September 24, 2003

Potatoes, Cotton, and Cyber Insecurity

- by Joe Barr -
The Computer & Communications Industry
Association (CCIA) has published a study authored by a number of well-known security professionals which warns of the dangers inherent in a computer monoculture. The list of authors include well-known names in computer security as Dan Geer, Charles P. Pfleeger, Bruce Schneier, John S. Quarterman, Perry Metzger, Rebecca Bace, and Peter Gutmann.

In a conference call this morning hosted by Ed Black of the CCIA, authors explained the basic problems with computer security in the world today as being one part the result of a computer monoculture and one part a lock-in mentality. The message they hope the study gets across to government, business, and individuals is that when it comes to computer security, diversity is good.

Using the examples of the potato famine in Ireland during the 1840s and the destruction of the cotton industry by the boll weevil, those experts present on the call were unanimous in raising an alarm over today's ubiquitous single-vendor solutions. They warned that this monoculture will lead to the same disastrous fate that resulted from single strains of potato and cotton crops.

During the call, Dan Geer (CTO of @stake) took responsibility for coming up with the idea for the study and said that he approached the CCIA about publishing it, not the other way around. All the authors involved volunteered their time and effort in preparing the document.

The experts steered away from specific examples of insecure design or recommendations for fixes other than to repeatedly stress that diversity is needed. They did point out, however, that the Department of State's Visa processing system was brought down yesterday by one of the viruses that have afflicted computer users around the world in recent months.

Joe Barr has been writing about personal computing for 10 years, and about Linux for five. His work has appeared in IBM Personal Systems Journal, LinuxGazette, LinuxWorld, Newsforge, phrack, SecurityFocus,, and He is the founder of The Dweebspeak Primer, home of the official newsletter of the Linux Liberation Army, an organization in which he holds the honorary rank of Corporal-for-life.


  • Security
Click Here!