The triumph of convenience
Off the Beat: Bruce Byfield's Blog
A few years ago, my neighbors asked for help securing their computer. They were running Windows, so my knowledge was limited, but I did set up a separate administrative account and add passwords to their regular accounts. When I looked at their computer a month later, they had removed both -- and were back to getting viruses and malware along with their movie downloads. Their explanation? That my simple safeguards were "too inconvenient."
"Let me get this straight," I wanted to say (but didn't). "It's too inconvenient to spend ten seconds typing a password, or twenty logging into a different account to install software. But it's not too inconvenient to have your computer at the shop every few months to scrub it clean and to sometimes lose files because you haven't bothered backing them up."
Partly, I didn't say anything because telling off people I see several times a week would have been awkward. But mainly, I didn't bother because I knew I'd be wasting my time. I've learned through experience that, asked to choose between short term convenience and ongoing security, the average user chooses convenience every time.
This is hardly news. You only have to consider how many people use obvious passwords -- either personal information like their pet's name or date of birth or something like "qwerty," "abc" or even "password" -- to realize that they are unclear on the concept. If they do choose a better password, then you can bet that they leave it taped to the underside of their keyboard or on a post-it in the top-drawer of their desk. Even using a password manager is often too much trouble.
It's not that security is hard. Several weeks ago, I was exploring Tails, a distribution designed to maximize security and privacy. Tails' methods were thoroughly documented, but anyone who cares to spend a couple of hours reading all of it would come away with a sound basic knowledge of the issues and solutions.
The trouble is, most people won't take the time to read, much less implement the necessary precautions -- and that effects how computer interfaces are designed, and how operating systems are implemented, regardless of the security built in to them.
Security in retreat
Part of the problem, of course, is that most people's expectations are conditioned by the Windows releases of twenty-five years ago -- operating systems designed for single users that were as wide open as a canopy.
Those were simpler times, and even Windows has evolved better security (even if the effort has often been like adding a foundation after the house was built). But the expectations established at the start of personal computer era are still very much with us. Measures that seemed reasonable in the institutional settings in which Unix were born are apparently unacceptable in the home, where everything is expected to work as effortlessly as a TV or any other appliance.
In fact, as soon as the desktop is considered seriously, the pressure of convenience starts to erode security -- even security built into the design. The history of Linux could be written as a series of retreats from well-established security practices in the name of making the desktop more convenient.
Few of these retreats seems major in themselves. Automount external drives? Let all users burn CDs? Why not? Never mind that these restrictions were based on best security practices. Other operating systems have these features, and people expect them. Yet all the changes for the sake of expediency add up until now I suspect that many Linux distributions run only marginally more securely than Windows, if at all.
Meanwhile, projects like Bastille Linux, which everyone used to run immediately after installing a desktop machine, have been relegated to servers. Today, most people would find the idea of running Bastille on a desktop machine distinctly odd -- and the results too restrictive.
Just as seriously, given the triumphal march of convenience, the type of security emphasized has changed on Linux. Like most Unix-like systems, Linux once emphasized architectural security, if not as much as operating systems such as FreeBSD. It was built and configured to prevent breaches of security in the first place. Users might choose to relax security, but the default settings were designed to lock down the system as much as practical.
By contrast, today Linux relies at least as much on reactive security, just like Windows does. Instead of striving to be impenetrable, it relies at least as much on frequent updates and, on servers, anti-virus protection. Yet even though these precautions are automated and simplified as much as possible, they are frequently ignored. And don't even think about encouraging a regular system of backups -- that is so obviously a non-starter that developers don't even try to enforce a regular cronjob for such a basic pre-caution.
It's not, you understand, that I'm paranoid, or think that enduring a few hardships in the name of security builds character. I can be as lax as anyone in taking precautions, although every few weeks I suddenly realize that I'm overdue to make some basic efforts.
Nor am I die-hard command line advocate. I understand that suggesting that everyone avoid the desktop would be useless and make me a hypocrite besides.
Still, I wonder if, by imitating a convenience-oriented rival while maturing, Linux has missed some opportunities to build an operating system that would serve its users' better interests. Somehow, I would be more comfortable if I could think of a single case in which architectural security was chosen over immediate convenience.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Systemd Fixes Bug While Facing New Challenger in GNU Shepherd
The systemd developers have fixed a really nasty bug amid the release of the new GNU Shepherd init system.
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.