Linux: Genuinely Trustworthy Computing
Opinion: If the recent Sony rootkit debacle taught us anything, it's that "trust but verify" isn't just for nuclear arms talks anymore.
Who controls your computer? If it's a Windows computer, not you. I swear I'll puke if I read one more cheery press release touting "Trustworthy Computing." Richard Stallman strips away the Newspeak and calls it "Treacherous Computing."
Let's take another look at the Sony rootkit/spyware/misuse-of-copyrighted-code debacle to illustrate. (Please see Bruce Schneier's excellent writeup, including the discussion after the article.) For the purpose of brevity, I shall stipulate that Sony's actions were despicable and unjustifiable, and if they were some lone powerless kid instead of a big corporation, they would be in jail with much publicity and self-congratulations on the part of law enforcement. Bruce Schneier made these observations:
"Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time ... What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? ... this one has been spreading since mid-2004."
He also mentions "... the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case." And then there is the tepid response: the fixes from McAfee, Trend Micro, Kaspersky, and Symantec only remove the cloak, not the malware itself.
Some responses to Mr. Schneier's article don't give much credit to F-Secure, the one commercial security company to make a big noise, because F-Secure knew about the Sony rootkit for a month before making any announcements, and didn't say anything until after Mark Russinovich broke the story.
Can You Trust the People You Pay to Protect You?
This whole sorry incident brought to light a question that many of us in IT have been asking for a long time–who watches the watchers? It is not paranoia to suspect big companies of making deals with each other that harm us little customers–it happens all the time. There is no evidence of any collusion between the anti-virus companies and Sony, and I'm not suggesting that there ever was. But Sony is a customer of Trend Micro–what does that do to your comfort level? All the security companies have big corporate customers. When a big customer asks for a favor, like "please don't flag our lil' ol' legally dubious, technically incompetent, DRM thang cobbled up out of stolen FOSS code as malware," can we count on them to say no? Even if one security company made that kind of deal, logic would say the others have no reason to protect their competitors.
Which doesn't explain why none of them noticed this charming little Sony exploit, or responded so weakly when they finally did respond. With a hail of criticism, lawsuits, and possible criminal charges against Sony, what is there to be timid about? Some folks think the Digital Millennium Copyright Act (DMCA) is the reason for their timidity. It's a terrible law, and I think the only thing that saved Mark Russinovich from legal retaliation was the sheer outrageousness of Sony's misdeed.
It's already obvious we can't trust Microsoft (as if we ever could) - they're seeing big money in DRM (Digital Rights Management). Read their page on DRM (see Resources); you won't find one single word on how this benefits end-users, except for more Newspeak on how DRM restrictions increase our access to content. There are many words on different licensing models; you can almost hear the drooling over this wonderful new revenue stream. It's a brave new world, where instead of being able to play music and movies on any number of inexpensive devices that we already own, we'll be in the unimaginably lucky position of being allowed to purchase new devices that put all control in the vendor's hands.
Climb Out of the Windows Sewer
Of course us old Linux geeks and other Free/Open Source Software users see the whole security issue as ridiculous, akin to devoting massive resources to developing bigger and better waders, instead of simply climbing out of the sewer. Call me cranky, but it sure seems stupid to continue to entrust one's data and business to a proven leaky, malware-friendly, anti-customer platform like Microsoft Windows. Especially when, despite Microsoft's best efforts, a number of superior alternatives exist: Linux, FreeBSD, NetBSD, OpenBSD, and OpenSolaris.
FOSS enforces trust on a couple of levels. One, the community values of openness and sharing, and two, there is no place to hide. Everything is transparent. It is possible that one of the Linux distributions could make a deal with the devil, and sneak in unsavory bits. But they would be found out, and it is trivially easy to migrate to a different distribution.
The very smart and well-equipped Mark Russinovich detected Sony's little gift to the masses almost accidentally. Regular users wouldn't have had a chance. Which gives you the answer to why certain vendors are Linux-hostile: they cannot control it, and cannot get away with sneaky stunts like the Sony scam. It is also the motivation behind terrible legislation like the DMCA, which tries to make it illegal to even talk about these things: exposing corporate misdeeds and idiocy simply cannot be allowed.
So the moral of the story is straight from the X-Files: trust no one. Or perhaps more appropriately, trust but verify.
Resources
- Stewart Baker, Homeland Security's assistant secretary for policy, said: "It's very important to remember that it's your intellectual property -- it's not your computer."
- The (probably) unintentionally funny Trustworthy Computing home page.
- Windows Media DRM 10
- From Bill Gates' memo to new employees in 2002: "Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing."
What the AV vendors say about the Sony rootkit. Notice how not a single one of them questions the morality or legality of secretly installing a program that phones home, opens the system to exploits, hides itself, changes system files, and has no built-in uninstaller; instead, they soft-pedal it:
- Kaspersky calls it "riskware": "... even though the program can be exploited by malicious users, there was no malicious intent by the developers of the program."
- Sophos had to take a poll to decide if Sony was bad or not.
- Trend Micro calls it a "valid Digital Rights Management (DRM) software package." They also say it's "non-malicious".
- Symantec says "This rootkit was designed to hide a legitimate application..."
- Windows itself doesn't seem to mind having key system files altered without the knowledge or consent of the user - you know, that pesky person that owns the computer?
- F-Secure says "Please note that the uninstallation of the software will require using Internet Explorer and accepting an ActiveX component that might pose additional security problems."