This is the second article in my series about GNU/Linux security for the GNU/Linux curious and new GNU/Linux user. The first article is here: http://blog.eracc.com/2009/10/23/2009/10/18/gnulinux-security-ubuntu-has-been-cracked/
There are many attempts to explain the differences between GNU/Linux and Microsoft products when it comes to security. In this article I am going to make yet another attempt. I want to make this as simple as I can for the non-technical users out there. Especially those that are using Microsoft products and cannot conceive of anything that is more secure by default. If you are a technogeek god then ignore the fact that the explanations here are very simple. If you, in your great geekness, want to expound further then feel free to post a comment.
At base the Microsoft products all go back to a core that is built on the MS-DOS concept of a single task, on a single computer for a single user. There is little need to be concerned about security with such a design. This is a fine concept if one never attempts to use such a system for anything other than a single task, on a single computer for a single user. But that is not what Microsoft has done. The Microsoft products simply kept that single user, single computer base technology and added on multi-tasking (Running many programs at one time.) and networking (Connecting many computers together for sharing data, printers and so on.) Later multi-user capability (More than one user on a computer at the same time.) was added on top of this single user, single tasking core. Granted the multi-user capability is not really present in Microsoft desktop products, so we can ignore the fact that one may create multiple user accounts on a modern Microsoft based desktop system. I will call the Microsoft model a one-one-one model.
The problem with adding on these multi-tasking, networking and multi-user capabilities to the Microsoft one-one-one products is that there appears to originally have been no concern for securing these systems. The security concern only began once people began to see systems being cracked and exploited “in the wild”. However, there was a serious problem with securing these systems. To correctly raise the security bar for Microsoft systems “out of the box” the core of the operating system should have been redesigned from scratch. The backwards compatibility that has its roots in that single task, single user, single computer model would have to go away at some point. Apparently the high and mighty Muckity Mucks at Microsoft made an executive decision to not do that, ever. So, today we have Microsoft Windows 7 released and containing roots going back to that insecure one-one-one operating system design.
How is GNU/Linux different? A GNU/Linux desktop system is designed from the ground up along the Unix model of multiple tasks with multiple users among multiple computers on a network. I will call this a many-many-many design. As such the basic design also includes consideration for securing the operating system and data on same when many users may have access to the same system simultaneously. Therefore, when a GNU/Linux computer is taken out of the box for the first time it already has a higher security capability. This is because of the many-many-many design that included consideration for security from the beginning.
How does this apply in a real world scenario? Okay, because of the original flawed design decisions by Microsoft many third party software packages require that a user be running as a system administrator with full access rights to the computer, including to system files. So, by default when one pulls out a new computer with a Microsoft system installed the users are created as “administrator” users. This is a problem because now this administrator user can browse to an infected web page and see a pop-up with an “anti-virus” warning. Then our poor user will click the close button on the pop-up and become infested with “Antivirus 2010″ or other fake anti-virus program that at minimum is irritating but may also have broader security implications by then installing other malware (Malicious Software) that can steal personal information. Because the user is an administrator with full access to the operating system’s files the malware that starts from the web page also has full administrator access and can install itself with impunity.
How can I blame Microsoft for these third party software packages and/or users being set up as administrators? Why not blame these third party software designers? Well, I do blame poorly written software that requires administrator access to work correctly. But I also blame Microsoft. Because Microsoft made the poor decision to stay with their one-one-one design and just “improve” it. At first the only way for any software to work correctly with these “improvements” was to have administrator access. Over the years this has changed, but rewriting all software to these new, more secure specifications is a slow and expensive process for the software companies involved. Microsoft should have scrapped that one-one-one model and redesigned the core operating system from scratch. That redesign should have looked something like Unix … or like GNU/Linux.
The GNU/Linux many-many-many system on the other hand works just fine when a plain user who is not an administrator uses programs on it. So, no software run by the user can affect system files. Further, no software on GNU/Linux is designed to automatically allow software to run from a web browser or e-mail application without the user’s knowledge. No open source developers I know are silly enough to think having such “capabilities” is a good idea. So, when our dear user browses to an infected web site and sees a pop-up about an anti-virus infection she can safely close that pop-up without worrying that an infection will occur in the background that will take over her computer. It is very unlikely that a web based malware script written with GNU/Linux as the target could find a way to even infect the user’s home directory. Why? Well, software that is downloaded from a browser instance is not set as executable. So, even if a browser could be made to download a file without the user knowing it the user would have to make changes to the file permissions to make it executable. There are no .EXE, .COM, .BAT or other files on GNU/Linux that can be run just because of their file extension. A file has to be a compiled application or a script and be set as executable before it will run. This automatically makes it much more difficult to infect a GNU/Linux system behind the user’s back. The effort required is much greater than with Microsoft based systems where the file extension makes the application or script able to be run.
I created a script and uploaded it to my web site to demonstrate this. Here is what a “ls -l” file listing of that script looks like when first downloaded:
-rw-r–r– 1 gene users 73 2009-10-23 22:28 a_script_for_you
See that “-rw-r–r–”? That means the owner of the file, the “gene” shown after the “1″, can read it and write to it but not execute it, “rw-”. The group, the “users” shown following “gene’, and everyone else, not shown but implied, can read but not write and not execute the script, “r–r–”. The dashes are placeholders for the bits that allow writing, “w”, and executing, “x”, of files. Now I will change the permissions on the script by hand and run it:
[gene@era4 ~]$ chmod 700 a_script_for_you
[gene@era4 ~]$ ./a_script_for_you
I can only run if you use the command ‘chmod 700 ./a_script_for_you’ or similar!
See? I had to explicitly intervene to make that script run. I would have to do the same if I downloaded a program from a web site. Browsers on GNU/Linux have no ability to change the script to be executable on my system without my knowledge. I have to be involved in the process, so I have to be convinced that making this program or script executable is a good idea. If this script comes from the “Joe’s Bar and Grill” web site and purports to be an upgrade for Firefox I am going to be very suspicious about making it where it will run on my computer. So should you. Social engineering attacks, where the bad guys convince a user to do something stupid, can still occur with GNU/Linux. So beware and be informed about those. But automated attacks that get system level malware installed through the browser or through e-mail are quite impossible on GNU/Linux.
This brings me to my illustration of the Linux House versus the Microsoft House. The Linux House is built with bullet-proof windows that are closed and locked. There are thick steel bar grills over all the windows. The Linux House has thick concrete walls, roof and floors. The Linux House has thick solid steel, bunker doors that bolt at both sides, the top and the bottom. Any thief that wants to get in and steal your family heirlooms is going to have to have some serious means of breaking and entering, like a bazooka or a tank. Yet all the security of the Linux House is behind beautiful and functional facades and the typical resident can be blissfully unaware of it most of the time. On the other hand the Microsoft House is pretty much like your house you live in now. It is quite adequate for day to day living but it is no serious impediment to a thief that wants to get in and steal your jewelry. It has plain old Windows. The thief can pretty much just break those Windows and climb in at will. You see, plain old Windows are no real way to stop a thief.
Can Microsoft operating systems be secured? Yes, they can, up to a point. But the starting point to secure Microsoft operating systems is far lower than the starting point for GNU/Linux systems. However, the flawed original design of Microsoft operating systems that underlie all modern versions of Microsoft operating systems keeps them more amenable to attack even when as locked down as possible. Of course, in reality, the only truly secure computer is one that is never used, by anyone. But then again, no one is going to spend money on a computer that cannot be used.
Any of you serious security types that want to share more information about GNU/Linux and its security by design model or have better illustrations than mine, please leave a comment.