Computer Security Environment

I initially posted this in another thread, but as that thread was all over the place (numerous off-topic posts, mine being one of them) and because this is a topic worthy of discussion, I decided to create a new thread about it.

 

There was an article posted by ronjor where the author argued that the security industry shouldn't even exist!
Applications and OS's should be secure by default.

If we look at OpenBSD (thank you Alphalutra1 for posting info), they actually audit the code before releasing it!

 

Hi

TypicallyOffBeat - I very much like your comment! Hmmmm! I guess if the side of a barn represented, 'the whole computing world' Apple would be a small knot hole, on the side of the barn. Well any bad guy shooting at the side of the barn, would always hit M$. Reverse the scenario & you always hit Apple.

Also given that M$ has dominated since the DOS days, a generation of code writers have grown up writing code for M$. Therefore example: If the total population of code writers is 1000, then 998 write code for M$ & 2 write code for Apple. Should the population (1000) contain 10% bad guys. There would be more bad guys writing malicious code for M$ then Apple.

Take Care
Rico

 

From Internet Explorer Myths (Internet Explorer is insecure only because of its popularity):

This article is more germane: Does open source software enhance security?

 

The notion isn't that the market leader's (in this case Microsoft's) software is only insecure due to its popularity (of course that is erroneous), it's that the market leader's software (whoever that may be) is constantly targeted by the 'bad guys' (hackers, malware writers, blackhats, cyber criminals, etc) and thus it's vulnerabilities are significantly exacerbated, to an extent much further than would be the case if it wasn't market leading software. Which poses the question as to whether this notion is universal among all software (particularly OS's), or whether exceptions exist as is potentially the case with Unix and its affiliates. Note that instances where market leading software is still more secure than other software doesn't necessarily invalidate this notion. From everything I've gathered thus far, Microsoft software (particularly its OS's) is inherently less secure than say Linux, but the question remains as to whether for instance Linux would remain 'secure' in the same sense and to the same degree as most people consider it today if it were to become the market leader, or whether it would simply be rendered 'less insecure' than say Microsoft after the onslaught from the 'bad guys'.

Examples of this notion playing itself out are numerous. I've already mentioned the example of Apple (Mac) in my original post. Another good example could be Firefox. When it first arrived on the scene, it was widely regarded as a 'secure' browser, much in the same way that Apple (Mac) was and Unix is regarded. However, once it was popularized the onslaught began and numerous vulnerabilities surfaced and continue to do so. Granted on a smaller scale and to a lesser extent, but consider this. To this day Firefox only has around 14% of the internet browser market, no where near the market leader Internet explorer, and yet this was sufficient for the notion to play itself out. Imagine if Firefox was a market leader to the same extent that Internet Explorer is, the vulnerabilities that surface would likely increase dramatically and if that happened it would be rendered at best 'less insecure' (than say Internet Explorer).

 

Methinks I'm feeding a troll.

 

What do you mean?

 

Security isn't just avoiding Microsoft.

I would say that one of the biggest defining points with Linux is it's userbase. For one, Linux users typically start out by not installing and/or disabling unneeded resources. They are also able to implement more complex features with greater security becuase you do have to have some knowledge to use Linux. I'm sure there are many other similar points, but the point is that Linux would have to change things to be an OS for the masses. Don't forget that Mac OSX is based on BSD. Any OS can be configured for much greater security, with limited user accounts being a big factor in all of them (Windows is the only one of the bunch in which they are not default). The average person will sacrifice security for convenience every day of the week, and in some cases will even make it a demand.

Any, and I repeat ANY, OS can be compromised by a sufficiently motivated and skilled attacker. Let's not forget that rootkits started out as a Unix & Linux phenomena.

Don't forget, also, that the OS itself is not the only attack vector, but any software. Even if the OS was 100% secure, you could have a sloppily made piece of software running that could compromise your security. Microsoft is not the only factor here.

When it comes down to it, if you've got a whole community of organized criminals spending that much time and money into finding ways to infect a system, it will happen one way or another. Having more vulnerabilities than the other guys doesn't help, but it only takes one "wormable" vulnerability for you to have problems. One of the biggest factors with Windows was really that up until after XP was already well established, security wasn't that great of a concern. Only a minimum of security software was required. Back in 1998 and 1999 I, and most people I knew, didn't even run a firewall, and the only real risk was drawing attention to the script kiddies. I just used a small program called "NukeNabber", which just blocked the "ping of death", which, AFAIK, pretty much all OSes were vulnerable to, and I never had any problems. At the time, the count of malware per year was in the double digits, so the AV companies had no problems keeping up. An up-to-date antivirus was really all you needed.

