Computer Security

Recently I was trying to troubleshoot my sister's computer, and my ranting about the problems encountered while trying to get it connected to the Net and reasonably protected against viruses, etc. (it runs Windows 98SE) led to the more general topic of security. At one point my father asked me (apropos of my comments on the particular anti-virus and internet security program I had been trying to install--I won't name names to protect the guilty) what was the best security package for Windows, and my answer was "Linux". This article will elaborate on that statement, because I think it's important (or at least useful) to understand the reasons why Windows seems to suffer so much from these things, where other operating systems don't.

In the main page for my "computers" category (the one that led you to this article), I posed the same question and gave an ambiguous "hint" as to the answer (or rather as to what isn't the answer): "It isn't that all operating systems are inherently vulnerable to viruses." Now I didn't mean by that that all operating systems aren't inherently vulnerable to viruses--they are, in the sense that no operating system can possibly be 100 percent secure against all possible attacks. However, given that basic fact, there are certainly better and worse ways to handle security, and Microsoft appears to have picked the worse ways wherever they had a choice.

That isn't necessarily because Microsoft has purposely set out to create a product that was insecure; it's just that they haven't bothered to make security a priority. Microsoft's attitude seems to be that they'll try to fix problems as they occur, but there's no need to rethink the fundamental design of their software (Windows and all the MS applications that go with it). And it's that attitude that has given us virus after virus, worm after worm, servers running Microsoft software being compromised, people's private information being compromised, and all the other problems we hear about in the news--and by now we realize, after seeing major web sites go down because of such things, and seeing the reports on how many people suffer from identity theft and other crimes because of all the malicious code that's out there that Windows doesn't protect us from, that it is a big problem, even if Microsoft doesn't want to admit it.

Linux, by contrast, is a good example of an operating system that was built from the ground up with security as a primary goal. The Postscript to this article, and some of the links at the end, go into more detail about how exactly this is done; here I just want to stress the point that Linux proves by example that it is possible to have an operating system that is inherently secure without sacrificing real functionality. That's why I answered my father's question the way I did. (I should also note, by the way, that the same features of Linux that make it inherently secure also make it much less prone to crashes and other forms of havoc that are all too familiar to Windows users. I'll mention that again below.)

Comparison of Windows with Linux easily shows up a number of ways in which Microsoft has given us a bum deal. Here are some of them:

The above might seem like more than enough, but there's still another reason why Windows gets compromised so often and other systems don't, and it's a reason that's the exact opposite of what you might think:

Windows gets cracked so much because the source code is secret.

It seems highly counterintuitive, but in fact it's a well-known rule in the cryptography world: a truly viable method of security must be able to withstand general knowlege of its method of operation. After all, the people trying to break into your system are going to figure out its method of operation sooner or later, by hook or by crook, so if you don't allow for that possibility, it will bite you. But there's an even greater side benefit: the more people who know the method of operation, the more people there are who can find problems before the bad guys do. And if a good guy finds a problem first, it can be fixed before the bad guys ever get a chance to exploit it.

This last is one reason why systems whose source code is open (like Linux--though of course Linux, like all other flavors of Unix, also does many other things better than Windows) do so much better at being secure: there are just so many more pairs of eyes who are both capable of finding and fixing problems and motivated to do so. Microsoft, by contrast, seems to believe that if they can just keep all their code secret, the bad guys won't figure out how to exploit it. (Of course at this point the code underlying Windows is such a mess that no self-respecting programmer in the open source world would touch it with a ten-foot light pen. But that wasn't always the case.)

An excerpt from an article linked to on the Reasons to avoid Microsoft site puts it this way:

There are advantages to openness per se, though not the one most often cited. Open source developers have got to be more careful and security-conscious than their closed-source counterparts. This encourages a better product overall. There is a corresponding disadvantage in closed-source software: obscurity may inconvenience blackhats a bit and help limit the number of potential attackers, but it works only so long as obscurity is maintained. Secrecy can be useful, but it is a fragile defense. Once the code is released, the software becomes an easier target than it once had been; but because it was developed with the assumption that it would not be released, it is likely to be sloppier and easier to exploit than [Open Source code].

So what to do? Here are some recommendations. (Note that these are brief and should not be taken as gospel--to do a proper job of research, you should learn many more details that I don't go into here. The links on my main computers page are one place to start.)

