Law No. 2

By Larry Seltzer  |  Posted 2008-10-07 Print this article Print

Law No. 2 states that If a bad guy can alter the operating system on your computer, it's not your computer anymore. In a way, this is a corollary of law No. 1 because the attacker would probably have to run his own code in order to alter the operating system on your computer, but Johansson points out that the operating system, as a practical matter, is a huge and complicated beast, incorporating not only program files but settings, for instance in the registry or ACLs in the file system.

He also points out that there are files, such as edlin.exe, which are part of the operating system but which could be modified with no meaningful consequence to the system. But if an attacker can alter edlin, they can probably also alter more important files. If they can alter edlin then some important defense of the system has broken down, and the system as a whole probably has to be considered untrustworthy.

Law No. 3 is one I've written about many times: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. This is the 1 of the 3 for which things may have changed the most. In 2000 it was absolutely true. Culp makes passing reference to the then-new EFS (Encrypting File System) in Windows 2000, but it had very little real-world footprint at the time. Also, since it's not a full-disk encryption system, there were limits to the protection it could provide. As Johansson points out, there are plenty of tools available, in the form of boot disks, to reset the administrator password in the local SAM (software asset management) hive.

Full-disk encryption, an increasingly popular technology in enterprises, makes this much harder. It's possible to configure such systems so that the system credentials, and therefore the encryption keys, can be obtained, but it's also possible to defeat these attacks through the use of 2-factor authentication.

Bottom line: Law No. 3 has some clear exception cases, but for the large majority of us it still holds. And the exceptions are not just new technology, but inconvenient, so they are unlikely to be widely adopted any time soon.

There is a history of critics pointing to all of these laws, especially No. 3, as excuses by Microsoft for not fixing their own problems, but this is shallow thinking. It's easy to demonstrate that they all apply to other platforms as well. Consider No. 2, about modifying the operating system: rootkits, the ultimate form of this compromise, originated on UNIX many years before they were on Windows. Perhaps Law No. 11 is that a security problem doesn't become important until it affects Windows.

We'll see how things work out for laws 4 through 10 as Johansson sees it, but I see a pattern. The improvements in security in recent years are designed to help you avoid the situations embodied in the laws, not to break the laws. There has been some improvement around the margins, but basically the rules are standing.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel