Security vs. Convenience

Although my intent is not to start the next GNOME/KDE-level war, it seems there must be a happy medium between total desktop insecurity and total desktop unusability. Linux offers so many ways to secure data that it's important to realize it's okay for folks to have different needs and desires. Sure, there are some basic security measures we all should take—things like:

  • Don't write your password on a sticky note fastened to your monitor.
  • Don't leave your e-mail account logged in on a public computer.
  • Keep your system updated.
  • Do have a password.
  • Don't use “password” as your password.

Apart from that, and I'm sure a few other common-sense practices, security is different for different users and different situations. Take the password scenario—it's very good to have a complex password. But, if your screensaver kicks on every three minutes of inactivity and requires you to type that complex password, your security measures have taken you hostage.

Now before I get hate mail (you know who you are, you've likely already started writing a comment here below), let me assure you, I'm not advocating insecure computer practices. What I am advocating is freedom. If I want my laptop to auto-log in, and not lock the screen with the screensaver, as long as it's only my data being exposed, it should be okay. Sadly, when it comes to freedom, we need to let people have the freedom to do dumb things too. And now if you'll excuse me, I need to try to remember my luggage combination, “1, 2, 3, 4, 5...”.

______________________

Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel, or Twitter.

Comments

you get what you (are willing to) pay for (timewise and not only)

Larry Tobos's picture

There is a right way and an easy way to do things. Most of the time they are not the same. Most of the time we try to save costs, hire the cheapest and dumbest, and so on- greed is human nature in most of us...

Anyway, my point being that most of the time, and on most platforms, not only UNIX-es, the software is anally written, with no security in mind. Then again, in the beginning, UNIX cost big bucks and it paid big bucks to those who mastered it.

Case in point- for some reason, I can only "reliably" capture from my TV card on Ubuntu if I am root. Yes, I know, I could look up for the real culprit, or just blame whoever, or I can workaround and log as root, do the dirty, and then change permissions on my videos. I bet 99% of the people and 100% of the time will be like me and choose the easy way. But it makes perfect sense most of the time.

Security & Convenience

Chetan's picture

Security and convenience have always been at loggerheads for ages. If you put, say 10 locks on your door every time you leave home, it may make it extremely difficult for a thief to break in, but at the same time, it may make it very inconvenient for you to get in and out each time. Now, there may be a relationship between how many locks to put (initial and recurring cost), and the value of what is protected, and it may be a guiding factor for the choice, but basically, it is your comfort and your perception of the overall security situation in your area that will make the decision for you.

It depends on who owns the computer...

Macon's picture

I think this whole discussion comes down to who owns the computer. If you are using a company provided computer, you must abide by the security and software restrictions placed on that computer by the company.

If it is your personal computer, go ahead and do what you want. If you get your system or identity hosed - that's the price you pay.

The same cannot be said about a business computer. If it gets compromised, things get much uglier fast. The loss or theft of customer and/or proprietary company data can result in loss of public confidence - which equals loss of jobs due to lost business. So playing loose and fast with the company's security can easily become the ultimate "screw your buddy" episode. You had to be "free" on your computer and now you and your buddy are out of a job....

Well, these remarks aren't as

WhenceSockets's picture

Well, these remarks aren't as much about my settings, as far as I know (I've a lot to learn), as they are about a bad practice that I and thousands should watch for. My settings might be germane to the extent that SSL may be forced upon a web connection; I'm just beginning to learn about that.

I'm often taken aback at web forms that ask for sensitive or potentially sensitive personal information, at least in the initial stage, via an http rather than an https connection. Examples are employment applications and comments, questions, or complaints to providers of health care. Some of the responsible corporations are doing very well financially; even if one is not, how much can it cost to set up secure web forms?

A bit, but not a whole lot

mattcen's picture

Only the cost of getting a certificate authority to validate their (the company's) identity, and sign their SSL certificate. I just looked up a basic VeriSign plan that offered this, and came up with $740 for 1 year, which was more than I expected, but perhaps isn't that much in the grand scheme of things.

The only other cost may be a possible upgrade to server hardware to handle the overhead of encrypting and decrypting HTTPS, but often I suspect this would be negligible if at all necessary, especially if you only use HTTPS for login and other sensitive web forms.

--
Regards,
Matthew Cengia

Not exactly

Matthew Stinar's picture

You can get certificates for way less than that and SSL doesn't work unless you also pay for a static IP address, which usually costs just a little bit extra. In my case, my web host offers certificates for $15/year and charges an extra $3.95/month for a static IP address. That works out to less than $65/year for hosting a secure site.

