
Wednesday, July 28, 2021

Linux is a parasite, and it may be our future

Linux is a parasite.

So is Unix.

The first Unix ran on a DEC PDP-7. But DEC did not sell PDP-7s to run Unix; it sold them to run its own operating system called "DECsys".

Later Unix versions ran on PDP-11s. But DEC did not sell PDP-11s to run Unix; it sold them to run later operating systems called RSX-11, TSX-11, CTS-11, and RSTS.

DEC's minicomputers were simple, compared to today's PCs. They would load and run just about any program. On many models, the loader program (what we would call the bootstrap code) was entered by hand on a front panel.

There was no trusted platform, no TPM, no signed code. It was easy to load Unix onto a DEC minicomputer. The success of Unix was due, in part, to the openness of those minicomputers.

But to be honest, Unix was a parasite. It took advantage of the hardware that was available.

Linux is in the same way a parasite on PCs. PCs are sold to run Windows. (Yes, a few are sold with Linux. But PCs are designed to run Windows, and the vast majority are sold with Windows.)

PC hardware has been, from the original IBM PC, open and well-documented. Linux took advantage of that openness, and has enjoyed a modicum of success.

Linux is a parasite on Apple PCs too, taking advantage of the hardware that Apple designed.

But the life of a parasite is not easy.

As Apple changes its hardware and bolsters security, it becomes harder to run Linux on an Apple PC. It is possible to run Linux on an M1 MacBook. I expect that the effort will increase over the next few years, as Apple introduces more changes to defend against malware.

Microsoft is making similar changes to Windows and the PC platform. Microsoft designs and builds a small number of PCs, and issues a specification for the hardware to run Windows. That specification is changing to defend against malware. Those changes also make it harder to install Linux.

Will we see a day when it is impossible to install Linux on a PC? Or on a MacBook? I think we will, probably with Apple equipment first. Devices such as the iPhone and Apple Time Capsule require signed code to boot an operating system, and Apple is not divulging the signing keys. It is not possible to install Linux on them. I think a similar fate awaits Apple's MacBook and iMac lines. Once that happens, Linux will be locked out of Apple hardware.

Chromebooks look for code signed by Google, although in developer mode they can boot code that has been signed by others. (The Chromebook boot code looks for a signed kernel, but it doesn't care who signed it.)

Microsoft is moving towards signed code. Windows version 11 will require signed code and a TPM (Trusted Platform Module) in the PC. There are ways to load Linux on these PCs, so Linux has not yet been locked out.

I think Microsoft recognizes the contributions that Linux makes to the ecosystem, and is taking steps to ensure that Linux will be available on future PCs. Apple, I think, sees no benefit from Linux and is willing to lock Linux out of Apple devices. Microsoft sees value in letting Linux run on PCs; Apple doesn't.

It might be that Microsoft is preparing a radical change. It may be that Microsoft is getting ready to limit Windows to virtual systems, and drop support for "real" PCs. The new "Windows 365" product (virtual computers running Windows accessible from a browser) could be the future of Windows.

In this fantasy world I am constructing, Microsoft provides Windows on virtual hardware and not anywhere else. Access to Windows is available via browser, but one must acquire the hardware and operating system to run the browser. That could be an old PC running an old (in the future) version of Windows 10 or Windows 11, or it could mean a Chromebook running ChromeOS, or it could mean a desktop PC running Linux.

This would be a big change -- and I'm not saying that it will happen, only that it may happen -- and it would have profound effects on the IT world. There are some thoughts that come to mind:

First, performance becomes less important for the physical PC running the browser. The heavy CPU work is on the server side. The PC hosting the browser is a fancy terminal, displaying the results of the computation but not performing the computation. The race for speed shifts to the servers hosting the virtual instances of Windows. (And there is less pressure to update local PCs every three years.)

Second, the effort to develop and support Windows drops significantly. A lot of work for Microsoft is maintaining compatibility with hardware. Windows works with just about every piece of hardware going back decades: printers, video cards, disk drives, cameras, phones, ... you name it, Windows supports it. If Microsoft shifts to a virtual-server-only version of Windows, a lot of that work disappears from Microsoft's queue. The work doesn't vanish; it shifts to the people building the non-virtual PCs that run the browsers. But the work (and the expense) does vanish from Microsoft's accounts.

