The triumph of convenience
Off the Beat: Bruce Byfield's Blog
A few years ago, my neighbors asked for help securing their computer. They were running Windows, so my knowledge was limited, but I did set up a separate administrative account and add passwords to their regular accounts. When I looked at their computer a month later, they had removed both -- and were back to getting viruses and malware along with their movie downloads. Their explanation? That my simple safeguards were "too inconvenient."
"Let me get this straight," I wanted to say (but didn't). "It's too inconvenient to spend ten seconds typing a password, or twenty logging into a different account to install software. But it's not too inconvenient to have your computer at the shop every few months to scrub it clean and to sometimes lose files because you haven't bothered backing them up."
Partly, I didn't say anything because telling off people I see several times a week would have been awkward. But mainly, I didn't bother because I knew I'd be wasting my time. I've learned through experience that, asked to choose between short-term convenience and ongoing security, the average user chooses convenience every time.
This is hardly news. You only have to consider how many people use obvious passwords -- either personal information like their pet's name or date of birth or something like "qwerty," "abc" or even "password" -- to realize that they are unclear on the concept. If they do choose a better password, then you can bet that they leave it taped to the underside of their keyboard or on a post-it in the top drawer of their desk. Even using a password manager is often too much trouble.
It's not that security is hard. Several weeks ago, I was exploring Tails, a distribution designed to maximize security and privacy. Tails' methods were thoroughly documented, but anyone who cares to spend a couple of hours reading all of it would come away with a sound basic knowledge of the issues and solutions.
The trouble is, most people won't take the time to read, much less implement the necessary precautions -- and that affects how computer interfaces are designed, and how operating systems are implemented, regardless of the security built into them.
Security in retreat
Part of the problem, of course, is that most people's expectations are conditioned by the Windows releases of twenty-five years ago -- operating systems designed for single users that were as wide open as a canopy.
Those were simpler times, and even Windows has evolved better security (even if the effort has often been like adding a foundation after the house was built). But the expectations established at the start of the personal computer era are still very much with us. Measures that seemed reasonable in the institutional settings in which Unix was born are apparently unacceptable in the home, where everything is expected to work as effortlessly as a TV or any other appliance.
In fact, as soon as the desktop is considered seriously, the pressure of convenience starts to erode security -- even security built into the design. The history of Linux could be written as a series of retreats from well-established security practices in the name of making the desktop more convenient.
Few of these retreats seem major in themselves. Automount external drives? Let all users burn CDs? Why not? Never mind that these restrictions were based on best security practices. Other operating systems have these features, and people expect them. Yet all the changes for the sake of expediency add up until now I suspect that many Linux distributions run only marginally more securely than Windows, if at all.
Meanwhile, projects like Bastille Linux, which everyone used to run immediately after installing a desktop machine, have been relegated to servers. Today, most people would find the idea of running Bastille on a desktop machine distinctly odd -- and the results too restrictive.
Just as seriously, given the triumphal march of convenience, the type of security emphasized has changed on Linux. Like most Unix-like systems, Linux once emphasized architectural security, if not as much as operating systems such as FreeBSD. It was built and configured to prevent breaches of security in the first place. Users might choose to relax security, but the default settings were designed to lock down the system as much as practical.
By contrast, today Linux relies at least as much on reactive security, just like Windows does. Instead of striving to be impenetrable, it relies at least as much on frequent updates and, on servers, anti-virus protection. Yet even though these precautions are automated and simplified as much as possible, they are frequently ignored. And don't even think about encouraging a regular system of backups -- that is so obviously a non-starter that developers don't even try to enforce a regular cronjob for such a basic precaution.
It's not, you understand, that I'm paranoid, or think that enduring a few hardships in the name of security builds character. I can be as lax as anyone in taking precautions, although every few weeks I suddenly realize that I'm overdue to make some basic efforts.
Nor am I a die-hard command-line advocate. I understand that suggesting that everyone avoid the desktop would be useless and make me a hypocrite besides.
Still, I wonder if, by imitating a convenience-oriented rival while maturing, Linux has missed some opportunities to build an operating system that would serve its users' better interests. Somehow, I would be more comfortable if I could think of a single case in which architectural security was chosen over immediate convenience.