Comment by tptacek
1 day ago
I don't think that's proven out, like, at all; measure it against the returns on hardening mainstream platforms. The "monoculture" security thing has always been overblown, not least because you're never going to get an ecology where you have enough diversity to matter. Having 3 mainstream desktop or phone options is only marginally better than having just 1, and you're never going to have 20.
Do you do anything besides post on HN ;)
Put everything in Microsoft Active Directory. Wait until it gets hacked. You will lose DNS, DHCP, email, file servers, web servers, endpoints, etc. Obviously, running a monoculture is a dumb thing to do if you want to keep your business running.
Maybe instead, run BIND on Linux servers, Apache on OpenBSD servers, have some Chromebooks, some Macs, etc. so everything doesn't go down together.
Really, it's not overblown... it's just common sense to diversify. Like we do with our diet/nutrition, with our financial investments, etc.
It sounds like common sense, but halfhearted diversification --- which is all that's available to mainstream users and enterprises --- can easily reduce security. That's because almost all real world security is logically perimeterized, with a single outward-facing attack surface that's given attention and an implicit premise that post-compromise persistence and pivoting is a given. Nobody survives an internal pentest, not even in 2025.
So by running BIND on Linux and Apache on OpenBSD and trying to tie it all into MSAD, what you're really doing is just expanding your attack surface, and once any of those are broken, attackers won't have to care about the state of the art in vulnerabilities to extend access from there.
The "monoculture" stuff is a product of a time when security pundits worried Microsoft was running the table on corporate IT. We're (generally) SaaS startup people here and very few of us run any Microsoft stuff. Almost all of us are better off extensively hardening a single Linux server environment than we are in deliberately trying to sprinkle NetBSD and Microsoft servers. That doesn't improve security; it just turns your network into a CTF challenge.