New World

Melissa, Microsoft and monocultures

---

JAMAIS CASCIO advises suits and other Hollywood weasels on what could happen over the next hundred years. He worries about being called a futurist.

Although the press trumpeted Melissa as the worst Internet attack since the Robert Morris Worm, the truth of the matter is that only computers running a particular combination of Microsoft software were vulnerable in any meaningful way. You had to be running Windows and Word 97 and Outlook e-mail. People who weren't running this combination undoubtedly were sitting back wondering what the fuss was all about.

For those of us who pay attention to such things, the fuss was, at its root, about organizations mandating a certain OS, word processor, and e-mail program for all of their users. Turns out that a lot of the places reporting an infestation of Melissa (and its variants) were corporations and government agencies that had enforced a single standard for computing within their confines. Everyone in the company uses the same system, regardless of whether it's the right tool for the job. No platform - or software - diversity allowed.

In biology, a local environment where only a single organism propagates is called a "monoculture". Usually found in agri-business, particularly forestry, monocultures are very efficient and profitable. An entire stand of trees in a "managed forest" will be of consistent size, wood type, even color, minimizing the waste and maximizing the profit from that acreage.

The problem with monocultures is that they are extremely vulnerable to attack. Monoculture stands are identical plants, sometimes even clones, with identical defenses. Unlike a diverse stand of trees, a disease or infestation can rip right through a monoculture, leaving the entire forest worthless and dying. In a diverse stand, diseases and infestations can be stopped when they don't have an immediate host to jump to; in a monoculture, every adjacent tree is a new host, waiting and vulnerable.

The same can be said for computing environments.

Melissa took advantage of the fact that an increasing number of computers run the same set of Microsoft programs. From the virus' perspective, all of these computers had the same "biology", were the same species. As long as the virus got passed from compatible host to compatible host, it could continue to propagate and thrive. The only way it would stop would be if it found itself on a host that wasn't compatible, that didn't have the right set of Microsoft programs. A Mac, for example, or a network using Lotus Notes, or a user with Word 5 instead of Word 97.

Heterogenous environments are safer from infectious attacks because they don't provide a wealth of identical hosts from which to replicate and spread.

There are very good reasons to standardize on a particular platform or a particular set of applications. It's a more efficient use of tech support time, especially as popular systems become increasingly complex and difficult to support. Standardizing on a given set of programs means not having to worry about incompatible file types. The various deals Microsoft gives to computer manufacturers also comes into play -- why spend money for competing applications if consumers can get this software for "free"?

Add to this the increasingly complex inter-program connections in Microsoft applications. In many situations, the intimate coupling of programming interfaces and dynamic libraries means that applications can work together in a seamless fashion. The problem emerges when this increasing software integration -- reportedly, Windows 2000 will include Outlook as part of the OS -- comes with little or no security. A successful attack on one part of the computer opens up the entire machine, and then the entire network.

The appalling aspect of the Melissa macro virus is not that it got loose, but that it was possible at all. Why is it that a word processing document can grab a copy of your address book and send out copies of itself under your name without you even knowing about it? Why is this situation tolerated?

Lest I be accused of gratuitous Microsoft-bashing, let me quickly acknowledge that an all-Macintosh or all-Unix environment would potentially be just as vulnerable to monoculture attacks as an all-Windows office, if there were the same sort of aggressive development of Mac or Unix viruses.

The reality of the world, however, is that Microsoft has come to dominate a growing set of digital environmental niches. The relentless spread of a single platform, steadily incorporating more and more interrelated "features", marginalizes, pushes out, and finally kills its ecological competition, in turn creating the very monocultures that leave the software vulnerable to subversion. We should not be surprised by the appearance of Melissa. Instead, we should take it as a friendly warning.

© Daily Mail & Guardian - 14 April 1999

* Jamais Cascio is a consultant and writer specializing in scenarios of how we may live over the next century. His clients have included mainstream corporations, film and television producers. He has written for many publications, including Wired and TIME, and is currently working on a screenplay. He is an active member of the oldest and most influential online community, The Well, and believes that new technologies are pushing people into new social, economic and political realms.