As long as software is programmed by humans, though, there will be security vulnerabilities, at least until someone can create an air-tight programming language (which, again, would have to be programmed by humans, and so would be unlikely to ever happen). Then the attackers would just get better at social engineering. The bottom line, however, is that security is about more than installing software.

If your concept of security consists of little more than brand names, then you don't know security at all.

 

Great summary, Notok!

Ouch

(But true)

regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

That will always be the case. It's said someplace that the only safe computer is one that is unplugged. LoL

Microsoft chose to be in the limelight with global public distributions of their creations and so they given a big green light to be taken to task by everyone from script kiddies to the sharpest of pencils in the box who are code engineers of the highest degree.

If there really is any consolation to all this talk about securing, it's that equally sharp if not even sharper minds then Microsoft salaried personnel exist on both sides of this equation which is evident by the marathon session see-saw effect we all live with today.

One day the good guys so to speak have a leg up on matters followed by a period where the black hats are in control and so the beat goes on.

Electronic communications certainly have evolved though as the convincing instruments they are & were designed to greatly narrow the distance between geographical boundaries as well as offer us another local platform for learning, but not so much more than we always been accustomed to all along. I look at a simple invention called the telephone and am reminded that their not so far different in convenience then computers really.
After all is said and done, computers, at least the Microsoft type, are really nothing much more than just a glorified copying machine that also doubles as a visual/audio communications aid platform for entertainment and/or creativity sharing & showing off your talents with the help of a program here or there.

The real point of contention here is the common line known as the internet. Does anyone really know exactly what frequency scale it operates with? To coin a very simple analogy, if someone doesn't know your telephone number, then you really don't even exist. And whatever doesn't exist, can't possibly be compromised or tampered with in any way.

But i do get the point from the above post and hope this didn't wander too far OT.

 

@tayres

The link concerning open source software and security was informative, so thanks for sharing that. However, I think I just discovered what exactly a troll is and so am dismayed with you for making such a comment. I won't bother delving into how unfounded of an accusation that was as it will likely lead to further off-topic posts consisting of personal attacks. But the framework of this thread is simply a culmination of a series of observations in conjuction with some basic objective analysis. If creating such a thread that generates substantive discourse is troll-like behavior, than so be it.


@Notok

Thanks for the reply, it was the substantive feedback I was looking for. So in general you basically agree with the aforementioned notion, right? If I read you correctly. . .

You agreed with and reinforced the premise that all software is inherently insecure to some extent, that all software has vulnerabilities waiting to be discovered.

Now the question is whether you agree with the remaining premises. If so, you are basically in agreement the notion. If not, please provide objections to them as I am seeking critical analysis of this notion.

The second underlying premise behind this notion is that as software becomes more popular (bigger user base), the more it is targeted by the 'bad guys'. It follows that the market leader would thus be targeted relatively more.

The final premise is that the increased level of attention, time, and effort that the 'bad guys' put towards compromising the software results in increased level of vulnerabilities (qualitatively and/or quantitatively) and an overall decrease in the security of the software.

As a side note, was that comment about not knowing security directed at me?

 

If 90% of the users had Linux as OS world-wide, Linux would be the most attacked OS in the world and the bad guys will do their evil job as always and they will find ways to attack Linux as much as Windows.
History repeats itself, unfortunately there are still people who have to learn this over and over again. If you want a very safe computer, use a rare OS and rare applications, if you can find them.

The challenge is to protect the most attacked OS and to do this in a way everybody is able to understand. Linux and Apple are of course the easiest way to escape from all these problems.

Since all software are vulnerable, I decided to replace Windows and Applications with the original, but configured version during each reboot, because no OS and no Application protects ITSELF enough. That's why I have to do it.

The rest is a matter of stopping the installation & execution of malware immediately and as much as possible.
Unfortunately security softwares aren't foolproof either and that's why I have to remove their failures during reboot, which is of course TOO LATE.
The irony is that my security is mainly based on non-security softwares.

 

Hello,

I disagree with the following idea, stated by several people:

If Linux were more popular, it would be attacked more - true.
If Linux were more popular, it would be more vulnerable - not true.

Linux is Linux.

If Linux user base grew by 500%, then so would the number of people developing it and maintaining it - regardless of who and why targets it.