Third, this change is one that Apple cannot follow. Apple has built its strategy of privacy on top of a system of local processing -- a secure box. They don't send data to remote servers -- doing so would let your personal data escape the secure box. It has no way to offer virtual instances of macOS that correspond to Windows 365 without breaking that secure box. (And just as Windows 365 allows for longer lifespans of local PCs, virtual macOS would allow for longer lifespans of Macs and MacBooks -- something that Apple would prefer not to see, as they rely on consumers replacing their equipment every so often.)

If Microsoft does make this change, the prospects for Linux improve. If Microsoft pulls Windows off of the market, then PC manufacturers must offer something to run on their hardware. That something cannot be macOS, and it certainly won't be FreeDOS. (As good as it is, FreeDOS is not what we need.)

The operating system that comes with PCs may be Linux, or a variant of Linux built for laptop makers. There could be two versions: a lightweight version that is close to ChromeOS (just enough to run a browser) and a heavier version that is close to today's Linux distros.

If Microsoft makes this change -- and again, I'm not sure that they will -- then we really could see "the year of the Linux desktop". Oh, and it would mean that Linux would no longer be a parasite.

Tuesday, June 29, 2021

Windows 11 is for the enterprise

Microsoft's recent announcement of Windows 11 has gotten a lot of people asking questions. Why now? Why the change for minimum requirements? And why was the announcement so plain and unassuming?

I think the answer lies in Microsoft's customers for Windows, so let's look at the different types of customers.

Enterprises: Large companies with lots of computers. They authenticate with Exchange. They use Microsoft Office, SQL Server, and other Microsoft products. They buy lots of licenses. They pay for support. And -- importantly -- they depreciate computers over a three year schedule, and they frequently replace computers every three years. They have dedicated IT support teams (possibly outsourced or contractors) and they have discussions and plans for IT.

We can consider large non-profit organizations and large government agencies in this group, as long as they replace their computers every three years.

Small businesses: Companies with fewer computers (probably less than 100). They don't use Exchange for authentication; they assign everyone a computer with a password and share data via workgroups. They use the software that comes with the computer (Windows and Office). And they don't replace their computers every three years; they keep them longer.

Small businesses do not (typically) have plans for IT, other than "keep things running and replace computers when they fail". They let their computers age in place, with no specific plans to upgrade Windows or applications.

We can consider small non-profit organizations and small government agencies in this group, as long as they don't have formal plans to replace computers every three years.

Typical individuals: Like small businesses, they have few computers, they use the software that comes with the computer (possibly Office 365), and they keep their computers for longer than three years. They, too, let their computers age in place.

Enthusiasts: These are individuals who enjoy tinkering with hardware or software. Like the typical individual, they have a few computers. Unlike the typical individual, they take a more active interest in IT. They probably have more computers than the typical individual, and they tend to have some computers with the latest versions of Windows. (They may also have older computers with older versions of Windows, just for fun.)

Enthusiasts were important in the early days of Windows. They downloaded beta versions, showed Windows to their friends, and learned how to make Windows work on different types of hardware. They were an important part of the "Windows revolution" over DOS.

Gamers: These individuals have few computers. They take an interest in hardware, and software when it helps their gaming experience. They use powerful computers, either built by themselves or off-the-shelf with custom video and replaced disk. They may replace equipment every three years; the time is driven not by depreciation schedules but by hardware and game software.

Browsers: Individuals who use Windows like a Chromebook. That is, they have a computer running Windows but they use only web apps. They don't use local applications (not even Office). Like typical users, they have no plans for upgrades and tend to use computers for a long time.

With these different groups in mind, we can gain some insight into Microsoft's motivations.

The requirements Microsoft announced for Windows 11, specifically 64-bit and TPM 2.0, limit Windows 11 to recent computers. This is going to cause some problems for some users, because the equipment they currently have will not support Windows 11. But look at the groups, and see which will be affected:

Small businesses, typical individuals, and browsers will not be affected by Windows 11. They probably do not run the latest version of Windows 10, and may be running Windows 8.1 or even Windows 7. (The latter is unlikely due to the lack of support for Internet Explorer.)

