Computer Security, The Next 50 Years

bariswheel writes "Alan Cox, fellow at Red Hat Linux, gives a short-and-sweet talk at the European OSCON on the The Next 50 Years of Computer Security. Implementations of modularity, Trusted Computing hardware, 'separation of secrets,' and overcoming the challenge of users not reading dialog boxes, will be crucial milestones as we head on to the future. He states: "As security improves, we need to keep building things which are usable, which are turned on by default, which means understanding users is the target for the next 50 years. You don't buy a car with optional bumpers. You can have a steering wheel fitted if you like, but it comes with a spike by default." All of this has to be shipped in a way that doesn't stop the user from doing things."

Educating users

[reldruH]

What the article is basically saying is that we have to teach people how to use their computers. >85% of all the computer problems I encounter are PEBKAC (Problem Exists Between Keyboard And Chair). It's like the old saying goes, make something idiot proof and the world will make a better idiot. If people just learn how to use their computers (you shouldn't download exe's from people you don't know, a firewall is a good thing to have, ActiveX controls aren't safe and your default response shouldn't be to install them no matter what IE says) a huge number of problems would be eliminated. Like it or not, users are the biggest computer problem today. The problem shouldn't be usability, it should be user-ability.

Re:Educating users

[R3d+M3rcury]

Well, I'd make the argument that the problem exists between the keyboard and chair of the software developer--not the user.

Comments like yours remind me of the automobile industry of the 1960s. The problem, they insisted, was not with the cars but with the people who drove them. There was no way to make cars safe and the only hope was better driver education. Of course, the reality is more that they didn't want to devote the time, effort, and money to making cars safer because they'd see no real benefit in regards to sales. And to a certain degree, they were right. It actually took the government to come in and mandate safety standards for cars.

To me, blaming the user is a typical programmer cop-out. "Well, if the user was as smart as me, they wouldn't have these problems." Yeah, I too have seen users do the stupidest things with my software. The difference is that I try to find out what they were thinking when they did this and then work to make sure that others aren't inspired to do the same thing.

Re:Educating users

[R3d+M3rcury]

"I can't tell you how many of my friends (really smart people) can't download a file, then find it later. They just click OK, they don't know what a file extension is."

Exactly. How many tech support stories have we all heard that started with customers who claim to be very smart and know all about this stuff and have made some stupid mistake. Heck, I can plead guilty to that (Oops! The Firewall is blocking FTP--that's why I can't get to your FTP site...).

But some of it comes from the fact that there are things that we don't need to know, but the computer insists that we do know. File extensions are a great example. What does the extension "jpg" tell me? That it is an image encoded in JPEG. What is JPEG? Why do I care what it's encoded in? Why is that different from an image with the extension "tif"? They both look like the same image to me. Why do I need to know whether it's JPEG encoded or TIFF encoded? Why can't it just be a picture?

Well, because some programmer decided it would be easier to detect what kind of file something was if we gave the computer a hint. Thus, if the file extension is "jpg", the program uses a JPEG algorithm to extract the image. If the file extension is "tif", the program uses a TIFF algorithm. This is alot easier for the programmer and faster for the computer rather than reading, say, the first four bytes and looking for FFD8FFE0 and saying, "Ah! It's JPEG," or looking for "II" or "MM" in the first two bytes and saying, "Ah! It's TIFF!" So the file extensions "jpg" or "tif" really aren't there for the user's benefit at all--they're there to make the programmer's life easier.

But what about all these other three letter extensions, like "gif", "pgm", "psd", "bmp"? How is the user supposed to remember this alphabet soup of extensions and what they all mean? Why can't they just hide them? Because then the user won't see the "exe" that denotes a program and may inadvertently run a program which does nasty things.

See? File extensions seem basic to us, but they're pretty superfluous to most people.

Oh, but we know...

[ericdano]

Oh, but we know that Microsoft will be on top of the game. For sure. Absolutely. Windows 2050 will be THE safest, THE most secure version of Windows yet.

Interesting points

[mikesd81]

and overcoming the challenge of users not reading dialog boxes,

That's true. So true. Tons of times I just clicked yes without reading or reading fully and then later on down the road...oops.

I updated outlook express for my mom the one time and it autmatically blocked attachments, confusing her. And me, until I found where to uncheck that.

