the computer security arena. Usually the problem is not that we don’t know what to do; it is that we either don’t know how to do it well or simply don’t bother at all. Dan Geer’s recent blog post on Lawfare is a thoughtful exception. I will only quote a few paragraphs and leave readers the pleasure of reading the original post:

“Only monocultures enable Internet-scale failure; all other failures are merely local tragedies. For policymakers, the only aspect of monoculture that matters is that monocultures are the sine qua non of mass exploitation. In the language of statistics, this is ‘common mode failure,’ and it is caused by underappreciated mutual dependence.”

“The critical infrastructure’s monoculture question was once centered on Microsoft Windows. No more. The critical infrastructure’s monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them. As the monocultures build, they do so in ever more pervasive, ever smaller packages, in ever less noticeable roles. The avenues to common mode failure proliferate.”

“If the device is field upgradable, then it pays to regularly exercise that upgradability both to keep in fighting trim and to make the opponent suffer from the rapidity with which you change his target.”