Off the Beat: Bruce Byfield's Blog

A few years ago, my neighbors asked for help securing their computer. They were running Windows, so my knowledge was limited, but I did set up a separate administrative account and add passwords to their regular accounts. When I looked at their computer a month later, they had removed both -- and were back to getting viruses and malware along with their movie downloads. Their explanation? That my simple safeguards were "too inconvenient."

"Let me get this straight," I wanted to say (but didn't). "It's too inconvenient to spend ten seconds typing a password, or twenty logging into a different account to install software. But it's not too inconvenient to have your computer at the shop every few months to scrub it clean and to sometimes lose files because you haven't bothered backing them up."

Partly, I didn't say anything because telling off people I see several times a week would have been awkward. But mainly, I didn't bother because I knew I'd be wasting my time. I've learned through experience that, asked to choose between short term convenience and ongoing security, the average user chooses convenience every time.

This is hardly news.  You only have to consider how many people use obvious passwords -- either personal information like their pet's name or date of birth or something like "qwerty," "abc" or even "password" -- to realize that they are unclear on the concept. If they do choose a better password, then you can bet that they leave it taped to the underside of their keyboard or on a post-it in the top-drawer of their desk. Even using a password manager is often too much trouble.

It's not that security is hard. Several weeks ago, I was exploring Tails, a distribution designed to maximize security and privacy. Tails' methods were thoroughly documented, but anyone who cares to spend a couple of hours reading all of it would come away with a sound basic knowledge of the issues and solutions.

The trouble is, most people won't take the time to read, much less implement the necessary precautions -- and that effects how computer interfaces are designed, and how operating systems are implemented, regardless of the security built in to them.

Security in retreat
Part of the problem, of course, is that most people's expectations are conditioned by the Windows releases of twenty-five years ago -- operating systems designed for single users that were as wide open as a canopy.

Those were simpler times, and even Windows has evolved better security (even if the effort has often been like adding a foundation after the house was built). But the expectations established at the start of personal computer era are still very much with us. Measures that seemed reasonable in the institutional settings in which Unix were born are apparently unacceptable in the home, where everything is expected to work as effortlessly as a TV or any other appliance.

In fact, as soon as the desktop is considered seriously, the pressure of convenience starts to erode security -- even security built into the design. The history of Linux could be written as a series of retreats from well-established security practices in the name of making the desktop more convenient. 

Few of these retreats seems major in themselves. Automount external drives? Let all users burn CDs? Why not? Never mind that these restrictions were based on best security practices. Other operating systems have these features, and people expect them. Yet all the changes for the sake of expediency add up until now I suspect that many Linux distributions run only marginally more securely than Windows, if at all.

Meanwhile, projects like Bastille Linux, which everyone used to run immediately after installing a desktop machine, have been relegated to servers. Today, most people would find the idea of running Bastille on a desktop machine distinctly odd -- and the results too restrictive.

Just as seriously, given the triumphal march of convenience, the type of security emphasized has changed on Linux. Like most Unix-like systems, Linux once emphasized architectural security, if not as much as operating systems such as FreeBSD. It was built and configured to prevent breaches of security in the first place. Users might choose to relax security, but the default settings were designed to lock down the system as much as practical.

By contrast, today Linux relies at least as much on reactive security, just like Windows does. Instead of striving to be impenetrable, it relies at least as much on frequent updates and, on servers, anti-virus protection. Yet even though these precautions are automated and simplified as much as possible, they are frequently ignored. And don't even think about encouraging a regular system of backups -- that is so obviously a non-starter that developers don't even try to enforce a regular cronjob for such a basic pre-caution.

It's not, you understand, that I'm paranoid, or think that enduring a few hardships in the name of security builds character. I can be as lax as anyone in taking precautions, although every few weeks I suddenly realize that I'm overdue to make some basic efforts.

Nor am I die-hard command line advocate. I understand that suggesting that everyone avoid the desktop would be useless and make me a hypocrite besides.

Still, I wonder if, by imitating a convenience-oriented rival while maturing, Linux has missed some opportunities to build an operating system that would serve its users' better interests. Somehow, I would be more comfortable if I could think of a single case in which architectural security was chosen over immediate convenience.