A report last week from a group of security experts and Microsoft competitors raised a very familiar argument: It's dangerous for such a large percentage of users to rely on the products of one vendor, specifically Microsoft. Much of the report, especially the parts written by the Computer and Communications Industry Association (a group formed by Sun, Oracle, AOL, and a number of other Microsoft competitors), goes on to say that Microsoft products themselves are particularly dangerous. The group implies that everyone should be using their products instead.
This second argument is about as credible as anything you read in an advertisement. It may or may not be true; you have to consider the facts and that the message is coming from interested parties.
However, the first argument, which has come to be known as the argument against a “monoculture,” shouldn't be dismissed so easily. (This is completely different than the mono culture I once had in high school. The test came back positive and I was forced to miss a couple of weeks of classes.)
The monoculture argument makes absolute sense in the abstract. It's worth noting that this observation is hardly new in software, and the argument is partly inspired by experience in other fields. Environmentalists have used it to argue against certain farming practices, where an over-reliance on particular strains can cause an over-susceptibility to a blight or some other disease. Biologists will argue over whether specific practices really do raise such risks, but the abstract argument does make sense.
The analogy to the software market is pretty good. Given that we have our share of blights (worms, viruses and other malware), the argument becomes more compelling. Almost all the authors of these attacks target specific operating systems, and because of its popularity, Windows is the obvious target.
I'm further drawn towards this argument because it doesn't rely on some of the juvenile put-downs and sore loser talk that so often dominate criticism of Microsoft. Even if one believes that Windows is, on its own, as secure as any other operating system available, a monoculture is still dangerous.
There are other non-software analogies to this line of reasoning. For example, the anti-globalist protestors ready to torch a McDonald's. It's because they see an American monoculture extending its grasp over the rest of the world and smothering others. (Now, I don't agree with this; it's just my sense of the argument.) I also think of Salon.com's TV ads pitching the line that the major media is dominated by a few major corporations and they all say the same thing.
I see a lot of this sort of anticorporate sentiment in the monoculture arguments against Microsoft, and I see the attendant paternalistic notion that other people are being suckered into something that's not in their interest, but we know better. When considering the monoculture argument, it's important to know exactly what argument you are making.
Personally, the only argument I take seriously is the biological analogy: it's dangerous to have one overwhelmingly dominant platform because it vastly increases the ease of mounting effective attacks. But what can be done about it?
As Bruce Schneier, security analyst and one of the authors of the report, observes, alternatives exist to Microsoft's products. This is an essential point that is perhaps so obvious that it never gets stated: Nobody was ever forced to buy a Microsoft product. Everyone who has ever bought a Microsoft product has chosen to do so and has done so over the alternatives, which have always included computers from Apple and UNIX-based computers, and now include Linux from numerous sources, many of them free.
I guess the authors of the report feel that consumer choice is not enough, and that consumers are making the wrong choices. I'm inclined to think that any serious effort involving government to change the balance of platforms in the market (or, to use Microsoft's ironic term, “the ecosystem”) will interfere with the freedom of consumers to make choices, or at least impede their rational decision making. What about government purchasing? Like anyone else, governments have the ability to buy non-Microsoft products. That they still buy a lot of Windows computers tells me that they think Windows is the best fit (or at least the lowest bid).
Speculate, instead, about a world in which multiple operating systems are in widespread use. In terms of security we would almost certainly be better off, even though most of those operating systems have their own rich sets of vulnerabilities. For example, there's a long list of Linux vulnerabilities. Most of them are in peripheral packages, but this doesn't usually matter; nobody runs just the Linux kernel.
Problems such as these go mostly unnoticed today because they usually go unexploited, but that would likely change in our hypothetical world in which lots of regular people are actually using Linux. Just as with Windows, many of these users would not bother to take the time and effort to patch systems. How many people are still running Linux 1.x? But lots of people are running Windows from that era.
Even so, I'm sure that overall security would improve because mass attacks could never be as massive as they are today. Worm-infected e-mail would have less of a chance of actually infecting its target computer, because fewer of those targets would be running the proper platform.
But of course, security isn't the only consideration. It makes sense that security analysts would tell us, in effect, that security is more important than anything else and that we should be buying non-Microsoft products because of security issues, all other considerations be damned. But people have been rushing in droves to buy Microsoft products for years and I doubt it is because of security. They do so because the products offer a better value proposition.
Telling buyers to buy something else for reasons of general public policy won't be an easy sell. For starters, it doesn't appeal to what is rational to the individual's buying process.
For the most part, ordinary people don't buy “alternative” operating systems like Linux because these platforms are ill-suited to the tasks they need to do. Apple is able to keep a non-trivial market share with a completely proprietary platform, and think of how much more they would sell if they gave up on their own hardware and sold the Mac OS for the standard PC platform. The developers making UNIX and Linux should get their own products up to these standards before talking seriously about getting large numbers of users to run them.
eWEEK.com Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.