  1. A Hardware Firewall/Router: This is your first of multiple layers of defense, and does a lot all by itself to make you less vulnerable to worms and bots that are always crawling around the Web looking for sitting ducks. Just about any brand on the market these days has the required functionality.

  2. The Right Operating System: In my opinion, this is not Windows (for reasons which should be obvious from the rest of this article)--in fact, although I prefer Linux, I'm willing to be open-minded and say that the right OS is just about anything but Windows. However, if you're forced to run Windows, you can still do a lot better than its defaults. The key point is not to do your ordinary tasks with administrator rights (you should never sign on to your computer with administrator access unless you need to to install a program or do other system maintenance--and when doing this you should only connect to external machines if you have to, such as for downloading updates/patches). For everything else (e-mail, web surfing, etc.), use your regular user account (you did set one up, right?), and make sure it doesn't have any extra access rights.

    (I should note that even if you do the above on Windows, you're still not as secure as you would be running Linux and doing the same thing--which Linux, of course, makes you do by default. The reason is that, even if you are running as an ordinary, "non-privileged" user, many of the programs you run will make use of operating system services that require access to things like the file system, the keyboard, the network interface, and so on. Under Linux, and any other sanely designed operating system, the system calls that accomplish this are done using your ordinary user privileges, so that no matter how hard you try, you can only clobber the parts of the system that you have access to. On Windows, however, many important operating system services are provided by processes that, for reasons presumably known only to arcane Microsoft programmers, automatically "escalate privilege" in order to do their work--meaning that the programs you run, if they call these services, can damage parts of the system that your ordinary user account doesn't normally have access to. So even though the suggestions I'm making in this article can grant you a degree of safety when running Windows, there are still lots of holes that you can't really plug. See the Postscript to this article for more discussion of this point.)

  3. A Software Firewall: (Updated August 2010) This page used to recommend a software firewall, such as ZoneAlarm (for Windows), in order to, as I put it then, "prevent unwanted traffic from getting out" (by contrast with your hardware firewall/router, which, as noted above, is to prevent unwanted traffic from getting in). However, even then I noted a potential flaw in this idea: some key programs that have to access the Internet to function (in particular web browsers) are inherently exploitable, meaning that their whole purpose is to run "code" that is handed to them (since that's what web pages are--code that tells your browser what to do). Because of this, I recommended that you not allow such programs to be on the software firewall's list of "trusted" applications that can access the Internet without asking your permission.

    Even then there was an obvious flaw in my advice, since having to explicitly give permission every time you open your web browser is inconvenient, so many people just won't do it; and if you don't do it, then the software firewall isn't really giving you any added protection (since if there is malicious code running on your machine, it can simply "hijack" the web browser in the background to get its network traffic out). However, since then I have found that it's even worse than that: because of the way these firewalls work, they can be either circumvented or prevented from loading at all by malicious software. I'll pick on ZoneAlarm since it's the one I'm most familiar with, but it's important to realize that the types of exploits that are described here, here, and here could, as far as I know, be used against any Windows firewall (the specifics would differ, but the net effect would be the same).

    In view of these types of issues, I've come to believe that the "protection" offered by a software firewall with regard to stopping unwanted outbound traffic is illusory, and I no longer recommend running one for that reason. I do still recommend having a software firewall as a second layer of protection (after your hardware firewall/router) against unwanted inbound traffic; and of course if you have a laptop there will be times when you are not behind a hardware firewall/router, or when being behind one does not completely protect you (for example, when you are plugged into some form of public Internet access, such as at a hotel or airport, or a WiFi hotspot--the wireless router that provides the hotspot does technically "shield" you from the Internet as a whole, but not from other people using WiFi in the same area who might want to snoop). But for purposes of protecting against inbound traffic, the firewall that is built into Windows is pretty much the same as any of the third-party offerings, so if you just make sure that is configured to give you maximum protection, that's the best you can do. (However, as already noted, the default settings of the Windows firewall are not the ones you need for maximum protection; see the next item.)

