Linked by Thom Holwerda on Tue 20th Feb 2007 22:01 UTC
"Microsoft has gone out on a limb to promote Vista not merely as 'the most secure version of Windows ever' (every recent version is marketed with that tired slogan), but for the first time as an adequately secure version of Windows. 'We've got the message and we've done our homework', the company says. So let's see if the reality lives up to the marketing hype."
Thread beginning with comment 214921
The guy is right, in a sense ....
by WorknMan on Tue 20th Feb 2007 23:11 UTC
WorknMan Member since:
2005-11-13

Yes, UAC is a joke and will never work. The only way you can truly secure an OS is to deny the user the right to hang himself. I suppose you could do that, but then the user would never be able to do anything that required admin privileges. Sure, you could deny the user the right to execute files by default, but if you promise him naked pics of (insert name of hot Hollywood actress) if he executes your file, he's going to do it anyway, so you're just delaying the inevitable.

As far as I'm concerned, the only thing MS had to do was to prevent rootkits and the damn drive-by installs. Assuming they succeeded (and I guess we'll have to wait and see how it plays out over time), then Windows is probably about as secure as it needs to be.

Edited 2007-02-20 23:12

rayiner Member since:
2005-07-06

"It's the user's fault" is a cop-out excuse, and no real engineer gets to use it. Yeah, it's the user's fault if he drives into a parked car at 30 mph, but dammit, it's the designer's fault if that causes the car to explode.

For example, it's bad to make it easy to define applications that start up when the user logs on. That allows malware to continue to run on the machine even after a reboot, without having to exploit a root hole. OS X isn't great in this regard (it has two mechanisms, login-items and startup-items), but at least they're pretty transparent, and easy to locate. I've used Windows a long time, and if you held a gun to my head and asked me where in the registry startup items are defined, I wouldn't be able to tell you.

It's bad to make mundane tasks privileged operations. It's even worse to make dangerous tasks unprivileged operations. Installation programs are just about the dumbest idea ever, and date from an ugly DOS past where there was no concern for system security. Who thinks it's a good idea to give random programs administrative privileges just to copy some files to the correct place? Of course, OS X gets it completely wrong too. Why the hell is anything in / world-writable? *NIX is the only system that gets this right, handling software installation through a specific (and hopefully well-tested) system utility.

Plugins, extendible programs, transparent execution, active data, etc, are all bad ideas. Sometimes, they can't be avoided but they should be used sparingly. Browser plugins are a good example. They're unavoidable. Their installation should either be from a known-trusted source (eg: distribution package repository), or they should require non-trivial interaction on the part of the user (eg: dragging it to a plug-ins directory). The ActiveX model of downloading random code over the internet with nothing more than the user clicking "OK"? Dumb idea!

It's possible to design secure systems that are easy to use. It's not possible when you make kitchen-sink software and have a developer base used to being lazy with security.

Score: 5
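The point above about logon autostart locations lends itself to a defender's check. As an added example (not from the thread or any of its posters), the following Python parses an exported .reg file covering the HKCU and HKLM `...\CurrentVersion\Run` and `RunOnce` keys, the standard places where per-user and per-machine logon programs are registered, and flags entries whose command runs from a location a standard user can write to, which is exactly the "survives a reboot without a root hole" case the comment describes. The key paths are real; the sample export, the user-writable path patterns and the function names are constructed for this example, and other persistence locations (services, scheduled tasks, shell folders) are deliberately out of scope.

```python
"""Audit logon autostart entries from a Windows registry export (.reg).

Added example, not code from the OSNews thread. It reads the text produced by
`reg export` / regedit for the Run and RunOnce keys and reports which entries
would start a program from a user-writable directory at logon.
"""
import re
from dataclasses import dataclass

# Documented per-user and per-machine logon autostart keys.
AUTOSTART_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Locations a standard (non-admin) user can write to. An autostart command that
# points here can be planted without elevation. Pattern list is an assumption
# chosen for this example, not an exhaustive definition.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Downloads\\|%TEMP%|%APPDATA%|%LOCALAPPDATA%)",
    re.IGNORECASE,
)

# A REG_SZ line in .reg syntax: "name"="value", with \" and \\ escapes inside.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    user_writable: bool


def _unescape(s):
    # .reg escapes backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_autostart(reg_text):
    """Return the string values found under the known autostart keys."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key not in AUTOSTART_KEYS:
            continue
        m = _STRING_VALUE.match(line)
        if not m:
            # dword:/hex: values and the "@=" default value are not commands.
            continue
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        entries.append(
            AutostartEntry(key, name, command, bool(USER_WRITABLE.search(command)))
        )
    return entries


def flagged(entries):
    """Entries whose command lives in a user-writable location."""
    return [e for e in entries if e.user_writable]


# Constructed sample export: two legitimate-looking entries and two that start
# from a user's Temp and Downloads folders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\alice\\Downloads\\svchost.exe"
"""


def audit_sample():
    """Names of the sample entries that the audit flags."""
    return [e.name for e in flagged(parse_autostart(SAMPLE_REG))]


if __name__ == "__main__":
    for e in parse_autostart(SAMPLE_REG):
        marker = "FLAG" if e.user_writable else "ok  "
        print(f"{marker} {e.key.split(chr(92))[0]:18} {e.name:15} {e.command}")
```

On a real host the input is the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent), which writes UTF-16 text; decode it before passing it to `parse_autostart`. The check is intentionally a location heuristic, not a verdict: a flagged entry deserves a look at the binary's signature and origin, and an unflagged one is merely in a place that needed admin rights to write.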

PlatformAgnostic Member since:
2006-01-02

In Unix, do you not run make and then make install to put something on your system? This is tantamount to running an installer unless you manually audit the code.

Or in the case of the package management system, you probably use a package manager. I agree that you can trust the package manager to be safe if you trust your distro's repositories (you pretty much have to trust the OS manufacturer whatever system you use, unless you're going to audit the source code yourself). But what if you want to run a commercial program on Linux and you don't have the source and there is no agreement to have it part of your distro's repository... it's the same as on Windows.

ActiveX and the general extensibility system you see in Windows are part of what makes it successful. Microsoft wants "developers, developers, developers" to take what's given and enhance it to suit their needs. Windows has so many hooks because they want people to have a chance to customize shell behaviors or photo rendering abilities or what items start up on the system. This also makes the system susceptible to all kinds of crap attacks, but it was an engineering tradeoff that was made in the days when the computing world was relatively benign. Things didn't begin to become so dangerous and horrific on the Internet until around 2000.

What seems like a dumb idea with 20/20 hindsight is what also allowed things like Ajax or Flash to exist, or the Google Toolbar. It is what lets you use WinZip or WinRAR easily from a context menu. These sorts of exploitable hooks allow VMware to copy and paste across virtual instances. All the evil uses of ActiveX and other extensibility technologies are publicized, but the beneficial aspects quietly hum along with no one to mention them (and it's not because they aren't used, but because they are often so transparent that users don't even notice what's happening).

I don't know how Mac OS X init works now, but aren't there a number of places where a root-privileged user could squeeze files? There used to be an rc mechanism with scripts that could be compromised. Now, I suppose you could put your evil software into launchd. Not totally sure how much access you'd need to do this, but I have few doubts that it'll happen if you can convince the user to enter his password.

The real problem with Windows is culture. People who own Windows are cheapskates and want to install free software and tools. Since it's not a predominantly open-source system, those tools install crap along with themselves. Or people download ActiveX controls from obviously shady sites. Really, how can you blame the OS when the user doesn't take responsibility for his or her own security? It's like if you're in a gang neighborhood. Ideally, you shouldn't have to watch what you say and who you talk to, but if you go to the street corner and look at a dealer kinda funny, you're liable to come to some harm. Especially if you keep acting friendly toward him as he's pulling his knife out.

Score: 5

CPUGuy Member since:
2005-07-06

*NIX is the WORST.

There are millions of libraries that you have to keep updated, and even though you use a package manager like apt-get or YaST, sometimes those updates still don't want to install.

It's all heaps of junk.

Score: 0

bailey86 Member since:
2005-10-14

With respect, your knowledge of computers seems to be limited to the PC operating systems produced by Microsoft.

I really think you should go on a course and learn unix.

Protection of the system whilst allowing the user to run programs has been well implemented since the '70s.

The first 'computers' many of us worked with were in fact terminal sessions on unix mainframes - so allowing the user to run programs whilst only admins could actually alter the system was built-in.

They were and remain effectively 'truly secure'. That's why those of us with years of experience of operating systems are always promoting the use of unix based systems such as Mac OS X and Linux.

Score: 1