Skip to main content

Security Threat Analysis: Interview With Dino A. Dai Zovi

Picking The Most Secure Platform

Alan: That’s a great point. I recently submitted a request to Apple to allow selective file sharing policy on my notebook. Its fine to have file sharing enabled when I’m at home, but when I’m at a coffee shop or other public access point, I hate having to manually disable file sharing.

Dino: I really like Apple’s Network Locations feature for network configuration and I would also like it if I could associate my network security settings with it also. Windows Vista actually has a good system for this by letting the user identify networks they connect to as “Public,” “Private,” or “Work.”

Alan: Earlier this year, Steve Balmer talked about Microsoft's investigation of Webkit and ultimate decision to stick with Trident. Web developers would love to have more consistent rendering engines, but from a security standpoint, does it make sense to standardize around one set of code?

That is, last year's MacOS exploit and the iPhone exploit were both breaches in the same underlying Javascript code. Since IE8, Firefox, Chrome, and Safari use different Javascript engines, a single exploit wouldn't be able to target all of them. Or, do you think standardization is better because you can collectively pool your resources to develop more secure code?

Dino: While standardization helps create a more secure single standard, it means that any breach of it will be highly applicable to Internet systems. I believe that more diversity in computer systems helps strengthen the ecosystem against attack. Having many diverse targets decreases the profitability of malware and once it ceases being profitable, there will be much less of it.

Alan: If you had to make a recommendation: Mac, PC, or Linux?  Or do you find them to be equally (in)secure?

Dino: For most consumers and home users, I recommend a Mac because they are currently targeted less by Web malware. They also tend to be easier to use so I get less tech support calls. If a user is slightly more technical and/or adventurous, I recommend that they give Ubuntu Linux a try. I recommend Windows Vista for businesses because it is a more secure operating system and better suited towards management in the enterprise.

Alan: Any reason for Ubuntu specifically (full disclosure: I run Fedora on my Linux workstations)?

Dino: I have found Ubuntu to be more user-friendly and I personally prefer Debian-based Linux distributions to the others. But I don’t want to start any religious wars here.

Alan: For our Windows-based PC users, what are some tips for running a "secure" PC? What about our Mac users? Linux users?

Dino: PC users should move to Vista or Windows 7 as soon as possible to make use of their security features. Mac users should do the same with Snow Leopard. Linux users are already pretty well served by the leading desktop distributions, so they shouldn't need to take many additional precautions. For all of these operating systems, the National Security Agency (NSA) Systems and Network Attack Center (SNAC) freely publishes in-depth secure configuration guides that can be followed to further harden your operating system environment.

(Ed.: the NSA’s guidelines can be found here)

  • cruiseoveride
    Wonder why he didnt mention SELinux
    Reply
  • mrubermonkey
    If it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.
    Reply
  • AlanDang
    Not really -- the black hats make money off the Internet -- it doesn't help them. By definition though, the risk is always about "taking down" a few IXP's or the +1 nodes.
    Reply
  • "Selectively granting privileges to enhanced functionality to Web sites is an area where most Web browsers can improve".

    They may not be core functions but everyone I know who is concerned with security on the Internet uses Firefow with the add-ins Noscript & Flashblock.
    Reply
  • vaskodogama
    mrubermonkeyIf it were so easy to "take down the Internet" I am sure Iran or China would have done it by now, but the vagueness of his last answer does add to the mystic of his image.I am from Iran, All the Iranian Goverment can do, is blocking porn and politics web sites! :D
    Reply
  • pcworm
    I'm also from Iran , come one, we still connect using bloody dial up, you guys cant be serious! although due to the "no copyright" law we can buy Windows, Mathlab, VS 2008 team System,office 2007 and a lot more for less than a dollar each...:-) you dont need broadband here cause piracy is official
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • Gutbop
    Dino: I'm a die-hard Unix user and Mac OS X is the most convenient and functional Unix-based operating system that I have ever used. I can code in a traditional Unix environment, watch a DVD, and use Microsoft Office all on the same system. The system JUST WORKS and lets me get my job done.

    Ahahahaha. Really!? Are you kidding me? Did Apple pay you to say that?
    Reply
  • I am a Mac user as well. I also use many versions of Windows and Linux in VM. I am not a security expert or anything but why is everyone hung up on someone taking down the internet. Hackers use the net to make money or prove a point. I don't think they are going to shut the net down and hold it hostage, who would be forking over the money anyway. And if they did it to prove a point how would they ever get recognition for the task when all communication stops.
    Reply