    (I should also note that, as with so many other types of "protective" software, there would be no point in even trying to run an "outbound filtering" program on Linux--in fact, the line of research that led me to find out about the ZoneAlarm vulnerabilities described above started when I thought about trying to write an equivalent program for Linux, and started digging in to how firewalls work in various operating systems. Linux, as you're probably expecting by now, has a built-in firewall, as do all Unix-type operating systems, and it can easily be configured to give you the maximum possible protection against unwanted inbound traffic. But even Linux's firewall can't reliably do outbound filtering, simply because of the inherent nature of programs like web browsers--how is the firewall going to know whether any particular packet sent by the web browser is genuine or a "hijack" caused by a piece of malicious code? It can't. But unlike Windows users, Linux users are under no illusions about what protection the system can and can't provide, so they can make decisions about their network usage based on reality.)

  4. No Sharing: One particular area where Windows' default settings are highly unsafe is that of "sharing". Unless you explicitly tell it not to, Windows will assume you want to share the files on your computer with other computers--which means that it will listen for incoming network traffic in case it's a request from another computer to see what files you have on your computer. There are at least two reasons why this is a bad idea. First, as with so many other defaults in Windows, it's the wrong default: file sharing is not something you should ever do automatically, without thinking about it. It should only be something you're doing explicitly, under a specific set of circumstances where you are sure it's safe--and once you're finished with that specific set of circumstances, you should turn it off again.

    Second, even under circumstances when you want to share files, there are better ways of doing it than telling your computer to indiscriminately listen for incoming network traffic. Computers that do that should be doing it only because they have to to fulfill their function (for example, web servers and mail servers that have to be visible to the entire Internet), and professional system administrators spend a lot of time and effort making sure such computers are protected against unwanted intrusion--and even then they sometimes fail. You are most likely not a professional system administrator, and you should not have to be one just to share files between you and your friend's computer--but Windows doesn't do a very good job of making other options available.

    So by default you should always turn off all the "sharing" options on Windows, so nothing is exposed to other computers. (No sharing is the default on Linux and Mac OS X, of course.) Recent versions of Windows give you a fairly easy way to do this: just tell Windows that every network you connect to, even your home LAN behind your hardware firewall/router, is a "public" network. This will automatically disable sharing, and combined with the Windows firewall, that will make your computer "invisible" to others. But sometimes you do want to share files between your own computers--for example, to make backup copies of your data. What then? There are ways to do this in Windows, of course, but they're still clunky and don't give you the level of control you really need.

    Fortunately, in these times where the price of low-end computers is coming down into the consumer electronics range, there are alternatives. You can get a cheap Linux box now for a few hundred dollars, or repurpose an old computer that doesn't have enough horsepower to run Windows as a Linux server. There are even "plug computers" coming out now that run Linux and are specifically designed for this type of need: you literally plug them into a wall socket, plug in an Ethernet cable that goes to your hardware firewall/router, and get a USB external hard drive (you can get a terabyte now--August 2010--for less than a hundred dollars US), and you now have a file server visible on your LAN that you can back up to, and that can be configured to be secure (for example, you can tell it to only accept incoming traffic from one specific machine--your PC). Then you can keep sharing turned off on your Windows machine and still get all the benefits.

  5. Anti-Virus and Anti-Spyware Software: If you're really running the right operating system (i.e., not Windows), you already have virus protection, spyware protection, etc. as part of the inherent design of the system. But if you do have to run Windows, these things are additions to the operating system that you definitely need. By the way, this includes making sure that the data the software uses (virus definitions, lists of spyware to watch for, etc.) are up to date--which means going online and downloading the updates (all of these software packages have automated ways for you to do this) on at least a weekly basis. If you have a broadband connection to the Internet, I recommend that you set up the software to do this automatically (schedule it for some time like 4 a.m. when it won't interfere with your use of the computer). This is one of the few instances in which it's OK to let software "call out" to the Net without your direct intervention.

    (By the way, you may be wondering why I didn't recommend the same thing for the operating system above--you can do that if you want, but be aware that, unlike anti-virus and other protective software, where the "automatic update" feature is dedicated to a single function, the "automatic update" feature of Windows isn't limited to downloading security patches whose sole purpose is to make you safer. It also downloads new "features" that you may not need or want. For that reason, I don't recommend doing automatic update for Windows itself--that's one area where you just have to take the time to manually check for updates and only download the ones you really need.)