Enterprise businesses will not be affected (much) by Windows 11. They will have equipment that is ready to run Windows 11 (thanks to their policy of replacing computers every three years) and they have an IT support team who can coordinate the installation of the new version. (That IT group may not be happy about a new version of Windows, but they can handle the task.)

The groups most affected by Windows 11 will be gamers and enthusiasts. Gamers will have to review the benefits of Windows 11, and will probably replace older PCs when games come out that are for Windows 11 only. Enthusiasts will be the hardest hit: their curated older hardware that is running Windows 10 (because it can) will not be able to run Windows 11. They will have to pony up for new hardware (and find space for it, while keeping their older PCs).

So my conclusion is this: Windows 11 is for the enterprise. Microsoft is targeting enterprise customers (the ones who pay lots of licensing fees) and keeping them happy. (Enterprises love security!)

The other types of users are going along for the ride. Small businesses and typical individuals won't be affected (they already have hardware, and when they buy new PCs they will come with Windows 11).

The folks most affected will be the enthusiasts who won't be able to install Windows 11 on their old hardware. (And probably won't be able to install Windows 10 after its end-of-life in 2025.) That's a small crowd, and they are less important today than they were in the early days of Windows.

Microsoft cannot support old hardware forever. The advantages of increased security are obvious and necessary. A special version of Windows 11 ("Windows 11 minus"? "Windows for the tinkerers"?) that supports older (less secure) hardware would require a lot of time and effort, and the return for that time and effort would be very small.

The enthusiasts and tinkerers need another home, one that is not dominated by the concerns (and economics) of the enterprise.

Sunday, October 18, 2015

More virtual, less machine

A virtual machine, in the end, is really an elaborate game of "let's pretend". The host system (often called a hypervisor) persuades an operating system that a physical machine exists, and the operating system works "as normal", driving video cards that do not really exist and responding to timer interrupts created by the hypervisor.

Our initial use of virtual machines was to duplicate our physical machines. Yet in the past decade, we have learned about the advantages of virtual machines, including the ability to create (and destroy) virtual machines on demand. These abilities have changed our ideas about computers.

Physical computers (that is, the real computers one can touch) often serve multiple purposes. A desktop PC provides e-mail, word processing, spreadsheets, photo editing, and a bunch of other services.

Virtual computers tend to be specialized. We build virtual machines often as single-purpose servers: web servers, database servers, message queue servers, ... you get the idea.

Our operating systems and system configurations have been designed around the desktop computer, the one serving multiple purposes. Thus, the operating system has to provide all possible services, including those that might never be used.

But with specialized virtual servers, perhaps we can benefit from a different approach. Perhaps we can use a specialized operating system, one that includes only the features we need for our application. For example, a web server needs an operating system and the web server software, and possibly some custom scripts or programs to assist the web server -- but that's it. It doesn't need to worry about video cards or printing. It doesn't need to worry about programmers and their IDEs, and it doesn't need to have a special debug mode for the processor.

Message queue servers are also specialized, and if they keep everything in memory then they need little in the way of file systems and reading or writing files. (They may need enough to bootstrap the operating system.)

All of our specialized servers -- and maybe some specialized desktop or laptop PCs -- could get along with a specialized operating system, one that uses the components of a "real" operating system, and just enough of those components to get the job done.

We could change policy management on servers. Our current arrangement sees each server as a little stand-alone unit that must receive policies and updates to those policies. That means that the operating system must be able to receive the policy updates. But we could change that. We could, upon instantiation of the virtual server, build in the policies that we desire. If the policies change, instead of sending an update, we create a new virtual instance of our server with the new policies. Think of it as "server management meets immutable objects".

The beauty of virtual servers is not that they are cheaper to run, it is that we can throw them away and create new ones on demand.

Tuesday, May 26, 2015

When technology is not the limit

The early days of computing were all about limits. Regardless of the era you pick (mainframe, minicomputer, PC, client-server, etc.) the systems were constrained and imposed hard limits on computations. CPUs were limited in speed. Memory was limited to small sizes. Disks for storage were expensive, so people used the smallest disk they could and stored as much as possible on cheaper tape.

These limitations showed through to applications.

Text editors could handle a small amount of text at one time. Some were limited to that amount and could handle only files of that size (or smaller). Other editors would "page out" a block of text and "page in" the next block, letting you work on one section of the text at a time, but the page operations worked only in the forward direction -- there was no "going back" to a previous block.