The computer can be taught to enforce security policies that the users themselves are unlikely to uphold, given their propensity to ignore advisories and software dialog boxes. Software engineers must build in security that is active by default, and they must understand the user so that security tools are actually used.

But also keep in mind who the user will be. Some advanced users would probaly not need/want the security by default. New users or non-advanced ones would need it. We would need to find security to be adaptable.

In a comical way maybe the system can say "well you hosed /etc once, do you wanna do it again?"

Language Advancements

[Umbral+Blot]

This article seems to focus more on security by design, which is of course important. However security also can be implemented at the language level, for example Java's sandbox. I predict that over the next 50 years languages will improve to prevent programmer from making "stupid" mistakes such as copying user input directly into a buffer that will be become an html document. Tainting already solves some of these problems, but there is still work to be done. (for example to discourage programmers from creating empty "de-tainting" routines when they don't have time to do it properly, de-tainting should really be done by libraries and by the language alone, but I digress)

Another MS issue . . .

[bblboy54]

....and overcoming the challenge of users not reading dialog boxes....


I have to agree that this is a serious concern and as a tech, I often want to blame the stupid user since I deal with them frequently but on the other hand, can you really blame them? In any given day, an end user sees an unmeasurable amount of dialog boxes and our minds are designed to filter out things that are annoying. Instead of "Hey your email wasnt sent" you get 3 dialog boxes first that have no meaning. Of course, there is the next-next-finish epidemic as well. Does anyone really ready any options anymore? We all just go for the next button until it turns into a finish button. There are 2 huge problems with this. The first is that mixed in with all these stupid notices, there are important messages that go unnoticed. The second issue is that this is something that spyware companies thrive on for legalities.... in the middle of those next-next-finish games is the little line that signs your computer over to the dark side.

Re:Not really an expert

[Cybersonic]

you know he wrote the Red Hat FireStarter iptables GUI and various parts of the linux tcp/ip stack right?

Two generatrions of safety engineering

[Beryllium+Sphere(tm)]

Aviation went through this phase a long time ago. Accidents were called "pilot error" unless the airplane broke up in midair.

The field of "human factors" recognized that controls and displays need to be designed so that it's possible for a well trained human to get things right even in a hurry. Controls with opposite effects should not be right next to each other. Controls should give meaningful feedback. Important controls should be out in the open where someone can see them.

The aviation world fixed up the cockpit and many "pilot errors" disappeared.

You can't apply these lessons too directly to computer security because bad guys are actively trying to trick computer users. Nobody sends pilots email in flight saying "You must pull the red lever immediately to avoid running out of fuel!". But at least it should be easy enough to secure a computer that an employee from a security firm can do it. We're not there yet -- a recent security conference had vendors running open WiFi access points without firewalls.

Re:Two generatrions of safety engineering

[FireFury03]

Only thing? No. Interfaces also make common mistakes easier to recover from

However, some mistakes cannot be recovered from - for example, if you click the "yes" button on the "would you like to install this malware" dialogue. In this case you might be able to use journalling features of the filesystem to undo the damage, but if you've done other things since then you probably couldn't selectively roll back the filesystem changes associated with the malware without rolling back everything else too.

In this case the UI has to be designed to make unrecoverable mistakes difficult or impossible to do in the first place so the "how do I recover?" problem (almost) never comes up. This is a very hard thing to do unless you want to turn computers into appliances (most people wouldn't like appliance computers since they wouldn't be able to install their favorite software) and becomes even harder when the people who want you to make mistakes (malware writers) are actively trying to trick you into making them.

One possibility that has been suggested is kind of a halfway-house between computers as we know them now and appliance computers - the OS would require all executable code to be signed by a "trusted party". However, this brings up some serious problems:
1. Who can be a "trusted party"? Lets say it's the OS vendor, why should I trust Microsoft to guarantee that the signed software is malware-free (especially since they are probably getting paid by the software vendor)? There will certainly need to be stiff penalties for signing software which turns out to be malware.
2. The inability to run unsigned software could be used to lock out the competition - for example, Microsoft could refuse to sign OpenOffice.
3. How much would this "signing service" cost - you can bet that thoroughly inspecting the software to ensure it really isn't malware is going to be very expensive so you just locked out all the small vendors who can't afford it.
4. How are you going to run code you compiled yourself since it won't be signed by the trusted party? This could either be FOSS code that you choose to compile yourself, or your own personal code.