  6. A Dumb E-mail Client: Yes, the word "dumb" is intentional. Many, many, many exploits of Windows take advantage of the fact that Outlook (or Outlook Express), the default e-mail client for Windows, is so "smart". It does so many things automatically (which, as I noted above, is a bad idea)--things like opening attachments, executing HTML code, following external links in e-mail messages. Sure, it's smart--just smart enough to be dangerous. Far better to use a "dumb" e-mail client that doesn't do any of those things unless you tell it to--so when the latest virus-infected e-mail comes in, you won't be at risk, because you, unlike Outlook, are smart enough not to open attachments, or execute code or follow links unless you know what they do or where they go. (Practically all of the "right" web browsers--see next item--also include good e-mail clients--and if you run any operating system but Windows, you will have still others to choose from. I use KMail, which is part of the KDE Personal Information Manager suite called Kontact, and comes with most Linux distributions.)

  7. The Right Web Browser: Just as Windows is not the right operating system, Internet Explorer is not the right web browser if you want to be secure. First of all, IE is "smart" in the same sense that Outlook is smart--it's just smart enough to do really dumb things, but not smart enough to realize that it should ask you first. For example, when most web browsers see a piece of HTML code in a web page that's not formatted correctly, they ignore it--but IE tries to figure out what it "should" have said, and then does that! Ever run into an "HTML Error" message while using a browser other than IE? The ill-formed code that caused the error is probably there because of this "feature" of IE--the wingnuts who coded it weren't smart enough to test it in another browser, and IE never told them there was a problem.

    Even worse, though, Microsoft (as part of its plot to take over the world) has set things up so that a lot of really useful functions, functions that have nothing necessarily to do with web browsing, are packaged in files that are part of IE. Why? What does this accomplish except to give malicious code more ways to do damage? (Particularly if the malicious code exploits a function packaged with IE that does automatic privilege escalation, as discussed above under "the right operating system".)

    There are plenty of better browsers out there--I've put some links to their sites on my Computers page. (Of course, if you were running the right operating system, you'd have this problem solved already--sorry, couldn't resist. I primarily use Konqueror, which comes with most Linux distributions; for some sites, which for some reason aren't convinced that Konqueror has full security capabilities, which it does, I use Firefox.)

I know the above sounds like a lot, especially if all you really want to do with your computer is to exchange e-mail and surf the web. Maybe someday computers will be to the point where you can just buy one, plug it in, and safely do those things without giving it another thought, but we aren't there yet, and Microsoft isn't likely to take us there any time soon. If that makes you interested in checking out another operating system besides Windows, all the better--because some of those are a lot closer to that ideal than Windows is.


You may be wondering, in view of all this, about various hardware and software that Microsoft, Intel, and others are promoting (not to mention new laws like the Digital Millennium Copyright Act, or DMCA, and other laws aimed at "piracy") which have been hyped in the media as being needed to make computing (and digital information in general) more "secure". Aren't those things aimed at achieving the very goal I just referred to--allowing the customer to just take a computer out of the box and use it safely without giving it another thought? The short answer is "no"; the Trusted Computing FAQ gives a long and well-written answer. Here I'll try to give an answer that's somewhere in between.

Part of the problem is that there seem to be so many threats out there, all waiting to jump on you as soon as you connect your PC to the Internet. First it was viruses, then worms, then spyware, then identity theft, etc., etc., until it seems like there's just no way to keep track of it all. And indeed, to users of Microsoft software, and probably even to the programmers of that software, it seems like there is an ever-increasing number of threats, each one requiring a new piece of software to protect against it. You need an anti-virus program, but that doesn't protect against spyware, so you need a spyware detector, but that doesn't protect against malicious scripts on web sites, so you need more security features in your browser, and so on.

One of the important points that I tried to stress in the above article is that all this is in no way a necessary part of computing, or surfing the Net. It's purely an artifact of the way Windows is built. For example, you may have noticed that I commented that other operating systems already have anti-virus and anti-spyware features built in. I don't need a special anti-virus program on my Linux machine, or a spyware detector, or any of the other stuff that clutters up my Windows machine. Why is that? Because the Linux operating system (like all flavors of Unix--and MacOS, too, now that it has Unix under the hood) is built from the ground up with the understanding that the computer it runs on is going to be linked to a lot of other computers, some of which may not be trustworthy.

