GUI Security Software Linux

When Does Usability Become a Liability? 930

nasteric asks: "I caught myself in the middle of a very interesting discussion last Friday over Krispy Kreme donuts and coffee. The discussion had to do with usability and security. Many of the Microsoft Administrators I work with argued the more user friendly Linux becomes, the more vulnerable it becomes. They claimed making Linux a friend of Joe User will require it to 'open itself up' and become more susceptible to attack. Needless to say, this became an endless debate between our Microsoft Administrators and our Linux/Unix Administrators that will undoubtedly continue into the morning. Therefore I pose this question to the Slashdot community. Will making Linux more user friendly result in it becoming less secure? Hopefully your expertise will help shed some light on (and bring to an end) our discussion." Does decent usability necessarily imply the presence of vulnerabilities? Macs seem to have this area down pretty well, with little in the way of vulnerabilities. Can Linux software follow the same route?
This discussion has been archived. No new comments can be posted.

  • by LostCluster ( 625375 ) * on Monday April 12, 2004 @04:16PM (#8840839)
    ugh... foobared that post up... you know what I meant. Linux has everything off by default.
  • Re:oh of course! (Score:2, Informative)

    by oberondarksoul ( 723118 ) on Monday April 12, 2004 @04:23PM (#8840938) Homepage
    People need to learn that this is not necessarily the case. One only needs to look at the fact that Apache, while being dominant over Microsoft's webserver (the abbreviation eludes me), suffers far fewer exploits than the latter, to know that it is not the case.
  • by IntlHarvester ( 11985 ) on Monday April 12, 2004 @04:24PM (#8840945) Journal
    the code can't even be moved in raw binary form without destroying the resource fork

    I assume that most Mac mailers observe the MacMIME [cmu.edu] spec. This makes sending forked files through email a transparent process.

    (Not arguing with the rest of your post -- I think it would be a lot easier to trojan Mac users with a "Install this Cool Screensaver" thing instead of jumping through hoops with a fake MP3.)
  • Re:Yes (Score:5, Informative)

    by weave ( 48069 ) * on Monday April 12, 2004 @04:25PM (#8840958) Journal
    That's what's great about OS X. If you want to install an app and the installer requires admin rights, it prompts you to enter in your user account's regular password. This stops automated trojan installers, but doesn't require a separate id/password for doing system level work. It also alerts you that "Hey, I'm doing something that will change my system."

    There is no need to log into an admin account to do any of this kind of stuff under OS X.

    I've also never seen an OS X app that says you have to give all users all perms to the root folder, or have everyone running as admin, or open up the program folder for everyone to write to because settings are being stored in the wrong dang place.

    Windows could be a lot more secure, but Microsoft doesn't go far enough to shame software vendors into sticking to the logo requirements. How many times have you Windows admins had to support a desktop app or driver for a peripheral that REQUIRES admin or power user rights? It's insane that there are Windows programmers that are still writing crap like this today.

  • Re:Yes (Score:5, Informative)

    by Grayputer ( 618389 ) on Monday April 12, 2004 @04:29PM (#8841017)
    Actually most virus arrivals now do need a luser. Email gateways are doing more scanning and keeping outlook users from becoming auto-lusers. However, one of the latest/best scams is to zip the virus and password protect it (quasi-encrypted) so the gateway scanner can not scan it. Then include instructions in the email that social engineer some luser into unzipping it with the supplied password and running it. I've seen some pretty good email virus scams recently, the text is REALLY good, definitely luser friendly.
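A gateway-side check for the pattern described in the comment above, as an added example that is not part of the original thread or of any scanner product: it reads only the ZIP central directory to find entries the scanner cannot open, and notes whether the message body hands out a password. The function names and the sample message are constructed for illustration; because Python's `zipfile` cannot write encrypted archives, the sample sets the encryption flag bit by hand.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of a ZIP entry's general-purpose flags: entry is encrypted


def encrypted_members(data: bytes) -> list:
    """Names of encrypted entries; [] if there are none or data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # infolist() reads only the central directory, so no password is needed
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def triage(raw_message: bytes) -> dict:
    """Report attachments a scanner cannot open and whether the body supplies a password."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    unscannable = {}
    for part in msg.iter_attachments():
        names = encrypted_members(part.get_payload(decode=True) or b"")
        if names:
            unscannable[part.get_filename() or "(unnamed)"] = names
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {
        "unscannable": unscannable,
        "password_in_body": bool(re.search(r"\bpassword\b", text, re.I)),
        "quarantine": bool(unscannable),  # policy choice: hold what cannot be scanned
    }


def build_zip(name: str, content: str, encrypted: bool = False) -> bytes:
    """Constructed sample archive; 'encrypted' only sets the header flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags live at offset 6 in local headers and offset 8 in central headers
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


def sample_message() -> bytes:
    """Constructed message: one ordinary ZIP and one flagged as encrypted."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("The archive is protected. Password: 12345")
    msg.add_attachment(build_zip("notes.txt", "hello"), maintype="application",
                       subtype="zip", filename="clean.zip")
    msg.add_attachment(build_zip("report.txt", "hello", True), maintype="application",
                       subtype="zip", filename="locked.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(sample_message()))
```
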
  • Re:Mac Security (Score:3, Informative)

    by feldsteins ( 313201 ) <scott.scottfeldstein@net> on Monday April 12, 2004 @04:34PM (#8841059) Homepage
    The argument that Would. Not. Die. Seriously, you can see this argument popping up in discussion forums everywhere with great regularity. Then you can read it in major computer industry publications, too. I'd like to believe that ./ readers know better. For those that don't, here's an interesting article [nytimes.com].
  • by panda ( 10044 ) on Monday April 12, 2004 @04:35PM (#8841071) Homepage Journal
    so they think anything that's user friendly must be vulnerable. A classic logic error, whose name I forget right now.

    How about "familiarity breeds contempt"? :-)

    How about post hoc, ergo propter hoc?

  • Re:Yes (Score:3, Informative)

    by LostCluster ( 625375 ) * on Monday April 12, 2004 @04:38PM (#8841107)
    How many times have you Windows admins had to support a desktop app or driver for a peripheral that REQUIRES admin or power user rights? It's insane that there are Windows programmers that are still writing crap like this today.

    They're not. Most drivers that require admin rights to run were written in the days of Windows 9x, and because the device-maker doesn't make that product anymore there is no proper Windows NT/2000/XP driver. It's just that the company or user is too cheap to buy a modern version of the device, and instead resorts to the security-weakening workaround that's free.
  • by herrlich_98 ( 267669 ) on Monday April 12, 2004 @04:40PM (#8841136)
    If the user doesn't care about security then it is hard to add more security without making the system more difficult to use.

    On the other hand a system infected with viruses and trojans can be un-usable.

    In all fairness to MS, the Windows history is from a novice single user or small work group. Windows was kind of thrust onto the Internet, by, well, the growth of the Internet. It is more usable and less secure because of that.

    Linux has the whole multi-user UNIX, USENET, geek, Internet history behind it. It is more secure and less usable because of that.

    I see Windows and Linux evolving toward each other in security, in usability and in many other ways.
  • by J. J. Ramsey ( 658 ) on Monday April 12, 2004 @04:43PM (#8841166) Homepage
    "On Windows they call it Administrator, on Linux they call it Root. It's the same thing, the user account that has no restrictions on it. Every user wants to run that way, because seeing a "permission denied" message on their own box just isn't going to make them consider the system user-friendly."

    Except it's not quite the same. On Linux, graphical apps, at least the ones that are part of the distro's admin tools, prompt for the root password if they are started by a regular user. Windows XP, as far as I've been able to tell, doesn't do this. Ordinary *nix apps are designed to run with user-level privileges, and this has been so from the beginning. Many Windows apps, however, are written with a permissive environment like Windows 95/98 in mind, so apps do things that only work if the "Program Files" directory is writable. Most Linux distros have a regular user account created as part of the installation. Any additional users created as part of a Windows XP installation have Administrator privileges by default.

    On a typical Linux box, running as a regular user is usually the path of least resistance. The opposite is true for Windows XP.
  • Re:Wha? (Score:4, Informative)

    by AKAImBatman ( 238306 ) <akaimbatman AT gmail DOT com> on Monday April 12, 2004 @04:49PM (#8841237) Homepage Journal
    If the os let a person say:

    burn song.wav to cd1 as audio-cd
    burn all songs in c:\mp3 to cd1 as data-cd

    that would be pretty easy and friendly. But no os does that AFAIK. No reason you couldn't make a bash alias to do that and then it would be easy for people.


    Actually, that looks pretty close to AppleScript. Unfortunately, the "ease of use" tends to become a liability to advanced users, as they have difficulty remembering the syntax.
  • by Gurp ( 7581 ) * <glennp@n[ ].net.nz ['ull' in gap]> on Monday April 12, 2004 @04:55PM (#8841300)
    One of the biggest design flaws in Windows from a security perspective is that nearly every service that comes with the system is turned on by default.

    No longer true as of Windows 2003.

    IMO, the biggest flaw in Windows security is the legacy of the crappy default file permissions Windows NT has left us with. These had everything R/W to everyone, more or less.

    Applications developers are still writing software that (a) assumes this is still true (only true if the user is an admin) and (b) writes files outside of the user's profile (requiring point (a)).

    Until this is fixed, dumb Windows admins will continue giving people local admin privileges as a matter of course, leaving the door wide open to whatever MalWare happens to arrive in their inbox.

  • Re:Wha? (Score:5, Informative)

    by Kur ( 195888 ) on Monday April 12, 2004 @04:56PM (#8841317)
    Wrong. Language studies have shown that computer languages are not equivalent to conventional languages. One study, in part, was undertaken to identify whether teaching and using computers at an early age is beneficial. Unsurprisingly, it showed absolutely no benefit. Unlike spoken languages, where the earlier you start, the better you are, computer languages showed no such advantage. That's good news for adults.

    Sorry, I do not have the source available. The study was discussed in the NYT within the last year or so.
  • The answer is "no" (Score:3, Informative)

    by retro128 ( 318602 ) on Monday April 12, 2004 @05:04PM (#8841415)
    Windows was NEVER built with security/multiple users in mind. It just kind of was added on as an afterthought when they got into the networking game. The problem Microsoft has had has always been one of backwards compatibility. Windows 3.1 apps had to be compatible with 95, 95 apps had to work on 98, and so on. That's why to this day any app you install is going to drop something into the /WINDOWS/SYSTEM directory. Applications for Windows were pretty much written assuming that they will have full access to everything in the system. In a lot of cases that's still true today (for instance, an HP scanner driver/program I installed won't work properly on any other account besides the one that installed it).
    When you install a Windows app, it typically wants to go in and overwrite/add .DLL's, write stuff into the HKEY_LOCAL_MACHINE registry hive, and other such important things.

    Linux/Unix, on the other hand, has always, always always been about networks and shared access. And the apps have always been written as such. Users can install and run apps straight from their home directories without having to add or change anything in /sbin, /lib, or /etc. Primary system files never need to be touched, nor should they be. If someone wants to change the look and feel of their shell or X, they can write the appropriate file into their home directory.

    I guess what I am trying to say is that Linux won't be necessary to "open up" as it becomes more user friendly because it and the apps that run on it have been written with the idea that it's a shared system. Give the user their sandbox to play in and don't let them touch the rest of the system. Saying opening up the system Windows style is apples and oranges because Windows was originally created with a single, trusted user in mind, and it's been impossible for Microsoft to extricate themselves from that trap they set way back when. If you want an analogy, take a look at SMTP. If it was originally built with distrust in mind would we be having the problems with spam we are today?
  • by daveschroeder ( 516195 ) * on Monday April 12, 2004 @05:10PM (#8841481)
    At least you understand it's not an "MP3 virus" or some kind of issue with iTunes, as others believe.

    1. All Mac OS and Mac OS X applications have always been able to have any icon.

    2. All Mac OS applications and all Classic/Carbon applications under Mac OS X, have always been able to have any name...including misleading names.

    I would hardly call this a "deep-rooted, system-wide flaw". What does a Linux command-line executable "look like"? And indeed, it, too, can have any name, yes? Is that also a "deep-rooted, system-wide flaw"?

    In fact, this item is revealed as the application that it is in every Finder view *except* icon view (which is also how it will appear on the desktop). Even a simple Get Info reveals that it's an application. The "solution", if one is needed, is to visually badge and/or identify something as executable, possibly with some small addition to its icon, as is done with aliases.

    But no, this is not a "flaw" any more than it's been for the last two decades. (And for the market share number enthusiasts, this EXACT same "technique", as it were, was possible during the heyday of Mac market share as well. In fact, it's probably been "exploited" countless times. That's because the "exploit" is nothing more than tricking the user into running something they shouldn't.)
  • Re:Yes (Score:4, Informative)

    by jonwiley ( 79981 ) on Monday April 12, 2004 @05:15PM (#8841549) Homepage

    > Most "viruses" at the moment need a stupid user.

    Hmm, I was under the impression that most viruses these days just need a stupid email client (read: Outlook), with no intervention by the user required one way or the other.

    A virus, by definition [ic.ac.uk], requires human intervention to propagate.

    A worm [ic.ac.uk] can propagate without human intervention.

  • by hypnagogue ( 700024 ) on Monday April 12, 2004 @05:47PM (#8841849)
    comparing the latest KDE and GNOME desktop to Windows XP just shows that as far as usability, Linux may have already surpassed Windows.
    I'm not so sure. Showing my wife how to use her new Gnome desktop: opened a samba share, double-clicked on a .jpg; Gimp started automatically... but didn't open the picture.

    "Oh. *Ahem* That's because Nautilus views samba shares through the VFS subsystem, which only some Gnome applications actually implement, and none of the applications you would use. So to work around that, honey, just copy-and-paste into your home directory, then double-click the new file, edit it, save it, then copy-and-paste it back onto the samba share using Nautilus. Or if you like, I can su root, change the smb.conf, send a USR1 signal to smbd and then mount the share. That'll work except when you boot when outside of wireless LAN range. Then an additional reboot may be needed."

    "Honey?"
  • Re:Wha? (Score:4, Informative)

    by julesh ( 229690 ) on Monday April 12, 2004 @05:51PM (#8841886)
    Tracy Hickman (of Dragonlance fame.) has professed to using a "help you write" tool. Despite using what amounts to a novel-wizard, [...]

    It's not as bad as you make it sound. The software in question is essentially a directed brainstorming application that helps authors make sure their ideas for a novel adequately cover the many different levels that many critics think are essential for a 'good book'. It isn't exactly 'point and drool'...
  • by iiioxx ( 610652 ) <iiioxx@gmail.com> on Monday April 12, 2004 @06:20PM (#8842143)
    One nice trick Apple discovered is to have the users be non-root, yet still administrative.

    Ahh, that's a fantastic idea. Foolproof.

    Downloading email attachment to /home/joeblow/attachments .....done.
    [~/attachments]$ ls -l
    -rwxr--r-- 1 joeblow joeblow 124 Apr 11 16:30 virus_scan.sh
    [~/attachments]$ ./virus_scan.sh
    This utility requires a root password to run. Password: ***********
    <snip deleting files>

    Except that it doesn't work like that. You see, under OS X, the root user is disabled by default. "Administrators" in OS X parlance, are users authorized to do sudo-permitted functions as root. In order for an admin to gain true root-level permissions, they need to enable the root user in NetInfo, and then su to root. If they enable the root user, they are circumventing the protective measures Apple put in place. But Apple *did* put them there, and they *do* work if left alone.

    By the way, it's obvious that you are a Linux user, and have never seen the guts of OS X. The following directory structures don't even exist under OS X:

    /boot
    /home
    /lib
    /mnt
    /opt
    /proc
    /root

    You're just like the Windows Admin talking about Linux security. Ironic, eh?

  • by emurphy42 ( 631808 ) on Monday April 12, 2004 @06:22PM (#8842162) Homepage
    > you can't just supply the Admin password, you have to logout, kill all your apps, login as admin, do what you were trying to do in the first place

    C:\> RUNAS /?

    RUNAS USAGE:

    RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

    /profile if the user's profile needs to be loaded
    /env to use current environment instead of user's.
    /netonly use if the credentials specified are for remote access only.
    /user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
    program command line for EXE. See below for examples

    Examples:
    > runas /profile /user:mymachine\administrator cmd
    > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
    > runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

    NOTE: Enter user's password only when prompted.
    NOTE: USER@DOMAIN is not compatible with /netonly.
  • by gmoschin ( 579009 ) <giuliano@moschini.org> on Monday April 12, 2004 @07:41PM (#8842843) Homepage

    While it is true that Windows XP accounts created during setup have full Administrator rights, you don't have to operate the OS that way.

    To run with user-only permissions:

    Go to Control Panel, User Accounts.
    Make sure the Administrator account has a password, and that you know what it is. Very important! If you don't know the password, set one by choosing Change an Account > Administrator > Change Password.

    Change your personal account to a limited account, by choosing "Change an Account > Your Name > Change the Account Type." Change the account type to "Limited".

    Log off, and log back on again.

    Ok, now you're logged on as a User, with a limited account. Congratulations.

    Go to Control Panel, choose Add / Remove Programs, and go to Windows Components.
    Notice that you don't have administrative rights. Close Add/Remove Programs.

    Now here's the tricky part:

    Hold down the Shift button (left or right), and right-click the Add/Remove Programs icon.

    Choose the "Run As..." option. If you don't have the Run As option, the "Secondary Logon" service may need to be started. Log on as Administrator, right-click My Computer, Manage, go down to Services and Applications, Services, and double-click on "Secondary Logon". Set to start Automatic, and click Start.

    Choose "The following user:", and enter in the Administrator account and password.

    Voila! You've done the equivalent of "sudo", and are now running the Add/Remove control panel (and any processes spawned) as Administrator.

    You can do the same with nearly any icon or shortcut, and for the command line, there's the "runas" command.

    Quite useful, really.

  • by iiioxx ( 610652 ) <iiioxx@gmail.com> on Monday April 12, 2004 @09:45PM (#8843659)
    But again, even if the root user *was* disabled, and only Administrators could do root-level things, the script would ask for that password. It could still do a lot of damage, installing software, setting up relays, etc. Asking for a password every time a root-level function needs to be executed, as OSX does, is not that great for security when the user is uninformed.

    I think you're still overlooking an important point: in MacOS X, administrator-level and root-level are NOT the same thing. Administrator-level functions are a subset of root-level functions. There are things an administrator is NOT permitted to do (and deleting System files is one). If the root user is disabled (as it is by default), those files simply can't be deleted, no matter how clever the script kiddie is.

    I think that was the point of this thread, wasn't it? MacOS X was held up as an example of the way an operating system can be both usable and secure at the same time. In MacOS X, you can do any admin-level tasks as a non-root administrator, EXCEPT destroy the system.

    And you're right; that directory structure is from my own install of Gentoo. But the example was not intended to address a specific problem.

    No, but it illustrates that while you are clearly not familiar with the technical workings of MacOS X's security features, you are quick to dismiss them as useless. My point was that you should take some time to understand MacOS X security before you just shoot it down. I was a Linux user and admin from 1995 to 2002, and I've been a FreeBSD user and admin since 2000. I've installed and managed AIX, SCO, and Solaris systems, as well. I'm very familiar with Unix/Linux security, and I find Apple's solution to be an excellent mechanism for padding in the average user, while allowing the pro/admin to get into the guts of the system. In my opinion, "user-oriented" Linux distros should take note of Apple's methodology in that area, because they could learn a thing or two.

  • Not a lazy analysis (Score:3, Informative)

    by Sangloth ( 664575 ) <MaxPande@nospam.hotmail.com> on Tuesday April 13, 2004 @01:42AM (#8844992)
    Directly from Google Zeitgeist: [google.com]


    ==
    Operating Systems Used to Access Google
    February 2004

    Windows 98 23%
    Windows XP 46%
    Windows 2000 18%
    Windows NT 3%
    Mac 4%
    Windows 95 1%
    Linux 1%
    Other 4%
    ==

    That's Windows 91% vs Mac 4%

    I'm not saying Macs are more or less secure than Windows, because I have touched a Mac in 12 years.

    I am saying that
    "Security experts say this state of affairs primarily reflects the Mac's very small share of the personal computer market, which makes it an unattractive target for virus writers looking to spread mayhem."
    is hardly a lazy analysis. When there are 22.75 Windows Boxen for every Mac, you can assume that:

    Virtually all hackers are familiar with Windows.

    As a Windows guy, I haven't had to touch a Mac for years.
    That's not the case with Macintosh guys.

    A Windows attack would reach 22.75 times the audience as a Macintosh attack.

    Furthermore, Macintosh and Linux users are experienced enough with computers to know what an Operating System is.
    These people are experienced enough to download patches, and not open all attachments.

    I meet people who don't know what version of Windows they are running. These people cheerfully sign up for Gator(Grrrrrr....), double click attachments, and haven't updated virus definitions since the day they got their computer.

    Again, I'm not saying that Windows is more secure, I am saying that its ubiquity has made it the target to attack.

    Sangloth
    I'd appreciate any comment with a logical basis...it doesn't even have to agree with me.
