|Computer Viruses Are Caused By Proprietary Software|
This article was started on 2001-09-22, based on a longer original article in French, Les virus informatiques comme sous-produits des logiciels exclusifs. It is available under the bugroff license.
After the Code Red worm hit the world while the SirCam virus was simultaneously flooding my mailbox and destroying a few friends' computers, I decided that enough was enough and that public awareness ought to be raised so as to eliminate the problem of viruses at its roots. Hence, I wrote (in French) an article, Les virus informatiques comme sous-produits des logiciels exclusifs, in which I explained why, according to me, the main reason why computer viruses spread so easily and do so much damage is proprietary software. Here is a summary of the arguments I developed.
|2 Mode of Software Dissemination|
When your system is designed around the proprietary paradigm, you are meant to get your software from a variety of proprietary sources, each different, each having its own monopoly, all the more since the "base system", being proprietary, can't possibly be simultaneously tailored to everyone's needs, which thus opens the way to a great number of complementary third parties. Hence in a proprietary software system, it is normal for users to install software from unidentified sources, uncontrolled by the system vendor. Unauthorized copyware, shareware, and demoware are all normal phenomena in the proprietary software world, and only increase the need for such ability to constantly install programs. Software promiscuity is the rule of proprietary software system users.
With free software, the situation is reversed: not only are "base systems" very feature-rich, because they can be freely modified, and so are actively modified and fit together by competing distribution makers, but these competing distribution makers can also manage in a nice way the installation of whatever proprietary third party software could be needed. Hence, in a free software system, the only normal way for new software to be installed is directly from a trusted source. Software hygiene is the rule of free software system users.
We will now proceed to show that from this fundamental difference in paradigms, it follows that proprietary software systems are wide open to viruses and worms, while free software systems are essentially resistant.
|3 Applicability to Existing Systems|
These arguments apply with full force to the flagship systems of proprietary software and of free software, Windows and Linux. They apply equally to other free software operating systems: FreeBSD, NetBSD, OpenBSD, etc. However, the situation for other proprietary systems is somewhat more subtle.
For instance, whereas the arguments apply fully to MacOS 9 and earlier versions, part of Apple's MacOS X is directly based on the BSD family of free software operating systems, so its situation is intermediate. Also, Apple tries to control software distribution on its platform, which is a brake on software distribution in general, viruses as well as good software, and possibly prevents it from having the flagship position in its category; see more about that phenomenon below.
Proprietary unices are also in an intermediate situation; most of the software installed by users is also free software or direct derivatives, and the rest is usually expensive professional software installed by experts. This makes them both almost as secure as free software and completely unsuitable for use by average users.
Finally, note that if the flagship system in each category were to change, the arguments would still apply with full force to the new systems, because the essential mode of software dissemination would still be the same.
|4 Centralized "Marketplaces"|
A mitigating phenomenon in the insecurity of proprietary software distribution is that of centralized "Software Marketplaces" such as those provided by Apple for third-party MacOS X software, or by all kinds of vendors on Mobile Phone platforms.
Such systems may indeed provide better security through the accountability and denounceability of the various software sources. However, there is an intrinsic demand for software to be installed outside such centralized interfaces. Maybe for Mobile Phone platforms that are considered gadgets rather than actual computers, users can accept that some software they want is simply not available, and they will have to resort to a real computer to do those things unavailable in the official marketplace. But in the end, for their real computers, they will want to control what software they can install, and be able to install all the software that is not available at the centralized marketplace: software that is filtered by corporate or governmental censorship, software under development that isn't suitable for official commercial release, software that does not justify to the authors the burden of publishing on the centralized marketplace, software that short-circuits corporate and governmental controls (including but not limited to pirated software).
And there again, the fallback distribution mechanism for such software will be promiscuity amongst users of proprietary software systems, and hygiene amongst users of free software systems. Therefore, whereas such systems can notably slow down the spreading of viruses, they don't change the essential nature of the problem.
|5 Irresponsibility of Proprietary Software Vendors|
Current proprietary software systems add insult to injury by including dubious features that induce strong security risks: implicit execution of code when receiving mail, opening documents, browsing the web, inserting removable media (floppies, CD-ROMs), or decompressing archives; user-interface confusion between (potentially dangerous) executables and (innocuous) documents, that only experts can distinguish; lack of proper system-wide software package installation management; etc.