As soon as you start to build an operating system this way, the "problems" that Windows users see as an unbounded proliferation of different threats can be greatly simplified. No matter how many different individual threats there are, all of them depend on being able to do one of two things: (1) get code to run on your computer that you don't want to run; (2) get information from you that you don't want to give out. If a putative threat doesn't do one of those two things--either because it doesn't try to or because it tries to but can't--it isn't a threat. Many threats try to do both, but that doesn't matter, because the solution is still the same: design the operating system so that it's as hard as possible to do either of those things. All Unix-based operating systems have always been designed this way. Windows isn't, and that's the root of its problems--all the legions of anti-virus and anti-spyware programs and so forth are just kludges tacked on to Windows to make up for this fundamental failing.

Viewed in this light, you can see that all the hype about "trusted computing" and other proposals to supposedly "solve" this problem are not responses to a real problem at all: they're just manifestations of the fact that their proponents are either unwilling to see or don't want you to realize that better solutions are already here. We already know how to design an operating system for home computers that "solves" all the problems that these proposals are supposed to "solve"--but of course it "solves" them by not letting them become problems in the first place.

This is not limited to operating systems. The proponents for "trusted computing" essentially want to make the entire Internet into a "secure" network of machines running their proprietary hardware and software--but again, the problems that this is supposed to "solve" have already been "solved" by people who simply understood what needed to be prevented (the two things I listed above) and designed open standards and software to implement them. The primary technology involved is called public-key encryption, and you've probably used it many times without realizing it. Every time you sign in to a secure web site, such as an online banking site (it will have https:// in its URL instead of http://, and most browsers also put up a "lock" icon or something similar to let you know you're in "secure mode"), you are using an open standard called Secure Socket Layer (SSL), which uses public-key encryption to ensure that nobody except you and the site you're talking to can read your data. "Trusted computing" wouldn't make such transactions any more secure than that.

(You can use public-key encryption to encrypt your own documents, e-mails, and so on, using Pretty Good Privacy, or PGP, software. You can also encrypt documents using someone else's public key, so that only they can decrypt them. My Miscellaneous page has a link to my PGP public key. By the way, you might notice a section called "Is PGP Legal?" on the PGP site above and wonder about it. Yes, governments have tried to restrict people's ability to use PGP and similar open standards for their own security. I discuss these types of issues in more detail in my article on Digital Rights Management.)

Can these existing technologies guarantee that you'll never get a computer virus, never get spyware, never be a victim of identity theft? No, of course not, but neither can "trusted computing" or anything else. No technology can take the place of common sense, which is the same as it's always been: don't give out personal information to people, or web sites, you don't trust. And as the sites I link to which talk about this in much more detail make clear, "trusted computing" is a misleading term because as far as we, the users, are concerned, it wouldn't make web sites, software, or anything else any more trustworthy. What "trusted computing" really means is "computing which is trusted by the vendor to keep the user from controlling it". We don't need that to protect ourselves against viruses, spyware, identity theft, and the rest. Existing technologies can do at least as good a job, and you get to keep control over your computer to boot.

A Final Note

You may wonder why I rail against Windows so much here when, as you'll know if you read my Computers page, I have a Windows machine at home. Why haven't I thrown it away or re-formatted it to use some other OS? Well, if it weren't for a few particular computer games that only run on Windows, I probably would have done just that by now (the latter, not the former). I don't use that machine for e-mail, or surfing the Net, or anything else that requires regular access to the Net (in fact, just about the only time the machine connects to the Net at all is to download its weekly anti-virus update or when I'm doing other maintenance tasks that require it). Now that I have Linux established for all essential functions, my hope and intent is that that machine will be the last Windows machine I ever buy. Even then, though, I'll still have to deal with Windows at work, so I'll still have stuff to rail about. But I'm not necessarily saying that everybody should boycott Windows altogether, or that we should all move heaven and Earth to convince our employers to do likewise (though come to think of it, that isn't a bad idea). I'm just saying that, given Microsoft's track record, it seems prudent for us as users to view their claims about providing more secure computing with more than a few grains of salt.