Compilers would allow for programs of only limited sizes (the limits dependent on the memory and storage available). Early FORTRAN compilers used only the first six characters of identifiers (variable names and function names) and ignored the remainder, so the variables DVALUES1 and DVALUES2 were considered to be the same variable.

In those days, programming required knowledge not only of the language but also of the system limitations. The constraints were a constant pressure, a ceiling that could not be exceeded. Such limitations drove much innovation; we were constantly yearning for more powerful instruction sets, larger memories, and more capacious and faster storage. Over time, we achieved those goals.

The history of the PC shows such growth. The original IBM PC was equipped with an 8088 CPU, a puny (by today's standards) processor that could not even handle floating-point numbers. While the processor could handle 1 MB of memory, the computer came equipped with only 64 KB of RAM and 64 KB of ROM. The display was a simple arrangement, with either high-resolution, text-only monochrome or low-resolution graphics in color.

Over the years, PCs acquired more powerful processors, larger address spaces, more memory, larger disk drives (well, larger capacities but smaller physical forms), and better displays.

We are at the point where a number of applications have been "solved", that is, they are not constrained by technology. Text editors can hold the entire document (up to several gigabytes) in memory and allow sophisticated editing commands. The limits on editors have been expanded such that we do not notice them.

Word processing, too, has been solved. Today's word processing systems can handle just about any function: wrapping text to column widths, accounting for typeface variations and kerning, indexing and auto-numbering, ... you name it.

Audio processing, e-mail, web browsing, ... all of these have enough technology to get the job done. We no longer look for a larger processor or more memory to solve our problems.

Which leads to an interesting conclusion: When our technology can handle our needs, an advance in technology will not help us.

A faster processor will not help our word processors. More memory will not help us with e-mail. (When one drives in suburbia on 30 MPH roads, a Honda Civic is sufficient, and a Porsche provides no benefits.)

I recognize that there are some applications that would benefit from faster processors and "more" technology. Big data (possibly, although cloud systems seem to be handling that). Factorization of numbers, for code-breaking. Artificial Intelligence (although that may be more a problem of algorithms and not raw hardware).

For the average user, today's PCs, Chromebooks, and tablets are good enough. They get the job done.

I think that this explains the longevity of Windows XP. It was a "good enough" operating system running on "good enough" hardware, supporting "good enough" applications.

Looking forward, people will have little incentive to switch from 64-bit processors to larger models (128-bit? super-scaled? variable-bit?) because they will offer little in the way of an improved experience.

The market pressure for larger systems will evaporate. What takes its place? What will drive innovation?

I see two things to spur innovation in the market: cost and security. People will look for systems with lower cost. Businesses especially are price-conscious and look to reduce expenses.

The other area is security. With more "security events" (data exposures, security breaches, and viruses) people are becoming more aware of the need for secure systems. Increased security (if there is a way to measure security) will be a selling point.

So instead of faster processors and more memory, look for cheaper systems and more secure (possibly not cheaper) offerings.

Thursday, September 25, 2014

Tablets are controlled by corporations

I admit I was wrong. In my previous post, I claimed that mobile devices would be free of corporate bureaucracy (and control). That's not true.

It's true in the sense that when the Acme corporation buys PCs it can control them with Active Directory and group policies, and that similar infrastructure is not in place for tablets and smartphones. (I'm ignoring the third-party Mobile Device Management software.)

But it's false in the sense that corporations do control the mobile devices. The corporations are not Acme or whoever buys the devices. The controlling corporations are the owners of the walled gardens: Apple, Google, Amazon.com, and Microsoft. These corporations control the software available and the updates that occur automatically. (Yes, you can turn some updates off, but only while those corporations let you.)

The control that these companies exert is indisputable. Apple just recently placed a copy of a U2 album on every iPod and iPhone. Some time ago, Amazon.com deleted books from various Kindle e-readers. These companies are the "tribal chieftains", with immense power over the devices.

Android and iOS are popular in part because they are easy to use. That ease of use comes from the absence of administration tasks. The administration has not disappeared, it has moved from the "owner" of the device to the controlling company. Apple builds the updates for iOS and distributes those updates (along with updates to apps) to iPhones and iPads. Google does the same for Android devices. Microsoft does the same for "Metro" apps.

