Monday, October 16, 2006

Operating System Security:

By now, if you pay attention to any tech site, you've probably seen or heard about the issues that McAfee, Symantec, and other computer security firms have with Microsoft's Vista OS. A general sampling of the plot summary can be found, for example, at OS Weekly.

Now, as I see it, the issue is fairly simple. Based on reports, like one here on Anandtech's DailyTech site, Microsoft is working directly with Kaspersky and cutting other security vendors out of the Vista development process. Established firms like McAfee and Symantec are having none of it, and want full access to the Vista development process. You really can't blame them; after all, they do depend on Microsoft Windows to exist. You can easily find several articles covering the tit-for-tat back and forth between the security firms and Microsoft, but that isn't what I want to focus on.

I want to look at why this is a problem to begin with. Microsoft already trod on a lot of IT toes with Windows XP by proclaiming it the most secure Windows version ever. Technically, this would be true, if it weren't for the use of the WinNT 5 kernel, with its over 6,000 known unfixed issues from Windows 2000 that Microsoft is never going to fix. That isn't the issue I want to look at either.

Let us be honest here: we as consumers take for granted that our Windows operating systems are going to be attacked. We take for granted that there are going to be viruses, there are going to be spyware programs, there are going to be ad-ware programs, and there are going to be complete and total jackholes with nothing better to do than write malicious code. We, collectively, as consumers have accepted this. We have, collectively, gotten used to running virus scans, disk cleanup, disk defrag, and chkdsk /f /r (enter) (y) (enter) exit: reboot, on a weekly or daily basis. Collectively, as consumers, we rolled our eyes when the most recent Vista builds got their security control schemes cracked, and collectively we went "Why did it take them that long anyway?" Collectively, as consumers, we've come to expect, and have delivered consistently, Microsoft's complete ball drops when it comes to user security.

Microsoft, of course, is fond of comparing their operating system security to Linux, their only real competitor. Now, I could link several stories focusing on Linux vs. Windows security, but let's accept this little fact: Both Operating Systems can be just as Secure as the Other.

Yes, I went there. The fact is, if you take the time to lock down user permissions, lock out ports, get a good hardware firewall, and lock down general user access, both Linux and Windows can deliver similar security environments. The question that needs to be asked in the security debates is whether you are comparing apples to apples, or oranges to oranges, or apples to oranges.

The fact is, Linux and Microsoft offer two different types of products. Microsoft offers a complete operating system under one brand name. Microsoft controls everything from the TCP/IP stack, the desktop environment, the window manager, the file system, the I/O access, the kernel access, and everything else needed to be able to run the operating system. On top of the operating system, Microsoft offers text editors, web browsers, media players, and control devices that allow the operating system to be used.

Linux, however, is just the kernel. While the kernel is the core of the operating system, it needs more programs in order to actually do anything. You can use the command prompt, yes, but if you want to do anything with the kernel, you are going to need a file system manager, I/O access, TCP/IP for the network, a window manager, and maybe a desktop environment. While it is taken for granted that a Linux distribution has these items, they are items that are added to the Linux kernel.

This is where the comparisons of Windows to Linux generally fall apart. Linus T., Alan Cox, Marcelo Tosatti, and Andrew Morton do not make or sell a Linux distro directly, although they are among the most prominent kernel programmers. Other companies like Red Hat, Novell, or Mepis take the Linux kernel and combine it with the tools and applications to make a usable distribution. Typically these tools and applications derive from the GNU's Not Unix (GNU) operating system, although the range of Free and Open Source Software today means that a lot of non-GNU software is used in a Linux distribution.

Generally the advantage of being able to select all the different parts of your operating system is that there is finer control over what goes into your operating system. Consider this about Linux: if you do not need an instant messenger client or a media player, you don't have to have one loaded. If you do not need an internet browser, you are not forced to load one. If all you need is the kernel, I/O access, a file system manager, TCP/IP, and a web server, you can get that, and just that alone, with Linux.

The disadvantage to Linux is that you are given control over what goes in your Linux distro. Consider for a second the average user who does not have a clue what programs they use. Most of us know somebody who, when asked what browser they were using, responded with "Windows." Most of us probably also clarified: that's their operating system, what browser are they using? The average consumer doesn't know what programs they use because they do not care about what programs they use. Yes, we can make charts all day long and take screenshots of the tools we use to clean up their computers and tell them why certain programs are bad, but to the average user a computer is a tool. If it doesn't work, replace it with one that does. Now, imagine taking this user and putting them in front of a Linux distribution for the first time.

To pick on Mepis for a minute (hey, I use it), the system comes with these programs: Kate, KEdit, KWrite, and OpenOffice Writer. These are all programs used to write with, some offering more advanced functionality than others. If I add NVU/Kompozer, I now have 5 programs that all let me write stuff.

How many do... I actually need?

On lower-end systems, say an AMD K5, Kate is a much better choice than OpenOffice. It's much lighter and much faster. But if I'm using, say, an AMD Athlon64... Kate is... pointless. OpenOffice offers much more document functionality. But how do users know what program is right for them? How is the common consumer going to know that if they are using a Pentium processor, they are better off not using OpenOffice, but if they are using an Athlon, they have the performance to run OpenOffice?

The point is that since the average consumer does not know which programs are good for use on their Linux distro and which are not, they are dependent on what the vendor sets as the default. Microsoft sets its own programs as the default for everything, and the user has some assurance that these programs will work somewhat in the way they are intended to work. The same cannot be said in the Linux distribution world, where the defaults can change wildly from distribution to distribution. I am not saying that's a bad thing. That is one of the good things about Linux: there is a distro for everybody to use.

What is important to keep in mind here is the amount of control that is relinquished to the vendor. Again, this is not a bad thing. If you want to hand-piece your own Linux distribution from the ground up with .deb repositories, or if you want to compile from scratch, that's your prerogative. I'm not going to stop you, nor would I dissuade you. For the average user, or for the person who isn't keen on taking the time to do so, having someone else piece together the distribution is the way to go.

And that is where we start picking away at the key security differences between Microsoft and Linux, and why businesses like McAfee and Norton can exist in the Microsoft world, but don't really have a place in the Linux or Unix markets.

Some vendors, in order to make their operating system easier to work with, will make design choices that remove a lot of the visible security features; Linspire is one example. It doesn't mean that the security isn't there, it just means you'll have to work to turn it on. On the other extreme you have OpenBSD (not a Linux, but still *nix), which hand-reviews everything that makes up the code, and sets the tightest possible security standards. Your security is only going to be as tight as the vendor sets it unless you, the person using your operating system, take the time to go in and change the settings.

The fact with McAfee and Symantec is that they built their security empires on Microsoft's behavior. Microsoft built their operating system without regard to security. Like Linspire does with their Linux distribution, Microsoft was more concerned with making their product USEFUL than they were about making it secure. I am not saying this is, or was, a bad thing or a bad goal, especially in the days before I1 (Internet1) was established. Again, being honest, when Windows 95 came out... would you really want to use a Macintosh or an MS-DOS box? Would you really want to use the... um, CDE? was it? On Unix? As a home user, Microsoft was the only realistic choice available.

Not a bad start... and, again, one I can't fault Microsoft for. Like the Xbox did for taking console gaming mass market in the US, Microsoft Windows brought in entire new generations of computer users who would never have dreamed of learning a Unix System.

The security problem really came afterwards with the advent of Windows "New Technology," or Windows NT, and the prevalence of networked computers. During the time in which green-screened Bulletin Board Systems (BBS) gave way to the World Wide Web, Microsoft was also working on their new version of Windows, while apparently completely failing to account for the trend towards networking.

One of the main reasons why Symantec and McAfee were able to exist derived from Microsoft's abysmal track record with code security. While Microsoft's Windows and Internet Explorer products are held up as the most vile examples of what proprietary products can degenerate into, the real factor was the attitude behind the code choices.

Microsoft generally coded with the idea of what users could do IF the system was compromised. McAfee, Symantec, and other security vendors established their business on the CLEAN UP of compromised Windows systems. Consider the virus Michelangelo for a second. Symantec got massive amounts of publicity for a non-issue virus, and made a name based on a free detection (what about removal?) utility. It was not until later in the life of the security industry that there was a focus on PREVENTION of threats before the system was compromised. The entire industry started out cleaning up known and public threats. What did Microsoft do? Relatively nothing. Microsoft did not change procedure or coding methods in any way to accommodate or account for the virus threats. There was no policy shift towards code responsibility at all. Microsoft's cavalier attitude is one of the main reasons why most security professionals are not expecting Vista to be the security bunker Microsoft is promoting and promising. Vista's already been cracked, multiple times. The kernel protection (PatchGuard) has already been breached. Has anything changed from the past versions of Microsoft Windows? Doesn't look like it.

Unix vendors, then Linux vendors, generally held a different view of security. Their view is of what users can do WHEN the system is compromised. Their motives also were drastically different. Microsoft aggressively sought after the home market, forming an entirely new market segment for computers. Unix vendors were after big-money targets, selling to institutions like banks, stock exchanges, point-of-sale operations, and power stations. To Unix vendors, it wasn't a question of if someone wanted to break into the system, it was a question of when someone would attempt to break into the system. Because of the different markets being sold to, Unix vendors took security far more seriously than Microsoft ever has.

Consider the /root and /user model. While the user has some access to use the system, the /user cannot access anything above their own directory. That means that the /user cannot make any changes to the operating system itself in a *nix system. Sure, there might be a virus that can enter the system and compromise the running session, but what if that session is the /user mode? Guess what? The /root mode is unaffected. Cleaning up a virus infestation is as simple as dropping back to /root and deleting the user's folder right out of the system. Recreate, or recover from a backup, and roll on. Security can even be taken to another level where the /root and /user accounts can be on two separate partitions on the drive, or possibly on two different drives. That's just simple, basic security that has been in place for decades in *nix. Microsoft's only getting to this model with Vista. What took so long?
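As an added illustration of the /root and /user model described above (example code written for this page, not from the original post), here is a small Python simulation of the traditional Unix permission check: root bypasses the permission bits, while an ordinary user is limited to what its owner, group, or "other" bits allow. The uids, paths, and modes are constructed sample data, not taken from any real system.

```python
"""Simulation of the classic Unix discretionary access check: an
unprivileged user cannot modify files it does not own, while uid 0 (root)
can.  Sample filesystem entries below are constructed for the demo."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits inside each 3-bit owner/group/other group


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # e.g. 0o644


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups


def may_access(proc: Process, entry: FileEntry, want: int) -> bool:
    """True if `proc` may perform `want` (R, W, X or a mask) on `entry`.
    Mirrors the traditional kernel check: root bypasses the mode bits (except
    that execute still needs at least one x bit set); otherwise exactly one
    triplet applies, chosen by matching uid first, then group, then other."""
    if proc.uid == 0:
        return bool(entry.mode & 0o111) if want & X else True
    if proc.uid == entry.owner_uid:
        bits = (entry.mode >> 6) & 7
    elif proc.gid == entry.group_gid or entry.group_gid in proc.groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return (bits & want) == want


# Constructed sample filesystem: system files owned by root, one home file.
FS = {
    "/etc/passwd": FileEntry("/etc/passwd", 0, 0, 0o644),
    "/boot/vmlinuz": FileEntry("/boot/vmlinuz", 0, 0, 0o600),
    "/home/alice/notes": FileEntry("/home/alice/notes", 1000, 1000, 0o644),
}
ROOT = Process(uid=0, gid=0)
ALICE = Process(uid=1000, gid=1000)


def writable_by(proc: Process) -> list:
    """Paths in FS that `proc` could modify: the blast radius if that session
    is compromised.  Alice's session can only damage her own files."""
    return sorted(p for p, e in FS.items() if may_access(proc, e, W))


if __name__ == "__main__":
    print("alice can write:", writable_by(ALICE))  # only her own notes
    print("root can write:", writable_by(ROOT))    # every file
```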

Historically speaking, Microsoft focuses on the if, banking on the possibility that the system will not be compromised, and with Vista takes the stance that they can protect the system FROM BEING compromised. Unix and Linux programmers build on the idea that the system is going to be compromised. It may not be now. It may not be for a long time. The system is built to minimize the impact of what will happen when malicious code is developed.

That single attitude difference is one of the reasons why McAfee and Symantec, as well as other security vendors, probably will not ever have a market in the *nix world. It is not that intrusions will not be coming. It is not that hackers will not try. It is that *nix systems are built with multiple layers of protection, and code isolation, that make deep penetrations near impossible to pull off without a complete collapse of the /root account. Despite hackers having full access to how the kernel is built, how the I/O access works, how the file system works, how everything in the OS works, when it comes to Linux, you have not seen anybody making viral applications like "ILOVEYOU."

The example I like to make is this: you work as a repossessor for a bank. Your job is to go and either retrieve or disable cars that payments are not being made on. You have two cars to go after.

One of these cars you have never worked with before. The hood is welded shut, the doors are locked, the gas tank is locked, but the underbelly is exposed. You have some tools that may allow you to pick the lock and get into the interior. Someone may have even given you a copy of a key, you just don't know if it's the right key. You might have some skeleton keys on hand as well.

The other car you need to go get has an open hood, the windows are rolled down, the gas cap isn't tight, and there is a jack on the back seat of the car. You are fairly confident that the skeleton keys you have probably can fit the ignition. The catch is that ignition will accept several types of keys, but only one key will get the car moving.

This analogy is a bit over the top, I'll be the first to admit that. The first car is indeed Windows. You don't have any access to the kernel, or the engine. You can get to the storage system (gas tank), but then again, you might not. You may not have a correct user account (keys), but there are tools available that can brute force (skeleton keys, bashing in the windows) your way into an account, or you can use other tools to try to interrupt the storage system's conversation with the kernel (keyloggers / network sniffers).

The second car is Linux. Everything is fully documented. There are no secrets about the engine; you can get to that. There are no secrets about the gas tank, the storage system; you can get to that. You can interrupt the transmission, or the I/O system; there are no secrets there. You can look at the user accounts; there aren't any secrets there about how they work. You know everything about this car and how it works; everything is opened up to you.

The single catch is that single key that's needed to drive the system. Now, I don't know how many people do cryptography, but the subject matter is similar. I just did a search on Google for these terms: cryptography still secure even if the process is known. I turned up a link from CSA on the subject, and there were several other entries listed. The purpose of cryptography is to hide or disguise content by encrypting the contents. Most of us as kids probably had fun playing spy and writing letters in invisible ink, or by using cereal box decoder rings so that the big grown-ups would have no idea about our afternoon plans. Some of us had fun breaking these encryption codes. Bring that forward to today, where security is an issue. A good encryption system is one where even if the process is fully known and documented, you cannot break the code without the original key. Consider ROT13, for example, or Rotate 13. If you know that somebody used ROT13 on some text, you would just use ROT13 again to read it.

Lbh qvq gung evtug? Tbbq sbe lbh!
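To make the contrast concrete, here is an added Python example (written for this page, not from the original post). ROT13 has no key, so anyone who knows the process can read the line above; a one-time pad, whose process is equally public, stays unreadable without the key. The message and key values are constructed for the demo.

```python
"""Public process, secret key: ROT13 versus a one-time pad.  Added example;
the plaintext and keys below are constructed sample values."""
import secrets
import string

_LOWER = string.ascii_lowercase
_UPPER = string.ascii_uppercase


def rot13(text: str) -> str:
    """ROT13 has no key: the fixed shift of 13 is the whole 'secret', so
    knowing the process is enough to read the message.  Applying it twice
    returns the original because 13 + 13 = 26."""
    out = []
    for ch in text:
        if ch in _LOWER:
            out.append(_LOWER[(_LOWER.index(ch) + 13) % 26])
        elif ch in _UPPER:
            out.append(_UPPER[(_UPPER.index(ch) + 13) % 26])
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each byte with one random key byte.  The procedure
    is fully documented here, yet without the key the ciphertext reveals
    nothing: every plaintext of the same length is equally likely."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, key)


def new_key(length: int) -> bytes:
    """Keys must come from a cryptographic RNG and must never be reused."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # The post's own ROT13 line decodes with no key at all.
    print(rot13("Lbh qvq gung evtug? Tbbq sbe lbh!"))
    msg = b"constructed sample message"
    key = new_key(len(msg))
    ct = otp_encrypt(msg, key)
    print(otp_decrypt(ct, key) == msg)        # True with the right key
    wrong = bytes(b ^ 1 for b in key)         # a key that is 'almost' right
    print(otp_decrypt(ct, wrong) == msg)      # False: no key, no message
```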

The point is that unless you have the root code, you still can't really do anything with the Linux car in the example. Sure, you might be able to turn on the radio with your user account, and you might be able to get the engine to fire, but without the single correct key, the Linux car is going nowhere. That is the difference right there. *nix systems are built with the key in mind first; then the rest of the system is built around it. After the key is in place, then you can work on locking down access to the engine, to the transmission, to the gas tank, to the windows, and everything else. The system, however, is not dependent on the extra parts being there. The security will still function if all that is left is the single /root key.

Now, if you want to draw a parallel from the analogy along the lines that malicious code writers for Windows are idiots, that's your choice. It just seems to me that it would be a lot easier to break a system that is fully documented and completely open than to go after one where you have to look for backdoors in finished code. It would also be a lot more damaging, considering how many major resources use *nix systems. Taking down 5 million Windows computers is one thing. Dropping a power plant offline? Killing a train switching yard? That's real damage.

The fact is until Microsoft realizes that the problem needs to be addressed by figuring out the protection steps needed to halt an intrusion WHEN the intrusion occurs, not IF an intrusion occurs, or pretending that all intrusions can be prevented FROM happening, then McAfee and Symantec will always have job security.

And *nix systems will always be more secure.
