A Taste of Computer Security© Amit Singh. All Rights Reserved. Written in June 2004
Popular Notions About Security
If I were to list the most common responses I have elicited from random computer users regarding their understanding of (or beliefs on) computer security, and categorize them into two bins labeled "Security" and "Lack of Security", it would look like the following:
- Protection against a grab-bag of "exploits" (thus, countable and finite)
- Linux, *BSD, and particularly OpenBSD
- In general, UNIX, UNIX-derived, and UNIX-like systems
- Mac OS X (with its "Unix underpinnings"; "because it's essentially FreeBSD", "because it's based on a microkernel")
- Open source
Lack of Security
- A grab-bag of "exploits" (thus, countable and finite)
- Microsoft Windows
- In general, everything from Microsoft
- Mac OS X (with its "eye-candy" and historical lack of emphasis on security)
- Closed source
Embellishments and Prevarications
The composition of the above could be considered as the popular, intuitive, and informal definition of security (and its antithesis).
Unfortunately, from a purely technical standpoint, many widespread and deep-rooted notions about security are often misconceptions — opinions (to be fair, this sentence is an opinion too). For example, quantifications of the security-worthiness of various systems (in particular, Unix-based vs. Microsoft's NT-based systems) are not as blindingly different as they are regarded to be. The statistics one sees regularly (for example, the number of vulnerabilities reported in a given system in a given time period) represent only one face of the infinite polyhedron that computer security is.
It is important, even if academically, to understand this "clarification". Often, many a battle is fought (over security, and everything else) between OS rioters, where the systems involved might be vastly different personality-wise, politically, fiscally, etc., but are essentially similar — meta-technically.
We will briefly look at the security landscapes of Windows and Unix in the final section.
Security and "Hacking"
The purported synonymity of security (largely its subversion, but even its defense) and "hacking" has doggedly remained a painfully hackneyed theme over the years. So much so that a person's computing talent, or his expertise with computer systems, are often equated to his security-related skills. Often the ability to foil computer security is regarded as a heroic and "cool" quality.
Specifically, many think that a hacker must be an expert in computer security, and a computer security expert must be a hacker. This is not always the case, unless you explicitly define the two terms to be synonymous.