Such aggravating circumstances show how Microsoft and other proprietary software system vendors behave in an irresponsible way. This irresponsibility in behaviour can be directly linked to their irresponsibility with respect to the market: since there is legally no possible competition on software distribution services, vendors do not face any threat of potential loss by providing shoddy security; on the contrary, they face direct loss by spending money on tightening security.
|6 Current Contingencies|
The fact that Windows runs on most computers favors the dissemination of Windows-based viruses and worms by a network effect, and encourages virus-writers to target this platform. This, however, is only a temporary factor that holds while Microsoft survives; it isn't intrinsic to the difference between free software and proprietary software.
Hello. My name is Francois-Rene Rideau, and I'm a researcher in Luxembourg.
Today, I'm going to examine the issue of computer viruses from an unusual point of view: the Economic Analysis of Law. I will compare the technical situation of free software and proprietary software with respect to security in general and viruses in particular, and will tie the visible difference in technical outcome to structural differences in legal settings.
Economic Analysis of Law tries to explain the outcome of people adopting rules of behaviour in terms of the dynamic of incentives that these rules induce.
Let's begin with computer viruses. Every year or so, there is one of them that causes a major disruption in computer activity and hits the headlines: Michelangelo, Friday the 13th, Melissa, I Love You, SirCam, etc. They are always relatively simple programs, targeted at some common security flaw in the design and implementation of some widely available computer system. They then replicate and disseminate themselves by means that involve the active help of some unsuspecting user — usually clicking on the wrong button — and that wrong button often is your favorite Microsoft mail user agent. (If they can disseminate fully automatically without requiring any user action, they are called worms, and are an altogether different topic, but let's not open this can of worms.) Viruses waste your precious resources: computer time, disk space, network bandwidth, and most importantly, human time; but they can have various other malicious effects, such as disrupting the normal operation of computer systems, corrupting data, leaking sensitive information, allowing intruders to enter your system, and even damaging your hardware.
Software distribution model: chaotic vs organized Law of Eristic Escalation Centralization vs ... Standardization: chaotic monopolies vs orderly packages
Implicit code execution: Microsoft blunder? application-centric vs document-centric Forced use => forced vulnerability Data Archive formats: self-extractible vs document identifying executable files
Reaction speed: depreciation of administration services homogeneity auditability: closed vs open traceability filtering: reactive vs proactive compatibility: bug-compatible binaries vs bug-fixing sources damage containment
Target size barrier to entry: motivation of petty hackers to destroy vs build
Technically, viruses for Unix have existed, but never in the wild.
Application-centric vs document-centric view of the world. Proprietary software survives by selling licenses to software; free software survives by attracting developers. Proprietary software competes for users' minds; free software competes for developers' minds. Since proprietary software targets unproficient people, it succeeds by building up hype and instant gratification at easy things regardless of long-term results and difficult problems; since free software targets proficient people, it succeeds by delivering ease of development and deep gratification by providing real structural solutions to difficult problems. Proprietary software is marketed toward the public by weaving its unique features into as many documents as possible, whereas support may be lacking and users should conspicuously not be organized in a strong community capable of any concerted action. Free software is marketed toward developers by building strong community support, whereas any notably good features are duplicated or integrated in all other free software. On proprietary software platforms, even the worse applications fight hard to be present on the users' desktop; on free software platforms, the better applications sometimes don't fight hard enough to be on your desktop. A successful proprietary system displays all over your system even when you don't use it; it's everywhere and you can't escape it; users talk about it. A successful piece of free software is mostly invisible on your desktop, even though it's everywhere it can help; it doesn't get in the way when you don't want it; only developers talk about it.
Liberty: with proprietary software, the only simple programs you can write that have non-trivial effects are viruses - destructive software. With free software, your creativity is immediately rewarded at doing positive things - collaborating on constructing software.
expect the unexpected
Not just diversity for the sake of diversity, but *differential survival* => selection of the fittest, and not just in one unique winner-takes-all competition over average behaviour, but in as many competitions as there are innumerably diverse niches that fit the needs of some among millions of diverse users, and over every single feature.
As usual in Economic Analysis of Law, the conclusion will be that a little liberty goes a long way toward ensuring safety — not through direct effects, but through the dynamics of it. Or, to put it the other way, a little protectionism goes a long way toward making a bad mess out of the industry it is applied to. Liberty doesn't help handle the things that have been foreseen, but neither is it a hindrance for them. However, it precisely helps to handle all those things that people couldn't think of in advance or wouldn't think of in advance. Whereas protectionism ensures that some privileged people's interest will be protected to the detriment of some exploited people's interest.
Design Ideas for a Future Virus... and for a Future Security Architecture
Le Libre Logiciel (my page on Free Software, in French)