November 15, 2003

Desktop security: A contrarian view

Author: John O'Sullivan

My computers may be a public menace. They don't have anti-virus software installed, or outgoing firewalls. They are on all the time and connected to the Internet 24/7. Their auto update feature is turned off permanently. I download anything and everything. But I've only had two viruses since 1988, one each on Mac and Windows. Both came from diskettes. This is all wrong, isn't it? My computers should be infested with noxious code bursting out to every computer within pinging distance.

But they're not. They have no viruses and no trojans because I pay very close attention to all the files and processes on each. All software installs are "custom" if that option is provided. I watch the process list and kill anything that is not familiar until I've identified what program it's associated with. The Windows registry entries for "Run" frequently turn up interesting tidbits. And all the really important or sensitive files are located on or backed up to a Linux server set up with Mandrake's "higher" setting.

When installing or re-installing Windows (a fairly regular occurrence) I delete Internet Explorer, Outlook Express, MSN, and MSN Messenger to the extent possible. Besides their well known vulnerabilities, they are none of them leaders in their product classes. At setup time I also ruthlessly prune background services. If there's something I want to do and it won't run properly, I'll turn the service on. However, most of them are entirely useless and I never miss them.

Rather than a perimeter defense around a trusted host, I keep tight control of the host itself, and make sure there is nothing worth stealing. I don't recommend this approach to others. It goes against best practices. It may be more lucky than effective. But it has two huge virtues. It's simple and I'm in control.

Everyone seems concerned about desktop security nowadays. There's a consensus that more end-user education is required, and Microsoft appears to be leaning toward compulsory automatic patching of end-user machines. Both of these approaches are dead wrong, and we in the Open Source community must resist them.

The "educate the end users" strategy will fail because it puts the blame for bad systems on the users themselves, as if they had any choice. Joe and Jane Average haven't the slightest interest in computer security. Why should they be? I don't care how my car's anti-lock brakes work. They just do. Those who do show an interest are saddled with stupid, expensive, bloated apps that take over their system and slow things to a crawl. The cure is worse than the disease for most people.

We have all heard many, many security warnings, yet few people have experienced significant problems. Human nature being what it is, people stop listening to the warnings. Some even become suspicious that the constant security warnings are designed not to help them, but to help the companies that profit from security fears.

The "auto-patch" strategy is worse. I cannot believe that seemingly responsible people in the Open Source community are supporting this approach. I'm sorry, but I won't stand for Microsoft or Apple or MandrakeSoft doing anything to my computer without my informed consent, and most users feel the same way. Erecting an auto-magic Maginot Line around every desktop out there is fundamentally wrong. It won't work. It stinks.

By far the worst option is Microsoft's Next Generation Secure Computing Base (NGSCB). This is the re-named Palladium, and it appears MS will start rolling out software that supports it next year with XP SP2. With this initiative, Microsoft aims to solve the security problem by removing the weak link: us, the people who pay for and use computers. In typically Microsoftian doublespeak, "trusted computing" means that we, the users, are not to be trusted. We can't be relied upon to keep our machines secure, so for the greater good, Microsoft will do it for us.

This plan is distasteful and elitist, and it won't work either. People haven't objected to digital rights management so far because they haven't encountered it. When they do, they will. More fundamentally, NGSCB is anti-democratic. We expect people to be sophisticated enough to make their own economic, social, and political choices. But when it comes to computers, they're all like children. They need to be told what to do. This is the height of arrogance. Anyone in the Open Source community who advocates such a thing should be ashamed. They, above all, should know the value of democratic principles applied to technology.

What we need is not "solutions," but alternatives. I like the Mandrake security setup. You choose from four clearly explained options, with the ability to tweak later if you want. I'd like to see a system like that for Windows. But we need to add to the existing options a low security setting. That's right, low, and it should be the default. The setting would impose a few restrictions, but give users lots of freedom and need no input. They wouldn't be allowed to send more than an average of one email message per minute over any 60-minute period. And there would be restrictions on outbound services. Too restrictive? Fine, go for a higher security setting. But the higher setting would require more user input.

The advantage of the low setting would be that the machine wouldn't be worth much to a spammer or hacker. Worms would find it easy to get in, but hard to get back out again. And if a machine is not capable of being used as a platform to damage others, is it any of our business how it is set up?
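As an added illustration of the rate-limit idea behind the proposed "low" setting (example code written for this article, not anything the author built or proposed in detail): "an average of one message per minute over any 60-minute period" is the same as "never more than 60 messages in any sliding 60-minute window", which a small sliding-window limiter can enforce. The traffic below is constructed: a user sending a handful of messages across an hour, and a worm-style burst of a thousand in ten seconds.

```python
from collections import deque

WINDOW_SECONDS = 60 * 60   # any 60-minute period
MAX_PER_WINDOW = 60        # an average of one message per minute


class OutboundMailLimiter:
    """Sliding-window limiter: a send is permitted only if fewer than
    MAX_PER_WINDOW sends were already permitted in the preceding window."""

    def __init__(self, max_per_window=MAX_PER_WINDOW, window_seconds=WINDOW_SECONDS):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._sent = deque()   # timestamps of permitted sends, oldest first

    def _expire(self, now):
        # Drop sends that have fallen out of the trailing window.
        while self._sent and now - self._sent[0] >= self.window_seconds:
            self._sent.popleft()

    def allow(self, now):
        """Record and permit a send at time `now` (seconds) if it fits the
        budget; otherwise refuse it without consuming budget."""
        self._expire(now)
        if len(self._sent) >= self.max_per_window:
            return False
        self._sent.append(now)
        return True


def simulate(attempt_times, limiter=None):
    """Run a sequence of attempted send times through the policy and
    return (allowed_count, blocked_count)."""
    limiter = limiter or OutboundMailLimiter()
    allowed = sum(1 for t in attempt_times if limiter.allow(t))
    return allowed, len(attempt_times) - allowed


if __name__ == "__main__":
    # Constructed traffic: a person sending five messages over an hour.
    person = [0, 600, 1200, 1800, 2400]
    # Constructed traffic: a worm firing 1000 messages in ten seconds.
    worm = [i * 0.01 for i in range(1000)]
    print("person:", simulate(person))   # all five go out
    print("worm:  ", simulate(worm))     # 60 leak out, the other 940 are held
```

The limiter still lets a legitimate burst of up to 60 messages through at once, which is exactly what the averaged rule permits; a stricter per-minute cap would trade that freedom for a smaller leak.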

Security is going to be a critical problem for Open Source supporters in coming years. Elitist solutions are going to create as many problems as they solve. My ass-backwards security system may be dumb, but it works for me. Why can't everyone have a security system that works for them? Because we, the experts, have totally failed to deliver such a system. Only Apple has even tried. It's about time we did too.