It may be this control that makes corporations reluctant to use tablets. They may know, deep down, that they are not in control of the devices. They may realize that at any moment the tribal chieftains may change the software, or worse, read or modify (or possibly delete) data on the devices. They may grant other individuals access to mobile devices.

All of this does not mean that corporations (the Acme variety, who are using the devices) should avoid mobile devices. It *does* mean that corporations should use them intelligently. They should not manage tablets and smartphones in the same way that they manage PCs, and they should not use tablets and smartphones in the same way as they use PCs. The model for mobile devices is very different from PCs.

Business can use tablets and smartphones, but differently than PCs. Data should be handled by specific apps, not generic applications like Microsoft Word and Excel. Mobile apps should authenticate users, retrieve a limited set of data from servers, present that data, manipulate that data, and then store the data on the server. Apps should not store data on the local device. (This is also good for the scenario of a lost device -- if it has no data, there can be no data "leakage" to unauthorized parties.)

Mobile devices are controlled by the tribal chieftains. Yet they can still be used by corporations -- and individuals.

Sunday, December 1, 2013

Echo chambers in the tech world

We have echo chambers in the tech world. Echo chambers are those channels of communication that reinforce certain beliefs, sometimes correct and sometimes not. They exist in the political world, but are not limited to that milieu.

The Apple world has the belief that they are immune to malware, that viruses and other nasty things happen only to Windows and Microsoft products. The idea is "common knowledge", and many Macintosh owners will confirm it. But the idea is more than common; it is self-enforcing. Should a Macintosh owner say "I'm going to buy anti-virus software", other Mac owners will convince (or attempt to convince) him otherwise.

The echo chamber of the Apple world enforces the idea that Apple products are not susceptible to attack.

There is a similar echo chamber for the Linux world.

The Microsoft world has an opposite echo chamber, one that insists that Windows is not secure and extra software is required.

These are beliefs, created in earlier times, that endure. People keep the idea from that earlier time. In other words, people have trained themselves to think of Windows as insecure. Microsoft Windows was insecure, but is more secure. (Yes, it is not perfectly secure.) Similarly, Apple products (and Linux) are not completely secure but people have trained themselves to think that they are.

I will make some statements that people may find surprising and perhaps objectionable:

  • Microsoft Windows is fairly secure (not perfect, but pretty good)
  • Apple MacOS X is not perfect and has security flaws
  • Linux (any variant) is not perfect and has security flaws

We need to be aware of our echo chambers, our dearly-held "common knowledge" that may be false. Such ideas may be comforting, but they lead us away from truth.

Tuesday, October 30, 2012

BYOD can be easy with tablets

The "bring your own device" movement has caused quite a bit of heartburn among the corporate IT and security folks. More than is necessary, I think.

For those unfamiliar with the term "bring your own devices" (BYOD), it means this: employees select their own devices, bring them to the office, and use them for work. Such a notion causes panic for IT. It upsets the well-balanced apple cart of company-supplied PCs and laptops. Corporations have invested in large efforts to minimize the costs (purchase costs and support costs) of PCs and laptops. If employees were allowed to bring their own hardware, the following would happen (in the thinking of the corporate cost-minimizers):

  • Lots of employees would have problems connecting to the company network, therefore they would call the help desk and drive up support costs
  • Employee-selected hardware would vary from the corporate standard, increase the number of hardware and software combinations, and drive up support costs

And in the minds of IT security:

  • Employee-selected hardware would be vulnerable to viruses and other malware, allowing such things behind the corporate firewall

But these ideas are caused by misconceptions. The first is that employees want to bring their own PCs (or laptops). But employees don't. (Or at least not the folks with whom I have spoken.) Employees want to bring cell phones and tablets, not laptops and certainly not desktop PCs.

The second misconception is that smartphones and tablets are the same as PCs, except smaller. This is also false. Yes, smartphones and tablets have processors and memory and operating systems, just like PCs (and mainframes, if you want to get technical). But we use tablets and smartphones differently than we use PCs and laptops.

We use laptops and PCs as members of a network with shared resources. These laptops and PCs are granted access to various network resources (printers, NAS units, databases, etc.) based on the membership of the PC (or laptop) within a domain and the membership of the logged-in user in domain-controlled groups. The membership of the PC within a domain gives it certain privileges, and these privileges can create vectors for malware.

