Thursday, October 12, 2006

A quick comment on the McAfee / Symantec / Microsoft kerfuffle.

By now, if you pay attention to any tech site, you've probably seen or heard about the issues that McAfee, Symantec, and other computer security firms have with Microsoft's Vista OS. A general sampling of the plot summary can be found, for example, at OS Weekly.

Now, as I see it, the issue is fairly simple. Based on reports, like one here on Anandtech's DailyTech site, Microsoft is working directly with Kaspersky and cutting other security vendors out of the Vista development process. Established firms like McAfee and Symantec are having none of it, and want full access to the Vista development process. You really can't blame them; after all, they do depend on Microsoft Windows to exist. You can easily find several articles covering the tit-for-tat back and forth between the security firms and Microsoft, but that isn't what I want to focus on.

I want to look at why this is a problem to begin with. Microsoft already trod on a lot of IT toes with Windows XP by proclaiming it as the most secure Windows version ever. Technically, this is true, if it hadn't been for the use of the WinNT 5 kernel with over 6,000 known unfixed issues from Windows 2000 that Microsoft is never going to fix. That isn't the issue I want to look at either.

Let us be honest here: we as consumers take for granted that our Windows operating systems are going to be attacked. We take for granted that there are going to be viruses, there are going to be spyware programs, there are going to be ad-ware programs, and there are going to be complete and total jackholes with nothing better to do than write malicious code. We, collectively, as consumers have accepted this. We have, collectively, gotten used to running virus scans, disk cleanup, disk defrag, and "chkdsk /f /r (y) (enter) exit: reboot" on a weekly or daily basis. Collectively as consumers, we rolled our eyes when the most recent Vista builds had their security control schemes cracked, and collectively we went "Why did it take them that long anyway?" Collectively, as consumers, we've come to expect, and have had delivered consistently, Microsoft's complete ball drop when it comes to user security.

Microsoft, of course, is fond of comparing their operating system security to Linux, their only real competitor. Now, I could link several stories focusing on Linux vs. Windows security, but let's accept this little factor: both operating systems can be just as secure as the other.

Yes, I went there. The fact is, if you take the time to lock down user permissions, lock out ports, get a good hardware firewall, and lock user access, both Linux and Windows can deliver similar security environments. The question that needs to be asked in the security debates is whether you are comparing apples to apples, or oranges to oranges.

The fact is, Microsoft offers a much more complete operating system. They control everything from the TCP/IP stack, to the Desktop manager, to the file system, to the I/O access, as well as the kernel access.

Linux, however, is just the kernel. While the kernel is the core of the operating system, it needs more programs in order to actually do anything. You can use the command prompt, yes, but if you want to do anything with the kernel, you are going to need a file system, I/O access, TCP/IP for the network, a window manager, and maybe a desktop environment.

This is where the comparisons of Windows to Linux generally fall apart. Linus T. himself doesn't make or sell a Linux distro. Other companies such as Red Hat, Novell, or Mepis take the Linux kernel, tools and applications from the GNU software, and other applications, put them together, and that is your finished distribution.

The advantage is that you have more fine control over what goes in your Linux distro. If you don't need an IM client or a media player, you don't load one. If you don't need a browser, you don't have to load one. If all you need is the kernel, I/O access, file system, TCP/IP, and a web server, you can get that, and just that alone, with Linux.

The disadvantage is that you have more fine control over what goes in your Linux distro. If you don't have a clue about what you need or do not need, and again, the majority of consumers probably don't, you can easily bog down your system. To pick on Mepis for a minute (hey, I use it), the system comes with these programs: Kate, Kedit, Kwrite, and Open Office Writer. These are all programs used to write with, some offering more advanced functionality than others. If I add NVU/Kompozer, I now have 5 programs that all let me write stuff. How many do I actually need? On lower-end systems, say an AMD K5, Kate is a much better choice than Open Office. It's much lighter and much faster. But if I'm using, say, an AMD Athlon64... Kate is... pointless.

