kernelthread.com

A Taste of Computer Security

© Amit Singh. All Rights Reserved. Written in June 2004


Popular Notions About Security

If I were to list the most common responses I have elicited from random computer users regarding their understanding of (or beliefs on) computer security, and categorize them into two bins labeled "Security" and "Lack of Security", it would look like the following:

Security

From here onwards, we use the term "Unix" in a collective sense to refer to UNIX, UNIX-derived, and UNIX-like systems.

Lack of Security

Embellishments and Prevarications

The composition of the above could be considered as the popular, intuitive, and informal definition of security (and its antithesis).

Unfortunately, from a purely technical standpoint, many widespread and deep-rooted notions about security are often misconceptions — opinions (to be fair, this sentence is an opinion too). For example, quantifications of the security-worthiness of various systems (in particular, Unix-based vs. Microsoft's NT-based systems) are not as blindingly different as they are regarded to be. The statistics one sees regularly (for example, the number of vulnerabilities reported in a given system in a given time period) represent only one face of the infinite polyhedron that computer security is.

It is important, even if academically, to understand this "clarification". Often, many a battle is fought (over security, and everything else) between OS rioters, where the systems involved might be vastly different personality-wise, politically, fiscally, etc., but are essentially similar — meta-technically.

We will briefly look at the security landscapes of Windows and Unix in the final section.

By the way, I opine that fires of OS-zealotry are pointless and uninteresting, and it is not my goal to fan them.

That said, perhaps no amount of objective explanation could stand against opinion, whether it be informed or uninformed opinion.

In fact, "informed opinion" might be an oxymoron. I believe that knowledge tends to dissolve, or at least weaken, erstwhile strong opinions. After all, why would you need opinion in the face of positive knowledge? However, this is just an opinion.

Security and "Hacking"

While the term "hacker" is frequently used ambiguously, it was meant to have a respectable connotation. A definition derived from the Jargon file can be found here. There has been emphasis on qualifying digital criminals as "crackers", "black-hat" hackers, or "dark-side" hackers.

Nevertheless, we eschew political correctness for colloquiality, and use the word "hacker" to mean a bad hacker.

The purported synonymity of security (largely its subversion, but even its defense) and "hacking" has doggedly remained a painfully hackneyed theme over the years. So much so that a person's computing talent, or his expertise with computer systems, is often equated with his security-related skills. Often the ability to foil computer security is regarded as a heroic and "cool" quality.

Ken Thompson, a creator of UNIX, aptly said in 1984 that:

"There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison."

Specifically, many think that a hacker must be an expert in computer security, and a computer security expert must be a hacker. This is not always the case, unless you explicitly define the two terms to be synonymous.

1337?

Another aspect of the clichéd portrayal of hackers is their supposed obsession with hexadecimal (and lots of numbers). Many books on hacking actually have chapter and section numbers in hexadecimal.
