Internet Security, Monocultures, and Economic Manifest Destiny

Lots of security experts like talking about the risks of software monocultures which basically says that if there are a whole lot of similar machines on the Internet — all running Windows XP Home, say — then it’s generally fairly easy (well, as these things go) to find a security hole that lets you gain control of all of them, and worse because it’s so common lots of people are trying to do it. So less-popular systems often end have a security advantage — Apple’s OS X isn’t that secure, yet it receives far, far less than its fair share of worms, viruses and other attacks compared to Windows systems.

Okay. That’s point one.

Point two is derived from this article by Steven Den Beste which attempts to link fossils, colonisation, globalisation and the war on terror. The linking factor is that competing fossils, races, and ideologies can grow for a while without having to destroy each other, but eventually they’ll saturate their environment, and the weaker competitors will die off. Basically, the theory is that competitive systems tends to kill off variety, and tend towards a monoculture (although obviously they don’t necessarily ever reach it, nor necessarily do it particularly quickly).

Operating systems and applications fit this theory pretty well: they compete on their merits, and monocultures tend to pay off in every area except security (and sometimes even then — if you’ve got a bunch of computers runnign the most secure OS on the planet, it’s probably not a good idea to add in another couple of less secure computers just for variety; even though the security-by-diversity arguments remain just as true). And historically, competition does tend to crush diversity — there are fewer realistically competing desktop OSes now than there were in the early 90s — we used to have DOS, Desqview, Windows, AmigaOS, OS/2, MacOS — while we now only really have a couple — Windows, MacOS and Linux — and MacOS and Linux are now both Unix derivatives with fairly similar underlying architectures. Much of the difference can probably be explained by “convergence” — Windows, AmigaOS and MacOS had pretty different markets back in the 80s, and you couldn’t really do the same things on any of them; as that changed, the number of viable OSes declined. The same thing’s true of Linux distributions, programming toolkits for Windows, word processors, and more.

So that’s the setup, the dialectic if you will: variety’s good; but it’s also self-defeating — in the end, there will be only one.

But variety is possible in some circumstances, in ways that don’t appear to be merely transitory. The current situation with mail servers seems to match that, eg — an April 2003 scan of some 20,000 hosts came up with the following proportions:

Count   Share   Software
8244    38.78%  Sendmail
3707    17.44%  Microsoft IIS/Other
1981    9.32%   qmail
1789    8.42%   IMail
1244    5.85%   Exim
1243    5.85%   smap
825     3.88%   CPMTA
537     2.53%   Postfix
500     2.35%   Microsoft Exchange
340     1.60%   CheckPoint FireWall-1
848     3.99%   Other
21258   TOTAL

Sendmail still has a pretty good lead in those numbers — you have to include the other four of the top five before you equal its marketshare — but it’s at a level of diversity where attacking sendmail isn’t going to be your one stop shop to world domination.

What’s the analysis then? One is that there’s not a great deal of need for competition: sending emails around is mostly a solved problem, and switching mail servers isn’t usually going to give you any big wins. Another is that there’s not really much commercial incentive in any of the above — you don’t choose Microsoft IIS for the mail server, you choose it for the webserver, or because none of the others run on your OS. Exim, postfix and qmail don’t have a lot between them. Sendmail has a fairly ugly configuration system, isn’t terribly efficient, and has irregular security problems discovered, but usually works pretty fine. Though that is still enough to steadily whittle away sendmail’s dominance (from 100% of the market in the 1980s to what it is today).

But the original thesis was that you’d head towards a monoculture if there was competition; it didn’t say anything about what’d happen if there wasn’t. Which means that particular examples tends to support the thesis, and maybe even supports it being extended to say that competition and monocultures go together, when you’ve got the former, you’ll get the latter; when you’ve got the latter, you’ve had the former.

Which means if we want to retain a good amount of variety in operating systems, or web browsers, or whatever, we’ve got to avoid competition — perhaps not in the small (particular features, our prices), but at least in the large (so that a random person wanting mail is about equally likely to be satisfied with any of the top few mail packages).

In the end, that basically means that when you go to a Microsoft shop you shouldn’t fall over in shock at hearing “Well, we recommend Windows of course, but that Linux stuff’s pretty good too if that’s what floats your boat.”

(By contrast, the same theory when applied to the question of whether open source will ever dominate the world brings up the following answer: it’ll do so precisely when it doesn’t have any flaws compared to other modes of creating software, and when its clear that all the other modes do have comparatively fatal flaws.)

Leave a Reply