Smartphones and tablets are different. We don't make them members of a domain. They are much closer to a browser on a home PC, used for shopping or online banking. My bank allows me to sign on, view balances, pay bills, and request information, all without being part of their domain or their security network.

How is this possible? I'm sure that banks (and other companies) have security policies that specify that only corporate-owned equipment can be connected to the corporate-owned network. I'm also sure that they have lots of customers, some of whom have infected PCs. Yet I can connect to their computers with my non-approved, non-certified, non-domained laptop and perform work.

The arrangement works because my PC is never directly connected to their network, and my work is limited to the capabilities of the banking web pages. Once I sign in, I have a limited set of possibilities, not the entire member-of-a-network smorgasbord.

We should think of smartphones and tablets as devices that can run apps, not as small PCs that are members of a domain. Let the devices run apps that connect to back-end servers; let those servers offer a limited set of functions. In other words, convert all business applications to smartphone apps.

I recognize that changing the current (large) suite of business applications to smartphone apps is a daunting task. Lots of applications have been architected for large, multi-window screens. Many business processes assume that users can store files on their own PCs. Moving these applications and processes to smartphone apps (or tablet apps) requires thought, planning, and expertise. It is a large job, larger than installing "mobile device management" packages and adding new layers of security bureaucracy for mobile devices.

A large job, yet a necessary one. Going the route of "device management" locks us into the existing architecture of domain-controlled devices. In the current scheme, all new devices and innovations must be added to the model of centralized security.

Better to keep security through user authentication and isolate corporate hardware from the user hardware. Moving applications and business processes to tablet apps, separating the business task from the underlying hardware, gives us flexibility and freedom to move to other devices in the future.

And that is how we can get to "bring your own device".

Monday, June 4, 2012

Pendulum or ratchet?

In the beginning, Altair made the 8800, and it was good.

Actually, it was *usable*, by determined hobbyists, and it was usable for very little. But it was available and purchasable. The computers were stand-alone, and owner/users had to do everything for themselves. It was similar to being part of the first party in a colony. Where the first colonists had to chop wood, carry water, grow their own crops, make their own tools, and care for themselves and their families, the early computer owner/users had to build their own equipment and write their own software.

Later came the manufactured units: the Apple II, the Radio Shack TRS-80, the Commodore PET. These were easier to use (just take them out of the box and plug them in) yet you still had to write your own software.

The IBM PC and MS-DOS made things a bit easier (lots of software available on the market), yet the owner/user was still responsible and life was perhaps not a colony but a house on the prairie. And programs (purchased or constructed) could do anything to the computer, including disrupting other programs.

A big advance was made with IBM OS/2 and Windows NT, which were "real" operating systems that truly controlled "user programs". We had left the prairie and were in an actual town!

The next advance was with Java (and later, C#) which created managed environments for programs. Now we were in Dodge City, and you had to check your firearms when you came into town.

Apple gave us the next step, with iOS and iTunes. In this world, all programs must be reviewed and approved by Apple. You can no longer write any program and release it to the market. You cannot even install it on your own equipment! You must go through Apple's gateway iTunes. Microsoft is following suit with Windows 8 and the Microsoft App store. (Apps in Metro must go through Microsoft, and you can install only operating systems that have been signed by Microsoft.)

All of these changes have been made to improve security. (And let us recognize that Microsoft has been consistently pummeled for exploits against Windows and applications. The incentive for these changes has been the market.)

Yet all of these changes have been moving in one direction: away from the open range and towards the nanny state.

My question is: Are these changes part of the swing of a pendulum, or are they part of a ratchet mechanism? If they are the former, then we can expect a swing back towards freedom (and security problems). If they are part of the latter, then they are here to stay with possibly more restrictions in the future.

Relying on Microsoft (or Apple) to filter out the malware and the bad actors is easy, but it also limits our choices. By allowing a vendor to act as gatekeeper, we give up a degree of control. It is possible that they may choose to restrict other software in the future, such as software that competes with their products. (Microsoft may restrict the Chrome browser, Apple may restrict office suites. Or anything else they desire to restrict, in favor of their own offerings.)