Slashdot Mirror


Computer Security, The Next 50 Years

bariswheel writes "Alan Cox, fellow at Red Hat Linux, gives a short-and-sweet talk at the European OSCON on The Next 50 Years of Computer Security. Implementations of modularity, Trusted Computing hardware, 'separation of secrets,' and overcoming the challenge of users not reading dialog boxes, will be crucial milestones as we head on to the future. He states: 'As security improves, we need to keep building things which are usable, which are turned on by default, which means understanding users is the target for the next 50 years. You don't buy a car with optional bumpers. You can have a steering wheel fitted if you like, but it comes with a spike by default.' All of this has to be shipped in a way that doesn't stop the user from doing things."

14 of 234 comments

  1. Language Advancements by Umbral Blot · · Score: 4, Interesting

    This article seems to focus more on security by design, which is of course important. However, security can also be implemented at the language level, for example Java's sandbox. I predict that over the next 50 years languages will improve to prevent programmers from making "stupid" mistakes such as copying user input directly into a buffer that will become an HTML document. Tainting already solves some of these problems, but there is still work to be done. (For example, to discourage programmers from creating empty "de-tainting" routines when they don't have time to do it properly, de-tainting should really be done by libraries and by the language alone, but I digress.)
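    As an added illustration of the taint-tracking idea in the comment above (not code from the thread or from any real language runtime): a toy scheme in which untrusted input is wrapped as Tainted and can only reach the HTML buffer through a library escaper. The names Tainted, Safe, escape_html and render_html are hypothetical, and the sample input is constructed.

```python
import html
from dataclasses import dataclass

# Added example in the spirit of Perl-style taint mode; all names are illustrative.


@dataclass(frozen=True)
class Tainted:
    """Text that came from an untrusted source (query string, form field)."""
    value: str

    def __str__(self) -> str:
        # Implicit stringification is exactly the "copy straight into the
        # buffer" mistake, so refuse it loudly instead of leaking the value.
        raise TypeError("tainted data used without escaping")


@dataclass(frozen=True)
class Safe:
    """Text that has been escaped for an HTML text node."""
    value: str


def escape_html(t: Tainted) -> Safe:
    """The sanctioned de-tainting step: a library escaper, not an empty stub.
    By convention only this function turns Tainted into Safe."""
    return Safe(html.escape(t.value, quote=True))


def render_html(*parts) -> str:
    """Assemble the page; only Safe fragments and programmer-written str literals pass."""
    out = []
    for p in parts:
        if isinstance(p, Safe):
            out.append(p.value)
        elif isinstance(p, str):
            out.append(p)  # template text written by the programmer, not by the user
        else:
            raise TypeError(f"refusing to emit {type(p).__name__} into HTML")
    return "".join(out)


# Constructed sample input standing in for a request parameter.
USER_NAME = Tainted("<script>alert(1)</script>")


def greeting_page() -> str:
    return render_html("<p>Hello, ", escape_html(USER_NAME), "</p>")


def unsafe_greeting_page() -> str:
    # The mistake the comment describes: raw input copied into the HTML buffer.
    return render_html("<p>Hello, ", USER_NAME, "</p>")
```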

  2. Another MS issue . . . by bblboy54 · · Score: 4, Interesting

    ....and overcoming the challenge of users not reading dialog boxes....


    I have to agree that this is a serious concern and as a tech, I often want to blame the stupid user since I deal with them frequently, but on the other hand, can you really blame them? In any given day, an end user sees an unmeasurable amount of dialog boxes and our minds are designed to filter out things that are annoying. Instead of "Hey, your email wasn't sent" you get 3 dialog boxes first that have no meaning. Of course, there is the next-next-finish epidemic as well. Does anyone really read any options anymore? We all just go for the next button until it turns into a finish button. There are 2 huge problems with this. The first is that mixed in with all these stupid notices, there are important messages that go unnoticed. The second issue is that this is something that spyware companies thrive on for legalities.... in the middle of those next-next-finish games is the little line that signs your computer over to the dark side.

  3. Re:Oh, but we know... by Council · · Score: 3, Interesting
    Oh, but we know that Microsoft will be on top of the game. For sure. Absolutely. Windows 2050 will be THE safest, THE most secure version of Windows yet.


    I was really surprised to see someone arguing that Windows does kernel security really well, and that the problem is that people don't want a detailed permissions control system so at all levels they enable everything. But they've provided a good security architecture as far as thread control goes -- it's just that coders down the line are ignoring it.

    Of course, how many of those 'down-the-line coders' are at Microsoft itself?
    --
    xkcd.com - a webcomic of mathematics, love, and language.
  4. Re:Educating users by jkrise · · Score: 2, Interesting

    If people just learn how to use their computers (you shouldn't download exe's from people you don't know, a firewall is a good thing to have, ActiveX controls aren't safe and your default response shouldn't be to install them no matter what IE says) a huge number of problems would be eliminated.

    I can see many practically feasible solutions, if the above is true:

    1. Eliminate all people - that would guarantee security.
    2. Eliminate ActiveX controls and IE - can't see that happening even 50 years from now - DOS continues to live, years after being pronounced dead.
    3. Implement DRM in hardware - lock out all 'unauthorised' programs - I think this will happen in the next 10 years or so, beginning with the release after Vista.
    4. Make phishing, malware-writing and distribution, spam etc. a criminal offence, punishable by life-term imprisonment.
    5. Have a tiered internet, with only 'approved' sites and service in 'public' tier - this might get implemented in about the same time schedule as (3).
    6. Close down all closed-source anti-virus and anti-spyware firms; making it mandatory for such firms to sell/license code only on open source terms - as things stand now, these guys would love it for computers to remain insecure forever.


    --
    If you keep throwing chairs, one day you'll break windows....
  5. Two generations of safety engineering by Beryllium Sphere(tm) · · Score: 5, Interesting

    Aviation went through this phase a long time ago. Accidents were called "pilot error" unless the airplane broke up in midair.

    The field of "human factors" recognized that controls and displays need to be designed so that it's possible for a well trained human to get things right even in a hurry. Controls with opposite effects should not be right next to each other. Controls should give meaningful feedback. Important controls should be out in the open where someone can see them.

    The aviation world fixed up the cockpit and many "pilot errors" disappeared.

    You can't apply these lessons too directly to computer security because bad guys are actively trying to trick computer users. Nobody sends pilots email in flight saying "You must pull the red lever immediately to avoid running out of fuel!". But at least it should be easy enough to secure a computer that an employee from a security firm can do it. We're not there yet -- a recent security conference had vendors running open WiFi access points without firewalls.

    1. Re:Two generations of safety engineering by gihan_ripper · · Score: 2, Interesting
      Controls with opposite effects should not be right next to each other.
      So we'll be seeing a great reduction in 'driver error' when the brake pedal is moved away from the accelerator? Actually, this isn't a joke, a New Scientist article discusses the possibility of combining the brake and accelerator into one pedal, with completely different foot actions required to trigger the appropriate response. They do mention that accidents are sometimes caused by drivers applying the incorrect pedal.
      --
      Phoenix, Boston, Little Rock, see a pattern?
    2. Re:Two generations of safety engineering by Tom · · Score: 3, Interesting

      The field of "human factors" recognized that controls and displays need to be designed so that it's possible for a well trained human to get things right even in a hurry.

      And there's your problem right there.

      a) Most computer users are not "well trained", even by the widest possible stretching of the definition
      b) For a pilot, flying the thing is his main concern at the time. He might be in a hurry, but he wants to do things, and do them right. For a computer user, security is a nuisance, a distraction from his actual work. He doesn't care, or bother, and if you would pop up a dialog box saying "do you want the system to stop bothering you with security warnings and just allow anything no matter the risk?", I'd say 80% or so of the users would click "yes".

      --
      Assorted stuff I do sometimes: Lemuria.org
    3. Re:Two generations of safety engineering by MobileTatsu-NJG · · Score: 2, Interesting

      "And if someone wants to be a pilot, he goes through extensive training and tests. This ensures that only people who are mentally and physically able to fly a plane get to do it. This basically extincts all error sources between console and seat (if you don't count failures due to tiring etc.)."

      If anything, this comment supports his point. Despite all of this training, pilot error still occurs. A few years ago I saw a TV show regarding plane crashes. They showed one example of a commercial airliner taking off while its flaps were down. The scary thing about it was the cockpit flight recorder overheard the pilot talking to the co-pilot about a recent crash where the pilot of that plane forgot to raise the flaps. Even though he was aware of the mistake, he made the same mistake, and the plane never stood a chance at a safe take-off.

      This is the sort of thing good UI design can prevent. Training can only go so far. You'll find this out soon enough. Sooner or later, you're going to post something on Slashdot and then realize that this site does not have an 'edit post' button. Heck, I cannot even cast stones here. After 10,000 posts, I've made this mistake, too. Even fully trained people with years of experience make mistakes. Ask any commercial pilot, doctor, or dictator-for-life.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    4. Re:Two generations of safety engineering by hackstraw · · Score: 2, Interesting

      The aviation world fixed up the cockpit and many "pilot errors" disappeared.

      Pilots are also very well trained individuals with a certain personality type.

      Not reading dialog boxes? If anybody has ever used an OS like Windows, the reason they don't read them is because they are bombarded with stupid ones all the time.

      Although it's almost a historical part of psychology like Jung and Freud, I'm a big fan of "signal detection theory".

      It comes (maybe not directly) from Descartes' notion of "clear and distinct".

      I believe in consistency and clarity.

      Another anecdotal piece of evidence of "the better idiot". I wrote an error message, the only one of its kind where a user is notified to contact me because what happened in the software that I wrote is "undefined". I noticed that the user was not getting anything done correctly, and mailed them asking what was up.

      He copied and pasted my error message that said contact me as for the reason that things were going bad.

      It was all "user error". He had something screwed up in his environment that he copied from another user, and things started working again.

      In Napoleon Dynamite voice:

      Idiots!

  6. Cars need licensed drivers, and roadworthy certs by Anonymous Coward · · Score: 3, Interesting

    Remember - if you are going to extend the analogy:

    1) You can't drive a car unless you have proven that you possess a minimum level of competency.
    2) The car has to meet certain standards to be roadworthy
    3) People by and large don't expect others to maintain their car for free
    4) You have to pay the government regularly to be allowed to drive it on the road

    It's either a bad analogy, or a very good one - you pick.

  7. Re:Educating users by reldruH · · Score: 2, Interesting

    Good point, and I might have to plead guilty to jumping the gun. I've written software that was definitely too difficult for anybody who wasn't me to figure out on their own; I think most software developers have. Responsibility is two-fold, it falls on both users and programmers. Programmers have to take the time to make sure their software is intuitive and not confusing, but users have to learn the basics. I can't tell you how many of my friends (really smart people) can't download a file, then find it later. They just click OK, they don't know what a file extension is. I jumped the gun I admit, but I think I still made a valid point. Better driver education was needed in the 1960's. It could still stand to be improved today, but you're right in that it's not the only problem.

    --
    I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
  8. Computers do too much. by Eideewt · · Score: 2, Interesting

    I think a less complex interface would do wonders for the PEBKAC angle of computer security. It seems to me that computers try to do much more than the average user wants or needs, which just creates more opportunities to screw up, and also makes the computer seem a lot more intimidating.

    If we were to hide most of what the computer can do, then users could focus on what they really need it to do. As it is, non-technical folk just learn to tune stuff out, which isn't exactly good when we want them to pay attention to security (like just where that attachment came from, and whether that wonderful program they see is going to screw their computer). A normal user doesn't hope to comprehend everything that their computer is doing, so they don't think about the effects of their actions so hard. The computer is a wily and unpredictable beast. How will they know if it was something that they did that messed the computer up, or whether it did it on its own? Users need to be able to get comfortable with the machine before they'll really worry about it. User interfaces these days are just too much for anyone without an affinity for machines (like many of us here) to come to grips with. They just learn the tasks they need to do and hope the thing doesn't break.

    Most users need to be able to use a word processor, a web browser, and maybe an IM client and music player. Why do computers give them lengthy lists of programs which can be run, windows that can obscure each other and take on funny proportions (I hate those things), zillions of little icons in the tray and even more on the desktop, and why do they sprinkle system settings in with all that? That's a lot of stuff to tune out.

    If I were designing an interface for noobs, I'd get rid of all that stuff.

    I'd have just one menu bar, which would contain at minimum the four essential applications that I mentioned. There would probably also be a couple of popup menus for less frequently used programs (less commonly used office apps, games). Programs would be sorted by function, and the guys writing installers would absolutely not get to create a new submenu for their company, to prevent the mess that any Start Menu will turn itself into after a while.

    Programs would always run full screen. I know there are plenty of slashdotters here who are very upset by that, but this interface wouldn't be aimed at you. You can do whatever you like with your giant monitors. On a screen only a thousand pixels across, overlapping resizable windows are just a complicated waste of time. Most any program will require all the screen real-estate to be useful, so it makes sense to just let them have it.

    My four main apps would not only be launched by clicking their icons; the same icons would also give them focus. There's no reason to duplicate them (I realize that this means those four would have to be MDI apps. Tabs seem like a good solution.). When users want a web browser they'll be able to always click in the same place. Additional apps launched from the menu would just hop into the bar next to them. (This sounds a little like OS X's dock, but I'm not too familiar with it, so I'm not sure how close it is.)

    I might also put in a file manager. It wouldn't display system files, or even hint to the user that they exist. I think it would be search based, but it's way too late at night for me to put serious thought into it. A file manager might not be the best idea anyway. If users can just start up their apps and let them handle the file types they know about, then the old "porn.jpg.exe" attack gets pretty much foiled.

    That's about it, really. I think that would accomplish most everything that needs doing for most users. Naturally an admin mode of some kind would be required. I envision a simple one that would allow users to tweak the OS's look and install software from repositories (either online or from CD). Real admins could go yet further. Maybe just a CLI. It doesn't matter much. Anyone with the will and the know-how to muck around with the system's guts will figure out whatever you throw at them.

    Oh, and mouse cursors would be big, because I like them.

  9. Re:Educating users by iwan-nl · · Score: 2, Interesting
    I have not seen an equivalent of Windows' Automatic Updates in any distro

    Strange, both my home distro (Ubuntu) and my work distro (Red Hat Enterprise Linux) have automatic update functionality. Well, not as automatic as Windows actually, but they prompt me to install updates from a little tray icon.

    --
    I'm trying to improve my English. Please correct me on any spelling/grammar errors in this post.
  10. Re:What's the point of this? by deadweight · · Score: 2, Interesting

    A computer security conference in 1956 would have been mainly about guarding the building the thing was sitting in! Actually, you STILL need physical security, so maybe that's not so dumb....