how we love meaningless ‘facts’ about security

March 31st, 2008

Consumers like simple answers. In fact, they insist on them. When I was shopping around for an espresso maker, I knew that I knew nothing about the subject. I also didn't care to learn about it just so I could pick out the right machine; it's unlikely to be a worthwhile investment. So when I went to the store and started glancing over all the different machines, and the salesman came up to me, all I really wanted to know was: which one is the best? This is the way consumers think. You can give them the whole rundown of specifications and they will still want you to tell them which one is best. The guy will dance around the issue a little, "well, it depends on what you want, etc.", but eventually he will converge with your viewpoint, because he knows what you want to hear. You want him to tell you which one to pick. It doesn't even matter if he tells you the truth; you just want an excuse so that you don't have to think about it. If it later turns out that he was lying, well, I guess I'll have to bite the bullet and do my own research next time.

This attitude demonstrates that we want simple answers to complex questions. Just get the answer and have your peace of mind already; it doesn't matter how accurate it really is.

As technologists, one of our favorite issues is security. People get passionate about security, they have long discussions about it and they're so keen on the latest in security development - in the magazines, on the blogs, everywhere. But it's really just entertainment. They don't actually understand the issues or even want to learn about them; they just want to have the simple answer.

Ironically, security is particularly badly suited to such a black-and-white perception of reality, as it is one of the most complicated aspects of our technologies. Nevertheless, you will often see stories like this one, about cracking three laptops running OS X, Vista and Linux respectively. Apparently, the Mac was popped first. Now, the reporter of this story will not declare that this test makes Linux the safest platform. Such a conclusion would be completely unfounded. But not saying it is actually not very far from saying it, because if that wasn't the point of the exercise, then what was?

The fact is that the issue of security is much more complicated than most people want to deal with. They just want a smiling salesman to pat them on the back for making the right choice. Consumer IT security is the car sales of the industry.

The other thing is that security is a very delicate issue in and of itself. It isn't about the general quality of a system; it's about finding the one weakness in an otherwise perfect system, and that can be enough to compromise the whole thing. This makes it distinct from many other facets of computer systems, where 95% is a great score (on, say, ease of use). Security is about 100% coverage, non-negotiable. The way to achieve that is to run as few applications as possible, allow as little incoming communication as possible, and keep a close watch on everything on a day-to-day basis. Which is exactly what desktop users want out of their systems, right?

Ultimately, the stakes aren't high enough to have secure desktops. There is actually software out there that literally does not break, does not crash, never misbehaves at all. The first place to look for something like that would be NASA, where software bugs have enormous financial consequences. Companies also have much better security than you and I do. Companies are conservative; they will stick with a system for 10 years if it runs reliably, no matter how ugly or annoying it may be. But then again, they are liable for losing/leaking/corrupting lots of important data other than their own, so they like to be careful about it. We don't have that burden. The worst we can do is lose our own data, which typically means copying it back from a USB drive or something, no big deal.

People get riled up about desktop security when there is no desktop security. All you have is pockets of time where no exploits are found, but then the next one comes along. Servers are a lot more secure, because they obey strict guidelines on when to upgrade software and under what conditions. Tinkering is kept to an absolute minimum. Servers also have strict policies on what types of access they allow, and to whom. This is why servers get compromised far less than desktops.

The report mentioned above indicates that the Mac was hacked immediately, which probably means there's a glaring exploit out there right now. Then the Vista box survived three more days before it was brought down. Run that test next month and the results are likely to be completely different. Treat these tests statistically and all you get is a bunch of exploits moving around, such that at any given moment there are a number of exploits available on every platform. If hacking a Linux box is 10 times harder than a Windows machine, that doesn't really do much for us, as the past decade has shown that compromising Windows machines is a no-brainer for a motivated person. That means instead of 2 days you'll survive for 2 weeks, little comfort. Now if it were 100 or 1000 times more difficult, that could actually make you feel better, but the difference is unlikely to be that big.

The desktop is practically the most insecure platform in use today. You can run anything you want on it and change your entire software stack every day if you want to. Who's gonna stop you? From a security point of view, this is completely untenable. You cannot give people the freedom to run whatever they want while at the same time enforcing a strict security policy; those two are mutually exclusive. If you want better security, you'll have to put up with more pain, and you'll have less freedom. The quoted article says that the Vista box was compromised through a bug in the Flash plugin. Now can you really blame Microsoft for bad code in Adobe's godawful Flash plugin? Flash is the perpetrator here, not Vista. Okay, so they could be stricter in what they allow and what they don't. But that would either partially break the Flash functionality (or other software) or render it entirely incompatible. Would you prefer that? Of course not.

The truth of the matter is that technology advances at a fast pace, and we love to be part of that. We will happily run beta code as long as it's easy to install (Firefox) and doesn't burn us too much. But you can't combine the incessant thirst for the newest software with any kind of reasonable security model. It's easy enough to tell the server: only these 5 applications are allowed to run here. But you can't do that on a desktop, because the user might want to do anything and everything. There is no security, because there isn't nearly enough security auditing happening. qmail hasn't had a security hole in 20 years, but then it has hardly received any updates in years. Would you be satisfied running Firefox 0.8 today? I doubt it. But that sort of long-term and meticulous verification is what it takes to examine a piece of software in detail and make absolutely sure that it doesn't have any issues.

Granted, there are very different attitudes toward security in various places. Unix was designed as a multi-user system, and therefore security was one of the guiding principles: no user should be able to mess with another user's data, and no user should be able to bring down the system. Microsoft never designed their stuff for security (apparently it didn't seem to matter) and had a nasty backlash when they found out, to their astonishment, that people did care about the issue. In recent years, they have tried to take the matter seriously, but it seems like they're still perplexed by it.

Now that the media seems poised to regularly stack up Windows, OS X and Linux on "security", this topic isn't going away. There will be many more "head to head" tests, which based on their criteria (sometimes more sound, sometimes less) will indicate a so-called winner, in a contest that ultimately doesn't measure anything useful. If the test were to pit the kernels of each operating system against each other, then that could be insightful. But who apart from kernel developers cares about the kernel? Kernel security bugs are a class of bugs to be taken seriously. But far more security holes are uncovered every day in common applications that we really want to use, applications that receive nothing like the scrutiny of a kernel.

Our systems are insecure (some more, some less, but ultimately they all have weak points) because we care a lot more about new software than about security. A system that gets cracked in a week is not a secure system. One that can withstand years of attacks, now that's more like it. Our desktops are in the former category.

1 Response to "how we love meaningless ‘facts’ about security"

  1. Boyo says:

    "espresso maker ... unlikely to be a worthwhile investment"

    You break my heart. Coffee is the most important drink of the day!