A Taste Of Computer Security
andrew_ps writes "Amit Singh has published on his KernelThread.com a paper (mini book really) on computer security. A Taste of Computer Security is a VERY comprehensive paper in what it covers, but is remarkably easy to read. This is not some list of "sploits" though! Topics covered include popular notions about security, types of mal-ware, viruses & worms, memory attacks/defences, intrusion, sandboxing, review of Solaris 10 security and plenty of others. Most notably it includes probably one of the most fair and intelligent analyses of the Unix-Vs-Windows security issue that I have ever seen."
For example, the bottom of this page shows a list of games that require Administrator authority to play. Why should administrator authority need to be granted to play a game? And to suggest granting Administrator access to people just so they can play them?
I have found no more powerful example of Microsoft's lack of commitment to security than this. I think this philosophy more than anything else contributes to the proliferation of destructive worms and viruses.
John
> Ok, so his thesis seems to be that Windows is insecure because it's too hard? Is
> this guy on crack?
> This isn't a fair analysis, it's just more "MS is teh gay linucks is
> awwwwsome!!!!!11!" tripe.
His thesis is actually more along the lines of (and I'm quoting from the Win v Unix section of the article):
"Current Windows systems have some of the highest security ratings (as compared to other systems)... However, the number of documented security issues and the real-life rampant insecurity of Windows are not speculations either! The problems are real, both for Microsoft, and for Windows users."
Nowhere here is he saying that MS sucks, or that linux r0x0rs. Again, from the same part of the article:
"We stated earlier that UNIX was not even designed with security in mind. Several technologies that originated on Unix, such as NFS and the X Window System, were woefully inadequate in their security."
The argument that explains the paradox is along the lines of what many of us already know - that MS is more prevalent, has a wider spectrum of users (inexperienced to experienced) and exists in a wider range of vulnerable environments - not just cozy, isolated research labs.
So while your arguments are valid, they don't really go against the overall opinion of the article.
The problem is deeper than that, don't ask a RHCE to tighten down a Slackware or Gentoo box. Linux distros can be worlds apart. For instance, Slackware doesn't have /etc/init.d, it uses rc.d scripts, etc.
They store config files in different places, with different names (ldap.conf vs nss_ldap.conf, etc). They install apps to different places, and so on and so on. Now we can deal with XFree vs X.org (migrating to X.org on Gentoo also broke, well, almost freakin everything I use, and I still don't know how to properly configure the new font paths for tightvnc)
For that matter, don't ask a guy whose RHCE is a year old to secure a RedHat box, because for all you know, he doesn't know shit about, as an example, Samba 3.0's new config options or iptables (since he was taught ipchains). The OSS world likes to completely reinvent apps between revisions, for some reason.
Whereas, one XP box is pretty much the same as the next, and not far removed from Win2k.
I've had the same problems with both. I installed PuTTY in Windows as Administrator, tried to run it as a user, oops.. No user rights.. This is when you find out what kind of user you are. Do you switch to Administrator, screw around with permissions, and test until it works and you feel it's secure, or do you just go "fuck it" and add your username to the Administrators group so you don't have to deal with that kind of shit every day.
I'm not ashamed to admit I'd put myself in the latter category. Screwing around with filesystem ACLs and group memberships isn't what I like to spend my time doing. My firewall/router is about the only "secured" box on my home LAN, which is fine, since I lock the doors when I leave so the likelihood of a script kiddie sitting down at one of my machines is low.
There is a point to be made, and it's that it's nearly impossible to have the best of both worlds. It's either simple and painless to use (desktops), or super-hardcore secure (servers). Both OS's can function in both roles.
I don't need no instructions to know how to rock!!!!