Therefore, the whole idea of improving security should be realized in two ways that are equally important: warning the user about potentially risky operations, and strengthening the operating system itself.
Security threats come in three kinds (or rather, I put them into three categories): aggressive attack, seductive attack and fundamental attack. How can someone harm your computer or data in general? They can find system vulnerabilities on their own and do whatever they want without your help. They can entice you to run something harmful, disguise their virus, or bundle harmful things with useful ones. Or they can (I doubt they really can, but let's keep the possibility) put something into the Windows or Linux update or installation files (people have found things in Windows fonts where the author left his name, visible if you enlarge the glyph enough). These three correspond to my "aggressive", "seductive" and "fundamental" attacks. (I'm not really good with names, so more suitable ones are welcome.)

- Under aggressive attack (by which I mean direct attack through a system vulnerability), Windows is more secure:
Linux is open source, so in theory anyone can go out and find security holes in it. The process is not so direct with Windows, which makes Windows more secure. Furthermore, Microsoft has a central bug tracking system, and all information about its system vulnerabilities goes to Microsoft. The company's profit motive pushes it to fix problems as soon as possible.
(In the long run, Windows has a program management tool, so it shouldn't be hard for Microsoft to enable third-party updating. As Linux goes more commercial, a maintenance mechanism for security problems will be established too.)
- Seductive attack (attack that exploits user unawareness) concerns the general user more, I think. I've had tons of malware that opens certain web pages, adds certain buttons to the Windows start menu, shuts down the computer (and these are the mild ones), and so on. It can take your internet banking information, personal contact information and more.
Linux wins here because the ruling factor is security through obscurity. That may not hold as Linux gains popularity, but right now I think you have far fewer problems of this sort using Linux than Windows.
But let's go deeper and see further.
First of all, Linux is diversified and only going to become more so. The bottom line is: if I'm using GNOME, you're using KDE and he's using Fluxbox, there are certain things that aren't easy to do across all three (or at least require far more effort and creativity than on Windows). So diversity really helps.
Limiting user privileges is of course important. Linux does well by asking for the root password, but too much authentication reduces usability, which is not good. There is a balance to find, and there may be smarter ways to do this too.
In the future, however, I see Windows' approach as more promising. Ideally, the more complicated (in a good sense; maybe I should say mature or robust) our "trust rule" is, the less information virus writers have with which to mechanically bypass the protection, just as with internet security now. If a virus wants administrator privilege to install something and the system always asks for a fixed password, the virus can obtain it by recording keystrokes, or by pretending to be an update and asking for your administrator password. But if a prompt asks the system administrator to answer a question, the virus has to operate at a whole different level to bypass it. (It may not need a human to steal the password from keystrokes, but it definitely needs to get past the user in the latter case. Security here, I think, is more of an identification process: how the user knows that what is running is of authentic origin, and how the system knows that what is running is of authentic origin. So a little encryption trick would work. Have you used Bank of America's internet banking? The scheme with a picture and a user-defined name is quite interesting.) It is then the system's responsibility to warn the user which operations are dangerous or highly dangerous. The process becomes an interactive one. (It is still true that a system can be at most as secure as its user, but ideally the user is warned at different levels and will be more cautious than with the plain method of asking for the password on every system change.)
What I want to add is that, above all, realistically the virus developers are always better informed than the average user, so there's a large chance they can fool some OS users. Building a foolproof security system is very hard.
A central filtering system sounds like a good idea, but I read somewhere that it takes 6 days to build a piece of malicious software and much longer for Microsoft to respond to it. So maybe future security systems should start by asking "Do you know what ... is?" If not, the security system immediately shuts it down. You can always start it again, or restart the installation after gathering more information, but the damage is a one-time thing.
- Fundamental attack (by which I mean security threats resulting from tampered provider-side files) sounds ridiculous, but it may happen and would be very tragic. Linux wins because diversity predominates: if people are downloading from different sources, using different distributions and so on, it takes much more work to harm them all. And we can always fully trust open source, because there may always be people examining the source. So Linux is much more secure in this respect. (It's not about Microsoft. They wouldn't intentionally add bad things to their operating systems, but some competent person might, and you wouldn't know.)
I am a Fedora user (as you can see, most of my valuable posts are about Fedora). Every time I install software, I get a message asking whether I want to import some "key". I haven't dug into this, but if it is what I imagine it to be, then Linux routs Windows under fundamental attacks even more. If the source files are somehow encrypted with keys that the receiving operating system can validate against, then tampering with installation and update files becomes harder, because the key has to be valid. I think this offers very good protection. Windows doesn't have to do it the same way, because Microsoft can validate its files with some internal mechanism before pressing the discs. The same process could be useful for later updates, or at least Microsoft should validate its updates once in a while (and Linux repositories should do that too).
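What the key-import prompt enforces is package signing. The following is an added example in Go, not code from this post or from Fedora's tooling: the repository signs each package with its private key, the client verifies with the key the user chose to import, and both a package altered after signing and a package signed by a key that was never imported are refused. Ed25519 stands in for the repository's GPG key; the package name and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUntrustedKey = errors.New("signing key is not in the imported keyring")
var ErrBadSignature = errors.New("signature does not match package contents")

// signedMessage binds the package name to the SHA-256 of its bytes, so a signature
// cannot be reused for a different package or for altered contents.
func signedMessage(name string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return append([]byte(name+"\x00"), sum[:]...)
}

// SignPackage is the repository side.
func SignPackage(priv ed25519.PrivateKey, name string, pkg []byte) []byte {
	return ed25519.Sign(priv, signedMessage(name, pkg))
}

// VerifyPackage is the client side, run before installation: the signer must be a key
// the user imported (keyring is keyed by raw public-key bytes), and the signature must
// verify over the bytes actually received.
func VerifyPackage(keyring map[string]bool, signer ed25519.PublicKey, name string, sig, pkg []byte) error {
	if !keyring[string(signer)] {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(signer, signedMessage(name, pkg), sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario (constructed data): a genuine package, the same package with one bit
// flipped after signing, and the tampered package re-signed by a rogue key.
func Scenario() [3]error {
	repoPub, repoPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	keyring := map[string]bool{string(repoPub): true} // only the repository key was imported
	pkg := []byte("constructed package contents v1.0")
	sig := SignPackage(repoPriv, "example-1.0.rpm", pkg)
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0x01
	rogueSig := SignPackage(roguePriv, "example-1.0.rpm", tampered)
	return [3]error{
		VerifyPackage(keyring, repoPub, "example-1.0.rpm", sig, pkg),
		VerifyPackage(keyring, repoPub, "example-1.0.rpm", sig, tampered),
		VerifyPackage(keyring, roguePub, "example-1.0.rpm", rogueSig, tampered),
	}
}

func main() { fmt.Println(Scenario()) }
```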
Conclusion:
I am aiming at a discussion rather than a conclusion. There are system-internal structures that could make a difference, but I don't know enough about them, so I did not attempt to discuss them. Instead, I am trying to build a framework in which security features can be evaluated: whether a feature improves user-level security or reduces system vulnerability, in what ways, and whether it works against aggressive, seductive or fundamental attack, and how.
I was inspired by this discussion, where people go in every direction and argue from different angles. I think it will be much clearer if we consider security problems using the categorization I suggested.
4 comments:
Dear Paul,
I feel that you have rigidly compartmentalised user and system security into separate watertight compartments. Usually, security accrues, as you pointed out at the beginning of your post, by constant interaction between the user and the system.
It has been constantly reiterated, to the point of becoming a cliche, that security is a process. This process has three main components, the user, the vendor, and the software architecture. All three must be security oriented for a system to be secure.
Now, let us examine your point about aggressive security: How does a cracker invade your computer? Either through a vulnerable open port, or by eavesdropping, stealing your information and knowing your system, or by means of a malicious website. Therefore, all unnecessary ports should be closed by default. Common Linux distributions and Windows both pass in this regard. However, Linux is more secure even in this regard due to its open source nature. It is easier to find holes, but also many people find holes and close them actively. Therefore, holes are closed as soon as possible. In contrast, any information about internally found holes in Windows is not made public but kept in cold storage to be silently fixed as a major update or a service pack. This is an insecure process because at the same time, crackers are actively searching for holes, and it is quite possible that they may have found the very same holes that Microsoft kept aside for its silent fixes. At that time, these appear as zero-day exploits. Have you ever wondered why the reported vulnerabilities of Windows are almost always discovered by a third party security researcher? Or why Windows has so many zero-day attacks? A lot of it has to do with the lack of transparency in Windows. Furthermore, Linux is also more secure against what you call "aggressive attacks" because it has better tools to deal with zero-day unpatched vulnerabilities. I dare say that buffer overflows and taking complete control of a modern Linux computer is very difficult because of the presence of SELinux or Apparmor or execshield. I have not yet known of a critical vulnerability which will not be lessened by these measures. The protection against zero-days in Windows is very meagre (DEP and UAC), both of which can be theoretically bypassed far more easily than any of the Linux apps. Therefore, I disagree with your point that for "aggressive security" Windows is better than Linux. The defaults of Linux are just better.
Thank you for your comment.
Here are a few things I can think of saying in response now.
Well, I wanted to divide system security into two active parts, system and interaction. I assumed users to be average users and that security is gained by interaction with the user, such as warning the user etc. Those two parts I consider separate. The user is not an active part but is indeed a limit to security. I didn't explain this quite well in the article.
I agree that holes are actively closed in Linux (but it's hard to judge how active) and because it's open source, everyone can contribute to the process. But again because of its open source nature, there is no trustful central system to spur the process. It all relies on the community. It's not that I don't trust or love the Linux community, it is just information could take longer to get to individual problem solvers and from the patchers back to everyone. And as I said in the post, once Linux is commercial enough, community plus a few well managed commercial bug tracking system will surely result in a more secure Linux.
But right now, Microsoft's system and its closed source nature (which I suppose makes the search for holes harder. But I don't know enough about discovering vulnerability to make it a solid judgement. I suppose having the source greatly helps you find holes.) seems more secure to me. But this is not necessarily solid truth because it involves personal judgement of which outweighs which.
I didn't really take SELinux or Apparmor into consideration. I equated them with the numerous other security software, like firewalls, you can have in Windows. And I think if we consider SELinux and Apparmor, we should arm Windows with Kaspersky, Zonealarm or stuff like that?
Well, apparmor or SELinux are far different from anti-viruses or firewalls. The Linux firewall is iptables, but in some distros like Ubuntu, you usually do not need them because all ports are closed by default.
The crucial difference between Apparmor and Windows anti-viruses or other security tools is that anti-viruses depend on black-listing malware. Apparmor or SELinux depends more on a white-list. Anti-viruses are reactive; they delete viruses which have already entered or are on the verge of entering your system. SELinux or Apparmor are protective: they protect the system by expressly disallowing any unauthorised or unneeded process to run a certain program. They are very customisable and fine grained. You really cannot compare these two. The comparable functionality in Vista is given by protected mode; however, this mode is not very well implemented and really protects only Internet Explorer. That is to say, if you are a Firefox user, you won't have the advantage of Protected mode. However, in Linux, all programs come under apparmor and SELinux. These two actually put restrictions even on the superuser, and protect the system from user mistakes. The difference is as between chalk and cheese.
I suggest you go to the Novell site to learn about apparmor and see the RedHat posts about SELinux and Execshield. The only reservations I have about these apps is that they may actually be creating a "too restrictive" or "too secure " environment in Desktop Linux for their present threat environment.
And always remember one of the first rules in security: a white list is always more secure than a black list. In a white list, you only allow a certain trusted program to run in a certain trusted way; in a black-list, you exclude known dangerous programs and include all the others. The problem with a black list is that there are too many dangers to actually have a 100% chance of catching malware.
In your point about Windows being quicker to patch holes due to a centralised security process, I would suggest that Linux also has centralised security processes for its critical components. And the time taken to fix is shorter in Linux for critical vulnerabilities.
But more about that later.
It is nice discussing with you, I hope I will be able to come up with more concrete information later.
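The white-list versus black-list contrast in the comment above, as an added example in Go that is neither the commenter's code nor a real AppArmor or antivirus engine: a constructed browser profile evaluated as an allowlist and a constructed list of known-bad operations evaluated as a denylist are given the same file accesses, and the request nobody had listed in advance is where the two diverge. Paths and profile contents are constructed; patterns use Go's path.Match globbing rather than AppArmor syntax.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is one profile line: a path pattern and the access modes it names (r, w, x).
type Rule struct{ Pattern, Modes string }

// Policy decides a file access either as an allowlist (deny unless a rule grants it, the
// AppArmor/SELinux model) or as a denylist (allow unless a rule forbids it, the antivirus model).
type Policy struct {
	Allowlist bool
	Rules     []Rule
}

func (p Policy) matches(file, mode string) bool {
	for _, r := range p.Rules {
		if ok, _ := path.Match(r.Pattern, file); ok && strings.Contains(r.Modes, mode) {
			return true
		}
	}
	return false
}

// Permit: an allowlist permits exactly the matches, a denylist permits exactly the non-matches.
func (p Policy) Permit(file, mode string) bool { return p.matches(file, mode) == p.Allowlist }

// Compare runs the same constructed requests through both policies; keys are "file mode",
// values are [allowlist verdict, denylist verdict].
func Compare() map[string][2]bool {
	browser := Policy{Allowlist: true, Rules: []Rule{
		{"/usr/lib/browser/*", "r"},
		{"/etc/ssl/certs/*", "r"},
		{"/home/user/.config/browser/*", "rw"},
	}}
	knownBad := Policy{Allowlist: false, Rules: []Rule{
		{"/etc/passwd", "w"},
		{"/etc/shadow", "w"},
	}}
	requests := [][2]string{
		{"/etc/ssl/certs/ca-bundle.crt", "r"},   // normal use: permitted by both
		{"/etc/shadow", "w"},                     // known-bad write: refused by both
		{"/home/user/.ssh/authorized_keys", "w"}, // never listed: only the allowlist refuses it
	}
	out := map[string][2]bool{}
	for _, q := range requests {
		out[q[0]+" "+q[1]] = [2]bool{browser.Permit(q[0], q[1]), knownBad.Permit(q[0], q[1])}
	}
	return out
}

func main() { fmt.Println(Compare()) }
```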
It is nice to discuss with you too. I didn't know about the black list or white list difference but I definitely agree that white list is far more secure than black list. So no one is adopting white list in Windows?
Then maybe you should start some Windows security software :) I checked out your blog, very detailed and well presented post. Keep up the good work. I'll link to your blog after you have more posts. (It's not very responsible to direct readers to a blog with one post I guess...)
By the way, I use Opera too. I don't understand why not everybody is using Opera. Well, probably one reason, it sometimes has a few compatibility issues or school webCT doesn't support it...But it's so great.
I'll try to learn more about SELinux and Apparmor :).