Bot nets. Plain and simple.

Anonymous's picture

Bot nets. Plain and simple.

How Much Security?

obx_ruckle's picture

If I am reasonably sure that I am the only one using my computer just how much security is needed? On the other hand, if this is a Powers blog simply to air his own personal opinion and/or random thoughts why are the rest of us here?

Where I draw the line.

rich_c's picture

While I pretty much agree with everything in this opinion piece, I don't agree with people having the freedom to abuse root/administrator user ids. In my opinion, this is not only exposing them to potential breaches but does every other Linux (For example.) user a disservice by making really awful security practices seem OK and normal.

Let's get the discussion going

ShawnG's picture

You have hit on a topic that was drilled into me back in my army days. Apply the APPROPRIATE security measures for the given situation and/or data. Doing retinal scans or voice analysis to protect resumes is overkill. But the same tools to protect the nuclear launch codes make perfect sense.

For MY setup, I can't bring myself to do an auto-login for my machines. Not even the private desktop box no-one else has access to. But I see absolutely no need to lock my workstations when the screen saver kicks in. If I'm going to be gone long enough for that to matter, I log out. So personal routines are also a factor in this discussion, I think.

For my server, I take a more paranoid approach - it IS connected to the Internet directly (web server). But for my desktops, I prefer the convenience for everyday use, rather than locked down tight, anal security barriers. There's a time and place for that, but if it gets in the way of me doing my regular work, then something needs to change - either my opinion about the security of what I'm working on, or the code needs to change to understand that in some cases I just don't care.

For instance, when I login, I ALWAYS see a message asking me to enter my password so that Amarok can have network access. Network access for my music player - playing local music files. I ALWAYS hit cancel. (it wants the network access for the MySQL integration, I know, but I don't care). And Amarok works fine every time. So why do I need to see this EVERY TIME? Someone's idea of security has overridden my idea of convenience. But where is the "right" balance point? I think that is a personal answer in every case.

All Hail Penguin Powers....

ajboesch71's picture

I completely agree Freedom Rocks....To Secure or Not To Secure...that is the question...

clowns never heard of an 'opinion piece'?

Anonymous's picture

I think those lambasting you on this blog entry need to get a life. It's a blog, for cripes sake!

:o)

Shawn Powers's picture

Heheh, yes, indeed this was just a little opinion piece. I happened to shock and offend some people when they saw my laptop auto log in, and they almost died of horror when my screensaver didn't password protect on activation.

My goal was not to profoundly inform, rather to calmly reassure those with similar practices. I don't want people to think that in order to use Linux they need to fit the "standard mold" of security. Again, we're free to do as we like, and I like to remind people of that so that *I* get the flak, and not someone else.

Feel free to just skip this if it offends you. You can have your money back if you like. ;)

Follow-up article?

mattcen's picture

I have to admit when I read the headline to this article from my RSS
feed, I expected a more detailed pros/cons article (perhaps from David
Lane, it sounded like his style) of what sorts of generic security
measures can be considered, and how difficult it is to decide when
you've gone too far.

It'd be great to see a follow up article on this one with more of that
detail.

Before I continue, I'd like to mention that I view LJ headlines
exclusively through RSS (using rss2email to bridge with mail and view in
Mutt), and just now having a look at the last week or so's headlines on
the LJ homepage, I remember seeing every one of them in the RSS feed, so
if you feel you're missing out on some, perhaps you're subscribed to the
wrong feed. I think I recall the URL changed along with the revamp of
the website.

A few examples that I often am faced with:

Firstly, I *do* have a password prompt for both my login, and
screensaver, though I'm prepared to concede that at least the
screensaver prompt may be a bit unnecessary.

I almost *always* send emails via Mutt on my server (which I can SSH
into from my Nokia N900 with a bit of difficulty on that tiny keyboard),
because I've gotten into the (perhaps unnecessary) habit of GPG signing
all of my emails with my private key, knowing how easy it is to spoof a
From: header. I only have my GPG key stored (apart from backups) on my
home server, because I don't trust that any other system won't be
compromised. It's quite likely that *nobody* who receives mail from me
validates my GPG signature but I use it anyway.

