On 12/8/2010 3:55 PM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
>> Let's not drag the desktop user into this discussion, too.
> Why not?
I thought my reason was clear, but apparently not. You talk the talk of security, but I guess we hang in different security circles and so don't recognize the same shorthand. Allow me to expand.
The reason I don't want to go off into a discussion of SELinux on the desktop is that I believe SELinux -- as shipped in current versions of CentOS -- will fail to stop 99% of the problems you talk about, purely due to the nature of 99% of desktop users.
Those in that vast majority blindly click on things that pop up and stop them from doing what they wanted to do. If a popup message gives a way to make the popup stop appearing, these people will, almost without fail, do that, no matter how well-intentioned or helpful the message, or how inadvisable disabling it is.
These people do not especially enjoy computers -- many actually hate them -- and so do not wish to understand anything more about what they are doing than is required to complete the immediate task. (You may perhaps have seen the current Windows Phone 7 ads? They're aimed straight at this crowd. I believe this ad campaign will be more effective than any Microsoft has had in years.)
Examples:
- UAC on Windows Vista/7. It's done virtually nothing to stop the malware epidemic. Why? It trains users to click on the "yes I really meant to do that" button, regardless of whether the user actually understands what they have just agreed to.
- Hostageware and fake virus popups on the web. The computer tells them they need to spend $X on something that will free their data or remove a virus they don't have. People fall for this all the time.
- Email scams: bogus unsubscribe links, phishing links, false enticements for illicit material...
- How often have you seen this as prologue to a tale of woe: "Are you sure you want to format your operating system hard drive?" "OK"
- Windows security software popups:
-- Firewall: "Blocked connection to port X." "Unblock"
-- Antimalware: "Updated patterns for the sixth time this month" "Go away." Then next week: "Detected possible virus behavior" "Go away." They're trained by then, y'see.
-- Security update: "Apply" Then next week, bogus security popup while surfing Facebook: "Apply"
- Evil EULAs. Not even a technically competent user wants to read pages and pages of legalese. But the point remains, people agree to things they don't bother to understand because they want to get past the annoying popup so they can do what they started out to do.
I am not disparaging this vast majority, merely reporting observed behavior. We're unlikely to ever change them. Many, in fact, are medically incapable of stopping this behavior; it's been studied, and some people are psychologically compelled to click things whenever they appear. (I suppose it's some form of OCD.)
Bottom line, if the tables were flipped on Microsoft and CentOS were the dominant desktop operating system, I believe it would have the same security problems today as it had before SELinux was available. Maybe not the same as Microsoft currently has, but no different than Linux without SELinux.
I wish I could do more than just offer vague, untestable supposition, but the current Linux user base is too small and technically competent to draw any real conclusions about how effective SELinux is at stopping the problems the normals get bit by. It's my experience that the technically competent desktop user rarely needs much in the way of security apparatus. Experience, attitude, and talent allow us to avoid problems most of the time, so the safety net rarely gets tested.
It is possible SELinux would help if seagent didn't exist and didn't show popups. Then the vast majority would simply be frustrated, unable to do what they want, and unlikely to find a workaround. Some will manage to dredge up the fix with The Google and blindly type it into a Terminal window, but even that minor impediment would be enough to stop a lot of general users cold. In that case, maybe you have a valid point. Then again, many Windows users disable UAC, so there's no reason to believe that subset wouldn't disable SELinux if CentOS were dominant instead.
To go much deeper, you get into discussions of how (or whether) CentOS should change to prevent these things, but change is driven from upstream and won't happen for years anyway if past is prologue, so again we have a good reason to stop this subthread right here.