Where should security live?


Here is a question that lies beyond the normal Linux vs. Windows arguments we make here, but whose answer should concern even Linux users.

Where should security live?

The facile answer is everywhere. Professional network security managers tend to want to scan at the edges of their networks, and centralize patch management. We amateurs tend to leave it all at the edges, that is, every box we own has security on it. This leaves it up to individual users to manage security programs, making even little children into security managers. It's not a good solution.

Microsoft is placing security within the operating system, but can we trust it? This also raises the question: to what extent should security be built into Linux?

While there are fewer hackers attacking Linux than Windows, and perhaps fewer exploitable features overall, both exist. The question is also vital if we're to see true desktop Linux, which means home systems which run Linux exclusively.

Personally I would like to see more home security placed in residential gateways. In fact gateway companies like Netopia are increasingly centralizing security, selling it as a service in which the gateway itself acts as a thin client.

What do you think? Should Linux security live in the operating system or in a separate firewall? Does the security argument matter in competition with Windows for the desktop market?

Let us know in TalkBack.

  • Human trust

    Last year NASA (and others) computers were hacked by a teen in Sweden. This was done through a gateway. Cisco routers in fact. Code was also posted on a Russian web site. The question is "Who" forgot to release/patch the software on the appliance? Security should be a factor in every application. The problem is the gateway must allow data packets to pass through allowed ports that the OS and applications use. To say where security should live? It should be everywhere. With the wealth of file sharing applications on the market it is almost impossible to block access without rendering some applications useless. Every developer Linux/MS, etc. has security in mind but that doesn't mean the first version or future versions will be secure. Exploits are even found before a full packaged release. The instant a human says "this is secure" an exploit is found and that statement has relevant history. We should have a clear understanding here about open source and "secret" proprietary code. What/who would we trust? A department head and its employees? Or thousands of people putting an application to the test? Who is responsible and held accountable for exploits that cost everyone time and money not to mention loss of data? Built in security? Isn't it all built in? How can we say Redhat Enterprise Linux has less built in security than MS? Or the other way around?

    There are several factors here. A secure file system and file permissions, and who/what sets those permissions, i.e. owner, group, read, write, and execution. File transactions/transmission/submission and encryption. Secure ports and applications.

    The Linux built in extent example: My little children use Linux. They don't have access to #1 root password. #2 They don't have administration applications on menu. #3 They can't view, or change permissions on system files. #4 Firewall security is built in and set at install. #5 Downloaded files can not be executed/installed from the desktop and can only be viewed. None of this was very hard to set up and they still enjoy multimedia on the web. Unlike other operating systems that allow a free for all desktop execution of exploits, spybots, and viruses. Why is it that other operating systems require third party maintenance applications to defend it? Those applications need to be upgraded, and maintained. Where's the built in extent here? Seeing is believing and as far as the gateway is concerned, let's all rely on a handful of humans to keep our systems safe. Don't get me wrong, I think it's very helpful and adds to better security. Another layer for portable application layered systems.

    • The current security models suck

      "How can we say Redhat Enterprise Linux has less built in security than MS? or the other way around?"

      You really can't. Security mechanisms are there in ALL modern operating systems. People just don't like to make use of them, because it's inconvenient. Windows has 'em, but the default setup sucks. Linux distros have 'em, and their default setup is much better, but for the average user, it too sucks. The current models for security in computers are outdated. Access lists, and su/sudo are okay for the technical users, but not for the majority of users. The entire idea of security needs to be torn down and rebuilt from scratch - this time, with the average user (the type of user that expects to be able to click on anything and have it work) in mind.

      "Unlike other operating systems that allow a free for all desktop execution of exploits, spybots, and viruses."

      You could have just as easily given your children a restricted account in Windows XP. 99.9% of Windows malware assumes the user will have admin privileges (because 99.9% of Windows users do) and will fail miserably when run under a restricted account.

      "Why is it that other operating systems require third party maintenance applications to defend it?"

      I assume you mean Windows here. Look at it this way...

      * The vast majority of desktops run Windows.
      * The vast majority of the people using those desktops run as administrator.
      * The vast majority of those users don't have a clue (or give a crap) about security.

      The math is not difficult.

      Show me a desktop operating system with a relevant market share, and I'll show you a market for third party protection tools.
      • I have to agree with the toadster!

        I like your post because it shows that you are obviously well learned about how to secure your OS but I must agree with Toadslife post because most users don't want to think about security.

        The problem as I see it is a balance between ease of use and security. These two are at odds with each other. If you make it easy, you make it insecure for the user; if you make it secure, you make it too complicated for the average user.

        Mac has done a decent job with security and Linux could take a few pointers from them. I prefer Linux for a variety of reasons but I know after getting many friends to use Linux that the biggest stumbling block for new users is security. This I blame on MS because once you're hooked on double click installs anything else seems like too much complexity. However, when looked at from a spyware, trojan, virus point of view sudo and su don't seem like big deals.

