Strength in Digital Diverisity

Let's get this out of the way up front: any computer system that is not up-to-date with security patches to known vulnerabilities is a disaster waiting to happen. Two questions in the wake of the first major randsomware exploit, dubbed Wannacry, are:

  1. If your system is up-to-date with patches that doesn't mean you're safe - what else can you do to protect yourself?
  2. If your system isn't up-to-date with security patches, why not?

The real question: what can we change to reduce the effectiveness to this exploit - or more competently deployed future exploits - that have the potential to create a serious bunch in the fabric of modern society?

Safety in Diversity

Just like every economist knows monopolies are bad for everyone in an economy except the monopolist, every biologist knows the monocultures are fragile disasters waiting to happen. With the pre-Cambrian explosion of software we've seen since the dawn of the Internet era, it's now possible to call the digital environments we all use - that you're using to allow you to read this article - are ecosystems. I would assert that diversity in digital ecosystems is just as valuable as it is in analogue biological ecosystems.

Some digital ecosystems, due to the top-down nature of their design - for instance those run by two of the largest business entities in human history - focus on being uniform to minimise complexity. That profit-motivated consistency has the inherent side effect of minimising diversity creating a multi-generational monoculture.

The real weakness is the fact that those who release malware into the wild know that for every identified security vulnerability in that monoculture, there are tens-to-hundreds of millions of computers that are uniformly vulnerable and can be exploited in one fell swoop - a substantial incentive, and fertile ground for a self-perpuating pandemic. With those kinds of numbers, "critical mass" can rapidly be achieved, exactly the way it has been in human societies in past viral pandemics.  It's the collection of large numbers of computers with the same flaws, in close proximity, that makes this possible.

The uniformity of Windows is what makes it as profitable as it is for the Microsoft Corporation to control and support it as a single global entity... it is, however, not adventageous to is users.

In contrast to the Microsoft monocultures, the open source Linux ecosystem is vastly more diverse. This diversity is the result of a total lack of command-and-control top-down management like that exerted by the Microsoft Corporation. The Linux world is completely self directed. Entities using Linux can pick and choose Linux kernel configurations, versions, platform architectures, and many other variables based on a staggering diversity of hardware and performance requirements. Yes, there is some conformity due to popular Linux distributions like Ubuntu, Fedora, and dozens of others, but ultimately command and control is given to end user.

It is this top-down command and control and the proliferation of separately managed specialist proprietary packages on proprietary platforms like Microsoft Windows which do not coordinate their updates with their underlying platforms that is the real barrier to a robust and healthy ecosystem.

Due to the relative lack of profit-motivated Linux distributions and deployments of Linux on billions of computers - everything from consumer devices to high performance (aka "Super") computers - and the fact that in most cases, the entire ecosystem of software packages used on a given system is managed by the distribution provider and updates are made available quickly and confidently by developers motivated by technical correctness and self-interest as users themselves, there is little if any barrier to keeping Linux systems up-to-date, including all the relevant user applications.

Yes, there are certainly many poorly supported and maintained OEM devices using the Linux operating system (aka "abandonware"), carrying many known security vulnerabilities. But these systems occur with such diversity of flaws and in such small densities, that they do not comprise a suitably rich source of vulnerable systems to motivate those trying achieve a critical mass.

Voluntary Ransomware

The Wannacry randsomware took advantage of a known vulnerability in various versions of Microsoft Windows used by approximately 90% of desktop software users - or hundreds of millions of computers. In most cases, that vulnerability was patched by the relevant maintainers of those computers, but in many - millions - of cases, these patches were not applied. Why?

There seem to be two reasons:

  1. lack of sufficiently skilled support people to apply them, and
  2. concerns about the compatibility of specific applications in the face of these security patches.

The first issues is not specific to a given operating system technology - there is a global dearth of skilled computer support people to manage large installations of computers. This sort of problem would affect large collections of insufficiently well-maintained (but otherwise uniform) computers.

The second issue, however, is one that is caused by the prevalent model for procuring and delivering proprietary software. The disconnect between the platform on which the software runs and the software itself - often high cost, very specialised proprietary niche software products managed by different top-down command-and-control entities with different motivations and and incentives - creates huge friction in attempts to keep the underlying platform up-to-date.

The problem is proprietary command-and-control

The thing that makes Linux peferable to Microsoft Windows (and any widely deployed proprietary platform with a proliferation of proprietary applications) is that Linux divests command-and-control of software and platform management to the end user, while also providing comprehensive defaults of non-profit-motivated updates. The end user, in the case of open source platforms and applications, is also the developer (or has the potential to be).

Consider this extended pandemic analogy: to address the liability of viral threats to our human ecosystem, we have the tension between multinational corporate-controlled proprietary pharmacuticals vs. generics and remedies developed without a profit motive (e.g. folk remedies like aspirin, and many others out-of-patent protection). In the software ecosystems we similarly have the choice of trusting the relatively uniform top-down control by proprietary corporations or relatively non-uniform bottom-up self-organising software communities to mitigate the threat to our ecosystems.

Unlike the pharmacological side of that analogy, where most real innovation occurs within the proprietary for-profit model, in the software world much (and perhaps most) innovation occurs outside of the proprietary profit-motivated environment. It is carried out by universities, governments, and motivated individuals, using widely-available tools (computers, connected to the Internet) unconstrained by the barriers to entry like health and safety regulation (like FDA).

I think that the strength of distributed organisations exerting our own control over our computing ecosystems to look after our own safety, holds compelling and fundamental advantages over trusting a tiny number of profit-motivated proprietary software platform suppliers plus the myriad of tiny niche proprietary software application providers to successfully coordinate their efforts to protect us from global catastrophic (malicious or accidental) computing platform compromise and failure.