Saturday, 16 November 2002

For the sake of argument, let's say that you're a farmer. You look at the other farmers nearby and 90% of them are planting cotton; the others are mostly growing peanuts. What should you do?

• Plant cotton. It's the biggest crop with the largest market.
• Plant peanuts. There's less competition, and they taste great!

I don't know what you'd decide, but Steven Den Beste is growing cotton. Never mind about supply and demand, competition, advertising costs, the robber baron who dominates the cotton exchange—none of those things matter. Cotton is king!

Or, at least, that's what I gather from Steven's latest essay on Macs, PCs and viruses. Sometimes I think Steven is trolling whenever he writes about Macs; other times I think his finely tuned engineer's mind simply doesn't understand why Macs don't disappear in a puff of logic.

Steven takes issue with the opening statement from a NewsFactor article on Macintosh viruses: "Historically, Mac OS users have had little to fear from the scourge of viruses plaguing their Windows counterparts. The operating system's "Classic" incarnation was practically impervious, Macworld editor Jason Snell told NewsFactor." Steven considers this to be utter nonsense, and says so in about as many words; MacOS 9, he proclaims, is actually more vulnerable to viruses and trojans than Windows NT and its offspring, and the reason Macs don't have any cool, fast-spreading viruses like Klez is that Macs are too small of a niche market for virus authors to bother with.

Let's say that you've planted your cotton, and a few months later the boll weevils come. They eat your whole crop, and then infest all your neighbors—except that one guy down the road a few miles, who's growing peanuts. What do you conclude?

• If everyone grew peanuts, there'd be peanut weevils.
• Peanuts are more pest-resistant than cotton.
• Maybe we shouldn't all be growing the same crop.

Boll weevils decimated the Southern USA in the 1930s because cotton was a monoculture there—almost every farmer who could grow cotton was growing it, and the boll weevils looked at Texas through Georgia as one enormous picnic grounds. They couldn't have asked for a better environment in which to thrive and feast.

Steven's article on Mac viruses (and the lack thereof) is right on the general points, but wrong on the conclusion: If we replaced an all-Windows monoculture with an all-Mac monoculture, the virus authors would surely switch and go after the low-hanging fruit on the Mac platform. But the right solution to this problem isn't to replace the Cotton King with the Peanut King; it's to start growing soybeans and sorghum and rotating crops every now and then.

The idea that we can only replace the Windows monopoly with another monopoly is a trap that many people fall into: We've lived with tyranny for so long that we can only think of change in terms of replacing one tyrant with another. We think that Microsoft's monopoly is the natural outcome of market forces, and—heaven help us—some of us actually drink the Kool-Aid and believe that it's beneficial to consumers.

Microsoft's OS monopoly creates a uniform market for computer software, the theory goes; by creating a large pool of identical consumers, it lowers the barrier for writing applications, which fosters competition and drives down prices. The corollary to this theory is that Playstations, GameCubes and XBoxes are bad for consumers, because they fragment the market, make console games more expensive to write, and reduce the number of games available. (?) By further extension, we can conclude that Ford, GM, Chrysler, Toyota, et al. are bad for consumers, because they fragment the market for auto parts—if the automakers would just converge on a standard and get rid of all the incompatible mufflers, carburetors, etc. that plague the industry, the world would be a much better place for parts manufacturers, and thus better for consumers. (???)

Or not. Maybe what's good for Microsoft is bad for the consumer. Maybe Microsoft's "standardization" efforts are self-serving, anti-competitive, and give the consumer more security risks than benefits. Maybe the consumer would be better served by a free and open market, with a neutral referee who sets the standards and ensures competition. Maybe the Klez virus and its brethren would find it harder to propagate in an environment where not every machine had the same e-mail client, the same address book, and the same scripting language that allowed you to access them.

...which brings us back to the classic MacOS. Steven observes (correctly) that no operating system can defend against social engineering attacks, which Klez and other viruses rely upon to trick the user into unwittingly lowering defenses and helping to spread the virus. Mac users may be smarter and more attractive than Windows users, but they're certainly not immune to trickery. (Steven would probably claim that, if anything, MacOS users are more gullible than the general population, because they pay more money for less computer—but we've touched on this subject before.)

Where the classic MacOS had an advantage over Windows, though, is that the MacOS of old did not have a single, dominating e-mail client with an insecure scripting language and an easy-to-access address book. A MacOS 9 virus that tries to do what Klez does will find it bewilderingly difficult to predict the user's e-mail client, locate the user's address book, or access a scripting language with convenient "hooks" for propagating a virus: The vectors just aren't there. It isn't "security through obscurity," as Steven describes it; it's security through diversity, and it exists in everything from Space Shuttle computers to our transportation infrastructure.

So, to answer Steven's assertion: It is much easier for viruses to spread within a monoculture than a diverse environment. Windows NT/XP/ME and the associated family of Microsoft applications is a monoculture. Classic MacOS is not a monoculture, and even if we boosted its market share to 90%, its e-mail systems would still be more diverse and harder to exploit than a same-sized group of Windows machines. Microsoft's monoculture is not a natural state of affairs for the OS industry, any more than it would be "natural" for Sony or General Motors to have 90% market share in their industries. The ideal way to reduce the vulnerability of our computing infrastructure would be to restore competition to the operating systems market, not to replace one monopolist with another—but since the DoJ just passed up yet another opportunity to do exactly that, the odds of it happening anytime soon are limited.

I should also note that MacOS X does have a dominant e-mail application and a consistent address book location, so it is, in that regard, equally vulnerable to a Klez-style virus that harvests e-mail addresses. Perhaps Apple agreed with Steven Den Beste's contention, that you're not a major player in the computer industry unless your OS has some really fast-spreading viruses?

- Posted by Scott Forbes at 12:14 am. comments.