        When I had an attempted theft of my vehicle from my home I installed both home security and other security measures and after about the first month I stopped seeing an alarm password and other security measures as a hassle because they became a habit and a good one. Now I am glad to have these devices in place. I am also glad not to have spyware, viruses, or trojans in my computer.

        If you want to know where security should be addressed it all depends on what you are securing. If you had a million dollars you wouldn't leave it on a table in an open room but if you are storing bags of lawn clippings I think you don't need to secure it very well.

        If your computer supports your network infrastructure then you better secure it every way you can. But if you simply use it for playing solitaire offline then it's not worth the trouble.

        I think sometimes as IT and technologists we forget computers are tools for different purposes and like life it just takes a little thought to answer these kinds of questions.
        • Agree and disagree

          Both of you guys make good points. But I feel I need to make clear that even to an end user/non user, security is a concern. More than 100,000 customers of Wachovia Corp. and Bank of America Corp. have been notified that their financial records may have been stolen by bank employees and sold to collection agencies. My subject was "human trust". In another case, a laptop was stolen from a car. With 16,500 names and S.S. numbers on it. This isn't really about what OS is secure. Dana was speaking about security at the residential gateway. And as Toadlife said any OS can be secured. This stuff isn't about locking a car and setting the alarm. This is about humans and their "talk" and egos. Intelligent humans and human mistakes. Maybe Netopia should secure bank data?
          Sorry but I had to sound the human alarm. lol...
          • human alarm

            Apple ipod
  • Where should security live?

    Where should security live?

    The facile answer is everywhere.

    Yes I fully agree! Every decision should be made with security in mind. From programming to simple scripting. From simple program installation to vast deployment of a new system.

    High security often means reduced accessibility.

    After my 20 years in the business I have yet to see the day when people don't have their passwords on the side of the screen on a yellow sticker for all to see.

    I have yet to see the day when CIOs are not aiming to stop people getting into their networks from outside, when one can simply walk into the organisation's building or whatever and sit by a computer and start hacking and planting serious spyware.

    The highest danger does not come from outside! It comes from or is already on the inside.

    To talk about security and mention Windows in the same sentence gives away the amateur status of the speaker immediately.

    Don't you ever learn anything?

  • Security? Meaning what?

    Security has WAY too many facets nowadays to be referred to as such. Were you referring to OS security? anti-virus? anti-spam? network hackers? you mentioned a few in the article. Perhaps you were thinking also of identity theft? cell-phone viruses? data encryption? I think you get my point. Personally, before I read the article, I thought it was going to be about enterprise business applications, which would narrow it down to 5 or six completely different niches.... The answer for each facet is different.
    Security has become a catchall hotphrase/buzzword for vendor, consultant, reporter, and PHB alike.
    Time for a shake-out.
  • harden the PC

    The most obvious flaw with the PC (regardless of OS) is that it's all too easy for code to be overwritten by badguys or user error. For the computer to ever make the leap from a hobbyist box to appliance, we need to stop this silliness. We need to protect the OS and apps with hardware. This way stability is never more than a reboot away. After all, when's the last time you had to reinstall the software on your television? Or apply security patches to your automobile? Using hardware to protect software won't solve all the security problems, but it's a very powerful weapon that isn't even being used yet.

    • Tv and Cars do not store anything.

      Your TV or your Car does not store user defined data. It is very easy to reset them to factory defaults. If my computer forgot everything that I did when it came under attack, then it would be a much less valuable machine.

      It is a hard job to separate the data and programs the user intends to be stored on the computer from the data and programs that bad guys want to store on the computer.

      It makes it even harder when you are tricked into storing something that the bad guys want you to store.

      I don't see how hardware can help in this situation. Please educate me.
      • RE: Tv and Cars do not store anything

        Certainly computers store more user data than a car or television, but that's no reason to pass up the advantages of hardware protection.

        Let's take a simple example. On your windows machine you have a program called mspaint.exe (default MS paint program). When's the last time it was updated? From what I can tell, not in years. So making it vulnerable to overwrites is a needless risk. It should be in ROM or some other protected media. This doesn't fix any bugs in the code - it just means the bugs won't cause the program to be corrupted or erased.

        And if you don't see the advantages of simple hardware protection, what do you propose? Do you agree that the current security schemes which all depend on the goodguy programmers being smarter and faster than the badguy programmers have not made significant headway? Do you agree that computers are still far too unstable for the average non-technical user who doesn't understand spyware, rootkits, etc? Do you agree that historically all companies ultimately grow inefficient and lose their edge? I would put MS, Symantec, and the like in this camp. The fact that we're still fighting security issues daily is my proof. We need a more innovative approach.