(Update, 2006: I now no longer have a Windows machine at home, since my Windows laptop's hard drive kicked the bucket early this year and I replaced it with a Linux laptop--by which I mean a laptop that came with Linux, and only Linux, pre-installed. Googling linux laptop will show you some places you can order one online. We actually have two at home now, one from Linux Certified and one from R3 Technologies. Both are doing just fine. I was greatly pleased to find that there are a growing number of suppliers for both laptops and desktops with Linux pre-installed.)


The World Wide Web Security FAQ: The more or less "official" stewards of the web are the World Wide Web Consortium (W3C). This is their information source on web security; some of the specifics given are dated (for example, the state of browsers and security support in them has changed a lot since Netscape was the only one with SSL capability), but it gives a good general overview of the issues, and good information about the security risks of browsing the web in the Client Side Security section. Also, if you have a web site, even if you don't run it yourself but pay a hosting service like I do, the Running a Secure Server section is worth reading.

Privacy, Security, and Viruses: A FAQ by the writer of W3C's general FAQ about the web (not the same as their security FAQ above). Some good answers to important questions about surfing the web.

This Groklaw article on the CERT 2005 vulnerabilities list raises a lot of the issues I discuss in this article. Particularly interesting is a comment by "brc" towards the end of the page. I'll quote from his opening comments here:

Comparing how many patches or even how fast they are fixed, for any given OS, tends to be a useless comparison. Every OS will have them occasionally, and any vendor can inevitably twist the numbers to say what they want. And it only takes one to hurt you. The true long term difference is whether the flaw is a design flaw or a coding bug, and if exploited, how damaging it is. A coding bug like a buffer overflow or missed exception can be fixed, because it is an unintended result of how the program functions. In contrast, a design flaw cannot necessarily be fixed, because the program was intentionally coded this way, and fixing it means breaking the intended functionality of the program.

With a design flaw, the product was intentionally written to do something that turns out to be a bad idea. It's things that may be trumpeted as great features of a product, that people may use for valid business reasons, but that because they were not thought out with security in mind, are easily exploited by attackers. Because they are intentional functionality, you can't create a fix that prevents the attacks while leaving the product intact and working as it did before.

Microsoft's biggest problems are not the unintentional bugs (which every OS has) - they are the design flaws that are all so common in MS software.

The rest of his comment goes into some specific examples of the design flaws he's talking about. Couldn't have said it better myself.

(And by the way, such design flaws aren't just in Windows applications; they're in the design of Windows itself, the core operating system. This article gives a good example; it discusses a serious vulnerability in the way Windows applications are driven by "messages" sent to them. A quote from the start of the article:

The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor.

The article was written some time ago (the exact year is not given, but it mentions testing exploits on Windows 2000, so presumably it was before the launch of XP in 2003), but the flaws it describes are, as far as I know, still present and still unfixable. The article also discusses the differences in design that make Linux, and Unix-based systems in general (such as Mac OS X) simply not subject to this type of attack.

Linux Firewalls and Anti-Virus: Needed or Not?: An article on PC World discussing the differences between Linux and Windows relative to system vulnerability to attack. It makes similar points to the ones I make above, but also mentions a possibility I didn't discuss: that even if you run a safe Linux system, you could have files with Windows viruses on them passing through your e-mail, so it might be worthwhile to have a virus checker to filter these out before forwarding on to your friends that haven't yet seen the light and are still running Windows.

Security Report: Windows vs. Linux: An article in The Register which gives a good comparison of the two operating systems, along the same lines as I do in this article, but with more detail on some key issues.

Linux Viruses: An article on Rick Moen's web site which goes into some detail about the features that make Linux as an OS much less vulnerable to viruses.

Linux vs. Windows Viruses: Another article in The Register along the same lines as the previous link. A good tag line from this article: "To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it."

Spyware, Adware, Windows, GNU/Linux, and Software Culture: Another good article on the differences between Linux and Windows when it comes to viruses, spyware, and related matters. There's also some good discussion of how the Windows and Linux "software cultures" each got to be the way they are.

Real Story of the Rogue Rootkit: An article in Wired News about the "Sony rootkit" fiasco--I've put this link here instead of with the rest of the Sony rootkit links on my DRM page because the article has some more general comments about computer security and the linkage between companies that want to put spyware on your computer (which, by the way, includes Microsoft itself) and the companies like Symantec and McAfee that are trying to sell you software that's supposed to protect you from it.