Security and your mother's Linux box

Interview with security expert Ross Anderson

LXF: Because nobody's going to block the whole of Hotmail, or whatever it is?

RA: Hotmail isn't that bad, but you could think of one or two of the big British ISPs, that I won't name for libel reasons. If you send mail to abuse@ one of these companies dot com, nobody will read it. You might as well complain to the spammer himself, for all the good it will do.

So the proposal that we have [Anderson recently completed a report for the European Network and Information Security Agency], is that if you complain to abuse@ somebody or other dot com, and more than three hours after that, you get more phish or spam from the same infected machine, then you should have a legal right to claim €10 from them. No need to prove malice, no need to prove actual damage, just "here's the bill". A similar scheme has largely sorted out late flights, cancellations and overbookings among cheap airlines in Europe, because now you get €250 if EasyJet or Ryanair bump you off the flight to Barcelona. You don't have to produce a whole bundle of hotel bills and car rental vouchers and argue the toss, you just send them the bill. If they don't pay, you go to the county court, and if they still don't pay, you get the bailiffs to go and collect – believe me, I've done it!

Once you can do that to your ISP, they will all of a sudden find that it's in their best interests to act as the small to medium ISPs do. The kit that you need to firewall machines only costs a couple of hundred grand, and that's nothing to a big ISP. It's just a matter of them making the effort, and having the incentive.

LXF: With a lot of consumer products, like wireless routers, there's no incentive like that – it's pretty much left to the end user to patch these devices, or flash them with new firmware...

RA: Get real! Is my mum going to do that?

LXF: OK then, what steps should an ordinary citizen take to improve their data security?

RA: Buy a Linux box or a Mac. I bought my wife a Mac, last time the Windows box got filled up with loads of spyware.

LXF: So you just don't think the problems with Windows can be solved?

RA: The poor boys at Redmond are doing what they can, but they've got an enormous mountain of legacy codebase to deal with. Although they are beginning to do some semi-sensible things with Vista, in terms of not having users run as root all the time any more, this breaks so many applications that it's hard to get much traction. You end up with this learned helplessness phenomenon, whereby people are trained to keep clicking away these annoying dialog boxes that say: "Do you really want to override this? Do you really want to dismantle your security? Do you really want to run as root?" blah, blah, blah. They have to, to get their work done. That's a fundamental problem of the whole [software] architecture.

From the point of view of a user who's only going to use the PC for web browsing, word processing and one or two other simple tasks like that, the best solution is to move to an alternative platform. The big opportunity, which some Linux distributions are now obviously seizing, is to produce Linux PCs and Linux laptops that just work, which don't need anyone to know what a Tar file is, let alone how to compile stuff.


First published in Linux Format, Issue 114
