The operating system oriented security debate is restarted – Phase 2
Examples of what I was saying.

Some days ago I was saying:

What about the configuration? The complexity of an operating system, with all its services, applications and connectivity hardware, is not to be forgotten. A program or a service can be well programmed, without any programming bugs, and a bad configuration alone can still lead to a security hole. You'll tell me: yes, but the programming is perfect, without bugs, so it's impossible that such a thing happens; if it happened, then the cause is the user, not me, so it's not my fault. If you build a hell-to-configure system, then yes, it's your problem. The interaction between a program and its plug-ins, or between a program and other programs, can lead to unexpected behaviors. Usability is probably as important as programming practices.

As you can read, it was not really a great discovery. But today, while reading my blog entries, I was amused by some of them. Let me point them out.

First, Google Desktop. As you can read in the New York Times:

The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw: a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said.

It's probably one of the best examples of the phenomenon I was talking about two days ago. It is true that these problems are really hard to find and that discovering them takes imagination. But the point I want to make is that the security of a program isn't just a function of its code quality. Two programs can each be free of security flaws, yet when they are combined, security holes appear.

A post from Peter Torr is also worth reading. He was writing about Firefox and its appearance of security. Sure, the code is probably not too bad, but some of the features (including the download and the installation) are obscure. So, my two cents in the conversation is just to emphasize the plug-in point. I have already said it before, but please take care with small, cool plug-ins. As Peter said, you don't have any way to check their authenticity.

What's cool with Firefox is that it's a potentially slim browser that you can change at will, with only the features you want. The principle is great, but it is also paradoxical when you have security in mind. Firefox itself is, or probably will be, well studied so that security issues get upgraded and patched, but will that be the case for all the plug-ins available on their website? Let me doubt it. The solution? Probably certification of the plug-ins. The feasibility? Near zero for the moment.

Finally, I am not saying to stop using it or to stop using the cool plug-ins available; only to be aware of the situation when you are using these types of software.

2 thoughts on “The operating system oriented security debate is restarted – Phase 2”

  1. Whenever I install any new software, signed, sealed, or delivered by some certifiable authority, I watch it closely for a while. In fact, I constantly test, examine, and ask friends who have expertise in areas that I do not to examine my computers and network. That is not my primary use for computers, but I do not trust; I verify, re-verify, and re-verify. I do trust some sources, but I verify. Even if you are not an expert in some area of computer knowledge, you do have friends who have used these programs and have experiences good and bad. You can learn from your friends and their experiences; that is much better than chance in choosing software. There are online forums like Lockergnome, Protonic, Speedguide, Tek-Tips, Spyware Info, and Wilderssecurity, to name a few. These sites and others like them have folks with experience with software and solutions.

  2. Hello Mr. Weatherly,

    Thanks for this comment. It’s straight to the point. In the near future you’ll be able to rely not just on your friends for this task but also on Microsoft: Spyware Solutions: Technology and Leadership – Microsoft’s strategy for addressing spyware and other potentially unwanted software: http://www.microsoft.com/athome/security/spyware/strategy.mspx
    Hope to read another of your comments next time!

    Salutations,

    Fred
