a blog about things that I've been thinking hard about

Computer Security: Why It's So Hard

3 January, 2012
security, trust, appearances

To achieve security, you need to know who and what to trust.

You need to have ways of seeing that someone or something is trustworthy.

But, computer systems require trust from so many different parties.

And what you see on your computer screen is a very tiny percentage of what is there.


Security and Trust

Computer security, like all other forms of security, depends on trust. When I lock the front door of my house I trust that the lock is correctly designed so that it can only be opened by someone with the correct key. I trust the builder who installed the lock into the front door when the house was built. I trust that no one else in my family has given a copy of the front door key to one of their friends without me knowing. If my house has an alarm, I trust the company that installed it, and I trust the company that monitors it.

Computer security is like house security, except it is much, much more complex and it is much, much more fragile.

Who Can You Trust?

Short answer: you can't trust anyone. Not even yourself. Also you can't trust any thing.

Long answer: here is a list of people, organisations and things that you cannot absolutely trust:

Long list of people and things that you can't trust which is more relevant to computer security:

Failures of Trust

There are different ways in which people or things can be un-trustworthy. But these fall into two main categories:

For example, do you trust your 16-year old son to be in charge of the house for a few days when the rest of the family goes away on a holiday? Probably your son would not try to rob you – which would be malice – but it is possible, for example he may be a crystal meth addict, and perhaps you don't even know that yet. However, it is more likely you would be worried that he would have a party and invite all his friends over – which would be carelessness.

Malice and carelessness do overlap somewhat, as a very common form of carelessness is when you trust someone who then decides to trust some other person, where that other person is malicious. For example, your son has a party at your house, and one of the invitees is a friend of someone else who is a professional burglar.

Some of the people we have to trust are more likely to be malicious, and others are more likely to be careless or incompetent. If the brakes on my car need fixing, it's more likely that my mechanic will cheat me in some way as compared to my cousin who fixes cars for a hobby and who is willing to try and fix my car for free. But it's more likely that the mechanic will know what he's doing.

You Can't Go Through Life Not Trusting Anyone or Anything

Even though we know that theoretically no one and nothing is trustworthy, to actually get through each day and get things done, we do put our trust in some things.

It's just like that with computers. There's a whole lot of things that you can't actually trust in relation to computers, but in order to actually use a computer for something useful or entertaining, you have to trust something.

Things We Do and Things We Assume to Improve Trust

In "real life", i.e. anything not to do with computers, we use certain methods to deal with trust issues. For example:

Unfortunately, computers aren't quite like anything else. Which means that computer security isn't quite like other forms of security, and the above techniques may not be reliable in helping us to determine what we can or cannot trust. Or we may have to use carefully designed analogues of those techniques.

Computer Analogues

Computer analogues of the above items may fail for the following reasons:

Computer Aren't Quite Like Anything Else

To fully understand the complexities of computer security, you have to fully understand what it is about computers that makes them different to any other technology that you might know about.

And to do that you have to go to university and learn about computer science. Or, you could go on the internet and study computer science (but to do that you need to know how to use a computer, which includes knowing about computer security, which puts you in an impossible catch-22 situation of having to know in advance about the thing you are trying to learn about).

At a minimum, to have some understanding of what a "computer" actually is, you have to know how to write a computer program in a general purpose programming language. And ideally, you should understand how to write a program for one kind of computer which makes it act like some other kind of computer.

If you haven't got the time to do all that, then I will try to summarise it here:

A computer is an information processing machine which can be programmed to be any other kind of information processing machine. The technical name for this type of completely general information processing machine is the universal machine, a concept which was originally discovered by Alan Turing in 1936-1937.

So a computer is a special kind of machine that can be any other kind of machine.

In practice the user sees a computer as something that has "applications" installed on it. The individual applications are specific "machines" that solve specific problems, running as programs on the computer which is the "universal machine". Some of the applications are themselves universal machines, in effect they are themselves computers, capable of running programs within themselves, i.e. machines running inside a universal machine running inside another universal machine.

To give a very simple example, my Javascript game PrimeShooter is a "machine" which runs inside your web browser, which can be considered a special type of "universal machine", which itself runs as a program inside the universal machine which is your computer.

