Security Is a UI Problem
There’s a saying that it’s very easy to secure a Windows box—just unplug it. Behind this bit of humor is a serious point; namely, that it’s very easy to make a secure system if you’re willing to compromise functionality. A machine that doesn’t do anything is by nature very secure. The problem that faces software developers is how to balance usability with security.
A Tale of Two Security Models
Many people argue that UNIX is more secure than Windows. When pressed, however, they find it very hard to point at vulnerabilities in the NT kernel. Indeed, on paper the Windows security model is obviously superior; every object has an associated access control list, and this list is checked by the kernel on every access.
The UNIX model, in contrast, is much more primitive. Only files have any kind of access control (although, in fairness, most things on a UNIX system do tend to be files), which just have user, group, and everyone permissions. There are only two levels of security:
- Users can do whatever root allows them to do.
- Root can do anything.
Experience suggest that the simpler model provides greater security, but this isn’t always the case. VMS, for example, has both a complex fine-grained security model and a superb reputation for security. The difference between VMS and Windows is that VMS machines tend to be run by people with a huge amount of experience tuning and configuring VMS. If a large proportion of your job is understanding a particular security model, then you’re probably going to be quite good at ensuring that that system is secure. In contrast, a large number of Windows machines are home machines run by people with little or no computing experience, or in small companies with no dedicated IT staff. Where VMS users configure their security policies carefully, Windows users simply turn off the security measures because they’re too complicated to get right.
Perhaps the same criticism can be leveled at UNIX. To make the comparison fair, let’s look at Mac OS X. Built on a UNIX kernel (although not a particularly traditional one in many ways), OS X inherits the UNIX security model. In OS X, a user encounters no system interference for 90% of the things that he or she might need to do on an everyday basis. For other activities, such as installing updates, the user is prompted to enter a password. In other words, the security system keeps out of the user’s way most of the time.