Linux Concerns: Convenience vs. Security

Is Linux secure? Only if you work at it.

Ask why you should use Linux, and inevitably someone will claim that it is more secure than Windows, and doesn't need anti-virus protection, either.

Such claims sound like wish-fulfillment, promising computing without the precautions that have become routine in the last two decades. The only trouble is, they are half-truths at best. Like any operating system, Linux is only as secure as you make it -- and the current trend is to choose convenience over security.

Once upon a recent time, Linux was more secure than it is today. Only the root user could mount external devices, and in many distributions new users were automatically assigned a few groups that limited the hardware they could access. Distributions followed the principle of least privilege (aka least access), under which users, applications, and devices receive only the access to the system that they absolutely require.

Applying least privilege makes for a more secure system, which is where Linux gained its reputation. However, a secure system is often an inconvenient system, and hopes of desktop domination put pressure on distributions to match the convenience of Windows. The problem was not so much that increased popularity encourages the writing of viruses and malware as that the hope of popularity encouraged the relaxation of security standards in dozens of little ways.

A few changes had mixed results. For example, the rise of Ubuntu introduced the use of sudo, which helps to reduce the amount of time that the root user is logged in. But, as implemented, it can make possible the control of a system from multiple accounts, which means that Ubuntu simultaneously increases and decreases security. More often, though, the changes were made in the name of being as convenient as Windows, with a cumulative effect.
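To see how many accounts a sudo policy actually covers, the sketch below (an added example, not part of the original article) cross-references a sudoers file with a group file and lists every account that holds a rule. The function name, the sample users and both sample files are constructed for illustration, and the parser handles only plain user and `%group` rules.

```sh
#!/bin/sh
# Added example (constructed data): which accounts does a sudoers policy cover?
# Simplified parser: plain "user ..." and "%group ..." rules only. Aliases,
# Defaults lines, included files and primary-group (passwd GID) membership
# are not resolved.

# $1 = file in /etc/group format, $2 = file in sudoers format
# Prints: account <TAB> direct|group:NAME <TAB> password|no-password
sudo_rule_holders() {
    awk '
        NR == FNR { members[$1] = $4; next }          # group file: name -> member list
        NF == 0 || $1 ~ /^#/ || $1 ~ /^Defaults/ { next }
        {
            auth = ($0 ~ /NOPASSWD:/) ? "no-password" : "password"
            if (substr($1, 1, 1) == "%") {            # rule granted to a whole group
                grp = substr($1, 2)
                n = split(members[grp], m, ",")
                for (i = 1; i <= n; i++) print m[i] "\tgroup:" grp "\t" auth
            } else {
                print $1 "\tdirect\t" auth
            }
        }
    ' FS=: "$1" FS=' ' "$2" | LC_ALL=C sort -u
}

# Constructed sample files standing in for /etc/group and /etc/sudoers.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
adm:x:4:alice
sudo:x:27:alice,bob
users:x:100:alice,bob,carol
EOF
    cat > "$tmp/sudoers" <<'EOF'
# constructed sample policy
Defaults env_reset
root  ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
carol ALL=(ALL) NOPASSWD: ALL
EOF
    sudo_rule_holders "$tmp/group" "$tmp/sudoers"
    rm -rf "$tmp"
}

demo
```

On the sample policy, three ordinary accounts besides root hold a rule, one of them without a password prompt. On a real system, `sudo -l -U <user>` remains the authoritative answer for a given account.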

Many of these relaxations were minor in themselves, such as allowing anyone to reboot the system or burn a DVD or to install extensions to software like Firefox or Vim for their personal use. However, the cumulative effect is that Linux's reputation for security is less true today for most distributions. While complete control of the system is still likely to involve social engineering -- that is, deceiving a user -- personal accounts today are easier than ever to compromise.

Mobile and Cloud Compromises

In the last few years, the preference for convenience has accelerated even more with the rise of mobile devices and cloud services.

You might imagine that Android, being a Linux derivative, is secure, but as phones and tablets are shipped, nothing could be farther from the truth. Most mobile devices ship with so little security that it takes hours of work to set up the basics. Even then, between the free services that come with the device and the apps that you install, you can quickly have two dozen outsider organizations with access to your device.

The overwhelming majority of these outsiders are benign, of course. To think otherwise would be paranoid. Yet the fact remains that they are strangers, and you have absolutely no idea of how well they secure the data that they store or their access to your device. From a security perspective, the arrangement is simply not a good idea. The difference is that when you follow basic security steps, you know your system is as trustworthy as you can make it, while on a mobile device, you simply have to trust that a stranger is doing their best for you.

Put in those terms, common modern practice sounds as naive as it actually is. Yet, with the rise of Chromebooks, the triumph of convenience goes one step further. Instead of checking for malware yourself, you are invited to trust the manufacturer to scan your system for you -- a useful convenience, so long as the manufacturer never hires a careless or a malicious employee.

The point is, when you allow a service to access your system, you can have no idea who you are giving access to. But the convenience is so great that few of us stop to imagine the tradeoffs that can be involved, even with the best of intentions on both sides.

The High-Wire Act

Realizing the extent of convenience's victory over security, you can easily become paranoid -- all the more so because your reaction is justified. Give your reaction full range, and you might quickly end up working only on a computer that has no Internet connection, and is stored down a mine shaft with three layers of security guards between it and the rest of the world.

In other words, favoring security as much as convenience is currently favored is simply going from one extreme to another, and no solution at all. The trick is to find a balance between security and convenience that allows you to get your work done.

Fortunately, there is no shortage of information online about how to strike this balance. Security hardening tools and tips for your workstation are everywhere. For mobile devices and cloud services, you can store your data encrypted, or, as Tahoe-LAFS allows, store your data in pieces across multiple clouds, so that it has to be re-assembled to use. Instead of using someone else's cloud storage, you can create your own with ownCloud.

With mobile devices themselves, you should seriously consider rooting -- altering them so that you have root access. Voided warranties and bricked devices are a possibility -- or were once -- but rooting remains the only way you can be completely sure of securing your mobile device. Given today's security standards, rooting is not just a clever bit of hacking, or a technological accomplishment, but, increasingly, a necessity.

Yes, such actions take effort. In particular, you should not consider rooting until you have thoroughly investigated the possibilities on your device. But restoring basic security seems worth the effort. You may choose not to revert to the security standards of the past, but with a little effort you can do far, far better than the modern norms.
