Whenever there’s a new Windows virus out there wreaking global havoc, the Linux types get smug. “That’ll never happen in our open operating system,” they say. “There are many eyes looking over the source code.” But then there’s a Heartbleed vulnerability that keeps them humble for a little while. Anyway, at least patches are propagated faster in the Linux world, right?
While the Linuxers are holier-than-thou, the Windows folks get defensive. They say that the problem isn’t with Windows, it’s just that it’s the number one target because it’s the most popular OS. Wrong, that’d be Android for the last few years, or Linux since forever in the server space. Then they say it’s a failure to apply patches and upgrade their systems, because their users are just less savvy, but that some new update system will solve the problem.
There’s some truth to the viruses and the patching, but when WannaCry is taking over hospitals’ IT systems or the radiation monitoring network at Chernobyl, it’s not likely to be the fault of the stereotypical naive users, and any automatic patch system is only likely to help around the margins.
So why is WannaCry, and variants, hitting unpatched XP machines, managed by professionals, all over the world? Why are there still XP machines in professional environments anyway? And what does any of this have to do with free software? The answer to all of these questions can be found in the ancient root of all evil, the want of money. Linux is more secure, ironically, at least partly because it’s free as in beer, and upgrading to a newer version is simply cheaper.
Story time. I used to work for the US gov’t. In our Bureau, we had a few thousand Windows XP installs. When Vista came out, they looked into upgrading, but for monetary reasons, had to put the project on hold. (They dodged that bullet.) But then along came Windows 7 and the end-of-life plans for XP. Even so, it took a number of years to get through all of the security and compatibility testing required to make the switch. And that’s just the cost of labor. On top of this, they had to pay for all new software licenses. I’m sure they’re working through the same thing with Windows 10 right now.
The US Bureau of Labor Statistics isn’t badly funded by government standards, and certainly better supplied with talented technical people than many bureaucracies. And yet, the act of upgrading the system caused some real institutional pain and required real effort. We can only guess at what the budget of a rural hospital’s IT department looks like, but I’d guess they’ve got a lot fewer resources to work with. Why are a bunch of nuclear physicists at Chernobyl still running XP? Because it’s what they can afford.
The point of this story is a simple one. The cost of upgrading Windows is non-trivial, and Microsoft is always going to insist on receiving payment for newer versions of their OSes — fair enough, that’s how they make money after all, and they need to pay their coders and shareholders. But this will push some institutions, not to mention individual users, to forgo upgrades and keep on limping with out-of-date or otherwise unpatchable systems, which will be ripe for mayhem. There will always be insecure Windows systems out there because you have to pay to upgrade. It’s all about the money.
And although Microsoft eventually offered free patches for XP against WannaCry, they allegedly held back the release of the patch for a few days, in an attempt to shake down some of their former customers who had not yet upgraded. On one hand, you can hardly blame them — they’re stuck supporting 15-year old software at this point. But they also need make users pay for XP support so that they’ll have an incentive to buy the next thing. And there’s that wedge preventing security-relevant upgrades again.
Microsoft isn’t the only company out there making money on OSes. Android may be free, but since new versions of Android are often bundled with new phones, phone companies are reluctant to give up the new hotness for their old devices. But when the hotness also comes bundled with improved security only available to those with new phones, it puts the same sort of sand in the OS-upgrading gears, even though the OS is notionally free.
Free as in Beer
I’ve been using Linux since it was installable on 3.5″ floppies over dialup, so I’m probably one of those “Linux zealots”. And I definitely value the ability to read through kernel code and add new drivers if I feel like it, although I’ve only done it once in twenty years. Still, one of the most attractive features of Linux to me is the “free as in speech” aspect.
But I’m also an economist by training, so I see the invisible hand working nearly everywhere. And watching wave after wave of Windows viruses attacking outdated systems that should have been upgraded made me wonder why, and I think it’s all about the Benjamins. So if you’re a fellow Linux zealot all caught up in “free as in speech”, spill a little for the power of “free as in beer”. After all, it might just be why you’re not running an unpatched Mandrake system on that old Pentium in the basement.