The triumph of convenience
Off the Beat: Bruce Byfield's Blog
A few years ago, my neighbors asked for help securing their computer. They were running Windows, so my knowledge was limited, but I did set up a separate administrative account and add passwords to their regular accounts. When I looked at their computer a month later, they had removed both -- and were back to getting viruses and malware along with their movie downloads. Their explanation? That my simple safeguards were "too inconvenient."
"Let me get this straight," I wanted to say (but didn't). "It's too inconvenient to spend ten seconds typing a password, or twenty logging into a different account to install software. But it's not too inconvenient to have your computer at the shop every few months to scrub it clean and to sometimes lose files because you haven't bothered backing them up."
Partly, I didn't say anything because telling off people I see several times a week would have been awkward. But mainly, I didn't bother because I knew I'd be wasting my time. I've learned through experience that, asked to choose between short-term convenience and ongoing security, the average user chooses convenience every time.
This is hardly news. You only have to consider how many people use obvious passwords -- either personal information like their pet's name or date of birth or something like "qwerty," "abc" or even "password" -- to realize that they are unclear on the concept. If they do choose a better password, then you can bet that they leave it taped to the underside of their keyboard or on a Post-it in the top drawer of their desk. Even using a password manager is often too much trouble.
It's not that security is hard. Several weeks ago, I was exploring Tails, a distribution designed to maximize security and privacy. Tails' methods were thoroughly documented, and anyone who cares to spend a couple of hours reading all of it would come away with a sound basic knowledge of the issues and solutions.
The trouble is, most people won't take the time to read, much less implement the necessary precautions -- and that affects how computer interfaces are designed, and how operating systems are implemented, regardless of the security built into them.
Security in retreat
Part of the problem, of course, is that most people's expectations are conditioned by the Windows releases of twenty-five years ago -- operating systems designed for single users that were as wide open as a canopy.
Those were simpler times, and even Windows has evolved better security (even if the effort has often been like adding a foundation after the house was built). But the expectations established at the start of the personal computer era are still very much with us. Measures that seemed reasonable in the institutional settings in which Unix was born are apparently unacceptable in the home, where everything is expected to work as effortlessly as a TV or any other appliance.
In fact, as soon as the desktop is considered seriously, the pressure of convenience starts to erode security -- even security built into the design. The history of Linux could be written as a series of retreats from well-established security practices in the name of making the desktop more convenient.
Few of these retreats seem major in themselves. Automount external drives? Let all users burn CDs? Why not? Never mind that these restrictions were based on best security practices. Other operating systems have these features, and people expect them. Yet all the changes for the sake of expediency add up until now I suspect that many Linux distributions run only marginally more securely than Windows, if at all.
Meanwhile, projects like Bastille Linux, which everyone used to run immediately after installing a desktop machine, have been relegated to servers. Today, most people would find the idea of running Bastille on a desktop machine distinctly odd -- and the results too restrictive.
Just as seriously, given the triumphal march of convenience, the type of security emphasized has changed on Linux. Like most Unix-like systems, Linux once emphasized architectural security, if not as much as operating systems such as FreeBSD. It was built and configured to prevent breaches of security in the first place. Users might choose to relax security, but the default settings were designed to lock down the system as much as practical.
By contrast, today Linux relies at least as much on reactive security, just like Windows does. Instead of striving to be impenetrable, it relies at least as much on frequent updates and, on servers, anti-virus protection. Yet even though these precautions are automated and simplified as much as possible, they are frequently ignored. And don't even think about encouraging a regular system of backups -- that is so obviously a non-starter that developers don't even try to enforce a regular cronjob for such a basic precaution.
It's not, you understand, that I'm paranoid, or think that enduring a few hardships in the name of security builds character. I can be as lax as anyone in taking precautions, although every few weeks I suddenly realize that I'm overdue to make some basic efforts.
Nor am I a die-hard command line advocate. I understand that suggesting that everyone avoid the desktop would be useless and make me a hypocrite besides.
Still, I wonder if, by imitating a convenience-oriented rival while maturing, Linux has missed some opportunities to build an operating system that would serve its users' better interests. Somehow, I would be more comfortable if I could think of a single case in which architectural security was chosen over immediate convenience.