Schneier on Security

Clive Robinson • August 22, 2019 5:38 AM

@ tfb, Jeff,

Whenever I hear someone talking about unixoids having a ‘stronger security model’ I want to hit something.

This has been going on for at least as long as the 286 Processor has existed…

The thing that history teaches us in ICTsec is,

The less market share an OS has the less likely it is to be generally[1] attacked.

Which if you think about it is the malware writers/developers sensibly putting their effort where it potentially has the best ROI for them. So not just “low hanging fruit” but “biggest orchard” as well.

Also there is the fact that, the more popular an OS is, the more criminals there are that use and know it. Which is a mirror of the general population of which criminals are just a small fraction. After all “familiarity breeds contempt” as well as experience.

So in general it’s kind of a Problem-Squared issue, and the popular OS gets way more malware attention than would be expected for it’s market share. Which in turn makes the small market share OS look way more secure than it realy is. That is in the general case malware is a numbers game that reflects the current state of the consumer marketplace not the the relative merrits of the products in that marketplace.

So much so in fact, it kind of flies in the face of the old saying about “obscurity”… Which means that if the OS developers for different OS’s are equally as skilled and on average each OS is about as secure (which they are), then at any given time there can indeed be some safety in obscurity, all be it fleetingly.

We actually saw this in play a few years back with “Security Personalities” recomending Apple-over-Microsoft, then at other times Linux-over-Microsoft etc. But as each new “personality” recomended OS become more popular, general “fire and forget” malware catches up with it as it’s popularity rises. Which makes making such recomendations “A Mug’s Game” which catches up to you.

But it runs deeper than that, sometimes those who think they are “special” and can design “a better mouse trap” eventually realise just what is involved and they in effect walk away from it. The classic example is those who think security “segregation can be done by software” and maybe a little by hardware such as an MMU… Then the likes of “RowHammer” come along and their heavily fortified Castle standing like a “cubist abstraction” in sunlight, is found to have foundations not on rock but sand and it sinks under it’s own weight. They sometimes eventually learn what “Real Segregation” is about, then what is needed by the way of heavily mandated choke point communications is required. Others start from that point then find the issues of not having “Real point-to-point communications” that is what happens when your Shannon Channel is leaky, or worse shared and how in consumer devices “Real Segregation is not an option” if you want to get the positions of various end points correct. But even that is insufficient as “End Run Attacks” happen in the tangible physical world just as much as they do in the intangible information world.

If @Nick P is listening in he can point you in the direction of OS’s that are more secure and have been shown to be by various mathmatical proofs etc. And yes such OS’s tend to have very small market share as well, because such OS’s tend to come at a price… In fact quite a significant price if they came from those in the MIC.

But as they say “That’s not the half of it by a long way”. Because they are not “the” security solution but a quite small “part of” a security solution.

As far as the big bucks go, then there is the price of the physically secure computer hardware. Then the SCIF to “energy gap” the computer to go ontop of that. But it does not stop there, you then have to start on physical security… So then there is the cost of the strong room to protect the SCIF. But strong rooms need guarding not just at the entrance but at all times, and even guards can be coerced so you need several on the pay roll, background checks etc etc. Even then people still walk out the front door with all your secrets in a Rubik’s Cube.

In Short real security costs big if you don’t want to take chances, and even then it can be defeated. It’s why in “physical security” they do play dice with probability and leverage obscurity where ever they can. Because it reduces both the number of people “In the Know” and likewise the time that those people know the information to very short intervals thus reducing an attackers “window of opportunity”.

[1] There is a difference between “generally” and “specifically” when it comes to security, and this applies to OS’s and applications as well. Basically there are four types of criminal and two types of target. That is the majority of the criminals do not pick “specific targets”[2] they go for targets that fit a pattern, so your chance of being attacked is based on probabilities.

[2] If you are a “Person of Interest” it does not matter what “consumer OS” you use they will have ways to break in to it even if it requires what once used to be called “front pannel access”. Thus if you are more than just of “interest”, you will have to up your game beyond air/energy gapps to actuall physical security in depth, designed not to stop them but delay them enough for a security team to deal with them.