borg.org

As we try to tighten up our computer systems, in 2018, phishing feels like one of the most dangerous things. Sure, getting someone to open a dangerous attachment that exploits a PDF bug (is there an infinite supply?) is a problem, but let’s imagine users running on such tight systems that dangerous attachments are no longer a problem. Phishing won’t be over.

People will still be fooled by crooks, and if a crook walks up to you in nose glasses and politely asks for the keys to your car you might think something is funny. You do expect give your car keys to strangers, but you expect these people to be, say, the mechanic at the car repair, or the parking valet at the restaurant. The point is if you initiate the transaction (you go to get your car fixed, you go out to eat), the transaction is much safer. In contrast, if a stranger approaches you and volunteers to be a mechanic or valet, you are less likely to fall for it.

We should apply that to computer credentials. If I decide to go to website tuklever.com, it is reasonable for me to then type my TuKlever login credentials. But if some website claiming to be tuklever.com approaches me (via e-mail), why should I hand it my password (aka my “car keys”)? I shouldn’t.

A powerful way to avoid a lot of phishing attempts is:

Never (never ever) type credentials because someone else supplied you with a link, possibly in an e-mail.

Instead, if the link looks good, login to that website manually (type a trusted URL by hand, use a bookmark you typed by hand). Now log in. Now try that link in the e-mail–and if you are asked for another password, don’t do it.

This logic applies in other circumstances, too. Get a call from our credit card company about a suspicious transaction?, and that professional sounding voice asks for verification information from you? Say no, ask what it is about, say you will call back. Call what number? The number the voice on the phone gives you? No! Call the number on the back of your credit card. Same idea as the website example.

Back to my headline: We train people to do the dangerous thing.

• Employees frequently get real e-mail from, say, HR, that includes links to, say, the new payroll system, and click and type in sensitive information.
• For years now American Express has been sending me e-mails that include links to click on and an invitation fo type a password.
• Other credit card companies–fraud departments even–have called me and expected me to give them identifying information.

In each of these cases we are conditioning people to do the dangerous thing. In each of these cases the safe thing to do and the normal thing to do are different. Do we really expect people to rock-the-boat, and refuse to log into the new payroll system, and not get paid?

No. We expect people to be phished, and we are training them for that.

I realize there is a heresy in what I am saying. I am implying that user behavior matters, that how we condition users matters. I am a hairsbreadth from suggesting that user education is a good thing! Horrors, the first step down the slippery slope of blaming the user for bad system design. Next thing you know I’ll make a snide remark about some celebrity caught on live camera entering the PIN 000000.

-kb

©2018 Kent Borg

Linux has won. It is taking over everything, from tiny devices to the biggest super-computers. Apple’s operating systems are all pretty much on the same model, and Microsoft always seems to be trotting along in roughly this direction, too.

The idea is pretty cool: Give each program a uniform view of the machine, keep them from interfering with each other. Not only can each program mostly pretend it owns the entire machine, the model is good enough to be extended to multiple users, all running on the same machine.

Yes, there will be resource limits with all this sharing going on, but that is a necessary limitation, the larger sharing model is great.

So why are we so unhappy with it? Why do we have this big virtualization fad? The operating system was supposed to let multiple users share the same physical machine, why an extra layer of multiple operating systems sharing the same hardware? If these multiple operating systems were different kinds of operating systems (needed to be compatible with different kinds of programs) that would make sense, but mostly we run multiple virtual copies of the same operating system. Frequently the same version of the same operating system. The popularity of hypervisors for providing multiple uniform views of the hardware, keeping them from interfering with each other, seems a big indictment of what the OS was supposed to do. Something is wrong with the API offered by the OS if we prefer the API offered by BIOS. Something is wrong.

And inside the OS, different programs were supposed to do the different things. So why are we now inventing enormous container facilities like Docker and Kubernetes for supplying the features we want? Isn’t that what the OS was supposed to orchestrate?

I don’t see much questioning of the role of the OS, but I see an awful lot of ad hoc reinventing of OS-like services.

Part of this is clearly a limitation of the OS model: Individual programs are isolated from each other, but it seems not isolated enough, we want more isolation, so we fire up new OS instances. Also, individual programs have complicated and conflicting dependencies to shared libraries that the old OS model isn’t good at mediating. Finally, individual programs are not where the action is, we run different programs in concert with both dependency confusions between them, and contradicting desires to be isolated from other programs (so they don’t interfere) but not isolated from other programs (so they can cooperate). It seems these are all issues the OS should handle, and it doesn’t, that’s why we have so many VMs, and these container facilities.

Recently I ran across the various name-spaces that the Linux kernel offers. (Linus is very pedantic that the kernel just be the kernel, but that doesn’t mean it isn’t still freaking gigantic and bursting with features.) These name spaces provide a lot of granularity for controlling what is isolated and what is shared between different programs. It seems they make it possible to completely isolate software, as if you were running completely different operating systems. I say “it seems” because I don’t know that I am right, I don’t know that these different name spaces cover all the bases. And, even if I knew they did cover all the bases, how would anyone ever trust that they did it in a bugfree way? How would anyone ever know that there isn’t some unintended leaking between spaces, security holes hidden in the confusion.

I think this gets to the point: The confusion. The old OS model was simple, that was a virtue. The model implicit in Linux name spaces is so complicated that I almost don’t want to call it a model: if almost no one can understand the implications of all those features, can it be called a “model”? Does it instead become an “artifact”? Something to be studied, as opposed to a model, something clear enough to be understood?

Maybe I am just being overwhelmed and demonstrating my ignorance. But something tells me that the simplicity of hypervisors, presenting a near bare-metal model, isn’t about to lose its appeal as everybody starts to grok Linux name spaces.

I think we are choking on unmanaged complexity, that we are building systems that are more complicated than we know, that not only are they riddled with conventional bugs, but attackers are waltzing though our systems via the security holes made possible by that complexity. But that’s another topic.

My conclusion here is we have run out the old OS model to the point of absurdity, that we need to rethink what abstractions an OS should offer. The old OS model was both powerful and simple, but look at the layers of baroque filigree we are accumulating, it is time to revisit our assumptions about what an OS is.

-kb

©2016 Kent Borg

[I am sure this is not original, on so many levels, but my fingers are compelled to try to capture these thoughts. Forgive me.]

At a fundamental level physicists appear to be deeply religious. Their Articles of Faith are something like this:

• There is order,
• This order can be understood by us,
• It is predictive, has temporal properties, and likely practical implications,
• (Might be isotropic).

Snide remarks aside, there is a deep faith here: What I do in my little life doesn’t seem to have a great and deep order to it, why should the far larger universe constrain itself to being so precisely ordered that we can make exact equations about it? Why couldn’t the universe be capricious and random and arbitrary and I’ll-do-this-here and I’ll-do-that-there? I don’t know.

But physicists have this deep faith that they will understand if they only keep looking, that there is a fundamental order to the universe, that there is a simplicity under all these chaotic details we see when we look about.

As the world I see certainly has a lot of confusion in it, isn’t this a religious perspective by physicists? More creeping Secular Humanism? Isn’t it just another religion?

No.

The difference between the faith of a physicist and that of a religious person is that the physicist wants data what will displace his/er faith. The physicist wants observations that will explain the mechanisms of why we see what we see–even if they are mind-bending and paradoxical–the physicist wants to expose his/er faith and dispel mystery.

The religious person wants faith, wants to hold on to mystery.

If I might get all meta: The physicist has faith that there will always be plenty mystery; that there is no risk in explaining things.

-kb

©2015 Kent Borg