The sources of our computer security problems these days are diverse. But theres general agreement (even I agree to some extent) that one of the major sources is the overwhelming market share of the Windows platform and the single target it creates for attackers as well as legitimate software developers. This is the famous “monoculture” argument.
To a degree, this argument holds that even if we all agreed that Windows is well-designed and robustly secure, attackers would still have an advantage because of the ubiquity of the platform. Furthermore, security attacks are almost always platform-specific, and if youre looking to write a successful attack youd want (like any developer) the widest possible market, so you have a reason to choose Windows. The theoretical argument is strong, as is the empirical evidence, that a monoculture facilitates overall insecurity.
Now Linus Torvalds himself says that 2004 will be the year that Linux breaks into the desktop. Could this be the beginning of the unraveling of the monoculture? I have a slightly different perspective on this issue.
First I should mention that while I agree with Linus that the elements of a credible and successful Linux desktop are stronger than they have been in the past, Ill be very surprised if there is any really serious growth. The market for Linux desktops could double or triple and it would still be puny. Linux couldnt have a more enthusiastic free-spending evangelist than IBM these days; they do certify a fair number of their systems (almost all ThinkPads) for Linux, but try to buy a notebook or desktop from them with Linux preloaded. When major PC companies start to offer Linux PCs, then Ill believe it has arrived.
One thing those companies are going to insist on is a consistent platform. When you buy a computer from Dell, its Dell that assumes the main support burden. If we imagine a Dell Linux PC anytime soon, Im fairly certain that Dell will make decisions for us in that PC, such as one specific distribution, one specific window environment (e.g., just KDE, no GNOME or any of the alternatives), and so on. Making their support burden manageable means limiting the number of items they are obligated to support.
Now, as a Linux advocate, I might still view this as a big step forward. This is the view taken by Bruce Perens with his UserLinux initiative. Perens has taken a lot of guff from KDE snobs over his decision to use GNOME. Debates like KDE vs. GNOME arent as common or vicious as they used to be, but theyre still a big part of Linux culture and administrative issues. Imagine having to deal with training or support for Linux and having multiple distributions, KDE and GNOME to deal with. Likewise, when dealing with your friends, relatives, school, whatever. If Linux on the desktop is going to go big time it has to mean one consistent thing.
So the ironic result could be that for Linux to be successful on the desktop, it needs to develop a monoculture all its own. Popularity of Linux on the desktop will also mean popularity of Mozilla, OpenOffice and a few other things that will become more popular targets for attackers as their prominence grows. Randomly broadcast e-mails with social engineering attacks on this Linux desktop platform will stand a better chance of success; imagine the genuine-looking e-mail from [email protected] with a “security patch” attached to it and instructions for installation.
Linux on the desktop has a catch-22: Either it consolidates around a more consistent platform that can be thought of as “Linux” in the same way as Windows (or major versions of Windows), or the PC industry will have plenty of reasons to resist it. Not a happy set of facts.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Be sure to check out at http://security.eweek.com for the latest security news, views and analysis.
More from Larry Seltzer