These are certainly not easy problems. I do, however, feel that the ISPs need to take more action against people running malware infected machines. It seems all too common these days for ISPs to ignore abuse reports, let alone run monitoring software to proactively drop the connection to infected machines.
The ISPs should monitor people's connections for malware signatures and upon finding an infected host they should drop the entire internet connection until it's fixed (probably redirecting all web requests at a server containing patches and instructions to fix the problem).

Part of the problem is definately that most of the malware doesn't actually cause a problem for the owner of the infected machine - they don't know or care that their machine is actively being a spambot. Cause hassle for the owners of infected machines and they might actually pay attention to the security of their own systems (viruses were considered a much bigger deal back in the days when their payload often trashed your data).

Re:Haskell.

[PsychicX]

More importantly, the security models currently used in the kernel are broken, and we can formally prove that they are inadequate. Academic research in this area has been extremely productive, but there are major barriers to entry in the commercial world for the obvious reasons.

At the moment it looks like micrkernel architectures (real ones, none of this hybrid stuff) coupled with capability based security systems, should be able to provide real, formally verifiable security. As with most things there are a handful of practical barriers to overcome (primarily performance related), but another 5-10 years and those problems should be sorted out.

For a more in-depth discussion of capability systems, see the wiki page, and this essay by Dr. Jonathan Shapiro. (And to be perfectly honest, he's a professor of mine and my views are colored as such.)

Let's educate some UI designers, too

[tehshen]

I'm with you here. My sibling post (correct term?) and you make nice points about lazy programmers, so I'm going to go and bash some bad designers, too.

I've found that Windows and its applications are really, really stupid with the way they handle dialog boxes. Kind of off-topic, I know, but since most security issues are luser error, I can guess that most of those are caused by blind click-click-clicking Yes to dialog boxes.

I get a dialog box when I try to delete a file. I get several dialog boxes whenever a program crashes - something about an error report. At my school, they've managed to set up Word so you get three dialog boxes when you open it: one asking you to disable macros (to which the average user goes What?), another telling you that macros have been disabled (yes, that's why I clicked that button) and another telling you that there's a window open.

With so many dialog boxes around, most of them unnecessary, I don't blame the average user for ignoring the important ones. If you press Yes, the nasty evil dialog box will go away. Sooner or later the times comes when you install some spyware trying to get rid of the dialog box.

And what has Vista done? Put even more of them in. Quoth even Paul Thurrott: The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren't so amazingly frustrating. It would be hilarious if it weren't going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness. Gah, showering the user with more dialog boxes is useless, as they ignore them all anyway!

I'm on a roll here. What else?

When I want to Save a document, I go to the button marked Save. At least, I do on Gnome and OS X: Windows likes to have buttons called "Yes", "No" and "Cancel" instead. So instead of doing what I want (Saving), I have to read the dialog to find out which button Saves my document. And most people wouldn't even try to read it; they'd just click Yes and hope it was the right one. Oh, and the dialog text is often in a small font with no discernable main point about what it does.

Windows dialog boxes are obtrusive enough that people would rather make them go away (think: click Yes) than working out what they do. Here's an example of a Mac one - I can tell what each button does before reading, and even if I have to read, there's some nice bold text so I don't have to read it all. Here's the worst example of a Windows one I could find. Note none of the above things that the Mac does right. This isn't the best example, I know, but it points out where Windows fails best.

I reckon you could've eliminated a fair few spyware installs if the "Yes" button was labelled "Install Software", or the "Next" button was lebelled "Accept this Licence", or whatever it is. No more "Let's click Yes to make the nasty evil dialog box go away", but some people will think "Do I really want to install this software?" or "Do I really want to run this program?". It makes people think, and thinking is good when you're trying to make decisions.

Oh, and:

"How dare you try to type at another window when I am here, infidel scum!"

"And Vista dyes the rest of the screen black, just in case you didn't notice me the first time. See?"

Where was I? Oh yes, computer security. I don't think it's fair to blame any and all spyware installations on user error. Windows places you on a path above a crevasse with a bicycle, and expects you to pedal to the other side. Sure, you might get blown off by wind (read: security holes in the OS). Many people