SUBTERFUGUE motivation

Why was SUBTERFUGUE written?

We users of GNU/Linux and other Unix-like operating systems (collectively referred to here as *nix) sometimes indulge in a bit of smugness when we read about the ceaseless wave upon wave of viruses that plague those hapless legions of the damned--Microsoft Windows users. To a degree this feeling is justified, as the security features of Windows are a generation behind *nix with respect to this sort of problem.

Our faith in the superiority of *nix security is somewhat misplaced, though. For the coming battle, *nix is almost as defenseless as scorned Windows.

When people think of *nix security problems, they usually think of transitory security lapses caused by implementation and administration mistakes, rather than the broken-by-design problems of Windows. Historically, security has been thought of as a user-versus-root problem.

Today, though, the user frequently is root (being the owner and primary user of his Freenix PC) and faces instead the more insidious user-versus-application problem. Suppose you download a viewer application from Redmond Pandemic, Inc., and run it. At that point, that application can do just about anything that you could do using your account. It can, for example:

  • surreptitiously monitor what you view and report back to RPI,
  • steal your files, uploading them to the net,
  • erase your files,
  • make subtle modifications to your files, causing problems you may not detect for a long time,
  • install rogue applications (e.g., DDoS clients, password sniffers),
  • send threatening, incriminating, or libelous email,
  • make financial transactions on your behalf,
  • download incriminating files (e.g., child pornography) onto your computer,
  • etc., etc.

Much of this you would probably detect eventually, and for some of these cases you might have an action against RPI, assuming that you could pinpoint them as the cause and summon the resources to engage them legally. In the meantime, though, you could suffer great, irreparable harm.

A related problem is the system administrator's dilemma one might call root roulette. In this situation, the administrator must run some program (e.g., an installation program) as root, thereby putting his entire system at the mercy of that program. (This is disturbingly similar to the case of Windows users blithely executing "run me" programs they receive in their email.)

It is theoretically possible to run the root program safely by disconnecting the host from all networks (assuming the program doesn't need a network connection), and carefully comparing the state of all files before and after the program in question is run to ensure that nothing untoward was done. This is, though, simply unworkable in practice.
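To make the before-and-after comparison concrete, here is an added illustration (not SUBTERFUGUE's own code) of what that unworkable procedure amounts to: hash every regular file under a tree before the untrusted program runs, hash it again afterwards, and report what was added, removed, or changed. The sample tree and the simulated program side effects in `run_demo()` are constructed for the demo; the helper names (`snapshot`, `diff_snapshots`) are this example's own.

```python
"""Before/after filesystem snapshot comparison (added example, not SUBTERFUGUE code).

Records type, permission bits, size and a SHA-256 digest for every entry
under a directory tree, so that a content change which keeps the file
size (and could be given a faked timestamp) is still detected.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each path under root (relative) to (kind, mode, size, content-id).

    mtime is deliberately left out: a program can reset timestamps, but it
    cannot make a changed file keep its old digest.
    """
    root = Path(root)
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()  # lstat: record symlinks themselves, don't follow them
            rel = str(p.relative_to(root))
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISREG(st.st_mode):
                state[rel] = ("file", mode, st.st_size, _digest(p))
            elif stat.S_ISLNK(st.st_mode):
                state[rel] = ("symlink", mode, 0, os.readlink(p))
            elif stat.S_ISDIR(st.st_mode):
                state[rel] = ("dir", mode, 0, None)
            else:
                state[rel] = ("other", mode, 0, None)
    return state


def diff_snapshots(before, after):
    """Return sorted lists of paths that were added, removed, or changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def run_demo():
    """Build a constructed sample tree, simulate an untrusted program's side effects, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("hello world\n")
        (root / "config.ini").write_text("[app]\nverbose=0\n")
        (root / "old.log").write_text("stale\n")
        before = snapshot(root)

        # Simulated "untrusted program" (constructed): a same-size content edit
        # that a size-only comparison would miss, a deletion, and a new file.
        (root / "docs" / "notes.txt").write_text("hullo world\n")
        (root / "old.log").unlink()
        (root / "extra.txt").write_text("dropped in\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Even on this tiny tree the approach only tells you what was left behind on disk; it says nothing about what the program read or sent over the network, and on a real system the tree is enormous and changes constantly for legitimate reasons, which is why the text calls it unworkable. Watching the program's actions as they happen, rather than auditing their residue afterwards, is the gap SUBTERFUGUE is meant to fill.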

So far, problems due to these shortcomings are relatively rare. This may be due in part to *nix's limited use as a client OS up to this point. But this respite won't last.

There are corporations and other entities out there that don't see your computer as your property--they see you, or at least your behavior while running their software, as their property. We see them pushing and stretching the boundaries all the time. Increases in computing power and network bandwidth and changes in the political and legislative environment are making it all the more tempting for these entities to "borrow" part of your computer, and by extension part of you, for their purposes.

The primary goal of SUBTERFUGUE is to help you keep control of your computer. It can do this not only by flagging and blocking errant application behavior, but also by allowing you to subvert the goals of the application in a more general way by controlling its reality. It's not meant as a replacement for using free software, which is a key way for you to maintain control of your computer, but it can help you to detect perfidy and regain control over any software, free or not.

Computers exist to serve humanity--not the other way around.

SUBTERFUGUE exists to shift power back to where it belongs--to you.