My N900 has a passcode set on it, as it has saved passwords for my email
and several chat services. Aside from this, I almost never save
passwords for any application or website, and store all passwords for
the websites and services to which I am subscribed inside a GPG
encrypted text file. Admittedly, one of the shortcomings of this
approach is that it means that I don't have many *different* passwords,
as remembering which password is for which service would otherwise be
much more difficult.

A similar scenario goes for my SSH keys. The company I work for does
lots of work on clients' Linux systems, and for convenience (and for a
bit of added security), I use a passphrased SSH key (the only copy of
which is on my company's main server) with ssh-agent to access client
servers, so that I don't need to go and look up our company's account's
password on the client's server (stored in a GPG-encrypted text file we
have for that client) *every* time I need to access their server.

This means that currently, I can't SSH to that client directly from my
laptop while at the office, because I currently refuse to use my
laptop's SSH key to get into their server, because I dread the thought of
having my laptop stolen, and having to go to every client's server and
delete my key from the 'authorized_keys' file.

This is probably me being obsessive, as for this to become a problem, my
laptop would have to be stolen, the drive accessed (one thing I
currently *don't* do is encrypt my filesystem), the key found, the
passphrase cracked, a list of possible client servers located, the
username figured out (I don't SSH directly as root), and then the root
password would probably have to be discovered to do any real damage.
This is all assuming this particular client allows SSH access from all
hosts on the internet, and not just from my company, which is sometimes
the case.

It's rarely an inconvenience for me to just SSH out from my company's
server, except in the case where I have to forward a port, which can
often get annoying, as I have to do some dancing and often do *two*
forwards (between me and our server, and our server and the client).

Now that I look at the above, I realise how remote the possibility is of
an attack on a client which led from the theft of my laptop, and yet I'm
still reluctant to relax my methodology.

I could probably continue, but I think I've bored you all enough with my
obsessions.

--
Regards,
Matthew Cengia

No need to be so defensive, I

kabniel's picture

No need to be so defensive, I don't have a problem with opinion pieces, not even those I don't agree with ;)

There has (IMO) been a shift in content in the main RSS feed possibly ever since the redesign of the LJ site, and I think some of us base our views of LJ on that.

Having looked around a bit in the howto section I can see that I have missed several articles in the last month only because they haven't hit the main RSS feed, and instead we get more blog posts like this one.

The LJ site might have just as much high quality content as it used to, but based on the main RSS feed the quality has dropped IMO.

ridiculous

Anonymous's picture

This was a blog?! Maybe it's a good thing you didn't go any further. Desktop environments didn't even come into play.

Agreed

Anonymous's picture

Agreed

Security vs. Convenience

Matt's picture

I use KeePass to secure my passwords across multiple computers using Dropbox. Only I and my wife know my master password (and it isn't easy or based on a dictionary word). That way, if I die, she can still access our information.

My media center does auto log-on, but none of my other computers do.

It's just a question of risk mitigation. How much are you comfortable with? Is ignorance bliss?

Post Quality

Anonymous's picture

Not to be rude, but the quality of posts here seems to have deteriorated recently.

A little more thought, examples, questions, suggestions could have been included in an article about security vs. convenience.

Have to agree

Bradl's picture

Have to agree. Little substance here, and an implicit suggestion that the commenters fill in the meat of the matter. Slack.

Agreed

kabniel's picture

I have to agree, instead of informative or newsworthy articles where you actually learned something by reading it, we get what seem to be mostly opinionated blog posts these days.

WTF?

ShawnG's picture

Let me get this straight... you are upset that Shawn Powers can do a short post occasionally that seems to be his own personal opinion? I didn't see anywhere in this posting where it was suggested the article was anything else OTHER than his opinion and/or random thoughts.

Occasionally a light piece like this is more important for the on-topic discussion it triggers, rather than the content of the posting itself. The other comments seem to be on track for that, and yet you are whining off-topic that you were not educated by this post. Give the guy a break - he can't write concise meaningful articles every single time and IS entitled to an opinion piece occasionally.

The phrase RTFM comes to mind if you REALLY want to learn more about security practices - and magazine articles are not necessarily the definitive source for that sort of info. BlackHat and DefCon happen next week too - you can learn TONS about modern security issues there.

thanks for agreeing that this was a waste of space

Edmund's picture

So you're agreeing that when we want to read something worthwhile, skip anything Shawn Powers writes because to learn anything useful we'll have to do our own research. If I were the boss here I'd want a refund for this particular "blog". "Blog" does not equal "random nothings". At least not blogs that are worth reading.
