Macs don’t get viruses, right?

Macs don’t get viruses — everybody knows that. But is it true?

It’s just one of those things that the media-hungry — but security-disinterested — public has turned into an axiom.

But now that OS X is garnering an increased share of the operating system market, it is increasing its value as a platform for malware, and consequently increasing in value in the software security market.

As always, there is no such thing as perfect security.


Bulletproof clothing

Bulletproof fashion in Mexico:

There are bulletproof leather jackets and bulletproof polo shirts. Armored guayabera shirts hang next to protective windbreakers, parkas and even white ruffled tuxedo shirts. Every member of the sales staff has had to take a turn being shot while wearing one of the products, which range from a few hundred dollars to as much as $7,000, so they can attest to the efficacy of the secret fabric.

This is a nice touch: if you get shot and live while wearing one of the garments, you can join the company’s Survivor’s Club.

Part of the protective value of bulletproof clothing is its scarcity, which is why the company screens customers to keep criminals from buying. A world where innocents wear protective gear and bad guys don’t is the safest of all for the innocents, since criminals can stick to low-powered weaponry.

If, on the other hand, criminals start using the bullet-proof clothing, their foes will probably upgrade their shooters. That’s already happening to some extent. “In some parts of Mexico,” the New York Times points out, “drug assassins have used rocket launchers and grenades to wipe out rivals.” That could become more common if criminals stop dying from pistol shots.

Questions from a reader II

In a previous post, a friend and reader asked some great questions. I answered about half of them here. Here’s round two:

1) You have mentioned a couple times data about Firefox and IE’s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?

A browser is a piece of software that interprets the languages of the internet and displays them in a way mere humans can understand. Clever coders can sometimes induce browsers to interpret a particular web language in a way that is harmful to you. For example, malicious code on a website may tell a browser to download and install a virus without telling you. Of course, browser companies (like Mozilla and Microsoft) usually try to eliminate these vulnerabilities when they are discovered.

Also, browsers can have important and well-travelled connections to a computer’s vital file systems (Internet Explorer 6 was famous for this). Imagine two paths into a file system, one of which is guarded by stern-looking toughs and another where old friends are waved through. Some badware programs have found that they can sometimes sneak in the second door if they hide under the cloak of an old friend of the guards.

As with all other security threats, browser vulnerabilities are constantly changing as attackers develop new techniques and defenders try to counter them. Each browser manufacturer patches vulnerabilities at different rates, and new threats pop up as the relative success rates of different techniques like phishing, trojans, keyloggers, viruses, and spyware shift.

2) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?

I like to repair infected files when possible and quarantine them when it’s not. Quarantining is, in my view, preferable to deleting for the same reason the death penalty is often eschewed in favour of a lengthy prison sentence: sometimes the prosecutor is wrong. Quarantining, like imprisoning, lets you correct mistakes when they happen, meaning you get back a file that is probably useful rather than dangerous.

3) I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. I’ve heard in conversation with friends that quite a bit of private data can be gleaned off of what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?

Beyond the obvious (don’t post your SSN, etc.), there isn’t much I can say. Security and convenience almost always have to be traded against each other, and each person has to decide for herself where to start and end. If you really like sharing information on social networking sites, you might be better off protecting yourself by frequently monitoring your credit reports (the topic of an upcoming post), making sure your bank statements don’t have funny charges on them, and changing your passwords frequently.

4) I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is there a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos are there any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?

Sure, people can take your photos and words and use them inappropriately, but it is illegal for them to do so in many countries. The US Copyright Office has a FAQ section on copyright that is worth reading. They say, “Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work.” I don’t think a web host gains any ownership over the data you store with them, but you may want to research this carefully if it’s important to you.


Security problems are forever

This post is related to Security is not a switch. The point I want to make here is that the security problems we all face will never go away. More specifically, the exact type of threats we face will change, but the underlying problem will remain. The problem is that there are people with things to protect (money, information, privacy), and others who want to get it without permission.

I’ve come to realize more completely what this means only recently: there is no day in the future that has perfectly secure software programs and security techniques, making security concerns irrelevant. This is easy to miss, because it seems that security is something that is always improving, even if just a little bit at a time. It’s tempting to think this progress is aimed at a pinnacle, and we’ll hit it eventually. We won’t.

A more apt analogy for the security problems we all face is that of an arms race. Bruce Schneier has pointed this out again and again about numerous security problems. Here he is explaining the problem of spam:

Anti-spam products block a certain type of spam. Spammers invent a tactic that gets around those products. Then the products block that spam. Then the spammers invent yet another type of spam. And so on.

Blacklisting spammer sites forced the spammers to disguise the origin of spam e-mail. People recognizing e-mail from people they knew, and other anti-spam measures, forced spammers to hack into innocent machines and use them as launching pads. Scanning millions of e-mails looking for identical bulk spam forced spammers to individualize each spam message. Semantic spam detection forced spammers to design even more clever spam. And so on. Each defense is met with yet another attack, and each attack is met with yet another defense.

But wait. Is spam really a security problem? Actually, yes. At least, it has all the characteristics of one, and it can teach us something about security problems in general.

Security problems arise when some people have something valuable that others want really badly. In the case of spam, people have time and attention that is very valuable, and advertisers want it really badly. Few people willingly sit down to imbibe a session of advertisements, but when advertisers do get someone’s time/attention it is remarkably valuable. Faced with this incentive, some advertisers act unscrupulously. Instead of sweetly requesting your time, they attempt to hijack it by spamming your email inbox. You attempt to stop them, and they adapt their methods. It’s a classic arms race security problem.

The arms race is exactly why security will never be solved. So long as some people have something others want badly, there will be those who will try to get it by force or trickery.

The lesson is not so grim

Let’s not get depressed just yet. That security problems will always be with us is too bad. However, this doesn’t mean that you should stop trying, or, alternatively, spend all your time trying to defend the things you’ve got that others might also want.

What it means is that the software and tactics that are being developed every day to combat the problem are less of a solution than you might otherwise have believed. Keeping you, your time, your money, your privacy, and your information secure is probably better accomplished by thinking about the problem correctly.

What I’ve advocated on this site is making yourself a harder target than most others on the internet, so that, with a high probability, a bad guy faced with cracking your defenses will give up and move on to the many other, less well-defended folks.

You might ask: “Wait! We can’t all be above average in terms of security, can we?” That’s true, of course. But most people don’t do much of anything to protect their security, so it’s really not hard to be better than average. Following some of the advice on this website will put you well ahead of the average. Until 50% or more of the world’s internet users start implementing techniques of the type I’ve been advocating, you don’t have to worry about the difficulty of being above average. And that day is a long way off.