You've done it: called up "ps" or Windows Task Manager and wondered "What the hell is THAT?". The answer might be easy: On Linux or Mac OS X anything that you didn't start up yourself will probably be found in "man" (though not always), and for Windows a quick Google will usually serve to identify the process.. maybe. Or maybe not, but even if it does:
It isn't enough.
I want to know a lot more. I want to know why this process is running, what it is needed for. I want to know its size on disk, its expected size in RAM, its checksum and more. I want to know when it was installed and when it first ran. I want to know how much CPU it should be grabbing, if it is using the network, the disk, and so on. I want a complete history of patches, when, where and why. I want a one-click way to freshen it and to roll back patches.
I want some assurance that it's safe. Does that seem like too much to ask?
Apparently so. We treat some things that way, but most system daemons are not given that level of attention. They may get individual attention from patches, but you'd usually have to dig hard to get the details. It's all very "black box".
Would this be difficult? It shouldn't be - all this stuff is known and a lot of it has to be tracked anyway, so bringing it to the user's desktop actually shouldn't be all that hard.. but who cares? Most users certainly wouldn't, so why make the effort?
Well, I think it would increase security. Right now we very much ignore the computer user as a source of intelligence for system security. Suppose, for example, that a zero-day exploit successfully compromises my Mac and replaces a system daemon. Right now we'd depend on things like TripWire or code signing to prevent or identify such breaches. Code signing was supposed to help in this regard, but as Larry Seltzer points out, the reality is that it really hasn't.
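As an added example (not the author's code), here is a Linux script that pulls most of the record the wish list above asks for out of /proc: executable path, on-disk size and SHA-256, resident memory, parent, start time, and the package that installed the binary. It also flags the replaced-daemon case from the zero-day scenario: once the file a process was started from is removed or overwritten, the kernel reports /proc/<pid>/exe with a " (deleted)" suffix. Assumptions: a Linux host, and dpkg for the package lookup (the function returns None elsewhere).

```python
import hashlib
import os
import shutil
import subprocess

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_bytes(f.read())

def parse_status(text):
    """Name, parent pid and resident set size from /proc/<pid>/status text."""
    f = dict(line.split(":\t", 1) for line in text.splitlines() if ":\t" in line)
    return {"name": f["Name"].strip(), "ppid": int(f["PPid"]),
            "rss_kb": int(f.get("VmRSS", "0 kB").split()[0])}  # kernel threads have no VmRSS

def start_time_epoch(stat_text, boot_time, clk_tck=None):
    """Field 22 of /proc/<pid>/stat is the start time in clock ticks since boot."""
    clk_tck = clk_tck or os.sysconf("SC_CLK_TCK")
    after_comm = stat_text.rsplit(")", 1)[1].split()  # fields from 3 (state) onward
    return boot_time + int(after_comm[19]) / clk_tck

def binary_replaced_on_disk(exe_link):
    """' (deleted)' on /proc/<pid>/exe: the file the process started from is gone or replaced."""
    return exe_link.endswith(" (deleted)")

def package_owner(path):
    """Owning package via dpkg -S (assumes a dpkg-based host; None elsewhere)."""
    if not shutil.which("dpkg"):
        return None
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return r.stdout.split(":", 1)[0] if r.returncode == 0 else None

def describe(pid):
    """Assemble the provenance record for one running process."""
    proc = f"/proc/{pid}"
    with open(f"{proc}/status") as f, open(f"{proc}/stat") as g, open("/proc/stat") as h:
        status, stat = f.read(), g.read()
        btime = next(int(ln.split()[1]) for ln in h if ln.startswith("btime "))
    exe = os.readlink(f"{proc}/exe")
    info = parse_status(status)
    info.update(exe=exe, replaced_on_disk=binary_replaced_on_disk(exe),
                started_epoch=start_time_epoch(stat, btime))
    path = exe.replace(" (deleted)", "")
    if os.path.isfile(path):  # size, hash and package of what is on disk right now
        info.update(size_bytes=os.path.getsize(path), sha256=sha256_file(path),
                    package=package_owner(path))
    return info
```

A daemon that was upgraded by a package manager but not yet restarted shows the same "(deleted)" flag, so treat it as a prompt for the owner to look, not as proof of compromise.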
I think adding the human element could be useful too: it's a lot easier to fool a computer than it is to fool its owner.
Well, I suppose that depends on the owner.. but I'm sure you see my point: the more information you make available to the human tapping at the keyboard, the better the chance of spotting anomalies. Sure, computer code can rapidly run through checksums, but we have the ability to see things from a higher level, and even the most computer-illiterate owner just might spot a problem if you gave them complete access to information.
Maybe I'm kidding myself - maybe Joe Ordinary wouldn't pay the slightest bit of attention to any of this. Maybe it wouldn't help a bit. Maybe..
Got something to add? Send me email.
© 2012-07-13 Anthony Lawrence