Speculating that Linux would become Windows is ... simply wrong. First, because Linux is a completely different OS. Second, because the mentality of Linux is completely different.

Example: Firefox.
First, it's not 14%, it's more like 30-40%.

Is it vulnerable. Not at all. But will the M$ friends feed you misinfo in every article they can? Yes they will. Fear is the best way to feed a security industry.

Firefox has had some potential vulnerabilities discovered - most of which were discovered by the developers and community and none of which had been ever actively exploited.

More than before? Yes. But that's only because more people are actively working to make it better.

This has nothing to do with the "bad" guys.

The same applies for most open-source and free software and Linux in general.

Anyone using Linux can tell you this. Take Ubuntu for example. You have tens or dozens of small fixes and updates EVERY day. EVERY day. While M$ releases a few updates once a month.

So which one is going to be more secure?

And finally, the NIX software is simply superior. A superior concept. That's all.

Mrk

 

Before proceeding let me preface any further discussion by clarifying that my assertions about the security of other software (Apple, Firefox, etc) are largely based on reports and articles I've read in brief over time and not on any first-hand experience in testing the security myself. So in that respect my knowledge is limited in this area. This is much of the reason I brought this question to all of you to get the perspective of those more intimately familiar with other software (particularly other OS's like Unix and its affiliates) and with a more in-depth understanding of computer security in general.

So the popularization of say Linux (to the extent of becoming market leader) would undermine one of its key assets, namely security, not just by being targeted more by the 'bad guys' but because it would have to be modified to be more user-friendly (convenient) in turn sacrificing security?

You are right. It was simply a misstatement on my part. I didn't mean that vulnerabilities would increase objectively speaking, but rather the extent to which they were discovered and exploited.

Probably true to an extent. But if Linux became market leader to the same degree that Microsoft currently is, much of that user base would be the same computer illiterate masses that make up much of the Microsoft user base, giving the 'bad guys' plenty of computers to compromise and use to propagate their malicious intent. Granted a portion of the user base would contribute to developing and maintaining it as you mentioned, but would this be sufficient to counteract the onslaught?

I never made such a speculation. You are taking my comments out of context. The whole point behind this discussion is to see if the aforementioned notion is universally true among all software, and in particular with the case of Unix and its affiliates. So in that context, the question arose as to whether Linux would become like Windows in terms of falling in line with this notion and being susceptible (vulnerable) to such an onslaught if it became market leader. I think it is evident that Linux is an inherently more secure OS than Windows, no one is really debating that. The contention arises in determining whether the security of Linux would decrease and perhaps be rendered 'less insecure' than alternatives if it was popularized to the extent of Microsoft.

I based my number on various articles I read, some of which are listed below. I got the 14% figure from a more recent article, but I seem to have misplaced it. I'm not sure of the accuracy of these numbers, so the figure I put forward might be inaccurate. I can't be sure. Regardless of the actual number, my broader point still stands. This isn't really that important to this discussion, so I'll leave it at that.

"Firefox, on the other hand, has been growing steadily, reaching 12.46 percent market share." (here)

"Firefox - 13.38%" (here)

"Firefox has not only managed to wrest 10% of the browser market from Microsoft" (here)

 

Hi Guys,

Quick thought - If an app starts out to be a 'one trick pony' it's very easy, or easier to bullet proof. As the 'one trick pony' becomes more of a generalist (tries to do everything) bloat, more errors can occur, the app becomes larger.

Example: SpySweeper early days great, ver 5 problems
ZoneAlarm " " , ZA everything problems.

Growth > popularity > generalist (suites) > speciality apps

Off to work now

Take Care
Rico

 

Security through obscurity works and it helps Linux/Unix, but it's not the main reason behind the relative safety of Unix systems.
- In Unix, the community is always auditing the code and fixing bugs which, by the way, are generally less critic than in Windows. In Windows, the bad guys reverse engineer the patchs and then they release exploits targeting unpatched systems. In some cases, the bad guys are aware of bugs which Microsoft (and the community) doesn't know.
- In Unix, you can do almost everything from a limited user account. The root account is only needed to perform system changes and SU/SUDO is better than "Run As Admin". In Windows, you're forced to use the root account and the only security measure is reducing privileges for vulnerable apps.
- Unix systems are bundled with powerful firewalls by default. In Windows, firewalls are only mandatory since SP2 and huge amounts of users are still running Windows without a firewall.
- The average Unix user install software only from trusted repositories and it's instructed to check checksums. The average Windows user downloads from anywhere and double-click all jokes he/she sees. Also he/she doesn't read EULAs and he/she thinks that Norton/McAfee will correct his/her mistakes.
- In Unix, there are fewer interdependencies thus making bug hunting easier and exploiting more difficult. Also, each service has its own port not shared with other services.
- In Unix, there isn't a cancer like Internet Explorer.

