The Linux Desktop Monoculture: This Is Better Security?

Monoculture is a big part of what ails us in the Windows world. Ironically, to succeed in the mass desktop market, Linux may have to develop a monoculture of its own.

The sources of our computer security problems these days are diverse. But theres general agreement (even I agree to some extent) that one of the major sources is the overwhelming market share of the Windows platform and the single target it creates for attackers as well as legitimate software developers. This is the famous "monoculture" argument.

To a degree, this argument holds that even if we all agreed that Windows is well-designed and robustly secure, attackers would still have an advantage because of the ubiquity of the platform. Furthermore, security attacks are almost always platform-specific, and if youre looking to write a successful attack youd want (like any developer) the widest possible market, so you have a reason to choose Windows. The theoretical argument is strong, as is the empirical evidence, that a monoculture facilitates overall insecurity.

Now Linus Torvalds himself says that 2004 will be the year that Linux breaks into the desktop. Could this be the beginning of the unraveling of the monoculture? I have a slightly different perspective on this issue.

First I should mention that while I agree with Linus that the elements of a credible and successful Linux desktop are stronger than they have been in the past, Ill be very surprised if there is any really serious growth. The market for Linux desktops could double or triple and it would still be puny. Linux couldnt have a more enthusiastic free-spending evangelist than IBM these days; they do certify a fair number of their systems (almost all ThinkPads) for Linux, but try to buy a notebook or desktop from them with Linux preloaded. When major PC companies start to offer Linux PCs, then Ill believe it has arrived.

One thing those companies are going to insist on is a consistent platform. When you buy a computer from Dell, its Dell that assumes the main support burden. If we imagine a Dell Linux PC anytime soon, Im fairly certain that Dell will make decisions for us in that PC, such as one specific distribution, one specific window environment (e.g., just KDE, no GNOME or any of the alternatives), and so on. Making their support burden manageable means limiting the number of items they are obligated to support.

Next page: A big step forward?