Marcin Wielgoszewski led a great discussion about operating system security being overly dependent on user skill. Here is my post in its entirety:
Awesome discussion on an unfortunate topic. Marcin, great job. I'd like to add a few comments that may be redundant, but nonetheless valuable (hopefully) from what I covered in Geekonomics (http://www.geekonomicsbook.com).
There may certainly be idiot drivers, but on the whole the car’s safety rating is agnostic; that is, the car is “safe” no matter who the driver might be. Whether the driver drives *safely* is another matter entirely.
In the software market, however, the security (analogous to safety in vehicles) of the operating system largely depends on the user; that is, on whether the system is configured correctly to protect the software itself from exploitation. This is far too brittle a model; it doesn’t scale reliably, and how in the world are 500 million users supposed to get all their configurations correct? Configuration, in large part, is a red herring that distracts from the issue.
So to say that an “operating system is only as secure as the idiots using it” is not only accurate, it touches on something that is wildly unfair.
Drivers do not need to configure their vehicle’s crumple zones, side impact bars, or seat belts (besides adjusting them) to receive protection. These are safety features IN ADDITION TO good and safe design of the vehicle, not REPLACEMENTS FOR the lack of good and safe design. Compare this with your typical computer system. The user must configure almost everything (ACLs, firewalls, etc.), including the roadway (the router), not, as with vehicles, in addition to good and secure design of the operating system, but largely as a replacement for the lack of good and secure design. This isn’t fair. As a matter of public policy, it is unjust.
In 1950s and 1960s America, the car companies could freely, and without danger of appearing hypocritical, point to drivers and say, “See, it’s the nut behind the wheel that is causing all these roadway fatalities. It’s not us.” When in fact, it was to a large degree a manufacturing issue. Sure, drivers had SOME culpability for roadway fatalities, but not ALL culpability, as the manufacturers made it appear.
In today’s software market, the same situation exists as it did in 1950s and 1960s America. Software consumers are “the nuts behind the keyboard,” the “idiots” as they are deemed. It is software consumers that are blamed extensively for not configuring their “vehicle” correctly. But this doesn’t make sense. Why in the world should we blame users for manufacturing defects that could not possibly be their fault? Why should the security of an operating system depend on the intellectual strength of the user when the safety rating of a car is agnostic to whoever the driver might be? According to my elderly mother, plenty of idiots are on the road today, but you’ll note that the U.S. has held steady the number of roadway fatalities at roughly 40,000 per year despite over an 80% increase in traffic since the 1980s. More “idiots” are driving – and driving longer distances – than ever before, but the safety of vehicles remains agnostic to both potential and latent idiocy.
Certainly, if someone drives drunk, they are culpable, but culpability is bounded. What if the wheel falls off their car at highway speeds (or their fuel injection system crashes, as it did with GM and Prius vehicles)? Are the users to blame for manufacturing defects? In the software market, culpability is unbounded. Software consumers are blamed for any failure to protect their systems, manufacturing defect or not. Why should software consumers be liable for manufacturing defects in software products? The lack of consumer protection and the imbalance of culpability in the software market are truly astonishing. To expect 500 million+ users to configure their systems correctly in order to receive suitable protection is not only unjust, it is barking madness.
Thanks for the opportunity to post, Marcin. Cheers.
Is it a configuration issue or a design issue?
I expose these problems as design issues in my comment to Richard Bejtlich's post on More Unpredictable Intruders - http://taosecurity.blogspot.com/2007/11/more-unpredictable-intruders.html#comments
A lot of the technology and links that I provide are excellent solutions to this problem, and also the discussion that was brought about as a result of Marcin's post between myself and Roger Halbheer. I'm certain that I wouldn't have fully formulated these ideas without reading your book, Geekonomics.
I hope that you've read some of my commentary, because I'm anxious to talk with you about it. I see a lot of correlation between your "crash test dummies" and software security assurance (i.e. Build Security In / Gary McGraw's TouchPoints, OWASP CLASP, Michael Howard's Microsoft SDL, and my CPSL - http://www.tssci-security.com/archives/2007/12/02/why-pen-testing-doesnt-matter/).
I also see a lot of correlation between your "seat-belt", "crumple zones", and "Interstate highway" models and the TCSEC - http://www.tssci-security.com/archives/2007/11/23/formal-methods-and-security/ - the Orange Book's use of "functionality" and "assurance". Both are necessary to increase the overall security of a platform, and they should work together to provide adequate protection (even under the worst conditions).
It's also good to see you blogging. Keep up the good work.
Posted by: Andre Gironda | December 05, 2007 at 12:31 PM
Let's be clear to distinguish between the different scenarios, though. As has been repeatedly pointed out, cars are designed to be "safe" under "ordinary" operating conditions. They are not designed to be "safe" from a malicious adversary. A car won't stop someone from deliberately ramming you in the area of the car most likely to cause personal injury. It won't be safe if someone cuts the brakes, loosens all the wheel nuts, etc. Heck, it won't alert you to those situations either.
Your analogy isn't completely unfair, you just need to better define the proper purposes of software and what constitutes normal use and then we could at least theoretically come up with objective standards that the manufacturer must meet.
My copy of your book is on order, apologies if this is going over old ground.
Posted by: Andy Steingruebl | December 05, 2007 at 02:12 PM
Thanks for commenting David, I enjoy the discussion. Learning new things every single day. Dre has been raving about your book to me for the past couple weeks, so I buckled down and used my $25 gift certificate wisely ;)
Looking forward to future posts!
Posted by: Marcin | December 05, 2007 at 11:04 PM