What Linux can learn from Windows

In three months, Microsoft users will finally reap benefits from the company's new focus on security. The release of the second major update to Windows XP answers many long-standing design criticisms of its operating system.

But this was not a pain-free learning exercise. Indeed, Microsoft paid a steep price in the coin of user dissatisfaction--and in some cases, lasting mistrust.

In September 2001, the Nimda worm spread throughout networks worldwide, leading corporate customers--including many financial firms--to chastise Microsoft for failing to plug vulnerabilities in its code.

Two years later, the MSBlast worm and a variant of the program infected Windows computers and corporate networks, once again bringing consumer and corporate wrath on the Redmond, Wash.-based company.

Microsoft's service pack represents a solid step toward helping the overwhelming majority of customers who are not security-conscious enough to secure themselves.

But the attacks also compelled Microsoft to rethink how to provide improved security.

Nimda resulted in the Trustworthy Computing Initiative, a companywide program designed to prod Microsoft's development teams toward producing more secure code.

In the aftermath of MSBlast, Microsoft has refocused on security for its next update to the Windows XP operating system, Windows XP Service Pack 2. The changes feature an improved firewall, the ability to turn off pop-up ads and ActiveX controls in Internet Explorer and a control panel that will display the current state of a PC's security.

"One of the things that we really learned after August and Blaster is that...it is not enough to have the technology there; it has to be accessible as well," said Neil Charney, director of product management for Microsoft's Windows Client Group.

The aim is to bring ease-of-use concepts to security. The Windows Security Center will have a simple set of status displays, showing whether the PC is protected by a firewall and has the most recent patches. It will also make sure that the antivirus software is turned on and updated. Users also will be urged to turn on the basic security protections.

The company still hasn't put an indicator on the desktop for the most basic security function: backing up data.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Yet the service pack represents a solid step toward helping the overwhelming majority of customers who are not security-conscious enough to secure themselves.

Microsoft's focus on ease of security also offers an instructive example for the Linux world.

Historically, Linux has enjoyed an advantage in design and user education. Linux inherited its strength in design from Unix. In contrast, Microsoft has had to make sure that its products remained backward-compatible with its original Windows infrastructure, which treated security as an afterthought. Moreover, Windows users tend to be far less tech-savvy than those who use Linux.

However, from its Protect Your PC campaign to the coming service pack, Microsoft appears to have "got religion" about the subject. If Linux is to appeal to the general public, security must get easier.

Linux does have a wide variety of tools to secure a computer running the open-source operating system, but administering a system using the tools is relatively difficult. One tool, Nmap, checks for open data channels, known as ports, that could be vulnerable to an attacker; the tool, however, does not analyze which ports might be threats.

Another tool, Tripwire, creates a digital fingerprint of each important file on a computer and tracks changes to those files. While the software provides good security, it is so hard to configure and use that most users don't try to run the security check. (A company, also called Tripwire, makes a full-featured commercial version that is much easier to use.)

And a good backup utility that doesn't require magnetic tape is still hard to find.

As Linux slogs toward becoming a viable desktop alternative to Windows, proponents know that the battle may hinge on the ability of developers to integrate such security into major distributions. What's more, they must find ways to represent the results in an accessible way for average users. Speaking about the Linux user interface in general, Linux luminary Eric Raymond said as much in a blog that posted recently.

"None of this is rocket science," he wrote, referring to a problem he was having installing printer software using the application's user interface. "The problem isn't that the right things are technically difficult to do...The problem is that the (software) designers' attitude was wrong. They never stepped outside their assumptions."

Some projects are doing it right. A good example of a tool that has focused on ease-of-use is Nessus, which scans a network for signs of vulnerabilities and not only tells the user what it has found--but also explains why the issue poses a security problem.

Still, any Linux version that claims to be for the desktop might want to borrow a page from Microsoft's textbook and give users a central place to see the status of their data and computer system.

In the high-society circuit, they say you can never be too rich or too thin. So it goes that when developing operating systems, you can't ever make a product too accessible or too conscious about security.