A small reflection on diversity arguments

I have been arguing for platform diversity as a structural defence for over a year. The argument: a heterogeneous network is structurally more resistant to single-platform attacks, regardless of which platforms are involved.

The second Linux worm in two months (Lion followed Ramen) requires me to re-examine this argument honestly. Linux is no longer a niche target; the foundation of "diversify away from Windows" is weakening.

The argument as I have been making it

The specific shape: Windows is the dominant platform; attackers focus on Windows; Linux is structurally protected by being a smaller target.

For most of 1999 and 2000 this was demonstrably true. Mass-mailing worms targeted Outlook. Trojans targeted Windows desktops. The IIS Unicode bug targeted Windows servers. Linux operators were, on the available evidence, at measurably less risk.

The argument shaded into a more general claim: any minority platform gets the same structural advantage. OpenBSD, FreeBSD, BeOS, Plan 9, anything-not-Windows.

Where the argument breaks down

Three problems with my argument as I have been making it.

The threshold for attacker attention is lower than I thought. Linux server deployment is, in 2001, a few percent of internet servers. This is enough for attackers to target. The threshold is not "majority" or even "large minority"; it is "economically worthwhile", which is a much smaller number.

The Linux worms exist because Linux is now economically worthwhile to target. The same threshold will be reached by other platforms as their deployment grows. The protection of being a minor platform is temporary.

The protection is asymmetric in ways I had not articulated. Server Linux is targeted; desktop Linux mostly is not. The two are different markets with different attacker incentives. A diversity argument that conflates them is sloppy.

For servers, Linux deployment is now substantial enough to be targeted. For desktops, Linux remains too minor for most attacker attention. The diversity argument needs to be more specific about which population is being defended.

The protection only matters if the minority platform is also well-administered. A poorly-patched Linux server is, on the available evidence, more dangerous than a well-administered Windows server. The platform choice does not produce structural defence by itself; the operational discipline produces it.

I have been writing as if platform diversity were sufficient. It is not. The combination of platform diversity and good operational discipline is what produces the structural defence.

What the argument should be, more honestly

A more careful version:

Platform diversity reduces the impact of single-platform attacks. A monoculture is uniformly affected by any attack against the dominant platform. A heterogeneous environment is not. This is true for any attack distribution that is platform-targeted; it is less true for attacks that target multiple platforms.

The economic threshold for attacker attention is low. A platform with even a few percent of the install base is targeted. The protection of obscurity is real but is bounded.

Diversity must be combined with discipline. Each platform has its own patching, hardening, and monitoring requirements. Diversity multiplies these. An organisation that cannot maintain rigorous discipline on its primary platform should think hard about whether adding a second platform improves or worsens its overall posture.
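The trade-off in the preceding paragraphs can be made concrete with a small model. This is an added illustration, not part of the original essay; the fleet shares, unpatched fractions and campaign weights are constructed numbers chosen only to show the shape of the argument.

```python
"""Toy model of diversity versus discipline.

A fleet maps a platform name to its share of hosts and the fraction of
those hosts still missing the relevant patch. A campaign is the set of
platforms it can exploit. A host is lost only if its platform is in the
campaign's target set and it is unpatched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Platform:
    share: float      # fraction of the whole fleet on this platform
    unpatched: float  # fraction of those hosts missing the relevant patch


def loss_fraction(fleet: dict, targets: frozenset) -> float:
    """Fraction of the whole fleet lost to one campaign against `targets`."""
    return sum(p.share * p.unpatched for name, p in fleet.items() if name in targets)


def worst_single_platform_loss(fleet: dict) -> float:
    """Worst case over campaigns that each hit exactly one platform."""
    return max(loss_fraction(fleet, frozenset({name})) for name in fleet)


def expected_loss(fleet: dict, campaigns: dict) -> float:
    """Expected loss given campaign weights (weights should sum to 1)."""
    return sum(w * loss_fraction(fleet, targets) for targets, w in campaigns.items())


# Constructed scenarios (not measured data).
MONOCULTURE = {"windows": Platform(1.0, 0.10)}
MIXED_DISCIPLINED = {"windows": Platform(0.7, 0.10), "linux": Platform(0.3, 0.10)}
MIXED_SLOPPY = {"windows": Platform(0.7, 0.10), "linux": Platform(0.3, 0.60)}

# Constructed attack distribution: mostly single-platform campaigns,
# with a minority that exploits a bug present on both platforms.
CAMPAIGNS = {
    frozenset({"windows"}): 0.6,
    frozenset({"linux"}): 0.3,
    frozenset({"windows", "linux"}): 0.1,
}

if __name__ == "__main__":
    for label, fleet in [("monoculture", MONOCULTURE),
                         ("mixed, disciplined", MIXED_DISCIPLINED),
                         ("mixed, sloppy second platform", MIXED_SLOPPY)]:
        print(f"{label:32s} worst single-platform loss {worst_single_platform_loss(fleet):.2f}"
              f"  expected loss {expected_loss(fleet, CAMPAIGNS):.3f}")
```

With these numbers the disciplined mixed fleet caps any single-platform campaign at 7% of hosts against 10% for the monoculture, while the sloppy mixed fleet loses 18% to a Linux-only campaign and 25% to a cross-platform one, which is the outcome the paragraph above warns about.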

The case for diversity is strongest in segments where the dominant platform's attacks are most frequent. Servers running web applications, mail relays, DNS — places where attacks against the dominant platform are constant. The case is weaker for purely-internal segments where attacker access is harder.

What this implies for my advice

I need to be more careful in how I frame the diversity argument. Specifically:

Stop treating diversity as a substitute for discipline. Some of my writing has implied that running Linux is, in itself, a defensive choice. It is not. Running Linux with current patches and minimal services is the defensive choice; the platform alone is not enough.

Be more specific about which population is being defended. Server-segment diversity has different implications than desktop-segment diversity. The advice should be specific.

Acknowledge the cost. Diversity has operational costs that I have under-emphasised. Smaller organisations that cannot bear the cost may be better served by deeper discipline on a single platform than by lower discipline on a diverse one.

Continue to argue for it where it makes sense. Where the costs are bearable and the threat profile is clear, diversity remains a meaningful structural defence. The argument does not collapse; it just requires more specific framing.

A small note on writing about structural arguments

The broader lesson, for me, is that the framing of structural arguments deserves more care. "Diversity is good" is too coarse; "diversity in this segment under these conditions, with these specific operational disciplines, is good" is the level of specificity the argument actually needs.

This is the kind of clarification I get from honest re-examination of my own writing. The calibrated humility discipline I committed to in 1999 produces these clarifications periodically. I am increasingly convinced that the discipline of re-reading one's own writing is at least as valuable as the discipline of producing it.

More as the year develops.
