Why security gets no love

Most of what we hear about security is bad. Most people who like to think they are security conscious are just plastering over termite damage to the frame of the house. Why can't security get any love?

Jack Wallen's "Why the BSDs get no love" addresses the reasons he thinks the various BSD Unix systems do not get nearly the recognition that other operating systems do -- such as their younger cousins, the Linux distributions. The key factor, in his eyes, appears to be the way the core BSD Unix OSs do not present users with flashy GUIs every step of the way.

Of course, to some extent, he is right. The mainstream of home computer users loves flashy GUIs. Despite this, I think the text console-based installer is not as big a deal as people think:

  • Watch the start of MS Windows installations some time, and you might notice that they tend to start with a text console interface, and only start getting into the GUI when the fundamentals are done.
  • Notice that many people never see a Windows install at all, ever. The installer is almost irrelevant to the mainstream. What is needed for parity with the mainstream's expectations is computers with the OS already installed.
  • Many Linux distributions -- many of the most widely used, in fact -- still use text console-based installers. This seems like a pretty strong counter-argument to me.

There are other reasons to doubt the importance of a graphical installer as the big reason BSD Unix systems do not get the "love" that is heaped on Linux. The answer to why Linux gets more hype and attention is much more complex than that, and includes such concerns as marketing power -- in large part because its community is full of people who will talk about how great it is without even understanding half of what they are saying. That is true of anything popular, and says nothing bad about Linux itself, of course.

One point that sprang to mind was, in fact, the very things that make the core BSD Unix systems so great. Jack said:

Not only are they, hands-down, some of the most reliable operating systems, they are bastions of security that refuse to be taken down. It's a shame the BSDs have not met more acceptance across the globe.

The core competencies of BSD Unix are, in many respects, their problem when it comes to popularity. By contrast, every time a new MS Windows version comes out, someone plays around with the GUI features that have been added and writes a review that uses the word "sexy" at least three times. When was the last time you heard someone call real security "sexy?"

Security -- and, for that matter, stability -- is not measured in flashy stuff that happens, wowing the user. It is measured in what doesn't happen. You know your system is secure when it is the one that did not go down along with the rest of the Internet in 2003 thanks to the SQL Slammer worm. You know your system is secure when someone cracks your WPA encryption keys and finds that all traffic on the network is protected by SSH encryption as well. You know your system is secure when it is the one that did not fail an integrity check after a trip to DefCon, and your usernames and passwords did not end up posted on the Wall of Shame.

You are most secure when nothing happens.

This is a problem of security in general. People do not find real security interesting. It is not flashy or exciting, nor is it the least bit "sexy." In fact, you are probably most secure when you turn all that "sexy" UI stuff off.

One reason I use FreeBSD as my primary operating system, despite the lack of sex appeal in the installer, is the fact that I have learned to love the subtle elegance of a system that does exactly what it is supposed to do every day, every time, and does not come with seventeen unneeded services running by default.

Truth be told, even FreeBSD and its close siblings NetBSD and OpenBSD are not perfect. They can still suffer issues from time to time. Work with any operating system long and hard enough, and you will encounter a hiccup. Such is life. It is awfully nice to have such issues somewhere on the order of 1% of the time they happened with MS Windows, and for those issues to be recoverable about ten times as often. It is also nice to have such issues only 10% of the time I did with Debian when I used it as my primary OS of choice.

The apparent lack of sex appeal in a BSD Unix operating system, judging by the reviewers of the world, is in large part a direct result of the priorities of the BSD Unix developers out there being arranged in such a way that these operating systems will continue to be impressively stable and secure.

By the same token, encrypted communication is not a "sexy" topic because all that using OpenPGP to encrypt your email does is ensure that nobody other than the intended recipient reads what you wrote. Integrity auditing is not a "sexy" topic because when it shows you all is well, it just says "nothing has changed". Firewall policy is not a "sexy" topic because when your firewall policy is good, nothing unwanted gets through.

I really do wish more people made security a higher priority, and made their software choices with that in mind. I do not think that changing the development policy for a secure, stable operating system so that sexing it up a bit gets top billing at the next project roadmap meeting is a worthwhile endeavor, though. What is the point of getting more people to use the stable, secure operating system if you have to sacrifice stability and security as development priorities to get there?

PC-BSD is able to succeed where FreeBSD "fails" in terms of a "sexy" presentation because it is actually built on top of FreeBSD. The added-on "sexy" parts of PC-BSD are in fact the most at-risk parts of the system for security and stability issues. This is not a coincidence.

Of course, people do not like to think about security. Thinking about security is hard, or boring, or too time-consuming. Security is an ever-increasing problem in this world as more and more people who think this way about security -- that thinking about security is something to be avoided -- enter the world of networked computing. This, too, is not a coincidence.

Rather than concerning ourselves with how to get people to choose a product that has a reputation for security, I think we should concern ourselves more with how to get people to make understanding and achieving greater security a top priority. Until we do that, security will continue to get no love. As long as we cannot get people to look past the makeup and sultry tones of "sexy" software when they go looking for good software, security will remain the ugly stepchild in the family of features on which people base their software choices.

As for me, I find security and stability in an operating system beautiful, even if it is not "sexy" by common standards. I suppose there is no accounting for taste, though.