This flexibility is what makes computers so powerful, and in particular makes them such good value for money, since one "machine" can do the work of an almost infinite number of other "machines", limited only by the amount of effort is required to write the implementations of all those other machines.

This flexibility is also what makes computer security so much more complex and difficult than any other kind of security.

Security is all about what other people can't do to you or to your property or (especially in the case of computers) to your information.

But computers are all about the almost infinite number of things that you can do.

One of the corollaries of this power and flexibility is that people are constantly discovering new and surprising threats to computer security. To give an example that wouldn't make much sense to anyone ten years ago: random disgusting pornography appears in your social network account message page because one or more of your social network "friends" unwittingly installed some "app" into their account and gave that app "permission" to do certain things without fully understanding the consequences.

Nobody Knows How To Do Computer Security Properly

Computer security is so difficult that it is safe to say that no one knows how to do it properly.

One proof of this is that no respectable software vendor trusts themselves to produce guaranteed secure software, and it is now routine for all major software applications to include mechanisms for regular security updates to fix any security problems with current versions of software.

(One of the advantages of Linux-style package management is that there is essentially a single place to do all updates, as compared to Windows where you have to press "OK" on Microsoft updates and Adobe updates, and Mozilla Firefox updates and Oracle/Sun Java updates and Google updates and Apple itunes updates and so on.)

The rate of required updates is so large that it is almost impossible to connect securely to the internet on an old-fashioned dial-up connection, because your internet will not be fast enough to keep up with the required security updates.

Learning How to Secure Your Computer On The Internet

I Googled "How to Secure Your Computer", but I could not find any resource that attempted to give the reader a good understanding of what one is really up against when trying to secure a computer.

Most of the sites giving security advice to the "average" user give a list of specific actions to take, without giving any detailed explanations of the threat models that those actions protect against, without describing any general theory of computer security, and without describing the costs or associated risks of the recommended actions in the list. Inevitably the list is finite, so there are plenty of security issues not in the list.

So instead I Googled "How to Base Jump", and I learned the following:

I'm guessing that a similar amount of effort is required to learn enough about computer security, to have some reasonable chance of keeping your own home computer free of nasty software.

You Can Drive Your New Car Off the Lot If ...

To look at a different analogy, how qualified do you have to be to drive a new car off the lot?

In general, you just need a full driving licence, which a normal adult could acquire from scratch with no more than a few weeks of learning and training.

One thing that makes learning to drive easier than it might be otherwise is that cars are legally constrained to be manageable by the average driver.

To put in another way, you don't require a PhD in physics to drive a car. You don't even need to understand what the word "physics" refers to.

A closer analogy with computers is buying a helicopter, and being allowed to fly it home, without any licence or prior training.

The probability of the average person flying a helicopter home without crashing it is approximately zero.

Something similar happens with computers. Within a week, the "average" computer user will probably have something nasty or at least unpleasant installed on their computer. And probably something undesirable was installed on their computer even before they took it home.

The Constrained Computer

One possible solution to this problem is to buy a computer so constrained in its operation that it's not really a computer (i.e. theoretically, it's a "machine", but not quite a "universal machine").

The most well-known example of such an "almost" computer which is more than just a games console is Apple's iPad. The iPad reduces much of the security risk of computing by severely limiting what the user can do to their own computer. The iPad does this by only allowing software to be installed that comes from the official Apple App Store.

This doesn't solve all possible security problems – for example it doesn't protect against various ways in which someone can "break in" to website accounts which don't depend on breaking into the user's own computer. It also forces you to "trust" Apple Inc., whether you like it or not. But it does eliminate a substantial class of nasty things that happen to normal "home PC" users.

And If You Want a "Real" Computer?

If you've read this far, you'll notice that I have made some attempt to describe the enormity of the problem which is computer security for the average computer user, but I haven't really specified a full answer, or much of an answer at all.

So I will finish with an outline of a possible solution: those of us who understand something about computer security need to create a website which describes the general theory of computer security, in terms of trust models and the like, which is written in the simplest and clearest possible language. This theory also need to give specific examples of security actions that "average" users should take, with explanations of how those actions fit into the general theory, i.e. what the trust model is that is relevant to each action, what is being threatened, how it is being protected, and so on.

Vote for or comment on this article on Reddit or Hacker News ...