Security and Privacy in a Networked World/Operating systems

NOTE: This and a couple of the following, more technical topics make use of Wikipedia articles to provide a basic understanding of the subject matter (e.g. operating systems in this topic). These articles deal with technology and are not much disputed, having reached the common knowledge stage. They also provide some good links for further study in their reference sections.

What does an OS do
A computer without any software is only good as a decoration. Software is needed for word processing, web surfing, graphics and many other things. Yet another thing is needed - a 'middleman' between these programs and the computer, which also controls the different components of the computer. This middleman is known as the operating system (OS for short).

So the OS has two main roles:
 * mediator between the computer and the user. If we had to issue commands directly to the computer, we would have to use electric signals and binary code. Today's operating systems have come a long way - the early ones had to be controlled by a sophisticated command system, most modern ones sport a graphical user interface (GUI), and recent systems also support touch-activated displays.
 * controller of different devices. Clicking the Print button of our web browser sends the command to the OS, which in turn instructs the printer what to print and how. Likewise, the OS controls scanning images and displaying them on screen via the graphics editor, sending e-mail through the network interface, playing music via the sound card and speakers, and so on.

Read the Wikipedia article on OS: http://en.wikipedia.org/wiki/Operating_system

NB! Those with less technical background will likely find the "Components" section a tad too technical - grasping all the concepts there is not needed for this course. Yet, this kind of knowledge will not hurt either - so take it easy, but learn as much as your background allows.

Some remarks to add:

 * One of the first actual OS-es was released by IBM in 1964 - the OS/360 (later OS/390) that ran on the zSeries mainframe family. Interestingly enough, the family has survived to this day - the most recent addition was the zEnterprise BC12 from July 2013. The whole long line shares full backward compatibility, meaning that in principle, software from e.g. 1970 should run on the 2013 machine (compare this to e.g. Microsoft Office...).
 * At first, developing an OS was a major task suitable for a close-knit group of specialists (like a company or a research group at a university). Today, the ubiquity of the Internet has made it possible to create new OS-es in a variety of ways: there are systems that are run by companies (e.g. Microsoft Windows), purely by a community (e.g. Debian GNU/Linux), even by single persons (e.g. Slackware Linux) or anything in between.
 * In the early computers of the 50s and 60s, the necessary software (including the OS) came along with the computer - hardware was incompatible and most programs only ran on specific computers. With the advent of the PC-compatible class of computers (which means 'the' personal computer for many ordinary users), mass production of software took over. This also created a market for software - what was earlier a complementary tool (like a spare tire coming with a new car) became something that could be turned into a product. Since then, all proprietary systems - even those coming pre-installed on a new computer - have been paid for by the copy. Yet many people still assume that "Windows came with the computer" - this is not the case, even if the price is hidden.

Security in operating systems
Tanenbaum defines the overall goals of OS security as:
 * data confidentiality - meaning that only authorized people should get access to the data
 * data integrity - meaning that the data is valid and nobody has (accidentally or deliberately) tampered with it
 * system availability - meaning that the OS must be robust enough to handle overloads and various conflicts
 * exclusion of outsiders - meaning that the control of the computer must remain in the hands of the original owner (today, many computers fail this point by being controlled by remote attackers).

In the very old days, computers were elite devices, accessible to and run by just a small number of high-level specialists. Data security as such was a non-issue, as several factors contributed to it:
 * input and output devices were primitive - early computers typically had data entered via manual switches and displayed the results via indicator lights (later, printed output appeared). Thus specialized knowledge was needed to even understand the controls.
 * the workflow was distributed between computer engineers (the forefathers of today's sysadmins), operators, programmers etc. Mostly, only a few key people had access to the whole process.
 * software was incompatible - for years, all serious specialists wrote their own software tools. The complexity and personal nature of the work made "drive by" use by unauthorized people difficult.
 * hardware was incompatible - early computers were not connected to each other and were tailor-made specimens. Moving data was difficult, more so in secrecy.

In these settings, traditional methods of security - above all, limiting physical access by doors, locks and wardens - were enough. However, when computers came to be shared by several users, some kind of inner organization became necessary - this led to the development of various mechanisms like file access rights, user groups with different privilege sets etc. to prevent both accidental and deliberate tampering with user data by other users. Again, as computers were scarce, isolated and used by only a small number of people, these measures usually worked - and if they failed, the consequences were sorted out within the small community.

As computers became connected into networks, more measures were needed. Mostly starting with the appearance of Unix systems in the early 70s, computers (and OSs) started to be compatible with others in varying degrees - this was beneficial in many ways, but also raised several security issues:
 * unauthorized data leaks over the networks became a reality
 * compatibility also helped seriously buggy or malicious software to spread. A good example of such a half-accidental malware case is the infamous Morris worm from 1988.

Interestingly, the appearance (and later dominance) of personal computers (PCs) initially diminished the risk of data spreading in an unauthorized manner, as for a time most PCs were standalone and not connected to a network. On the other hand, the OS of the time - MS-DOS by Microsoft - was designed with exactly this situation ("one computer, one user", no networks) in mind. Later, when PCs started to connect to networks (and especially the Internet), the security shortcomings of the system became apparent.

MS Windows started out as a graphic shell (user interface) on top of DOS rather than a separate OS (Windows 3.0, 3.1, 3.11) and turned into a heterogeneous union of the graphic shell and the underlying DOS (Windows 95, 98, ME) - while the latter appeared to be complete operating systems, they in fact still had the two layers separate. Only the NT series (NT 3.1, 4.0, Windows 2000 and subsequent) were designed as full OSs with at least some consideration for the multiuser, networked environment (see Tanenbaum's book for more details - it is strongly recommended reading for those with an IT background, being one of the top sources on the internals of OSs).

Additional reading and links

 * TANENBAUM, Andrew S. Modern Operating Systems. 3rd Ed. Prentice Hall 2007
 * CARLTON, Jim. Apple: The Inside Story of Intrigue, Egomania, and Business Blunders. Crown Business 1997
 * GATES, Bill, MYHRVOLD, Nathan, RINEARSON, Peter. The Road Ahead. Penguin Books 1996
 * LEVY, Steven. Hackers: The Heroes of the Computer Revolution. 25th Anv Ed. O'Reilly Media 2010
 * MOODY, Glyn. Rebel Code: Inside Linux and the Open Source Revolution. Basic Books 2002
 * OSdata.com: History of Operating Systems. http://www.osdata.com/kind/historyna.htm

Study and blog

 * Task A (less technical - suitable for students with a non-technical background): compile a personal checklist for OS maintenance on your main computer (could also be a "my next computer" list starting with the purchase of the computer and post-purchase activities like installing an antivirus etc.). List daily/weekly/monthly etc. activities (both one-time and recurring) and assess their importance/urgency.
 * Task B (more technical - for those finding Task A too simple or boring...): try out Kali Linux (http://www.kali.org). Test at least three security tools coming preinstalled on Kali Linux on a safe and legitimate target (e.g. a dedicated test computer, your old laptop), focusing especially on the operating system. Blog your experiences - try to be as specific as possible without disclosing sensitive information (e.g. do not disclose your password etc).