Of Mouseovers, Monocultures and Open Source

So, Grandpa, where were *you* when the great Twitter mouseover meltdown took place? Aside from the thrill of being a witness to one of the defining events of the twittersphere (well, this month), living through yesterday's fun and games offers us...

Share

So, Grandpa, where were you when the great Twitter mouseover meltdown took place? Aside from the thrill of being a witness to one of the defining events of the twittersphere (well, this month), living through yesterday's fun and games offers us an important insight, as Charles Arthur notes in the Guardian:

What prevented the Twitter worm from taking over the entire service? After all, at one stage some of the pranks being used meant that simply by looking at a twitter.com page which had an infected tweet, you'd be infected and would reweet that to all your followers. (Ask Sarah Brown, who has a 1.1m followers and had one of them.)

The answer turns out to be simple: what saved Twitter, and its users, was the fact that the majority of its traffic comes via its API (applications programming interface, which hooks into the back-end systems), rather than from visits to the website itself.

…

because far more people – roughly 80% - access Twitter via its API, which was already correctly escaping the HTML in tweets, they were safe, and simply wondered why they were seeing this strange jargon in their feeds.

Contrast that with past worms – such as the ILOVEYOU worm, where the landscape was, essentially, flat: anyone with a Windows computer who opened the email with that title would get infected, because it used Visual Basic script, which was (almost) always enabled.

That's spot on, but I think we can draw a further moral from this tale. As Arthur mentions in passing, the worms of yore were so devastating because they could exploit a global monoculture: Microsoft Internet Explorer or Microsoft Word running on Microsoft Windows just about everywhere. This made it far simpler to exploit weaknesses in distant PCs, because the actual architecture was known with a high degree of probability.

With the mouseover mess, we were saved by the wonderfully diverse ecosystem of Twitter clients operating through the Twitter API. This meant that assumptions that were correct for code running on the twitter.com site were not valid elsewhere.

This hammers home once more the importance of avoiding monocultures, and encouraging rich and diverse ecosystems (multicultures?) One of the easiest ways of doing that is to adopt free software alternatives to all the Microsoft warhorses. The open source world being what it is, it is far more varied, not least in terms of versions and applications (critics might even call it fragmented). That makes mass attacks hard, and therefore unlikely, since ne-er-do-wells don't even bother trying when they can just code for Windows.

Open source is certainly not immune to attacks – for example, I fell victim to the mouseover exploit despite using a completely free software stack (thanks, Twitter.com) - but it reduces the risk overall. That means if you are not using it for business, you are increasing that risk – which would be a pretty irresponsible thing to do, no?

Follow me @glynmoody on Twitter or identi.ca.

"Recommended For You"

Twitter teen hacker hired by web app developer Microsoft delivers stopgap defense against active IE10 attacks