 

Great post, which indicates you know what i'm about to say, but i can correct this word: obscurity.
If there's anything that GNU is not, is obscure software. Everything is wide open to read. If anything, that provides an extra challenge vs Windows (closed source /proprietary).

What you meant was that it's not as appealing as Windows.

 

You understood me very well
"Security through obscurity" means that we should only use OpenBSD w/Lynx until they reach .5 % of market share
Then, we move to the next "obscure" app/OS

 

TypicallyOffbeat: To answer your first question in response to my post: yes, if Linux were the dominant operating system it would be targeted more, and have more security issues. We'd still be in essentially the same predicament. The amount of things like malware would likely differ, but it would still be enough to be a problem. Even if you're talking about ten times less malware, you're still talking hundreds of new malware variants per day.

One thing to keep in mind that the vast majority of the massive amount of malware that's out there are slightly modified variants of a single piece of malware. They get one that works, then they just make benign changes that make it look like a completely different file to the anti-malware scanners out there so they have to add separate detection. Of course there is a certain amount of adding new features and such to the variants, but the point still stands.

If you were to list all the malware that was released last year by family alone (ie not list individual variants), you'd probably be surprised at the relatively small amount. There's still lots, it's just that it's not as much as you would probably think.

I would put emphasis on the word "just" there, but yes. One of the criticisms of Windows over Linux has been that Windows ships with everything installed and enabled. In Windows you have everything you could possibly need and you have to disable individual resources if you don't want them. In Linux you have to install/enable what you need. You'll notice that Windows XP was pretty much the first that wouldn't let you customize the install, and it was the first that had that real level of stability (although that was not, by any means, the only factor). To make the OS work equally well for Ma and Pa Jones, as it does as a corporate workstation, they have to put everything in and turn it on. Most of the components exploited by worms are for corporate settings, hence the reason that hardening your system can be so effective.

On top of that, people that are highly technically savvy (eg the average Linux user today) are giong to know how to keep their system safer than Ma and Pa Jones. Give a Linux distro to the Jones's today and their install wouldn't likely be quite as secure as the uber Linux geek's. Now add all the functionality that the masses will expect in their operating system, make all the existing functionality much easier, and you've got a lot more room for vulnerabilities. Like I say, just remember that MacOS is based on BSD. Remember, too, that Linux itself is really only a kernel, and the rest of the OS is individual to the distro.

If you need an example you can do some research on Linspire, which gets criticism for compromising some security for convenience in an attempt to make a Linux distro that Windows users can use (and could be potentially willing to).

You've also got the issue, in some cases, of what constitutes malware. There are tools that can be used for good or bad that businesses would want to detect, and there's things like adware that some people install with full cognizance of what they're doing because they don't realize that there's actually free high-quality alternatives available.

When it comes down to it, right now Linux is made for a relatively niche market, where Windows is made to fulfill the needs of millions/billions of different individuals with different individual hardware and software to suit different needs and wants. There's a lot they can do now because anyone knows that they will need to dedicate some time and energy into learning to use Linux, but they would have to change that if they wanted it to suit everyone. As we all know, added complexity tends to lead to more vulnerabilities. It would also draw in a lot more software developers, and adding more software also adds more attack vectors. Ultimately this issue would not be isolated to Linux alone, or any other single thing. It would be a matter of every aspect of it.

I agree that Linux is Linux, but the point is that they would have to make some fundamental and sweeping changes before it could become the popular choice. For it to do that would probably make it very different than it is today. For starters, the whole ballgame changes when it you have to provide (paid) technical support reps, which they would need. When things don't work the way people expect it to, they have a tendancy to immediately stop and call support, and that costs the vendor money. If you were to take everyone's Windows away tomorrow, and give them a copy of Linux to replace it, right now it would be a support nightmare.

Superior in what way? Ease of use? Gaming? Music creation and editing? Multimedia?

I agree that it has some strong advantages over the other OSes, but they all do (just like every other product in existance). I do not agree, however, that it's a superior choice for my own personal everyday use.

