Musings


by Rik Farrow
<rik@spirit.com>

Rik Farrow provides UNIX and Internet security consulting and training. He is the author of UNIX System Security and System Administrator's Guide to System V.


One of the fun things about being an editor, as I was for the security special edition of ;login:, is that you get to read everything before anyone else does - read it not only once, but perhaps several times as the articles move through the production process. So it was that I had the chance to read Dan Geer's thoughtful and erudite speech about the future of the security market several times. I wrote Dan that I didn't agree with all of his points, and he responded by offering to debate them. I declined, but was still troubled by several things he said.

One was that the large vendors are in the best position to provide security products. Vendors already sell service and support and have access to the software, so they are in a great position to provide vertical security integration. My thought was, well, so what? They have had this access for years without doing anything about it. Although the resolution of risk will be a driving force in the near-term future of computing, as Dan drove home, I have seen vendors selling a firewall as a "service" that cost $150,000 to set up. At USENIX, a sysadmin from Sun presented a paper in which she described internal software for closing all the known security holes in Solaris. The internal software was not available outside of Sun, and one wonders why Sun didn't just patch its distributions. With a track record like this, I wonder what the big vendors will do with their opportunity to provide risk management.

The Commons

The statement that really stuck in my mind was something else. Dan mentioned Garrett Hardin's term "tragedy of the commons." Hardin's observation was that what is shared in common tends to be subdivided and vandalized over time. The commons referred to were public lands that townspeople could use "in common" for purposes such as cattle grazing. But my wife suggested a more recent example: dogs being banned from a large playing field because their owners didn't clean up the piles of doggy poop left behind. This is a good example of a subset of people ruining a common space for all through their "vandalism."

Dan was referring to the future of UNIX, not to fields. The fate of UNIX as an open system has been that each vendor that licensed it changed it sufficiently to make software porting a big issue and system administration of heterogeneous systems a giant pain. And the various versions of UNIX continue to diverge further, fragmenting what might have been a single interface. When people ask me what I think about the future of UNIX, I tell them that UNIX is not going away, but that other operating systems will replace it in the future.

I see the people who work on the various flavors of BSD and on Linux as those who will be writing the operating systems of tomorrow. They will have firsthand, in-depth experience modifying and improving operating systems. They will also have had the experience of working publicly, in common, with their code exposed for review and criticism by all so motivated. A tough school indeed. And the operating systems they so tenderly nurse are being used today.

Greed

What of the commercial OS vendors - in particular, a large vendor that many have grown to fear and loathe? Having just read Dan's speech yet again, I came across an article about economics and sociology in Science News (Bruce Bower, "Yours, Mine and Ours," vol. 153, pp. 205-207). Reading this article allowed me to view the commons in a different light, one I believe will influence the business of computing.

Any of us who know anything about economics will readily agree with Bower's assertion that free markets establish prices based upon rational decisions by the buyer and the seller. Questions of ethics and morality have no place in these decisions as each player tries to slice off as big a piece of the pie as possible.

However, Bower's article is not about ideal markets, but rather about the people who participate in the decisions that define those markets. People, you and I, live in a cultural matrix, including offices, churches, professional organizations, unions, and neighborhoods; and our matrix influences our decisions. In particular, we tend to punish those who appear too greedy, even if it means we too will suffer.

Bower describes several experiments in which the results vary, depending on the culture in which the participants live. For example, there is the "ultimatum game," where one player is given a large sum of money but must share it with the other player. What makes the ultimatum game interesting is that the other player must find the first player's proposal acceptable or neither of them gets any money. In some cultures, the proposer offers an even split, especially if the amount of money is large (three months' wages). In Western cultures, the proposer typically offers between 30 and 40%, and offers below 20% are generally refused. Putting this in real terms, if the proposer has been given $500 and offers only $100 of it to the other player, the other player (who could have had $100 by simply saying yes) refuses, and neither gets any money.

Whoops! This isn't rational at all. The second player is punishing the first for being too greedy. This behavior, the willingness to give up rewards simply to punish a greedy player, shows up in other games as well. In real life, this shows up in some people's attitudes toward Social Security (acceptable, because the recipients had worked) and welfare (not acceptable because the recipients did not participate or add to the common good).

What does this have to do with operating systems? Imagine OS vendors playing the ultimatum game with each other (and with us, their customers), but instead of offering money, they offer us OS features. These features include networking, high performance, ease of maintenance, and support for applications, among other things. What has made Microsoft so successful has been its support for applications - more applications, and more users of those applications, than any other OS platform.

But herein lies the problem. The interface used by those applications is itself not open, not shared. As the importance of the interface (the API) grows, while Microsoft moves constantly to defend and protect that interface so that it is not shared, the perception of a proposer who is not playing fair also grows. As a society, we have tended to punish those who got too greedy (remember Michael Milken?) or abused their power (Richard Nixon). And Microsoft is definitely not playing "fair."

Looking into my famous crystal ball, I see, instead of an enormous operating system that does everything and has a totally proprietary and closed API, an API that is not owned by a single company. The API provides a specification that can be supported by many operating systems and will cleanly support extensions to the operating systems themselves. For example, the addition of new devices or networking protocols would be supported by this API. The point of an open API is that there can be many players. Or, in terms of the ultimatum game, the organization offering the API is proposing an even sharing, which will not stimulate a punishing backlash against greedy behavior.

Until I mentioned devices and networking, you might have thought I was talking about POSIX, but I'm not. Modern operating systems have requirements beyond those of POSIX, and any API that does not include GUI elements is doomed to failure. Just as POSIX 1 was based on the C interface to UNIX, a new API might be based on some popular computer language. Examples include Perl, Tcl/Tk, and Java, because each of these languages has a core that remains the same on all platforms.

Java may already be sunk too deep into intrigue to become a truly open standard. HP recently, with Microsoft's encouragement, published its own Java standard for embedded devices. If Sun were to bust JavaSoft loose, then perhaps Java would have a chance. John Ousterhout, the author of Tcl/Tk, has left Sun, giving Tcl/Tk a decent chance, although Perl today is vastly more popular. The problem with Perl is that it may be just too damn flexible for describing an interface.

I don't want to get into religious wars about which language is best. I'd rather think about reintroducing the commons in terms of an API that will support the types of applications we are writing today and will write in the future. A common API (with room for some well-mannered, portable extensions) will permit vendors and writers of operating systems to compete on an equal basis. People who talk about Microsoft OS being superior "because the market has chosen" might understand markets, but not software.

Just before I sat down to finish this, I saw an IBM ad about Web security and thought of Dan again. The trouble with IBM, or any other large vendor, as the source of security is that its solutions won't support the commons. Any proprietary security solution will fail, because today's systems must interoperate. The very idea of IBM Web security being available as part of an operating system sold by Microsoft, Sun, HP, or DEC is still ludicrous. Security must be like networking, truly interoperable, if it is to succeed.

I'd like to end on a more personal note. I enjoy being part of a community. I find there is pleasure in becoming part of something larger, whether it is a pickup volleyball game in Golden Gate Park, USENIX, or sharing knowledge. I believe lots of things separate us today, many artificial boundaries, and I think that we would all feel better without those boundaries.

 

First posted: 8th July 1998 efc
Last changed: 8th July 1998 efc