November 30, 2023

Archives for February 2004


Lately, computer security researchers have been pointing out the risks of software monoculture. The idea is that if everybody uses the same software product, then a single virtual pathogen can wipe out the entire population, like Dutch Elm Disease mowing down a row of identical trees. A more diverse population would better resist infection. While this basic observation is accurate, the economics of monoculture vulnerability are subtle. Let’s unpack them a bit.

First, we need to review why monoculture is a problem. The more common a product is, the more it will suffer from infection by malware (computer viruses and worms), for two reasons. First, common products make attractive targets, so the bad guys are more likely to attack them. Second, infections of common products spread rapidly, because an attempt to propagate to a new host is likely to succeed if a high fraction of hosts are running the targeted product. Because of these twin factors, common products are much more prone to malware problems than are rare products. Let’s call this increased security risk the “monoculture penalty” associated with the popular product.

The monoculture penalty affects the incentives of consumers, making otherwise unpopular products more attractive due to their smaller penalty. If this effect is strong enough, it will prevent monoculture as consumers protect themselves by shunning popular products. Often, however, this effect will be outweighed by consumers’ desire for compatibility, which has the opposite effect of making popular products more valuable. It might be that monoculture is efficient because its compatibility benefits outweigh its security costs. And it might be that the market will make the right decision about whether to adopt a monoculture.

Or maybe not. At least three factors confound this analysis. First, monoculture is often another word for monopoly, and monopolists behave differently, and often less efficiently, than firms in competitive markets.

Second, if you decide to adopt a popular product, you incur a monoculture penalty. Of course, you take that into account in deciding whether to do so. But in adopting the popular product, you also increase the monoculture penalties paid by other people – and you have no incentive to avoid this harm to others. This externality will make you too eager to adopt the popular product; and there is no practical way for the other affected people to pay you to protect their interests.

Third, it may be possible to have the advantages of compatibility, without the risks of monoculture, thereby allowing users to work together while suffering a lower monoculture penalty. Precisely how to do this is a matter of ongoing research.

This looks like a juicy problem for some economist to tackle, perhaps with help from a techie or two. A model accounting for the incentives of consumers, producers, and malware authors might tell us something interesting.

California Lawsuit Against Diebold

A group of Californians has filed a lawsuit in state court against voting machine vendor Diebold, in advance of the March 2 primary election.

The complaint asks the court to order Diebold to do three main things: (1) to refrain from further violations of state election laws and regulations, such as installing uncertified software for use in elections, (2) to implement the stopgap security measures recommended by the Raba report, in time for the March 2 primary election, and (3) to implement the longterm security measures recommended by the Raba report or else to withdraw the Diebold systems from use.

Comment Spam

I enabled user comments on this site several months ago, and on the whole I’ve been quite happy with the results. But I’ve had an increasing problem with comment spam, comments submitted to advertise products unrelated to my original postings. Many of these spam comments seem to be trying to leech off of my good Google page-rank, by causing my pages to link to theirs.

I’m fighting back technologically, but that’s a pain in the neck and will just lead the spammers to invent workarounds. So here’s a question for my lawyer readers: Is there anything I can do legally about this? Suppose, for instance, that I made people agree to simple Terms of Use before they posted a comment, and the Terms gave me some legal recourse against anybody who posted spam. It’s my site, and it seems to me that I should have the right to impose reasonable conditions on comment posters. I don’t know how effective this would be at actually stopping the spam, but it’s interesting to consider nonetheless.

U.S. Exports DMCA to Australia

Kim Weatherall notes that in the recent “Free Trade” Agreement between the U.S. and Australia, the Aussies agreed to implement a DMCA-like law, and to extend their term of copyright. Needless to say, these are both bad ideas. Kim offers a long post recounting the history of this issue in Australia.

I only wonder what the U.S. negotiators had to give up, or what other Australian concession they had to forgo, in order to cement these unfortunate provisions.

More Journal Editors Have Declared Independence

In response to my previous post about the revolt by the editors of the Journal of Algorithms, Peter Suber points out that journal editors have “declared independence” before, at least twelve times. Peter’s blog, Open Access News is a great source for news about the trend toward open access to scholarly publications.