I fully agree. There was actually a really good article that I read about just that subject, but it was like a year ago. I do have some idea where I might have seen it, so I might try to find it. It did talk about things like how they could make a fully secure OS, it just wouldn't be anything that anyone would want to use. With the right kind of focus and resources (including time), you probably could actually make some pretty secure single-purpose terminals for various uses, although I'm sure that there would still be other kinds of security issues, like people giving out passwords and such. The bottom line is that I don't think it's possible to give the user access to sensitive data on a system and have it 100% secure of all issues, the user will always be a factor. That's also going to be a factor with malware - all the attacker would have to do is be convincing enough.

 

Notok, this illustrates what i think is wrong in your reasoning. I used to think like that too.

You assume all distributions are hard. The fact that i personally want to dig a bit, doesn't mean i have to. Ubuntu is REALLY easy to use. If you want it's 'click click click' too. No comands.
If you want support, easy also, pay for it. Documentation: lots. Forums: very active. Updates: daily.

 

With all due respects, I think you're missing the point. It becomes a whole new ballgame when you make any product capable of suiting BILLIONS of people that all have different hardware, different needs, and different expectations. It's the reason that you see people get disappointed about small companies getting bought up by big companies, or when they become a large "faceless" corporation on their own. How do you think Ubuntu's support would change if they had to start fielding hundreds of thousands of calls per day? How would the product change if it needed to be both a media center PC for the technically illiterate and a corporate workstation for literally every industry, all simultaneously?

Even if you're right and it's ready to use, it's not yet made for that kind of thing, and that is inclusive of a whole lot more than the software itself. The software is ultimately what will change, however, as it would become more complex.

Really, though, I don't know that I'd be ready to hand my mom a copy of Ubuntu and expect her to be able to get it going as a media center PC that's ready for gaming as well.

 

Hello,
Notok, maybe the PC is not meant for everyone, how do you reckon that?
This is one of the greatest problems with Windows - trying to make it as "friendly" as possible. Some people are not supposed to use the computer.
Mrk

 

Hi Guys,

Notok - Right On!

PC's - Are for everyone, no one should not have one. That's the pitch anyway with sub $400.00 machines ready, for a waiting public. Software & the whole computer industry, is still in its infancy.

Take Care
Rico

 

Hehe thanks Rico ..and I fully agree: computers are (or should be) for everyone. Science made a huge leap forward when the internet came about because they could suddenly communicate with their peers so much more efficiently. The computer is a tool made to assist and enhance our lives, not consume it. Geeks like us voluntarily spend our time learning computers so that people like the scientists can focus on their work and not the computer. We can't expect anyone else to be interested in the computer itself, just for it's own sake, though. Everyone has their hobby, and there's no reason others should be any more interested in yours' than you are in theirs.

Doctors are notoriously computer illiterate. They have to spend significant amounts of their "off hours" keeping up with the latest information, then the rest of the time they probably spend with their families. The computer and the internet allow for more of the later. That's how it should be, and when it comes down to it I would MUCH rather my doctor spend his time learning how to fight real viruses, and I'll learn about the digital variety so he doesn't have to. I'd find it a little hard to swallow that the computer isn't for them.

Computers can, should, and soon will be used to provide resources to teach kids in countries that are poor enough that they couldn't get those resources otherwise. I'd find it a little hard to swallow that the computer isn't for them.

When it comes down to it security should be intrinsic and transparent. Users will always have a certain responsibility in that respect, just as we all know to lock car doors. The user should not, however, need to know everything about security to maintain a reasonable level of safety, and people that aren't knowledgable and experienced enough to have the kind of sense that some geeks consider trivial and obvious ("common sense") are no less deserving. Especially when you consider that most of us here had the advantage of being able to learn about security the hard way without having to worry about whether an infection could lead to identity theft.

If they're not knowledgable enough to do it on their own, there's nothing wrong with turning to a paid professional (or knowledgable family member) who should be able to make sure their system is as safe as can be reasonably expected, and be available if something happens.

 

Hello Notok,

Bravo

Did you happen to see 60 min last night? Negraponte from MIT & his $100.00 laptop, giving them to poor kids all over the world. In Cambodia kids were getting laptops, and there village did not have electricity. You could pull a string or crank a device to recharge it. Also his laptops are run by AMD, now Intel is muscleing in with its own cheap free laptop, for the poor. Competition to give computer away.

Take Care
Rico