From: arne@vajhoej.dk   
      
   On 11/4/2025 8:59 AM, Simon Clubley wrote:   
   > I was aware this was going on, but not to this level. So, in the name of   
   > {short term whatever}, yet another chunk of the critical infrastructure   
   > that keeps this planet running is in the process of being added to the   
   > massive monoculture that is a single point of failure when a vulnerability   
   > or flaw is discovered. :-(   
   >   
   > People thought the public cloud service failures were bad. That's going   
   > to be nothing compared to what happens if an enemy (state level or otherwise)   
   > decides to cripple our way of life and now has massive nice juicy targets   
   > to take down, all of which are running the same technology infrastructure.   
   >   
   > These people are thinking about how they can make profit for their companies   
   > in the short term. I'm thinking that perhaps society should be forcing them   
   > instead to design things so that they can keep society running even when   
   > they are under attack.   
   >   
   > A society that allows critical systems to move towards a single monoculture   
   > without any backup systems or other redundancy is a society that has lost   
   > the plot.   
   >   
   > When the STS computers were being designed, NASA went through a massive   
   > formal process to validate and verify them. Even after all that, they   
   > _still_ added a 5th computer system designed by a different team in case   
   > something happened to the primary systems that they had missed.   
   >   
   > If you are important enough to provide services that help keep society   
   > running, then you should be forced to do the same. The question isn't   
   > about how much this extra infrastructure costs, but is instead about the   
   > cost to society if you don't do it.   
   >   
   > I've been thinking quite a bit recently about just how bad monocultures   
   > and short term thinking can be from a society being able to continue   
   > functioning point of view. Just look at the massive damage done by   
   > attacks on major companies here in the UK over the last year, all of   
   > which should not have had single points of failure like that. :-(   
      
   When the fixed part of the cost for an instance of a type of   
   product increases relative to the total market revenue for   
   that type of product, then the number of instances of that   
   type of products goes down. The reality of market economics.   
      
   It has hit the lower levels of tech stacks pretty hard.   
   No real monopolies but not that many options.   
      
   Main players:   
      
   cloud vendors: AWS, Azure, GCP, OCI   
   servers: Dell, HPE, Lenovo   
   CPU: x86-64, ARM64   
   OS: Linux, Windows   
   Virtualization: ESXi, KVM, Hyper-V   
   Containers: Kubernetes, Docker Swarm   
      
   More options when we go to the higher levels in the   
   tech stacks.   
      
   The lower levels do have security vulnerabilities. Usually   
   harder to exploit than the higher level ones, but for a   
   state actor ready to do something like Stuxnet, then ...   
      
   I believe JPM is spreading out a bit with both private cloud   
   and multiple public cloud vendors.   
      
   But I am sure that VSI would be happy if JPM decided   
   to run some VMS systems as part of OS diversification.   
      
   :-)   
      
   And a Spring Boot micro-service should run fine on VMS   
   (but not Spring Boot Native as GraalVM does not support VMS).   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)