To the contrary, I did take this into account in the portion of the quote that you cut:Heterogeneity increases survivability of the *species*, but does little to protect the individual.
What you're not taking into account is contagion. Amongst a homogeneous population, a pathogen that infects your friends can likely infect you. Amongst a heterogeneous population, if the same pathogen infects a friend, there's a significantly lower probability it can infect you.
A site manager seeking to protect their own servers cares little if an attack that takes them down doesn't take down their competitors. In fact, it's kind of bad if heterogeneity means that you go down and your competitors don't. At most, you could say that running the most common system makes you somewhat more vulnerable to attack, and you should take that into consideration when planning your security.
Running more common species makes you more vulnerable.
As I said the last time the bio analogy came up, analogies are like goldfish: sometimes they have nothing to do with the topic at hand. The notion of being non-promiscuous and careful about who you talk to does not work here: non-vulnerable Linux mail servers are fully capable of passing virus-infected mails to vulnerable Windows clients. Firewall mailing lists are currently full fo sorry stories about Blaster coming in through VPNs, even though the firewall was blocking the right ports from the outside.How does this affect networks? Well, if you're a webserver or mailserver that talks to everyone, the heterogeneity doesn't buy you so much (other than, as you said, there might be more pathogens for popular systems). But if you're configured to not talk to the whole world (via a firewall, or something equivalent), then you're a whole lot safer if the machines you do communicate with are different from you in ways that make contagion harder.
Crispin
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