The point is that if you don't know what you are doing with your Linux distro, you are dependent on what the vendor sets as the default. Some vendors, in order to make their operating system easier to work with, will make design choices that remove a lot of the visible security features, such as Linspire. It doesn't mean that the security isn't there; it just means you'll have to work to turn it on.

On the other extreme you have OpenBSD (not a Linux, but still *nix), which hand-reviews all of the code that makes up the system and sets the tightest possible security standards.

Like Microsoft Windows, then, your chosen Linux distro may not be all that secure. And now we are getting to the point I've been aiming for.

The fact is that McAfee and Symantec built their security empires on Microsoft's behavior. Microsoft built their operating system without regard to security. Like Linspire does now, Microsoft was more concerned with making their product USEFUL than they were about making it secure. All in all, this wasn't a bad goal, back in the days before I1 (Internet1) was established. Again, being honest, when Windows 95 came out... would you really want to use a Macintosh or a DOS box? Would you really want to use the... um, CDE? was it? on Unix? As a home user, Microsoft really did provide the only choice.

Not a bad start... and I for one can't fault Microsoft for doing that. Like the Xbox did for taking console gaming mass market, Windows brought in entirely new computer users who would never dream of learning a Unix system.

The problem really came afterwards with the advent of Windows "New Technology", or Windows NT, or rather with the attitude behind it. And that is the point of this:

One of the main reasons why Symantec and McAfee were able to exist derived from Microsoft's abysmal track record with code security. While Microsoft's Windows and Internet Explorer products are held up as the vilest examples of what proprietary products can degenerate to, the real factor was the attitude behind the code choices.

Microsoft generally coded with the idea of what users could do IF the system was compromised. McAfee, Symantec, and other security vendors established their business on the CLEAN UP of compromised Windows systems. It was not until later in the life of the security industry that there was a focus on PREVENTION of threats before the system was compromised. Microsoft's cavalier attitude is one of the main reasons why most security professionals are not expecting Vista to be the security bunker Microsoft is promoting. Vista's already been cracked, multiple times. Nothing has really changed.

Unix, then Linux vendors, however, generally have a different view of security. Their view is of what users can do WHEN the system is compromised.

Read that again. Microsoft focuses on the IF, banking on the possibility that the system will not be compromised. Unix and Linux programmers build on the idea that the system is going to be compromised. It may not be now. It may not be for a long time. The system is built to minimize the impact of what will happen when malicious code is developed.

That single attitude difference is one of the reasons why McAfee and Symantec, as well as other security vendors, probably won't ever have a market in the *nix world. It's not that intrusions won't be coming. It's not that hackers won't try. It's that *nix systems are built with multiple layers of protection, and code isolation, that make deep penetrations impossible to pull off. Despite hackers having full access to how the kernel is built, how the I/O access works, how the file system works, how everything in the OS works, when it comes to Linux, you don't see anybody making viral applications like "ILOVEYOU".

The example I like to make is this: you work as a repossessor for a bank. Your job is to go and either retrieve cars, or disable cars, that payments are not being made on. You have two cars to go after.

One of these cars you have never worked with before. The hood is welded shut, the doors are locked, the gas tank is locked, but the underbelly is exposed.

The other car you need to go get has an open hood, the windows are rolled down, the gas cap isn't tight, and there is a jack on the back seat of the car.

Get the picture? Yeah, the first car is your Windows OS, and the second car is Linux. If you are competent at your job, you are going to take the second car first. And yes, if you want to draw the parallel that programmers for Windows are completely clueless morons, feel free to do so. When your door gets busted in by Ballmer with his chair, I was never here.

Silly analogies aside, the fact is that until Microsoft realizes the problem needs to be addressed by figuring out the protection steps needed to halt an intrusion WHEN the intrusion occurs, not IF an intrusion occurs, McAfee and Symantec will always have job security.
