Viruses and Market Dominance - Myth or Fact?
rocketjam writes "An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms. Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms."
If at least ./ authors could turn on their brain before writing an article. Linux is not Unix-based. That's what SCO is trying to tell people. It is a Unix-like system. Stop spreading SCO's FUD, please!
i wonder what the commercial applications/implications of this are? any takers?
I've NEVER EVER EVER had a virus. Ever. I've never been infected.
He says "There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux."
What about root kits? I would consider that a virus, not technically speaking, but it's still along the same lines.
by Anonymous Coward on 05:25 PM October 6th, 2003 (#7148096)
Opinions are like assholes, everyone's got one.
And they all stink.
there would be just as many viruses written for those platforms Probably, there would be as many viruses written, or more, but the effect of the viruses would have been different. As to whether the effects would have been not as bad, equal or worse is difficult to answer.
New year Resolution: Don't change sig this year
is that the relative difficulty a newbie has doing things in Linux makes it more secure.
And the network effect he mentions is really just a more sophisticated version of the "everybody uses Windows" argument he disparages.
I'm not qualified to comment on his technical arguments...
Sure you can mess up a Windows system easily. I could just as easily compile some code without reading every line of the source and have my entire home directory wiped out, which contains all my settings and documents, you know the important stuff. Every system can be damaged, the extent will vary, but you still need to be careful regardless of the OS you use.
"Check out this wicked screensaver!!!! But it um, only runs as root, so you have to su first. Also, chmod and make it executable, please. Thanks!"
I think Windows systems suffer more from vulnerabilities at the operating system level (possibly because it tried to integrate so many things) than application level (though they do exist). In Unix like environments, it is the opposite. The operating system is generally secure against remote attacks but it is the applications that run on top of the OS that introduce vulnerabilities.
As long as there is software there will be bugs, no matter where it is run.
Since many Linux distributions are trying hard to convert desktop users, they are also diminishing the steps required for the launching of an executable virus, thus diminishing security.
If Linux becomes more popular, media recognition and increasingly "dumbed down" distros will make it a good platform for virus writers.
People tell me this crap too but they fail to see the MAIN difference is that we do not login as root in LINUX (or at least I do not)
However I do see more problems as far as outdated (not patched) systems getting exploited.
unix based systems run many more daemons that are inherently more vulnerable than microsoft products.
outlook is an easy target because it allows tons of scripting and has access to more email addresses to propagate... it is just 1 tool that corporate america has deemed necessary. it isn't the OS's fault, it is outlook and if linux blows up, then "outlook for linux" would be just as vulnerable ON TOP OF all the other client server bugs.
i agree whole heartedly that market dominance dictates what viruses are written to attack. as a virus writer you want maximum penetration and the only way to get that is to go after the most possible hosts.
from the scientific journal "duh".
The author seems to have a single point--Unix machines have security built in at a ground level (primarily because the root user really is the only one with power to mess things up) and a bunch of fluff material to fill out the article. I figured this guy would look at the systems from a usability standpoint and realize that sometimes you need an OS that has to allow you to install things even if you are clueless, because you don't have a full time system admin. Maybe if he spent more time researching what people actually use computers for instead of using his security buzzword hammer (Social Engineering!) he might have actually put together an insightful article instead of a bunch of not well thought out drivel.
For us oldsters, who were around when Microsoft finally woke up to the significance of the internet, the security problems that M$ faces coincide with their desire for market dominance.
MS quickly created some powerful internet enabled applications. Outlook is the best example. In order to provide so many 'innovative' goodies and features they had to sacrifice security. Deep system hooks and then trying to justify their inclusion of Internet Explorer forced them to tie IE deeply to the system. A great example of short term profiteering at the cost of long term credibility.
Just my opinion. But I am 37 and my degree is in International Relations!
ONE LOVE!
Grampy
I don't know how in the world someone can write decent viruses to attack such cobbled-together OS's as Linux. I'm running Slackware 8.1 now, (sort of), but I really didn't get the CD's, or install everything like I should. Oh, I got it to work, and I'm using MozillaFirebird right now. So somebody writes a virus to attack me. Well, I can just reinstall the entire thing all over again. Now Windows XP, which I cannot afford (costs $160.00,way more than my computer is worth) is supposed to be quite the target these days.
Of course Windows is more prone to malicious code execution. An OS that doesn't truly enforce permissions based code execution is going to be ridden with these problems. And yes, even those OSes that are permissions based like Unix and Linux will still have certain vulnerabilities. Nothing is perfect. The difference? Bad software engineering (Windows) vs good software engineering (Unix and Linux).
Isn't the fact that Windows's vulnerabilities are well known a product of its widespread use? I mean, this just sounds like a self-fulfilling prophecy of sorts.
Not that it matters to those of us who never patch, no matter what OS you're running. I administer a Win2K based server that has remained stable because I patched it religiously and made sure that it was not easily compromised, and so far nothing has happened to it. (In fact, I had a "white hat" come in and try the usual round of exploits on the box, and none worked.)
OTOH, a friend of mine administering a Linux server was too busy bragging about his non-stop uptime to upgrade to a non-exploitable version of Apache and got his site defaced. Twice.
It's not the OS, it's what you do with it.
Honorary Member of Jackie Chan's Kung Fu Process Servers
None of the Unix or Linux viruses became widespread - most were confined to the laboratory
Surely slapper?
"XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward
Please. Let's just remove this comment.
Stupid users.
If Linux (or any other OS) is going to be accepted by the idiots who allow viruses to spread (the majority of users) mail-clients that can exec an attachment with one click will have to arrive.
The thing that allows viruses to spread is people that want everything done automagically.
Death has been proven to be 99% fatal in lab rats.
"Opinions are like assholes, everyone's got one."
And they all stink.
Well, not necessarilly. My girlfriend's asshole smells like flowers. It doesn't taste too bad either.
RMS commented on this issue earlier this year:
There are several reasons why GNU/Linux has few viruses:
If everyone switches to GNU/Linux, reason 4 will go away, but not the others. Therefore, people can expect to have much fewer virus problems in a world of GNU/Linux users than they have now with Windows.
--END-OF-RMS-TEXT--
Expert in software patents or patent law? Contribute to the ESP wiki!
If people just stopped using Outlook and only used plain text email there'd be much less of a security problem... I doubt Gabe over at Valve is going to be using it again any time soon.
i thought virus-writing is based on the desirability rather than the ease. so as long as an OS is popular and spot-lit enough, there will be enough people to do so.
and the article mentioned a linux-based OS without root privilege will only damage one's /home directory. personally i think that kind of destruction is enough to damage an OS's security reputation.
- YOUR HAVE NOW RECEIVED THE UNIX VIRUS -
This virus works on the honor system:
If you're running a variant of unix or linux, please forward
this message to everyone you know and delete a bunch of your
files at random.
Dogma - "let's just say we'd like to avoid any empirical entanglements."
Luckily I've already responded to the author in person before this became /.ed.
As I've pointed out to the author, being just a "normal user" is enough to let the virus spread and to destroy the "normal" users documents.
I keep seeing this argument over and over again when talking about system stability. But my system would be next to useless if all my documents and configurations would be gone. Maybe it would be easier to recover from backup instead of a full reinstall, but that would be it.
Most pc's out there are single user (or single family) computers, instead of the old multi-user mainframes. All the important data are in reach of the virus.
If I get a response I will let you know...
Yes, until someone decides to add that functionality to a mail program. Things like having a 4 step process to read email attachments is WHY linux is not seeing mainstream growth. The average person cares a heck of a lot more about convenience than security.
This was my favorite paragraph:
This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. As Martha Stewart would say, this is a good thing.
The protection comes from being harder to use!?!?! But it gets even better:
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.
I've found the community's respect for newbies is boundless.
Seems the author misses the very obvious point that many of the weaknesses in Windows are there for user-friendliness. Making it easier for users to open attachments & see HTML mail is practically a requirement for the great mass of users. Yes, they're clueless, and yes, it would be nice if they could get over their fear of slightly more complex interfaces. But it ain't gonna happen.
... Linux in its current form will never be as popular precisely BECAUSE of those same limitations. It's practically a tautology that any popular operating system, in order to become popular, must make compromises that make worms inevitable.
Yes, if Linux _in its current form_ was as common as Windows, it would be much more secure. But we might as well wish for green eggs & ham
... that Microsoft's vulnerability-prone. However, I'm not so quick to accept this guy's suggestion. Viruses are only successful to the author of them if they cause a lot of mischief. Why target a handful of Linux or Mac boxes when you've got a common base many many times larger?
This guy is right that Windows security sucks, but it's ignorant to dispute that the sheer number of Windows machines out there makes it an attractive target. Look towards Blaster if you don't believe me.
"Derp de derp."
It's just that nobody does them because it's not as fun. There has been for a long time a backdoor that allows hax0rz to gain access to your system.
Don't believe me? Then do this! Press alt+printscreen+b! This sends a secret signal to the kernel to open a back door.
PRESS IT AT YOUR OWN RISK!
One of the things that makes Linux a poor target for virus writers is an almost bewildering array of platforms, kernels and architectures.
System binaries are often in different places even on the same distribution, depending on whether you are using package management or compiling source and sometimes run as different users.
I've seen about 5 different schemes for laying out apache on the disk and i bet there's tonnes more. and i've seen some old solaris admins that move to linux feel the need to move important binaries into /etc.
there are a lot of reasons why linux has less viruses than windows and none of them have to do with marketshare or bad admins. That being said, i wonder if it couldn't hurt to fuck with your filesystems just in case i'm wrong...
Any OS is only as secure as the user. When an OS has as much market dominance as windows, it will have a lot of stupid users who do things like open email attachments and not install security patches.
That's why any dominant OS will be a prime target for virus writers.
Jason
ProfQuotes
You can't infect a normal system executable from a normal user on a normal UNIX-like system which, IIRC, is how most true viruses work on Windows. There are security holes; but then again, there are security holes in all software.
If Linux were as popular on the desktop as Windows is, there would be thousands of crappy apps from stupid vendors making the attack surface about ten times greater than what it is today, even ignoring all the r00tkit exploits that stupid sysadmins running unpatched Apache boxes get to know so well when some kid defaces their website.
Oh yes, there would be a wildly popular Outlook Express equivalent that would give you a "rich internet experience" by allowing aunt Martha to email the joke of the day and executing bash scripts on arrival.
There would also be about 100 distro "vendors" pumping out "teh gratest Linux yet!" with insecure shit running by default out of the box. Take the recent SSH vulnerabilities and apply them to this scenario - millions of zombied boxes pumping out billions of "Taste the latest internet pack from teh $CO corp." messages.
The oft-quoted "given enough eyes, all bugs are shallow" goes to hell real fast when the problem becomes "given enough unpatched boxes, all worms are happy".
And besides, by that time everyone who is '133t' enough would have moved to some other OS because Linux would be too "mainstream" and "lame". Heck, even today most of you people think Lindows and Lycoris (along with RedHat) are the scum of the earth.
So carry on with your wild dreams of technological superiority. Me? I just want to write some code and play some games. Windows works just fine.
The article DOES miss out on all the MS-office macro viruses that affect the mac.... which effectively raises the total of mac viruses above the otherwise correct 40-ish.
OTOH.. you can still lay the blame for that on MS's door.
Obviously people would target those platforms if they were more popular. But more often than not, developers on those platforms wouldn't be stupid enough to create a hole like outlook visual basic script execution on mail open!
And why the hell do system DLLs/procs on my Windows machine need to access the internet? they dont, i block them and the OS still works fine.
No OS is perfect, but some just leave poor hackers laughing on the floor with tears coming out - how can they possibly resist exploiting such stupid flaws? It's like drawing on the kid that's asleep at the desk in front of you!
This comment does not represent the views or opinions of the user.
With the popularity of any OS, it is quite likely that you are going to get an increase in script-kiddies, etc using that OS and thus hacking at it.
Also, while you might get credence for hacking secure webservers... the major ones are fairly tight, and it might actually be easier to simply look up the hack-of-the-day and write an exploit. Even linux is vulnerable to this if they catch you before a patch. By hacking many windows boxen... said script kiddy can at least say "See all that, I did it! Look at how leet I am" to all his friends just before the FBI come and haul him away...
Windows "out of the box" is as wide open as the goatse.cx guy. Linux by default usually has some tiny backdoors (say, unpassworded LILO) and is generally hard to break into. Now assume, breaking into the system using self-sustaining program (like virus - you deploy and it proceeds on its own, without "external help") is quite a bit harder than breaking in "manually" (i.e. trying different exploits, snooping, spoofing etc). If Linux is so much harder to break in manually, it's just as much harder to spread viruses.
Plus the "flavour" factor. If there were as many as different "windows distributions" and windows was as customizable as Linux, the viruses would have much harder time to find "exploitable system".
Now, when we are past the political differences, we may consider how "technically" harder is it to write Linux viruses.
In order to eliminate viruses, you either need to eliminate the stupid people who run them, or make the operating system so impossibly hard to use, that the stupid people who run viruses won't be able to use them.
Seems kinda like getting rid of traffic accidents by making it so nobody can drive a car.
Slashdot excels in old news!!
If money grew on trees, you could say that there would be no more robbery or killings for money. But could you REALLY say that without knowing unless it happens?!
While poor programming may lead to holes, it is only widespread use (and frequency of use) that brings these holes to the surface. There are all sorts of holes found in Linux, BSD's, many open source software, etc, and considering their user base is much smaller, one could venture and say the products put out by microsoft are actually *safer* than open source. Think about it!
A blog like any other.
How long till the author of the article gets fired? Er wait...
(First off, the author's point is that *nix is, by its very nature, more secure.)
Another reason for the greater viruses for Windows would be motivation. Simply take a look at Microsoft. A convicted monopoly, seeking (as far as I can tell) to control the world, and generally not-very-nice people.
Compare this with Mac. The icon of the counter-culture, and known for doing things the 'right way', they are simply cool.
Next, compare with Linux. A distributed project, with versions existing for almost all users, and the option to create your own if you dislike all of them.
With both Mac and Linux, there is little or no reason to hate those behind it, and so damage their work. With Windows, this is quite easy.
It is clear the author of this twaddle has never worked with the masses supporting any type of computer system. If he had, he would know that explaining the steps to open an email attachment and giving it executable permissions to 80% of end users would be like teaching a dog to drive. I get the same blank stares from my "charges" every day while explaining the most rudimentary computer related tasks. If I hear "I am not a computer person" one more fricking time, I am going to go on a 5 state killing spree!!
I welcome the ease of use of Windows and I am happy to pay for the virus protection and fix an occasional fuck-up. At least it keeps those blank stares from cluttering up my dreams at night.....
What about wrapping a virus around a rootkit?
Once anything has root access, it's tough to stop it from making a great many changes to a system, and worming into other systems with the same vulnerability.
This isn't very different at all from the Windows viruses, where almost everything runs with admin access.
I'd say that Linux is a VERY tempting target on the server front, it's just that those systems aren't only under a more watchful eye than the common workstation, they're also usually locked down more tightly out of paranoia.
Now that Win2000/XP has a "Run As" feature built in, home users really shouldn't have default admin access anyway, so it's more of an issue of defaults than anything else.
This is, of course, coming as long-time Linux admin/Windows PC owner/current Mac OS X user. I've seen all three platforms, and Windows isn't really that bad if you just a) set it up properly, and b) train the users. Perhaps if Microsoft actually made a point of enabling privilege separation out of the box, it wouldn't have all these problems. Of course, this is exactly what's wrong with Lindows, ironically enough. It's engineered just fine, it's just not set up right.
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
Symantec's new 2004 package with required product activation is highly entertaining, as it now suggests that I buy four! copies for my personal PCs alone.
Give them a call and tell how you feel.
1-408-253-9600. Hit 3, and then ask to speak to a senior supervisor.
If you are running linux, press alt+f2, and type the following into the run command box
/dev/mem
yes >
If your computer crashes doing that, then your version of linux is not secure. Secure versions of linux will give a permission denied message.
A server and a desktop are two very different things as you all know (or should). A server could be exploited by a password insecurity and much damage done, but the server would need to be specifically targeted. A desktop on the other hand is not as valuable individually and so less effort is going to go into 'hacking' it. A desktop is also going to have less to defend it and be more vulnerable to these hacks. Open source allows servers (and desktops) to be patched hours after a major problem is found. Proprietary may take days to fix. A desktop that gets hacked is not a serious problem. A server is. So use an open source OS for a server AND patch it regularly AND use algorithmic passwords (the server doesn't need to be accessed by more than the admins and they can remember an algorithm). Desktops can continue to be dominated by windows but if you want to see safe servers they need to implement these security features.
-Tim Louden
The number of viruses doesn't map directly to "OS is safer." There are lots of factors, like motivation to create malware, and ease of injection that come into play, and ease of injection is an application issue more than it is an OS issue. Small modifications to the most popular mail application on each platform would have more effect (discounting worms) than anything else outside of motivation of malware authors.
Secondly, the author obviously lacks clue- modern Windows OS' do *not* execute files based on file type, its a combination of reading the first N bytes of the file, and file type. Rename any .exe to anything else and click on it on a Windows host.
If you have to go back 4 years to get security bulletin examples, it's because you don't have sufficient information- there are ~30 unpatched IE vulnerabilities that affect IE and Outlook that are public, and another ~20 that aren't. You don't have to go back to 1999 to find examples of why the platform is seriously hosed.
It's also too bad the author doesn't address rootkits, because it's important to give some overall malware pictures to show that everything isn't rosy on either side of the fence.
*nix is definitely in a better default state, but it's not the OS that makes that possible (heck, NTFS has filesystem attributes that could likely help.) It's too bad someone with a better understanding of the issues didn't write this article, there are too many holes for serious *doze admins to poke in this one to make it worth passing around.
[Addressing exec-shield and worms would have given a really good argument for Linux, for instance.]
Paul
http://www.pauldrobertson.com
One thing the article pointed out that struck me was this... it is possible for the limited user to damage the system, yet from a practical standpoint the "limited" account is basically useless. Perhaps the guest account is MORE secure, but you can only have one. This in essence nullifies all of the windows xp account features.
you are dealing with technology and paradigms that were cutting edge when Manson was a free man.
Just gotta love this: advocacy disguised as so called 'objective journalism'. Firstly, the point is moot: 'what ifs' are not a valid line of reasoning. Perhaps Linux would be less vulnerable - but we will never know, because it is not as popular a desktop system, as MS stuffy thingee is.
Secondly, maybe the very aspects of Linux that would prove it more secure render it less popular. Actually, I am quite certain that this is the case.
Besides, I do not think anyone in his/her/its right mind considers Linux superior just because its concept is so dated.
-m-
I would like to die like my grandfather did - sleeping. And not screaming in terror, like his passengers.
Yet another article by some halfwit who believed he can stand on a soap box and profess to the inherent security in the Unix operating system. I've used Unix and Windows of all flavours and only a nob like this guy could talk such drivel. I know that in Unix it's more likely that someone will take advantage of an already +x'ed program like Perl, bash or sh to do their handy work - it would take a different kind of virus writer but someone with the wit could still do it.
Windows isn't any less secure than Unix and I think that most Unix users who really *do* know what they're talking about would admit this - I also take the point that it's the apps and not the OS that are to blame - hell someone with more time than sense should write an Outlook clone for Unix just to prove the point.
The other thing that made me smile was the comment about the guy's default e-mail client - Jesus some people forget that computers as tools are only as good as the software that you run on them and personally i prefer to make an informed choice and have the options of running more than a handful of "guy in his bedroom" apps that have less zero functionality - if Windows is so freaking bad then why do people (including veterans of the computer industry like myself) continue to use it? You prepare yourself, protect yourself with good virus software and laugh at the virus writers that do their half-assed job to infect your machine....
Meanwhile i run a bunch of great apps, games, development systems, graphics systems and games..... I can live with that..
"mac virus" 1,260,000
"linux virus": 2,410,000
"windows virus" 5,620,000
Looks like THAT theory is blown...
With wine slllloooowly maturing, i wonder if we're going to start seeing more of the windows viruses affecting linux computers? And as someone else has pointed out.. losing the ~ directory is bad enough..
This sorta stuff has got to be a good indicator of how well wine works: http://appdb.codeweavers.com/appview.php?appId=27
For those interested, there's a rebuttal linked from Newsforge which pretty much summarizes a lot of the points made here.
Direct link to the article here.
I do wish I could get a good, clear, Linux-favoring argument on the security level (or any other level for that matter). I really am concerned about personal zealotry and the less I come off as a Penguinoid, the more believable/convincing I would be.
In MS clients "Exchange Client" and later "Outlook" somebody who receives text written with Word (yes they did it before) or HTML simply can't even choose "view always as plain text".
MS added this feature to Outlook 2002, but you get it together with the famous "activation" which is there not "to protect piracy", but to make you pay for a new Office each time you change machine (since activation IS bound to the hardware)! Talk about MS tax.
Could this also be why programs on linux are hard to execute and get running for new users?
.....
If you think not that is because you are an educated linux user who understands the instructions for getting applications to run... as for users who did not know you had to grant exe rights.. or that you had to run the make file.. or i love.. oh because you have kernel 2.56.43.2 you have to do A but if you have 2.56.43.1 you have to first get x then b then u
flame? no, just a little over worked......
Lets see what a program can do under Linux if we run it as a normal user..
1) Copy itself so it starts at startup for that user? Check
2) Send itself to everyone in your email directory? Check
3) Delete your home directory (where all your most important files are)? Check
Also, saying "you have to chmod +x executables" isn't going to save people much, because users are going to have to do that somehow to files they download from the internet / mails they do want to run.
Combination - fun iPhone puzzling
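The argument in the comment above (an unprivileged process cannot alter system executables, yet the user's own startup files and documents are all within its reach), as an added audit sketch that is not part of the original thread. The uids, paths and the `SAMPLE` stat table are constructed; the check covers classic mode bits and the sticky bit only, and ignores ACLs, capabilities, immutable flags and read-only mounts.

```python
import os
import stat
from types import SimpleNamespace

W, X = 2, 1  # write and search bits within one rwx triplet


def class_bits(st, uid, gids):
    """Return the rwx bits of the single POSIX class that applies to uid.

    Exactly one class is consulted: an owner with mode 0o077 is denied
    even though group and other would have been allowed.
    """
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def within_reach(path, uid, gids, stat_fn=os.stat):
    """Decide whether code running as uid can modify or replace path."""
    try:
        st = stat_fn(path)
        parent = stat_fn(os.path.dirname(path) or "/")
    except OSError:
        return False, "missing"
    if uid == 0:
        return True, "root bypasses mode bits"
    if class_bits(st, uid, gids) & W:
        return True, "file is writable"
    pbits = class_bits(parent, uid, gids)
    if pbits & W and pbits & X:
        # In a sticky directory (/tmp) only the file owner or the
        # directory owner may unlink or rename an entry.
        sticky = parent.st_mode & stat.S_ISVTX
        if not sticky or uid in (st.st_uid, parent.st_uid):
            return True, "parent directory is writable, file can be replaced"
    return False, "read-only for this user"


def survey(paths, uid, gids, stat_fn=os.stat):
    """Map each path to (reachable, reason) for the given identity."""
    return {p: within_reach(p, uid, gids, stat_fn) for p in paths}


def entry(mode, uid, gid):
    """Build a stat-like record for the constructed sample table."""
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)


ALICE, BOB = 1000, 1001  # constructed uids, not taken from the thread
SAMPLE = {  # constructed filesystem metadata
    "/usr/bin": entry(0o755, 0, 0),
    "/usr/bin/ssh": entry(0o755, 0, 0),
    "/home/alice": entry(0o755, ALICE, ALICE),
    "/home/alice/.bashrc": entry(0o644, ALICE, ALICE),
    # Root-owned and read-only, but it lives in a directory alice owns.
    "/home/alice/.profile": entry(0o444, 0, 0),
    "/home/alice/Documents": entry(0o700, ALICE, ALICE),
    "/home/alice/Documents/thesis.odt": entry(0o600, ALICE, ALICE),
    "/tmp": entry(0o1777, 0, 0),
    "/tmp/shared.sh": entry(0o755, BOB, BOB),
}


def sample_stat(path):
    """stat() replacement that reads the constructed table."""
    try:
        return SAMPLE[path]
    except KeyError:
        raise FileNotFoundError(path)


def demo():
    """Survey the constructed files as the unprivileged user alice."""
    files = [p for p in SAMPLE if "." in os.path.basename(p) or p.endswith("ssh")]
    return survey(files, ALICE, {ALICE}, sample_stat)


if __name__ == "__main__":
    for path, (ok, why) in demo().items():
        print(f"{'REACHABLE' if ok else 'protected':9}  {path}  ({why})")
```

To audit a real account, call `survey()` with real paths, `os.getuid()` and `set(os.getgroups())`, leaving `stat_fn` at its default.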
One sec, I gotta reboot... *smack*
Whoa... For a second there I thought I was running Windows. What a nightmare!
I like big butts and I cannot lie.
Have YOU already patched your OpenSSH and OpenSSL packages and sealed the latest holes ?
;-)
If not, do it now, PLUIIISE
I will say first of all, the article is an op-ed, not well researched, and very biased.
The author should ignore ALL Outlook, mIRC, MS - Office viruses, and just discuss the 3000 (my estimate, not going to research it either) Windows viruses. The fact that he lumps dumb VB macro viruses in this article blows his whole position.
That said, I would not only agree that market dominance can lead to more vulnerabilities discovered, but extend that to also include animosity towards MS as a big contributing factor.
If you want to look at the social reasons people develop viruses, I think that would make a good discussion as well. It's too easy to just blame MS for having a buggy OS. The author should try thinking shit out before just regurgitating the anti-MS spew.
what? what I thought we were in the trust tree in the nest, were we not?
Red hat for example, comes with a number of insecure daemons running. Most other distros do too until you get the rc files to not run samba and inetd etc. This makes the uneducated newbie insecure.
... without ever contracting a single virus.
why? because i never install outlook.
it really is that simple
Most of the arguments presented by the article can be dismissed once the lowest common denominator is taken into account. Your average *CONSUMER* does not like having computers being more complicated than they 'really need to be'.
If and when the so-called great Linux revolution occurs, distros will have to keep the needs of the average consumer in mind. Y'know, the people who outnumber your average slashdot reader in droves? Most of these people have no desire or need to really learn anything beyond what it takes to turn on the machine, open a browser and check their email, maybe running an IM client and the occasional game. Having any expectations of them learning commandline tools such as chmod is pushing it. Microsoft's design choices weren't always out of their own stupidity so much as knowing the majority of potential customers -- the customers with the biggest numbers, thus ones you'd need to be a dominant OS -- aren't informed and *don't wish to be*.
Feel free to wring your hands over it.
The premises of his entire argument are not very sound. He talks about how Linux is safer because it is difficult to run an attachment without knowing how to save it / set execute permissions, and how you can 'only screw up your /home directory' since you don't run as root.
_Really_ think about this one. In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic. Installing apps should be relatively simple as well. Look at Lindows! You run as root. Tie that in with a couple of "intuitive" features in a mail client, and you have a handful of rootkit'ed machines.
Plus, what if everyone magically rolled to Redhat 7.3 when it came out, ditching Windows altogether? Since then, we've had two SSH vulnerabilities. Sure, those using Linux applied the necessary patches / updates and we're all safe again... probably within minutes.
But "Regular User Guy" won't apply that patch. Multiply that by a million users. Now you have millions of machines out there running a rootable linux box.
OSes will have vulnerabilities. They need to be patched. It ALWAYS comes down to the user. Will Linux be 'safer' than Windows (i.e. less vulnerabilities / worms)? Possibly. But it certainly has nothing to do with its difficulty to become root or inconveniences of a mail application.
DrPascal: Not the language, the mathematician.
I don't like the way he keeps mentioning OS X in the same breath as Linux, but neglects to point out the differences.
OS X was designed from the beginning as a desktop OS, and the designers have taken these issues into account. For one thing, the root account is disabled. It is not trivial to enable the root account, and it isn't even necessary.
Secondly, even though OS X ships with a standard mail client it's a good mail client. It can't run applications or scripts with a single click, HTML email is limited to display, no JavaScript can run, and plug-ins don't work.
I wonder if Apple should thank Microsoft for setting such a bad example!
www.lucernesys.com Horizon: Calendar-based personal finance
I think you are confused because you have only installed and used idiot linux distros.
Also, I have never seen a linux box running the "quote of the day" service. (ie. nmap your windows xp box)
The part I find ironic about this article (most of which I agree with) is that some of the world's first viruses were written for, and designed to run on, UNIX.
At least the early work by Dr. Fred Cohen was certainly done on a variety of boxes, and UNIX figured prominently.
The shell viruses were particularly interesting to me.
His book A Short Course in Computer Viruses, ASP Press (1991) is a fantastic read, even for its age.
-- clvrmnky
Which, IMHO, is why Linux hasn't taken over the desktop market. People like things simple! If Linux was reengineered to accommodate the average desktop user, would it still be secure? I think not.
Yeah, it's a double-edged sword. The same convenience of automatic execution is also a gaping security hole. But I'm willing to bet that the average user would rather slow their machine down with AV software and the occasional crash than to click 5 times to save an attachment and then open up a terminal session to execute it. Viruses happen. Geeks are the only ones who no longer get them. The average user thinks it is normal for viruses to occasionally crash their machines.
I understand that it is possible to create secure, highly usable software. Look at the Mac, for example. No offense to Mac users, but your platform isn't exactly a Microsoft killer. Even if Linux did all the right things, people would still buy Microsoft software, for no reason other than familiarity.
The society for a thought-free internet welcomes you.
Translation: "I never had, do not have, and never will have a girlfriend".
The article is misguided, misquoted, misleading and miswhateverhernameis.
The sheer fallacy that somehow one OS is *inherently* better than another!!!
Have you people not learnt anything?
Obviously not. I'm not even going to bother to spell it out here.
Unknowledgeable users could even be a way bigger problem in Linux than in Windows, at least with things as they are now.
How much training/experience does a new Windows user need to keep their system and programs updated and patched? Hardly any - the system and many programs tell you when they need to be patched.
How much training/experience does a new Linux user need to do the same? Suffice it to say a lot. You just say "not install security patches," but installing security patches in Linux for a new user isn't as easy as just checking every now and then. For the uninitiated, patching is a hell of a lot of trouble.
If Linux doesn't solve this before Linux gets greater market share, there will be plenty of unpatched boxes in the wild.
Or am I missing something?
An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms.
Logically, of course, this statement is absolutely true, as Linux and Mac OS X are *not* as popular as Windows. But without bringing out analogies to becoming the pope it's still clear why Granneman's explanation fails.
Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms.
Of course, these fundamental differences are also the reason why Windows is so popular.
First of all, I DON'T run Debian Linux. Several of my clients were rooted because Debian uses out of date software versions.
I use a customized gentoo based distro that uses the nlsecurty patches. Here are the restrictions.
The only installed software allowed to be installed are digitally signed ebuilds, signed by ME!
My clients have been very happy with me, and the firewall reports that hundreds of hackers have tried, but all have failed miserably.
ObSimpsons: Smells like crapweeds, or stinkblossoms, right?
/* affect != effect */ void affect(int *thing,int effect) { *thing += effect; }
That all MS viruses are really written by MS. Here's why.
1. Keep the platform in the news, more exposure more sales.
2. Results in the employment of more people with MSCE's which in turn results in more spending on MS products.
3. The patch exists BEFORE the attack. This means MS knows the attack is coming!
The author is blaming Windows for user error. Why does he think that if these users migrate to Linux, they won't demand the same conveniences, and when they get them, the same problems? For instance, it's as easy to run everything as root in Linux if you want to as WinXP (although there is some legacy stuff that needs to be revamped for WinXP so it doesn't need to run as root). At some point, clicking on an attachment in a Linux mail client will probably execute code, if you want it to, and as a corollary, Windows software does make it possible to stop people from executing code directly from the mail client. Given the number of web site hacks of Linux is proportional to the number of Linux web servers out there, there is a strong correlation between popularity and exploitation of security flaws, despite the author's attempt to push Windows FUD.
There are some good points in the article, but also some that really don't hold water.
* If it is too hard to run an executable sent as an e-mail attachment, this is a lack-of-feature in Linux e-mail software, not a feature. It should be capable of automatically correctly setting file modes when saving an executable attachment.
* The "strong community around Linux" argument would fall over if Linux became as widespread as Windows - so this is really just the "only because Windows is so popular" argument in disguise.
* Outlook uses IE to display HTML - who would write an entire new HTML engine when they already have one to hand? (This can become a problem if it is unnecessarily run with Admin privileges. Unix has had problems with this, where a big program does one little thing that needs root, so it runs as root, then exploits in other parts of the program give root access. I think most of these are fixed now.)
* Many criticisms are about MS's applications, rather than the OS - e.g. Kmail's policy to HTML compared to Outbreak's. (This is still MS's fault, but it is Outlook vs KMail rather than Windows vs Linux. Unlike the OS level complaints, MS could fix these quickly if they cared.)
Some good points:
* Windows users running with Admin privileges. In Linux, when I try to install a new package I get a box popping up asking for the root password. In Windows, I have to log out and then back in as Admin to install anything - this pain encourages users to grant Admin to their normal accounts.
* Windows' intertwining of OS, application, data - in particular, non-Admin installed DLL's which then get run by Admin. (I'm taking his word for this - I don't know Windows enough to know if this is so.)
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Outlook VB viruses are more relevant, since Outlook was designed by the same company as the OS and is the default mail client and uses the rendering engine of the default browser, that said company argues is part of the OS (VB may also carry more weight with the OS in terms of what it can do to files etc, I'm not sure about this though). VB and Outlook tie into most of the company's products and Outlook is "patched" by the OS's built-in updating system. Not to mention that it may represent a good deal of the philosophies and standards that are used throughout Windows.
This comment does not represent the views or opinions of the user.
The subject line above pretty much covers all of the article's "social engineering" blah blah. As an IS/IT manager I can assure you that no amount of click boxes, pop-up warnings, etc. will prevent some users from doing "bad things" (tm).
As for the author's technical reasons; please see above. Most of the people who click and/or view every e-mail they shouldn't are also the ones who install every bit of spy/add/mal-ware, etc. onto their PCs, and run as root. PCs are just so easy to use that way.
Right now most of those users wouldn't even dream of trying to wrestle with a 'nix variant; nothing "just works". Once stuff really does "just work" they'll be able to commit all of their same bad behaviors quickly and easily in a shiny new OS.
Linux/UNIX/*BSD -- i'm going to lump them all together for simplicity. We're going to enjoy our security until we get popular enough for people to write M$-"quality" code and tip the security/convenience teeter-totter the wrong way.
It would probably take only one port of Outlook to UNIX (with badly written support environment) before we had almost all of the same problems that we do today, even if it is much harder for the actual operating system to be damaged. The damage the rest of us see in SPAM and network congestion would be about the same.
M$ gets tarred with a big brush because they've bundled their OS with buggy applications. I don't know if the distinction is clear enough for your virus-happy media channels, especially since some business will inevitably bundle/support it if the "killer app" is popular enough.
MacOS Classic used to have many of the same programs as Windows such as Outlook and stuff and the OS has only one user with full access (aka root access). Still, there were not as many virus problems as Windows has, then and today. Maybe there is something the article missed.
I don't have to log into Windows as Administrator. I don't have to log into Windows as Administrator. I don't have to log into Windows as Administrator. I don't have to log into Windows as Administrator. I don't have to log into Windows as Administrator. I don't have to log into Windows as Administrator.
Feel better? From now on quit using Administrator-level account for your day-to-day stuff and learn to use runas command.
one could perhaps use them in arguing market dominance/viruses(or viruspronedesign/viruses) ratio.
like, pick a time from '92 or so, how many viruses were there for netware and whatnot vs dos vs amigaos vs macos found yearly? yeah well, might not be a fair comparison since internet has brought the hordes of copycats doing copies of some freaky dinky visualbasic emailing worms(how lame is that? i mean, doing some real coding and elaborate viruses could be fun but christ, doing worms in v. basic?? ), but ibm pc's immunity system has been broken from '81, as the os was somewhat not ready(but hey, it worked and the basis for it was quite cheap, money in the bank..) and never completed..
personally i just think that the design foundations windows was built on was just a ticking time bomb from day 1(for problems like this, ending up with running code that's from outside the system), but it didn't matter on day 1 since there was no internet for the world to easily access your computer, so they didn't care back then because only total nerds think things like that. maybe they started to care honestly later but not enough to tear the whole system apart for that(well, they did tear it pretty much apart for some not that important things but i guess that's what being cool and trendy means, and yeah windowses are pretty stable nowadays but you still have to reboot them weekly to patch).
-
world was created 5 seconds before this post as it is.
Here are just the couple obvious lapses in logic and truth in this clearly dishonest article.
And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections.
Yes, it's also possible to edit and recompile Ximian to delete your hard drive when an email comes in, but who's going to do that? Users savvy enough to do that (or to figure out how to enable executable attachments in Outlook) aren't the ones clicking on the WICKED SCREENSAVER!
Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior.
Right. The more prevalent an OS is, the higher the chances of a "non computer savvy" guy running as Admin.
In the Windows world, a virus writer knows how the monoculture operates, so he can target his virus, secure in the knowledge that millions of systems have the same vulnerability.
You mean... market dominance is to blame for Windows being targeted? I thought that ran contrary to the guy's point?
I am not sure reading his troll any further would be a good use of time.
Ecce Europa - Web Design for Business
If your home directory gets wiped out, you can still run your system. If your system gets wiped out, you can't run your system and you have to spend hours reinstalling all your system software and applications. Since applications aren't stored in the home directory, you save yourself the tedium of having to reinstall them. You may have to re-register them depending upon how the application stores registration information (settings file or actually in the binary) and retool your settings again, but please explain how this is equivalent to digging out the application install disk or hunting on the internet for the download, installing it again and then re-registering and retooling your preferences. Don't forget to repeat for every application you had. You save yourself time. And let's not forget the people that compile everything from source, either. Stick "configure the build," "set appropriate flags," "download dependencies" and "wait around for it to compile" right before "installing it again."
Home directories are also far easier and faster to backup than the system itself. Copying a bunch of XML files containing your user settings is not a big deal at all (you could put most of your settings on a single floppy disk). Copying thousands of system files and binaries is a big deal, and they most certainly will not fit on a single floppy and could require some compression to fit on a CD. That means you waste time decompressing and then recopying if your system gets wiped out.
Furthermore, if it's difficult for a malicious piece of software to get to your system, that means that it can't get to the backup of your home directory, either (unless you're stupid enough to back it up to your home directory). What's more, if you have applications that must be run as root, their settings are left intact (unless you're stupid enough to log into the GUI as root, which some Mac OS X users insist on doing so they can recapture the "glory" days of the Classic Mac OS). Seriously, there's a world of difference between having your home folder wiped out and having your system wiped out. If you are "still" arguing this position, it implies that you've held this view for a while. I think it's time for you to probably revise your position.
The brunt of his argument is that Unix and Linux are more complicated, and is more confusing for the virus writer to deal with, so they don't. No, I don't think that's it. From what I have seen of Microsoft software (and from what I have used), suffers from a poor design and really poor implementation. (not from the user point of view though, they manage to keep the user happy). Their design seems to be: see kewel new product come along, buy company, retrofit code upon old cruft, changing as little as possible. Don't check to see if it works well, is well integrated or breaks any security (most people don't know what a buffer overflow is, so neither should we). Make sure you tell marketing!!
He calls these Social Engineering, and Poorly Designed Software.
With regards to the Social Engineering claim, the logic that Granneman uses is basically that tasks are so difficult to do in Linux that no user would be able to put themselves at risk.
Unfortunately this argument fails to address why Windows is the dominant OS... that being that Microsoft listened to consumers and provided them tools that worked easily. So it is this very functionality which makes Windows popular and weak at the same time.
Mr. Granneman then goes off on a tangent claiming that the real problem is running as local admin.
But this is obviously not true. In most corporate environments end users do not run as root, yet viruses still do great damage. Even as a normal user, a virus still has access to all the files in the user's home directory, shared file server shares, etc. Furthermore a virus can run in memory during the user's session.
The main impact that running as root has on the spreading of viruses is the cost of having to clean up the local machine, either by running some script or by reinstalling the base OS and applications. This can be a significant cost, but it's not related to the spread of viruses.
It's also interesting to note that Mr. Granneman does not make any distinction between worms and viruses... although in today's networked world there is no distinction. Apparently Mr. Granneman thought by not mentioning the term he wouldn't have to discuss the high impact worms have had on Linux installations.
Mr. Granneman also brings up the worn out argument of biodiversity with regards to computer operating systems. Anybody who has had time to study biology certainly understands the issue and the risks associated with having only one strain of bananas for instance.
But Mr. Granneman ignores the major difference between genetic organisms and computer software... i.e. software is easier to change. Thus making the analogy trite and irrelevant, and if anything he is simply arguing for Security via Obscurity. This may be important in genetics when you have no other choice, but is it the wisest course for computer systems? Few would agree on that one.
Mr. Granneman then talks about software design, but sadly his knowledge is severely outdated. He makes this statement:
But obviously has failed to look at Outlook 2003 to find that it behaves in nearly exactly the same way with regards to external HTML images, and that Outlook 2002 and 2000 (with patches) had settings which prevented all scripts, ActiveX, whatever from executing anyway.
So Mr. Granneman would rather spread FUD, tell us the sky is falling, then
Secondly, the author assumes that a regular user can't do damage other than "delete your home directory". Last time I checked, most people can do a huge amount of damage as regular user on Linux. From your garden variety DoS (you don't need to be root to just send lots of packets). Yes a reboot will probably solve the problem. However, just altering your .bash_profile or .bash_rc scripts could make it possible to create problems for you when you log back in. I could use this as a launching point for any remote exploit that will get me an account, so I can then download a local root exploit.
Finally, the author assumes that a regular user couldn't run a program which downloads a local root exploit to give him pretty much full access to the machine. So any given local root exploit could potentially be exploited by the virus.
The points he is correct on, are that if the mail programs stay secure by default, or written so they can't be configured to be insecure, then he has a point. However, writing a great e-mail client, or just writing a secure version of Outlook is a complete possibility, that could lead to most of his argument applying to a monoculture.
As a tangential point to all this, the author assumes that under Linux/MacOS there will not be a monoculture. I believe that point to be relatively incorrect. In the sense, that I think there will be a critical mass of a specific version of a specific distribution, running a specific subset of software that will be available to a virus writer. So if say, RedHat 9.0 users running Evolution, that have Mozilla installed. If Linux were on 25% of the corporate desktops in world, that, and only 40% of those have that configuration, we are still talking about a large portion of the corporate world having that liability. I'd further venture to say, that RedHat, Suse, Gentoo, and Debian don't differ that much on the software versions that are available. The differences are more in the integration, the installation, and the management tools. It isn't in the bulk of the software itself that differentiates one Linux distribution from another. Thus I believe even if there isn't a monoculture, a critical mass will exist, and that's all it takes to successfully disrupt the portions of Internet, and any single business.
I also think he skipped the fact that under Linux, worms instead of viruses are the primary cause of problems. So worm writers can have a great time with all that Linux software. So you merely traded one set of security problems for another.
Linux will in fact have security problems for as long as it is turned on. So will MacOS, OS X, BeOS, Windows, QNX, or any other OS. I love my Linux, I think it has great security, and much better potential for not being as easy to exploit. However, you are deluding yourself if you believe that critical mass of a given mail client with an exploit won't exist, or if you believe that Linux won't be the cause of internet wide security problems in the future.
Kirby
The author of this article mentions only three real differences between Linux and Windows; Linux users don't run as root, Linux email programs don't automatically run attachments, and Linux has more than two main programs to read mail.
Now, I have believed for a long time that Linux is less susceptible to virii than Windows. I stated as much in a fairly long post in a Lindows discussion, which basically boiled down to "don't run as root!". I got some great replies to that post which shifted my thinking quite a bit.
Now, I still stick to my original assertion that running as root is bad. The single biggest reason is rootkits; if you are compromised while running as root (or if a process running as root is exploited), it's possible for the exploit software to hide itself from you almost completely. A good rootkit can make itself extremely difficult to detect, and no user-space virus can do that without a further exploit.
That said, it's perfectly possible to have userspace virii. They can't hide themselves as well, but they can still run, and can still propagate. And while they can't take down *the whole machine*, they can certainly wipe out your home directory, and for most users, it's almost the same thing.
We're used to looking at this as sysadmins; as long as the system stays intact, we can restore data. But for home users, most of whom don't back things up, losing the home directory is about the same as losing the machine. They may save a couple of hours on the reinstall, but compared to the weeks or months to recreate data, big deal. We can be all smug about "the system wasn't compromised!", but the user lost everything, and from his or her perspective, that's all that matters.
So the "no running as root" idea is useful for disinfection, but doesn't help at all for data loss, and doesn't stop propagation in most cases. Outbound connections can be made just fine from userspace.
The more secure email programs are good, but I suspect that may be a temporary advantage. There's a natural tendency toward monopoly in system software; over time, groups of people tend to converge on similar software. My office, for instance, has three main Linux users; each of us runs a different distro, but we have all independently chosen Evolution for email. Less security means more ease-of-use, and more ease-of-use means more uptake among the end-user population, so over time, it seems likely that Linux email programs will become less and less secure. The Linux email program advantage is very high, but over time, I believe it will be much less so.
Additionally, there's more and more tendency for everyone to use the same fundamental object libraries, like, say, OpenSSL. This tendency to write against the same core libraries means that whole classes of programs may suddenly become exploitable at once.
It's easy for us to get complacent, but our armor here is pretty thin. The lack of a Linux monopoly really may be much of the reason we don't see many virii.
After all, how many email virii do you know that spread via Eudora on Windows?
Please, don't feed the trolls.
Even if there are less exploitable bugs or features in Linux, there's a fixed population size of 'sick in the head' people willing to exploit them at any one time. At the moment, most of them are addressing Windows because it's a bigger 'market', but if Linux grows that will change. Therefore if there are any bugs in a Linux system, then Linux will still end up just as subverted.
And trouble is, last time I checked, there were certainly bugs in Linux based systems; software engineers, even open source ones, do tend to make mistakes.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Not really, the less complicated it is to use Windows, the more software MS sells. If occasionally, millions of dollars are lost because of inattention to security... they spin it as the consumer's fault for not installing their patch as soon as it came out.
In regards to e-mail virii, the main problem is that people will open anything that shows up in their Inbox, no matter how many times you warn them that ones addressed from unknown people with unusual subject lines are probably malicious.
I attend college at a smaller campus of DePaul University, Barat, and I've tried to talk to not just the technical workers here, but those responsible for company decisions at DePaul that would relate to such a move. But nobody seems interested in listening. This may or may not have something to do with me being "just another undergrad student" though. Regardless of that, my university spends hundreds of thousands of dollars more every year than they need to on their computers, and much more inconvenience.
Allow me to explain the monetary loss first. It isn't just the maintenance. Far before there is any actual need for technical modernization, they replace old ones that have gotten "slow" over time. This is caused for a number of reasons: first there is Microsoft's less efficient filesystem, which experiences so much more fragmentation than the ext filesystems on Linux that I can only reasonably calculate the difference by exponential values. But worse yet is the user's ability to run executable files that can do whatever they well please on the system. This means not only viruses are let loose on the machine, but all sorts of little programs, many with spyware. And they all hog up the system memory. Somehow the public misunderstands and thinks that somehow computers are supposed to go one millionth the speed they originally ran at a year later.
Now it is true that a user could let loose a virus on the computer if Linux was running. They could potentially lose the paper that they worked oh ever so hard on. But this won't make it so that the entire system needs to be redone in order to fix the problem. The system itself will not be damaged, and with restrictions on hard drive use, you can prevent a worm from taking over the entire system. It's really very simple to just remove one user and put in another. But let's look at what happens now with our lovely Microsoft machines when a virus gets loose... nobody gets to use the system, it's screwed up for everyone who comes in afterwards. Likewise the problem persists with users installing a billion programs on one computer that just hog resources... there really isn't much the person who wants to get on and get off next can do about it. If there was Linux (or potentially even BSD, though I am not as familiar with this OS) on there, it would be easy enough to just log off that user and log back in as another, even an anonymous one.
There is, of course, the common objection to Linux: "It's too difficult for normal users." No, it might be more of a challenge for administrators, which is in some respects somewhat arguable, but let me point out something. Most users on Windows have no idea what the hell they are doing, outside of opening a browser and a word processor. A well set up system on Linux is just as easy to use. It's really all the fancy things people hear about in Linux that makes them think it is automatically difficult, or the install process (reminder that most people get a computer with Windows pre-installed, and they never have to deal with something like formatting a hard drive, so when they see someone setting up a Linux computer for the first time, they think that to use it will be beyond their understanding... or such is what I have found). Let me give an example... my friend recently went and installed Linux on his Dad's computer. He spent a few minutes explaining the basics on the computer, which button opens Mozilla, how to browse through the filesystems on the GUI and how you right click and tell the system to mount the drive you want it to run. Other than the basics, which with most distributions are so well laid out that even an absolutely new user will understand immediately, there really wasn't anything more his dad needed to know. His dad called him up a while ago, though.
"There's something funny about my computer now that you've installed Linux," his dad said.
"Yeah? What's that?" said my friend.
"Well it isn't crashing any more."
"Well yeah," said my friend. "It's very rare that Linux ever crashes."
"Really?" His father was silent for a moment. "I always thought that computers just normally crash."
http://mediagoblin.org/
Lately I see this argument coming up a whole lot, saying one common application+OS makes a weak environment.
This has been known for a while, is definitely a valid point. But is Linux really so much less monoculture than Windows? And will it be able to keep the diversity it has when the public smartens up and makes the switch?
What percentage of the Linux systems in the world run an openssh server, and were vulnerable lately? And what would have happened to a worm written to exploit this.
Most systems in linux you have several good alternatives commonly used, but not all. And when creating a system for the masses one of the most important things is to be standard.
You can't expect everybody to learn how to do everything twice!
If linux will ever reach the masses it will have to be a version very similar in behaviou and UI for practicly everyone.
This leads to the dreaded monocolture enviorment.
Me.
The good old (INSERT ETHNIC GROUP HERE) virus:
This is the (IEGH) virus. As we have no programming skills, this relies on the honor system. Please forward to 10 of your contacts, and then format your harddrive.
Granneman also said that it is irrelevant. If more people used other systems things would be better too. Replacing one monoculture with another is not a good idea either.
If only a lot but not everybody switches to Linux, BeOS and OS X then things would be much better as far as point 4 goes for everybody. I know my mail box would be happier without infected Microsoft software.
The main vulnerability I see in any operating system is mono-culture. All it takes is one piece of software used by nearly every user of that particular OS that is exploitable somehow. (Be it virus, be it rootkit, whatever.)
Linux is susceptible in the same way any other Default Config os is. SSH being a prime example, nearly every distribution either comes with it pre-installed, pre-configured, and already running. Of course, you can (and many do) change the port #, but now that nmap has service recognition that's almost useless. All it takes is the next latest and greatest ssh vulnerability and all of a sudden most default configured or even recently patched SSH configs are now vulnerable if they aren't patched against a specific vulnerability (because the issue is now in the public eye...)
These vulnerabilities in any software do exist. Sure they're patched quickly, but not every Admin (of any OS) is able to update every server they control (although they should.) Monoculture does hurt, not only M$ garbage, but also Linux/OSX/BSD etc. So perhaps disabling things like nfs services, having X11 run on 6000 open to the world, or any of the default configurations you see in many different distros could be disabled, or at the very least giant warnings could appear during setup.
Yes yes, banter on about how this distro or that is better. Most admins' level of competence is clicking the big buttons (thank you mcse.) Or creating jails etc.... but unless the DEFAULT options during installation processes are configured to be more secure. And the SSH being the de facto standard is great, but maybe we can see some alternate default configurations.
I don't have to be drawing the parallels between RPC and SSH.... I'm sure a blaster style worm set to attack port 22's a day after an ssh exploit patch was released would make people a bit queasy.
Another hole is that you can embed programs in Word documents and the like.
"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it"
Funny, all I have to do to mess up and crash Linux is try to install a device driver. Or another way is to install some extra programs. My fave is when Open Office brings the whole damn thing down.
"Someone on a mailing list or discussion forum complains about the latest in a long line of Microsoft email viruses or worms and recommends others consider Mac OS X or Linux as a somewhat safer computing platform"
Ironic no one complains about the monthly, weekly, daily "patches" and "upgrades" to Linux. Linux itself may be a nice system but when you start adding things on top of it then it shows some of its own flaws.
"The only reason Microsoft software is the target of so many viruses is because it is so widely used!"
I have not encountered a Virus in 4 years and I have two servers (one Debian and the other Windows 2000). Also I use SuSe Linux and XP PRO regularly for daily use. To me SuSe crashes more than XP.
I have to patch the Linux ones many times more often than my Windows machines. Granted this is mostly because of fixes and new functionality, but there are still some security bugs worked out if you look closely.
"Why, if Linux or Mac OS X was as popular as Windows, there would be just as many viruses written for those platforms!"
They would also have to put up with all of the In-Duh-Viduals asking for tech support.
(I am Running RedHat 9, how do I update my Nvidia graphics driver? I am using SuSe 8.2, am I stuck at the shell when I use a Radeon 9800?)
"There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux."
Well considering that the average Windows user would sign up for mail order Viagra thanks to a SPAM message, I am not surprised.
"social engineering"
Which is about 90% if you look at it from a network security standpoint.
"poorly designed software"
Of which Linux has its fair share.
"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"
Linux is learning from M$' mistake... Microsoft really isn't.
"This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user"
The end result is the same. They give out their credit card information or execute something to screw their computer up.
"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system"
I have bloody run tech support for Linux before. root privileges means shit. There is always a way to do things one isn't supposed to do.
There is nothing worse than running help desk when the topic is Linux. Every day someone finds a new way to screw it up.
"He could damage his /home directory, but that's about it."
I have seen people with restricted accounts wipe out a hell of a lot more than their /home directory.
"Windows XP, supposed Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. The reasons for this decision boggle the mind."
The owner may want to install a program that requires admin privileges (of which there are plenty). Then again the requiring admin privileges is both a blessing and a curse. In the corporate it is a blessing. However in the home it is a curse.
"non-Administrative user can still add DLLs"
DLLs are not going to exist soon anyways. Besides those are worthless files not really used by anything anymore (that is well written).
"Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other."
Hmm, ide
No offense. But the law of numbers *does* apply here. If there were 10x the users of *nix, there would be 10x the virii written. There would be 10x the number of people prying for holes, and 10x the number of holes found.
As other posters have said, the effects of these holes might be severely less than windows (I expect they would) but every once in awhile there would be some massively bad virii.
I currently have no clever signature witticism to add here.
While I agree with the gist of his article, there are a couple of obvious problems:
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world
That's unlikely. As Linux takes over corporate desktops, the users are not going to be joining LUGs or mailing lists. This has been mostly true up to this point, but mass acceptance will change the demographic of the user community to be more like that of Windows.
Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it.
It's mind-boggling that this stupid line of reasoning is still used. First, my home directory is the part of the system that I'm most concerned about protecting. Holy shit! That's where my files are. The rest of the OS can be downloaded off the internet or from any CD that I have. But what about the files that I have created? A program destroying my home directory is a far larger problem than a program that mucks up executables or something.
Second, the modern worm/virus on Windows doesn't need any elevated privileges. The whole point is to spread, and there is absolutely nothing about that process that needs or uses any elevated privileges. Being root is not terribly relevant for the modern worm.
With all the lost money and productivity over the last decade caused by countless Microsoft-borne viruses and worms, you'd think the company could have changed its procedures in this area, but no.
And it wouldn't have made a damned bit of difference for the most destructive email worms. Is the author from another planet? I have to wonder.
Do you have ESP?
Is because I haven't written them yet.
J/K
It is an interesting point that the author inadvertently brings up: As Linux becomes more tolerable to the masses, security is likely to suffer. Or, as security suffers, Linux will become more tolerable to the masses.
Most users will point to the new shiny things on their desktop and go 'Looky at what I can do!!'. Security takes a far second even if they are aware of the problem.
Making things hard to do is not the answer. Making things easy to accomplish while maintaining some semblance of security would seem the desirable path. I understand this can be a difficult proposition but trying to leverage the users' ignorance to form some sort of security model is just plain counterproductive.
I think this article points out a shortcoming in the Ease Of Use dept. The rest wouldn't appear all that insightful.
I think you underestimate just how much I just don't care.
Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps.
Until, due to popular demand, Microsoft ports OE to Linux, and it does all that for the average user, who really has demanded it so they can view the wicked screensaver - that really was just a wicked screensaver - that their pervert friend sent them.
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.
Based on my personal experience, asking the "strong community around Linux" a question like "How do I run this wicked screensaver my pervert friend sent me" is far more likely to get you killed and eaten by cannibals.
Further, due to the strong separation between normal users and the privileged root user
Unless the average user just logs in as root all the time, because it's the easiest way to run that wicked screensaver their pervert friend sent them. There's already distros that will automatically log in a user. I suspect they won't, for the most part, auto-log you in as root. Yet. But the Microsoft distro will, of course, because the users want to be able to run that wicked screen saver their pervert friend sent them, and that's the easiest way. In fact, the author even talks about Lindows doing just that.
The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes.
No, the more steps, the more likely someone will do an "easy to use" distro that simply automates those steps. That's how Windows got where it is: user demand.
Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons (see the previous link for corroboration). For instance, Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails. As a result, a hole in IE affects OE. Linux email readers don't indulge in such behavior . . .
If Linux becomes a major part of the desktop world, the most popular email readers will do such things, for the same reason that Microsoft's do: users want stuff integrated.
I doubt Linux will ever be as prone to viruses and worms as Windows is, except a Microsoft distro maybe. But the arrogance, and absolute cluelessness of the fact that social engineering works both ways - user demand socially engineers programmers into doing stupid things every bit as much as virus writers do to users - that arrogance and cluelessness are the reason why viruses will continue to plague the world regardless of what operating system we use.
Of those 40 Mac viruses how many work under OSX?
Hackers can find remote root exploits by "smashing the stack" (causing buffer overflows) in various root-privileged server apps running in Linux. You have to scan for open TCP/UDP ports, and hope that the daemon you do find, is not LYING to you (say, sendmail-ultrapatched-10052003 server calling itself "sendmail-unpatched-2002"). If, then, you determine what daemon it is, and what version it is, and if it is unpatched, you can transmit a code to make it cough up a root-level exploit. *Then* the fun ensues.
In Windows? You just send an evil email attachment, or lure your victim to an evil webpage with an ActiveX exploit. Badabing!
--- Grow a pair, liberals... stop letting the Republicans bully you!
I'd rather wipe out my system, and not touch /home than the other way around. I can reinstall most of the system in short order, but my /home directory contains all the important stuff.
Remember, it is the *DATA* that is important, not the programs. There are boxes and boxes of the same program on most computer store shelves -- or tons of .tar.gz, .rpm or .iso files for the download.
Learning HOW to think is more important than learning WHAT to think.
"Instead of just reading an email (...just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."
And people wonder why Linux isn't sweeping the market. Simplicity sells, and for good reasons. I'm a technophile and I value security, but even I don't want to go through a dozen and a half steps just to open a file that I 'know' to be safe.
The Windows operating systems certainly have their problems - particularly with how certain defaults are set up. However making life more difficult for the end user definitely won't win any support.
So could someone explain to me why I should care about not being able to clobber my system without su'ing first? I've never understood people who say *nix is inherently more secure than Windows for a single user.
Assume a Linux virus that spreads by email, exploits a vulnerability in something or uses social engineering to run, and at some date executes rm -rf ~.
Let's compare the virus under Linux and a similar virus in Windows.
Vector: Linux sorta has an advantage here since there aren't as many vulnerabilities in the email clients, and they make it harder to run attachments. But assuming the vulnerability, there's really no difference. (this comparison begs the question, so feel free to ignore it)
Replication: Nothing in Linux prevents a user from sending huge numbers of messages. It's harder to find a single address book since as far as I know there's no address book API like MAPI for Windows, but OTOH there's no sendmail on Windows either. I'd call this one even.
Payload: Here's what I don't get. People say that hey, since Unix lets you run as a less privileged user, in the case of a virus you're safer. Uh huh. For a mom-type user, let's see what is and isn't protected:
Not protected:
Email, favorites, documents--most likely anything they've ever created, which is to say everything they care about.
Protected:
System software, binaries, and configurations...which is to say, all the stuff they could get back by sticking their Mandrake cd in and reinstalling.
Under Windows, of course, you're probably stuck reinstalling the OS, whereas in Linux you can most likely just delete your home directory and be assured you're starting fresh. But which matters more? Windows machines are going to come with a restore cd, and most mom-type users don't customize their systems that much. Their documents are irreplaceable. So this one's a tie too.
So please, could someone explain to me why Unix is so much better than Windows with respect to viruses, for a single user?
If linux was the monoculture, the viruses developed would be smarter. Less vulnerable to machine specific issues, and less likely to need "default" configurations.
Then again, most of em would smell somewhat like redmond
It's clear that the author includes worms in his definition of "viruses." The first worm I had ever heard of was the Morris Worm, which most certainly did impact UNIX machines, and was very widespread in terms of percentage of infected machines back in 1988.
I agree with the premise to some degree, but I consider a significant amount of the author's "evidence" to be FUD, distorted or simply wrong.
It's about social atmosphere surrounding the motivation to crack/hack the service to begin with. Most of the time (but not always) it would seem more an advantage to get thanks from the Apache maintainer than from your Haxor friends. Or maybe you can do both. Hell I dunno.
Anyway, there is an open avenue to get your recognition from the developers in an open way, say in a Changelog, than with closed source.
In the event of closed source, you get a brick wall (I mean BRICK), denial, in the event they say 'thank you' no one will ever know but you. Hardly motivation for those seeking recognition.
To me, this is why Linux and GNU are more secure than redmond (besides redmond being one of the bricks). It's all due to the social surroundings, and people have choices on where to get their supply of kudos.
I think you underestimate just how much I just don't care.
> the conventional wisdom that if Linux or Mac OS X were as popular as Windows...
The very features which make Linux less vulnerable to virii also ensure that it will never be as popular as Windows.
Try explaining 'chmod' to your mother-in-law.
Here's an interesting rebuttal. The 1st line is "The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware."
Vote for Pedro
Take a look: Security in Linux - is the what people are talking about?. So, what was my primary conclusion? If we listen to this guy, Linux will never have a decent market share with the average computer (l)user. Oh, and also - this guy needs to actually look at the products he's insulting. Please, intelligent discussion on real, actual, useful information on why Linux is inherently more secure - I'd really appreciate the data.
Thanks!
What he's basically saying is that if you take all the Windows users and let them use the current user-unfriendly versions of Linux, that they will suffer less from vulnerabilities and social engineering. While this is true, it's also true for Windows -- if you take all the Windows users and make them work on a less-user-friendly-more-secure Windows installation they will also suffer less from these exploits.
Fact of the matter is that users will never be able to work on these more secure systems, but the author doesn't understand that. The only way you'll ever get computer illiterates to work with Linux is if you do what Lindows does -- and we all know the author's opinion about Lindows.
Really, it's a mystery to me how this guy got hired at SecurityFocus -- he clearly doesn't know what he's talking about.
The first thing I did on my new Win2K system at work was remove Outhouse Express. Then I started MS Orifice Add/Remove and removed Outhouse (the full version). Finally, after several reboots, I was free of that dreck, and I installed Sylpheed. One day, I may be fortunate enough to use Linux at work for my main PC.
Sounds like a great idea. Do you have any more info on this? or a URL for more info?
I'm guessing it's a patch against GNU ld?
I wonder if there is any reason not to add this to Debian.
Expert in software patents or patent law? Contribute to the ESP wiki!
Exactly. Windows users have too many privileges unless logged into a domain with tight group policies.
As I understand it, in GNU/Linux a virus can do only minimal damage unless:
a). you are logged in as root - stupid idea unless doing maintenance
b). it attacks a vulnerability that you haven't patched - also stupid, as most dists are very quick to release security patches.
c). it attacks your bios directly, and it's not write-protected.
I would think that even if everyone moved to GNU/Linux and the same amount of viruses attacked GNU/Linux instead of MS Windows, there is a big difference in what the viruses can do.
In Windows XP the default users are Administrators. Bad idea.
Just my $0.02.
A very interesting article, but the author leaves out one very important point: the difficulty of writing a virus for Linux is much higher than writing one for Windows, so fewer people will do it. It takes much greater skill and effort to screw up a UNIX-based system than a Windows system because of the much clearer distinction between user files and system files. Today, a large percentage of Windows viruses are just slight modifications of others, and there even exist "virus toolkits" to generate viruses without much technical knowledge at all. In short, the "script kiddie" factor of relatively clueless people whipping up viruses based on a few instructions received in IRC is much less under UNIX.
The author does point out, quite correctly, that even if Linux viruses became more widespread, most of them would probably only affect the user space and not corrupt the system itself.
a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable.
Ok, so basically all things absolutely opposite to intrinsic corporate (read: secretary) thinking. Glad to see we're comparing apples and oranges here. Come back to planet Earth, please.
Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps.
Damn right they won't understand the steps. Less sophisticated users won't migrate to Linux unless forced, an expensive proposition in the corporate world.
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.
Bwahahahahaa. From where?!?! IRC?? New linux users receive nothing but pain and torment from anyone other than paid technical support. Get over yourselves and just admit this simple folly. Right here this guy lost all credibility. All of it.
Please, I implore the Linux community, as a Windows admin, I want you to develop a better corporate desktop. But please please please get rid of this fantastic notion that the average user (the kind that make up 95% of Windows' userbase) has ANY fucking clue about anything! They don't understand permissions, they don't understand "making something executable", they don't understand package dependency, they don't understand almost everything. It's sad, but a reality that must be recognized before it can be changed. Is it terrible? Yes. Do we wish it was different? Of course. Is it going to change by instituting rigid learn-permissions-or-die attitude? Hahaha, of course not, as I install another patch.
People like this, who spout off about changing how 2 billion people compute in the corporate office as if it were as easy as changing their socks, need a serious reality wakeup call. I'm a windows admin and I know windows is swiss cheese. I don't deny it. Playing nice in a domain, browser elections, a disgusting reliance on RPC, abhorrent permission expectations, the need to be "chatty" with every fucking box on the network, poor quota enforcement (lack thereof for groups), poor multiple desktop support.. we know all of this. We know it's bad in many areas.
But changing it starts by losing this utopian attitude that "the user will just adapt". Bullshit. That reeks of corporate office mentality inexperience. Understand your target audience before you try converting them.
I would be very interested to learn how a Linux corporate office operates. And not 10 or 20 or 100 people in the office. I'm talking 6,000 or 7,000 non-domain-managed, secretary-level-of-technical-knowledge employees. Let's stop screwing around.
Please god stop the agony.
OK, so I'm to take their word for it on the number of viruses. Never mind the viruses that, like exploits, aren't even fucking known about yet. I've never seen an article so obviously biased towards open source that they would just be obtuse. Seen it plenty from MS, but I thought open source people had higher ethics. Besides that whole big issue. The article opener is retarded. "To screw up Linux, you have to work at it. To screw up windows, you have to work on it" Nothing like quoting yourself to sound like you have a clue. Big difference between misconfiguring something (screwing up) and getting infected via virus. This guy is a fucking moron!!!
It's not just that Linux has few users, so doesn't provide a tempting (visible) target.
Linux is used mainly by a small audience that understands technology and is willing to trade small conveniences for security - a classic example is XP's default root mode (that's been beaten to death on /.)
Also, because it's a small audience that knows tech, it's very customized - it's not straight-out-of-the-box configuration for the majority of the population, and sootb config is locked up, b/c it's assumed users know how to unlock what they need/want unlocked.
"This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. As Martha Stewart would say, this is a good thing."
Your ass it's a good thing. On the surface it seems it is but it's a hell of a pain in the ass if you just want to read a text file. Maybe you just don't get that there are a lot of people who don't want/need that hassle. You're a linux user so stfu about viruses that don't affect you anyways. Gee, as a windows user, I think I'll spout off authoritatively about compiling!!
It seems quite a bit of the recent "virus" activity is done thru email clients. Pine has had a number of vulnerabilities, and I'm sure the other outlook-clone Linux clients have vulnerabilities as well. People want functionality in these stupid mail programs... if all the businesspeople were running Linux and there was some sort of standard to allow cross compatibility with all of the email clients (holding the addressbook) then you might see the same issue. Pack in an exploit and you would nail a good number of linux desktop users, because like Windows users not everyone patches every night. Or every 6 months. Hackers love Ramen? I remember when all of my BSD and beautiful SGI boxes were getting hammered due to a Linux / Solaris worm pounding the shit out of my netblock. There are more viruses on the PC versus the Mac because there are more PCs. And @stake, the company born out of the l0pht is contracted by Microsoft to audit the code. What is really disturbing is how shitty viruses are. Back in the good ol' days they were 3k and stealth. Now what we get is 5000 emails a day with this fucking huge attachment. Oh thank you for sending along VBRUN300.DLL just in case I don't have it and 4 GIF files to display when your evil virus attacks. What the fuck has happened to programmers? No wonder software is so shitty. The Virus writers make Microsoft look *GOOD* with the turds they are sending around. Done with the rant. Till next time... http://users.757.org/~ethan
Southeastern Virginia REPRESENT!
The article asserts that Linux newbies wouldn't even know how to infect themselves. A lot of newbies faced with it-doesn't-open-when-I-click-the-attachment would reach for MS Office via Wine. Some distros even include Crossover in their package and promote installing MS Office.
Same thing goes for OS X users. My iMac came with MS Office pre-installed. Do my infected Word documents stay infected when I open them on the Mac? Probably.
Bottom line, "Install Linux and avoid viruses" isn't the whole picture. Your email software and office suite make all the difference in avoiding spreading viruses.
Default config of OS X is to run as a "wheel" user, which makes it easy to socially engineer root privs.
The fact that the majority of potential customers do not wish to be informed is no excuse for sloppy OS design. Joe average doesn't know the internal operation of a deadbolt, but he does know how to lock and unlock his front door. He may not know how to tune an engine, rebuild a transmission, or do an oil change, but he doesn't need to know how in order to drive a car. All he needs to know is that there are routine maintenance things he needs to do, and if any of the warning lights come on, he needs to see a mechanic. There are plenty of ways computers can be made secure without overly complicating the user experience. Having said that however, the consumer must be trained to NOT give his keys to strangers, to NOT ignore the warning lights, and to NOT forget the regular maintenance.
"I'm not impatient. I just hate waiting." - My Dad
He could damage his /home directory, but that's about it
Well, duh! Where does he think people keep their documents, mail and source trees? /tmp? Granted, most of my stuff is in CVS and IMAP (for mail), but few people keep copies of *everything* outside their machines.
read, save, become root, give executable permissions, run
How about: save, untar, run? Tarballs carry permission bits, and a "./configure" could carry a payload which infects, say, ~/.bashrc with, for example, a LD_PRELOAD=evil.so... Ooops, there you go trying to infect someone whenever you run something. Or maybe a simple "evil daemon attempting to replicate a-la Blaster". Or even a regular-user shell bound to 4321 (privilege escalation is easier than outside access).
Sure, MUAs won't run attachments out-of-the-box (barring MUA overflows/underruns), but dumb lusers are everywhere. There's lots of ways to use a Unix box without ever getting root permissions. Even if it's just to build some stupid DDoS network or a "cache" of open proxies/relays
The people saying this are missing the point. The idea is, OS are not fungible. The Register writer makes the argument that Linux and MacOS are intrinsically more secure -- that not all of the problems Microsoft suffers comes just from being the biggest target. So even if Linux completely eclipsed MS, the number of exploits and viruses -- and, especially, the cumulative damage -- would not approach current levels... because the operating system is, of itself, more secure.
The Mongrel Dogs Who Teach
They are very different beasties and they are handled in very different ways.
A worm is handled by keeping your patches up to date and by NOT RUNNING ANYTHING YOU DON'T NEED.
A virus is handled by NOT RUNNING AS ROOT.
A trojan is handled by EDUCATION.
Microsoft has made the spread of trojans and viruses very easy by automatically running code. Sometimes without the user even knowing that the code has been executed.
A rootkit usually uses an exploit in a running process to install itself. In this fashion, it is similar to a worm. But it does not automatically spread itself to other machines.
Or it could be a hacked version of ls that is executed because someone was dumb enough to have . in their path. In which case it is similar to a trojan.
Different terms to reflect different attacks that are defeated in different ways.
All the patching in the world will not stop a trojan.
The best security on your email program will not matter if you're running a vulnerable version of sendmail.
Only run what you need to run.
Run with the minimum rights necessary.
Don't run unknown code.
Keep your patches current.
Run tripwire or something similar.
Review your logs.
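The comment above about `.` in the path, and the earlier comment about a payload adding `LD_PRELOAD=evil.so` to `~/.bashrc`, both describe things a user can check for. As an added example (not code from any poster; the function names, the list of startup files and the sample directories are assumptions), this Python sketch audits a PATH value and a home directory's shell startup files:

```python
import os
import re
import stat
import tempfile

# Assumption: these are the startup files checked; add others your shell reads.
STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")
# LD_PRELOAD=... anywhere on a line; \b keeps names like MY_LD_PRELOAD out.
PRELOAD_RE = re.compile(r"\bLD_PRELOAD=(\S*)")


def audit_path(path_value):
    """Flag PATH entries that let a planted file shadow a real command."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry, treated as the current directory"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry, resolved against the current directory"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & stat.S_IWOTH:
            # Any local user can drop a fake "ls" into this directory.
            findings.append((entry, "directory is world-writable"))
    return findings


def audit_startup_files(home):
    """Return (file, line number, value) for every LD_PRELOAD assignment found."""
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if line.lstrip().startswith("#"):
                    continue  # commented-out lines are not executed
                match = PRELOAD_RE.search(line)
                if match:
                    findings.append((name, lineno, match.group(1).strip("\"'")))
    return findings


def demo():
    """Run both audits against a constructed home directory and PATH."""
    with tempfile.TemporaryDirectory() as home:
        private = os.path.join(home, "bin")
        shared = os.path.join(home, "shared-bin")
        os.mkdir(private)
        os.chmod(private, 0o755)
        os.mkdir(shared)
        os.chmod(shared, 0o777)
        # Constructed sample .bashrc; the LD_PRELOAD value is the one quoted in the thread.
        with open(os.path.join(home, ".bashrc"), "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\nalias ll='ls -l'\nexport LD_PRELOAD=evil.so\n")
        path_value = os.pathsep.join([private, ".", "", shared])
        return audit_path(path_value), audit_startup_files(home)


if __name__ == "__main__":
    path_findings, startup_findings = demo()
    for entry, reason in path_findings:
        print(f"PATH entry {entry!r}: {reason}")
    for name, lineno, value in startup_findings:
        print(f"{name}:{lineno}: LD_PRELOAD set to {value}")
```

To audit a real account, call `audit_path(os.environ["PATH"])` and `audit_startup_files(os.path.expanduser("~"))`.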
The reason it asks for a password is that an OS X 'administrator' is not root. It's staff. There is no root account by default. You have to enable that purposely. The point is that if you double click something that looks like a picture file and it asks you for your admin password, you KNOW something is up. On Windows, double click and you're dead. If it doesn't ask and you're running as an Admin, it might wipe out /Applications and ~/, but it can't touch /System or any other user's files. If you run as a regular user, then only ~/ can be hosed.
Wow, very good response.
Jisho - A Japanese English German Russian French Dictionary for the rest of us.
Much of this article represents widely held ideas about modern Unix-like OSes that are either false now, will change in the near future, or are based on 20 year-old ideas about Unix. These seem to stem from the idea that the *nix OS will be installed on a large, multi-user server running many small limited-function tools such as text-based e-mail clients. This is changing. Many of these operating systems are installed on single-user desktops running large, graphical applications such as Evolution and KMail which attempt to be very user friendly.
Here are the arguments from the article:
"a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable."
The default behavior of *nix mail clients is to save files if instructed, and not executable. However, there isn't anything inherent to *nix which dictates this. A mail client that claims to be more user friendly can also save a file and run it automatically as well. There just hasn't been a popular one in use yet.
"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it."
The configuration that Linux has been trying to increase its numbers with, and OS X's main configuration is the single user desktop machine with no automatic backups. To the home user, blowing away /home/foo is the single most disastrous thing that can happen.
"Windows XP, supposed Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. ... On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself."
Ok, I agree with these points. However, as Linux penetrates the home user market, the limited capabilities of the regular user will be increased. Remember Lindows? I believe (all) user(s) run as root. The author addresses Lindows near the end of the article, but he dismisses it as an exception rather than the rule. Ask yourself *why* the developers chose this route. It's because they want more home user/desktop penetration. Expect more of these types of decisions to be made in the future.
"Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion."
Ever look at /usr/lib lately? Over 1500 files in mine at last count, including very few subdirectories and lots of symbolic links. The same for /usr/bin. Or is it /lib? Or /usr/local/lib? Or is it /usr/local/bin? Besides for some accepted practices, most applications dump their libraries in /usr/lib and executables in /usr/bin, but without any organization.
"Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells. But most obvious to the end user, Linux mail clients and address books are far from standardized."
Again, as Linux becomes more popular with home users, one or two mail clients (depending on if one or two desktop environments will survive in 5 years) could possibly dominate the market, on possibly one type of architecture, the x86. As well, Linux prides itself on supporting standards, across different applications.
"Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons"
Here I will agree with the author,
"Possessing a degree in science does not necessarily make one a scientist"
and on a single user machine what precisely is the benefit of that?
It would take me a couple of weeks worth of evenings to reinstall my PC as-is, it has data on it that has taken 10 years to accumulate. The relative value of my data compared with the hardware cost of the machine and the effort to rebuild it is astronomical. Now admittedly I have many many CDs of backups of data, but I bet there is some recent stuff that would have slipped through the net.
Losing the system is annoying. Losing my data would be worse than a broken leg.
It's not just the OS. Take the BIOS for the computers at my school. All you have to do is hold down F8 when you turn on the computer, and a menu comes up, letting you boot from a floppy, CD, etc. You can still boot from something else, even though the BIOS is password protected!
Ha. The teacher was bragging also about the "special stuff" on the computer. Like DeepFreeze, which makes the disk return to a default state whenever it boots up (Linux: rm -rf ~/*, cp /usr/share/homedef/* ~/*), or something view the screen remotely. (Behold the power of X)
Oh well. The BIOS made it easy to show off Knoppix.
I would say that MS Windows, Viruses, Worms all fall into the same category... after all don't they all pose dangers?
Plus, what if everyone magically rolled to Redhat 7.3 when it came out, ditching Windows altogether? Since then, we've had two SSH vulnerabilities. Sure, those using Linux applied the necessary patches / updates and we're all safe again... probably within minutes. But "Regular User Guy" won't apply that patch.
Every install of RedHat I've ever done sure as hell doesn't install and run an SSH daemon by default. And if you turn it on, you can turn it off.
Hundreds of posts, and not one Slashdotter has pointed this out: the most recent RPC vulnerabilities are all the proof you need to show why Windows, in its current incarnations, is far less secure than any Linux distro I've ever seen. An unpatched Windows system on the internet can be compromised within minutes, and it's not because there are "oh so many Windows viruses". It's because the RPC service is enabled by default, "run as root" insofar as Windows does that, and YOU CAN'T TURN THE DAMN THING OFF. So even if I'm clueful, don't open email attachments, only use plain text email, never run foreign binaries, I can still get "rooted" trivially.
Show me a Linux distro that does that. Hell, RedHat goes one further and runs IPtables by default for you these days. I'd love to see you try to root my box without being able to connect to it first. With a Windows machine, you as user leave a half-dozen almost unclosable ports open by default.
(Note: I realize that Apache, OpenSSH, and every other server daemon under the sun has known vulnerabilities. But I'm comparing apples to apples here, and Joe Sixpack doesn't often run a webserver off his WindowsXP box).
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You should be licensed to work a computer before you're even allowed to touch one. A computer can cause more damage than an idiot in a car. If you can't be bothered to learn how to use a computer, you don't deserve to use one. Of course this will never fly. <dreamer/>
the fact that there are people that write viruses just because quite frankly, they hate Microsoft. Not only is it an easy platform to write viruses on, it's because a lot of people outright hate Microsoft, and they want to show how badly their OS really is. However even if that's show Microsoft software is poorly designed, if you compare to other operating systems it looks like a 5-year-old wrote it. Then again that's what you get for hiring fresh out of college, no experience, programmers.
Just in case you didn't know :)
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
I agree with the general sentiments expressed by the author. I think, however, that the piece was very poorly written. Posting it to slashdot directly, I daresay, would have resulted in downward mods aplenty.
The crux of Mr. Granneman's two points, that social engineering and bad software design are more at fault for worm propagation than anything else, can be articulated better in just this way: M$ takes the wrong things seriously. Linux, *BSD systems and MacOS X do not. To wit, M$ has chosen feature-rich clickability over robustness and configurability. Linux, MacOS X and the *BSDs are all about configuration and robustness first.
Microsoft's first mistake is to assume that every user is a novice (of the twenty or thirty so XP and or W2K installs I've done this calendar year, each has that annoying, nay infuriating pop-up..."take a tour of XP" and/or "learn how to keep your computer current with Automatic Updates". That was semi-informative the first time. Annoying the second and very quickly -and continuously- infuriating after that). As such they start with a baseline configuration that is very generic. The second mistake is in assuming that everyone will want a 'wizard' to do the 'advanced' configuration necessary once they realize the generic baseline isn't cutting it for them. 'Wizards' are just middleware written to avoid having the user come into direct contact with a config file or the registry. I'm a master sysadmin. I've seen config files. They don't scare me. Nor does the registry.
The real, and most important difference between Windows and almost all other OSes is configurability. Consider this:
I can take a Linux, BSD or MacOSX box and, within an hour, tweak the config into an unrecognizable shape and still remain with the use of the thing. It will be a unique, workable, computer, running the same software, but with different parameters and purposes as other unix boxen. It will serve the purpose for which I built it, and none other, unless I say so.
I can take a windows box and tweak the config all the livelong day... and at the end of the day I'll have a windows machine that remains very close to most other windows boxes in the entire world. That machine will continue to try to open my attachments for me, run 'wizards' to do my config work for me, and generally get in my way trying to add more 'gee-whiz' features I neither want nor need.
Then, when I've 'patched' the thing, I'll find all the unwanted services I just turned off, back on!
Why is configurability important? Because it leads to diversity. Diversity is the first and best defense against viruses, worms, plagues and pestilence. Diversity - mutability- is what has allowed the human race to survive the many scourges visited upon us... until M$ that is... =-)
Just do what you do best
Arnold "Red" Auerbach.
Enabling root is totally non-trivial.
Applications/Utilities/Net Info Manager:
Security >> Enable Root User
Didn't even have to touch the command line or restart or anything. But for the most part you're right about it not being necessary.
In addition...I like the idea of having a pure System directory. For those of you who don't know, as a programmer you never have to touch the System directory in OS X save kernel extensions.
HA HA HA, BeOS has no viruses written for it. But on the other hand it has no other applications written for it either.
to write a Linux Virus, there would be hundreds a month coming out of Redmond.
With all the resources and the lack of ethics that M$ has shown, don't you think that they will be writing virus for Linux?
Obviously they've already forgotten the Great Worm of '88. This was certainly not confined to the laboratory, unless you consider the whole internet, at the time, as a big lab
But that point aside, the article makes many good points. The only thing it really left out, was the homogeny of server software (it did mention client software, though). This is what made the '88 worm possible. All servers at the time were running sendmail, because it was the only thing available. Now, with the proliferation of different mail services for Unix, it's nigh impossible for this to happen in a widespread way on Unix.
So basically, it seems diversity of software and hardware is the real answer to making the internet more secure. This obviously goes against what Microsoft try to achieve, but fits in very nicely in the open source world.
Yes, but you've missed my point, even if Linux is 10x better than Windows, Linux will still have as many subverts; because it's not the number of bugs, it's the number of virus writers. Only if Linux has massively less bugs than virus writers will the number of viruses be reduced because then the number of ways to stick exploits together will be restricted. But it doesn't have enough less bugs; it's better, but not enough to matter.
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
Even without the Internet with the common user, you'd still get Word viruses on floppy. Why? Because someone at Microsoft thought "wouldn't it be great if Word didn't just do plain word processing? Wouldn't it be great if Word could also do OTHER THINGS?" So they give Word some executable power on the system... and always running essentially as the super-user means it can do pretty much what it pleases.
So these are two lessons:
1) FORCE the user/admin to consciously choose to become the super-user BEFORE making any system changes
2) Make programs conceptually simple which accomplish useful tasks. And if you do give programs some kind of executable power, restrict it.
I disagree with an earlier post that said UNIX's and Windows are opposite because in UNIX the exploits are in the apps and in Windows the exploits are in the OS. Windows exploits are in the apps too. Sure there is ANOTHER LAYER of protection (the OS) which Windows also is deficient--but basically Windows is worse on both sides of the equation.
On another note: the mention of Lindows making root password optional--all I can say is I hope they disable ssh.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
That's a lot of if's though... I can't see it ever happening.
File under 'M' for 'Manic ranting'
10 * 0 = 0
His point is that those exploits that allow rootkits were obviously not counted, and the "perhaps 40 for Linux" statistic is therefore entirely misleading when taken out of context, like it was.
The other misleading issue about the 60,000 Windows viruses statistic is that it includes every variation of any virus written for Windows since Windows 1.0. After eliminating variations on a theme and duplicates, the total number of unique exploitable holes in Windows is some smaller number. And nearly ALL of those are eliminated when using a permissions-based filesystem like NTFS and restricted user logins, both of which have been mainstream since NT 4.0 in 1996.
An upgrade via ports, portage, apt-get, what-have-you doesn't require any restarts/reboots.
Everything in memory will continue running. You update. Next time you reboot, boom, everything is updated for you.
Even a kernel upgrade doesn't require you to reboot after it's installed. Just because you have an update doesn't mean you have to restart. Sure, it's not as safe as it should be, but it's safer than the example you provided, that of not upgrading ever.
Microsoft makes that easy to happen. OS X and Linux don't. And there are OE viruses that you don't even have to open attachments - previewing them is enough. But even if an Apple or Linux user did launch an attachment, they aren't going to be doing it as a privileged user.
It remembers root authorizations....
What the hell am I saying. Computers should be easy to use! Doh!
Um, two conflicting ideas....*BZZZZTZTTTTTTTTT*
*BOOM*
The subject line above pretty much covers all of the article's "social engineering" blah blah. As an IS/IT manager I can assure you that no amount of click boxes, pop-up warnings, etc. will prevent some users from doing "bad things" (tm).
Except that Microsoft makes it easy for a super genius with 300 iq points and 24/7 vigilance to get infected, much less a shmoe user. Contrast that to OS X, where you would have to have some knowledge and do a great deal of work to make it vulnerable.
For one thing, the root account is disabled. It is not trivial to enable the root account, and it isn't even necessary.
On the other hand, he doesn't mention that all you have to do is convince someone to enter their Administrator password, and all hell can break loose. I would say you are far more likely to successfully socially engineer someone to do that (Check out this wicked screen-saver; you just need to enter your administrator password to install it (a common install procedure)) than to get a *NIX user to run something as root.
You can be the most intelligent and vigilant person ever to walk the earth and still get bit in the ass by Microsoft's half assed security. Put a smart user in front of a Windows box and a dumb user in front of a Mac, and the smart user will always be the one to get infected. Every. Single. Time.
Yes, but a virus that hoses your /home directory probably doesn't have the privileges to spread as well as a virus that hoses your entire system. Actually a virus that does either would be recognizable right away, and would kill its host quickly, making it difficult for it to spread. A good virus would have to run as a hidden service, and continue to propagate itself unbeknownst to the user, such as klez did, which modified executables and ran on top of them whenever they were run, continuing to reinfect files. A virus that could have similar powers on a Linux machine would have to run as root to modify global applications, but could also affect your /home directory scripts and applications also. I envision that linux viruses will become a combination of rootkits, worms and viruses, like klez. Of course the virus would have to contain multiple root kits because of the variations in linux distributions (or one could create a self probing / modifying rootkit system, could be done if the source was available on the machine to recompile versions of ps, rm, ls, etc.). And most likely, because of the level of interaction with the user, most linux "virii" I would probably assume would be more worm like and trojan like in nature (auto infecting, without user intervention). Of course, when linux or OS X becomes common, it will be a mono culture of its own, since I don't see corporations deploying various versions / distros of the OSes unless they want a tech support nightmare.
So will viruses and virus like software begin to be developed for these systems as they become more popular... Yes. Will they be as widespread, possibly, depending on the exploit. Will it be more difficult to write "successful" viruses, most definitely.
Several people have said that making it easy to run executables is necessary for Linux to be popular.
This is wrong: instead it must be easy to run executables in a *sandbox* where it cannot do anything other than perhaps draw in its own windows.
This is not easy, but it is possible. Under Linux it would involve changing to nobody (requiring I think changes to the system so that it is legal for a program with any permissions to change to "nobody") and settings of local environment variables containing keys to things like the X server connection.
I know that many slashdot readers are linux admirers. I am one of them, but I think I am quite different than a typical slashdot reader.
I read the article and it has so many misrepresentations of the facts.
First of all, let's talk about social engineering. As he points out, social engineering is important, because many viruses spread through making someone do something which he/she shouldn't do. In this case however, he claims that Linux is safer. He is right in a sense, but this is because Linux is harder to use. There aren't programs like Outlook or Outlook Express which are easy to use for Linux. So it is quite hard to do things which make it easy for viruses to spread.
Also he talks about file extensions, gives information about them and somehow magically without giving any reason he claims that windows' having executable and non-executable file extensions is a security problem. That's quite stupid I believe, because Linux doesn't have extensions, and this confuses users a lot. When people come across a file name without extensions, they don't know what type it is. Is it a word document, a jpeg file, or what? In addition, you can have any file executable, by simply chmodding it. So in essence you can easily argue that, this is a bigger security risk, since people may get used to running arbitrarily named programs, and then they can be tricked into executing a virus, because its name looks like a photo. Like photo.jpg can be executed when double clicked on an explorer like browser. Author simply omits this fact, and makes a wrong claim without even backing it up.
Also the argument that, it is harder to trick people for email in Linux is mostly because Linux doesn't have Outlook type programs. On windows world, many things are extremely easy to do. On linux however, people are still using pico, and there is no possibility of viruses there. Of course you lose tremendous amount of productivity by using such a limited email client, but that's fine for simple email usage.
Administration argument is also weak. If he was right, then why lindows chose to make the user root user automatically. Obviously, they thought about the security issue, but since they are targeting mass number of users, they decided to go with the root user. So the author doesn't even consider usability issue.
Lastly, the author talks about monoculture. When there is a dominant email program, that program will capture the market no matter what. For example, if evolution is the best program, nobody will be able to compete with that. So, every linux platform will use it. There is no inherent rule in linux that says people will use different email programs. The author, at this point becomes really ridiculous. If you apply the same argument to other software segments, or other protocols, then you will have a problem too.
The author argues that since Outlook uses IE to render, outlook is suspect to IE's flaws. He may be right only because IE had some flaws, but he doesn't go into detail, so we don't know whether any IE flaw can affect Outlook users. However, aside from that, he argues that Mozilla and KHTML have excellent security records. Now, we can apply the same idea that, they have better security records because IE is the dominant browser. The author doesn't prove anything on this issue again.
He gives Kmail as an example, but I believe that, he could have given pine as an example too. Less functionality always means better security, and there is nothing surprising for this. Nobody forces you to use Outlook, by the way. And given all those email programs for Windows, I would pick Outlook, personally, despite all the FUD around it.
This is rather a stupid argument if you think about it. With the rise of options like Knoppix, damaging your OS files becomes less and less important, while damaging files in /home, i.e. the manifestation of most of your hard work, received communications, time spent setting preferences, etc., becomes the worst that could happen!
Sure, on true multi-user systems, there is the benefit of not being able to damage others' files, and there is the benefit of not being a tool in the propagation of the virus, but for the likely use of a home linux desktop, the data is everything, and is precisely what would still be vulnerable to a malicious program.
I'm a Unix expert. I know of at least ten different attack lines to hack unix not least of which is to use the fact that to install pretty much any program you have to become root (something that, sadly, windows is starting to emulate).
Every single piece of software written by MS in the recent years works without any problems under non-Admin accounts. The problem with Winamp is not a problem MS can address. If you're concerned about privacy you'll have to sacrifice winamp and use Windows Media Player (with winamp skin if you want).
How can he work for securityfocus, must be an intern or something, this review is ridiculously short-sighted. Certainly there is something to be said for the internals of the operating system, however it all comes down to the biggest fact of the problem:
The USERS.
They are the problem, uneducated in the ways of the computational facets of modern technology they go about their daily business without thinking about every action they take. To click or not to click, to give permissions and then execute or not, most of them turn a blind eye because they don't know what the #!*@ they are doing!
Windows has made it easy to use the computer, try getting grandma to sit down login to her unix account, start using vi and send an email. It's preposterous! Wake up people!
You are partially correct, and partially mistaken. Let me clarify:
You are correct that it is very difficult to run Windows NT, 2k, or XP without administrator privileges. It is a pain in the butt (I do it, and 99% of apps assume they have admin privileges). Microsoft knows consumers don't want to be sysadmins.
You are incorrect when you say that people want to run with admin privileges all the time. What people want is security without hassle. Apple does far better market research in this area, and Apple systems do prompt for an admin password. So does linux, and the Java VM.
The problem here is that someone looks at a problem statement like "Running Windows without admin privileges is difficult." and concludes "Users should run with admin privileges." The correct solution is to find the cause of the problem, and fix it. In this case the real problem is "Windows does not prompt for a password when admin privileges are required." Macintosh, Java VM, and many Linux distros have solved this problem in a way that is user friendly.
You may disagree with the post, and with this one as well. But none of this is FUD. Can we stop applying that term to anyone we disagree with?
But you go on to describe a typical spam message, 99.999% of which have forged headers, and most of which are easily filterable. I would be willing to bet that the majority of Linux advocates use some sort of filtering on their email, so where's the overconfidence/laziness? You weren't actually going to click that link, were you?
Good. Maybe this will shut up a good portion of the Microsoft apologists who always start off posts with "I'm no fan of M$ either, but ..."
The original article at SecurityFocus.
The thing is that no attachment is supposed to be code that is to be run.
On windows all you have to do to make a file executable is to give it a magical name ending in .exe; on Linux you need to change its permissions.
Normal users will never need to manually change permissions on a file, because normal users never create programs.
They download them from official sources and install them using official installers (like rpm or apt).
This all means that there is no reason for a user to ever go around setting the executable bit on a file, so it's only good that it's hard for users to do that.
Making everything hard does not make Linux more secure, but making the right, safe operations easy and the unsafe operations slightly harder (and rarely used) does.
-- To dream a dream is grand, but to live it is divine. -- Leto ][
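The comment above treats the executable bit as something a user should rarely have to set, while an earlier comment points out that tarballs carry permission bits. As an added example (not code from any poster; the function names and the in-memory sample archive are constructed for illustration), this Python sketch reports which members of an archive arrive executable or setuid, then unpacks regular files with those bits dropped:

```python
import io
import os
import stat
import tarfile
import tempfile


def build_sample_tarball():
    """Constructed sample archive: a README, an executable configure, a setuid helper."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("pkg/README", 0o644), ("pkg/configure", 0o755), ("pkg/helper", 0o4755)):
            data = b"constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def review_modes(fileobj):
    """List regular-file members whose stored mode deserves a look before unpacking."""
    report = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            flags = []
            if member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                flags.append("executable")
            if member.mode & (stat.S_ISUID | stat.S_ISGID):
                flags.append("setuid/setgid")
            if member.mode & stat.S_IWOTH:
                flags.append("world-writable")
            if flags:
                report.append((member.name, oct(member.mode), flags))
    return report


def extract_without_exec(fileobj, dest):
    """Unpack regular files only, keeping at most rw-r--r-- from the stored mode."""
    dest = os.path.realpath(dest)
    written = {}
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # links, devices and directories are skipped in this sketch
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                continue  # refuse member names that would land outside dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as out:
                out.write(tar.extractfile(member).read())
            # Drop execute, setuid/setgid/sticky and group/other write bits.
            os.chmod(target, member.mode & 0o644)
            written[member.name] = stat.S_IMODE(os.stat(target).st_mode)
    return written


def demo():
    """Review the constructed archive, then unpack it into a temporary directory."""
    report = review_modes(build_sample_tarball())
    with tempfile.TemporaryDirectory() as dest:
        written = extract_without_exec(build_sample_tarball(), dest)
    return report, written


if __name__ == "__main__":
    report, written = demo()
    for name, mode, flags in report:
        print(f"{name} stored as {mode}: {', '.join(flags)}")
    for name, mode in written.items():
        print(f"{name} written as {oct(mode)}")
```

After this, running anything from the unpacked tree takes a deliberate `chmod +x`, which is the extra step the comments above argue about.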
Using one single checkbox. Don't be ridiculous. The fact that some third party pieces of software don't work under non-Admin accounts is not a problem MS can address. And it is not their problem at all! It's the problem of respective software manufacturers.
in the Butt
The whole point of personal computers is that you don't share them. Having spent the last 3 or so years migrating from OS9 to OSX. I find it is the biggest pain of my day. And I at least understand what they are, God help those with no idea at all (most users) If you are talking servers then fine. But nowadays where hardware is at the point of becoming disposable then it is just a bloody nuisance. The old mac OS nine had it right, only folders had permissions not files.
OS 9 was very secure probably more secure than OSX
His main argument is that it takes many steps to install and run a virus in linux, therefore it makes it more secure. This argument may hold true, but it's the same reason that Linux isn't on the desktop in the home of Joe Sixpack. We're talking about people that don't even have the most basic word processing skills, let alone knowing about what application will open what file type. Once you start dumbing it down enough to appeal to the masses, these "security" measures go right out the window. It's one of the reasons he says Lindows is less secure.
What would really make a difference would be if software was designed with security in mind from the start. Outlook (Express) was not designed this way, and thanks to a set of spectacularly stupid decisions on the part of the developers and no doubt management and marketing as well, it functions better as a virus delivery system than it does an e-mail client. Internet Explorer doesn't help either.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I'd rather wipe out my system, and not touch /home than the other way around.
Are you kidding? You want your /home directory untouched while a keylogger is watching your online Ebay transactions, ?. login, Amazon.com transactions, online banking, etc... You want all the bounced mail from your now open mail proxy? Identity theft is more damaging than anything in my /home directory. I would rather rebuild my /home directory than rebuild my credit report.
The truth shall set you free!
"Check out the wicked screensaver! Just install the package!"
owned.
This has nothing to do with anything remotely Slashdot related, but I need to do something before my head explodes...
As I type this, my roommate and my best friend/recent lover are fucking in the next room over. WHAT THE FUCK. After 10 years of friendship and built-up sexual tension, we finally hooked up and now less than a week later she's banging my roommate. I am so fucking incensed right now I can't think straight. I wouldn't mind if they went to a hotel or otherwise didn't make it known, but she just FUCKING WALKED PAST MY ROOM TOPLESS AND SHUT THE DOOR IN MY FUCKING FACE. How fucking insensitive can you be?!
This sucks. It's 3AM and I'm telling strangers (GEEK strangers, no less) about my personal problems. I am a big pussy and will most likely not say anything to either one of them so I expect this to go on for a while. Fuck.
Feeling low? There's someone else out there that's having a worse day than you. Trust me.
Microsoft has Windows Update which informs you of and downloads many OS patches in a timely manner. Red Hat's up2date gives you warnings about everything that is supported by Red Hat but you must opt to download. After the vulnerabilities with non-OS Microsoft software (MS SQL, Outlook, Word). In the unlikely event there was a security problem with Abiword, Evolution or whatever, it would be picked up by Red Hat.
If you don't mind 'pulling' new versions and don't have a Red Hat subscription, there is always apt-get. Again, it updates applications as well as OS, with an even wider coverage than up2date.
See my journal, I write things there
Interesting article, but I think this guy has some problems in his logic. The dude complains about how everyone on windows uses Outlook or OE and how on linux that people use.... "KMail, Mozilla Mail, Evolution, pine, mutt, emacs ... the list goes on." Yes obviously because of the many different programs, distros, and what have you, linux viruses do and will "fizzle out quickly."
In order for linux to flourish, they HAVE TO get some standards. People hate change and won't switch to linux until it is easy to use.
I am NOT saying MS doesn't have their major problems, I am just saying IF linux becomes a major player on the desktop they first must make their software easier to use for the average user. This ease of use results in what Scott Granneman calls "Poorly designed software".
I believe if Linux were to make it big on the desktop there would be a lot more damaging viruses for linux.
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.
As a member of this strong, supportive Linux community, allow me to provide you now with the aforementioned Linux education.
(You'll probably want to write this down.)
"RTFM!!!"
I can rest assured that any of your former concerns have just been alleviated. If you ever forget the education you received here, don't panic! Just seek out a highly regarded linux guru on the net, and he will invariably and unselfishly re-educate you in the same manner as shown above.
If you go back to that article (vain hope) you will find that the company that issued that study is completely discredited as a source of trustworthy information.
IANAL but write like a drunk one.
Why does everyone assume linux is the best competitor for windows? Come on folks wake up, I mean I love as much as the next guy, but all my linux boxes belong nowhere else than in my server room. OS X is far superior and other desktop OS, and that's a fact!
btw: Of course AC on this one, or my karma dies...
Which is why even as a home user you store nightly backups of all important data to two machines on opposite ends of your home, machines which for all other purposes are essentially "non-executable".
Keep once a week backups going back 3 months, and nightly backups for the past 7 days.
If you can, include an offsite (i.e. a neighbor's house) backup.
.sig Realistic fines for copyright in
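The retention schedule from the backup comment above (nightly copies for the past 7 days, one per week going back 3 months), worked through as an added example that is not part of the original thread. The archive naming scheme `home-YYYY-MM-DD.tar.gz`, the 13-week reading of "3 months", and the choice of the oldest archive in each ISO week are assumptions; the planner only decides what to keep and deletes nothing itself.

```python
import re
from datetime import date, timedelta

NIGHTLY_DAYS = 7   # "nightly backups for the past 7 days"
WEEKLY_DAYS = 91   # "going back 3 months", taken here as 13 weeks (assumption)
# Hypothetical archive naming scheme: home-YYYY-MM-DD.tar.gz
NAME_RE = re.compile(r"^home-(\d{4})-(\d{2})-(\d{2})\.tar\.gz$")


def parse_backup_date(name):
    """Return the date encoded in an archive name, or None if it has none."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return date(*(int(g) for g in m.groups()))
    except ValueError:  # well-formed name, impossible date
        return None


def plan_retention(names, today):
    """Split archive names into (keep, prune), both sorted.

    Fail-safe rules: a file whose date cannot be read is never pruned,
    future-dated archives (clock skew) are kept, and the newest archive
    is kept even when every archive is older than the whole schedule.
    """
    keep = set()
    dated = {}
    for name in names:
        d = parse_backup_date(name)
        if d is None:
            keep.add(name)          # unknown file: leave it alone
        else:
            dated[name] = d

    if dated:
        keep.add(max(dated, key=dated.get))   # never drop the last good copy

    weekly = {}                      # (ISO year, ISO week) -> chosen archive
    for name, d in dated.items():
        age = (today - d).days
        if age < NIGHTLY_DAYS:       # nightly window, also covers age < 0
            keep.add(name)
        elif age <= WEEKLY_DAYS:     # weekly window
            week = tuple(d.isocalendar())[:2]
            if week not in weekly or d < dated[weekly[week]]:
                weekly[week] = name  # oldest archive of that week wins
    keep.update(weekly.values())

    prune = sorted(set(names) - keep)
    return sorted(keep), prune


def sample_names(today, days=120):
    """Constructed sample: one archive per night plus two stray files."""
    names = []
    for i in range(days):
        names.append("home-%s.tar.gz" % (today - timedelta(days=i)).isoformat())
    return names + ["notes.txt", "home-2003-02-30.tar.gz"]


if __name__ == "__main__":
    today = date(2003, 10, 6)
    keep, prune = plan_retention(sample_names(today), today)
    print("keep %d, prune %d" % (len(keep), len(prune)))
    for name in prune[:5]:
        print("would delete", name)
```

Run the same plan on each of the backup machines and on the offsite copy so that a single compromised or misconfigured host cannot shorten the history held by the others.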
Wow, man! You're out of date there!
Pine's something I used when I first got onto the web. Try evolution now - it's about as easy as Outlook, but still more secure.
I have a hybrid setup and have wondered about the same thing. CrossoverOffice allows me to run several Windows programs under Red Hat 9 Linux. I use Word 97, Excel 97, Powerpoint 97 and Winzip under Linux. I have deliberately avoided installing Internet Explorer and Outlook Express because of security concerns. I do not feel a desire to use those two products anyway.
Codeweavers who makes CrossoverOffice recommends that it only be installed while logged in under my ordinary user name not while logged in as root. I installed it that way, so I would assume none of these Windows programs are running as root. However, I still wonder if it is totally safe. Several friends occasionally send me MS Word files. MS Word files sometimes contain macro viruses. Would they pose any significant threat to my computer? Would it be better if I opened those MS Word files with the Linux version of Textmaker instead of with Word 97?
The open-source community knows that the only way to ensure market share is taking the virus monopoly from Microsoft.
Disclaimer: If I disagree with you I'm probably trolling...
I read this article, or at least most of it, thinking I would actually get some new insight into why the Linux was "Safer" than Windows when it came to Viruses. But all he offered was: "It's harder to do stupid stuff on Linux, so if Linux ruled the world people wouldn't do stupid stuff."
False Assumption: If Linux ruled the world at some point in the future, it would look/feel/act the exact same way it does today.
If Linux ruled the world it would be because the user community (ie: Windows users of today) accepted it. If Linux continues to disallow "stupid" stuff to happen, users will continue to reject it, so it won't rule the world. Therefore, it must change. The user community has enjoyed a high-degree of freedom, and they will not give it up in HOPES that their computing lives will be safer from viruses, etc. The majority of consumer-grade computers run Windows today because it does what they want, not because it's the only choice.
The author clearly has no understanding of the role usability plays in acceptance of an OS. If it's not easy to use out of the box no one is going to pick up the box. Period. Oh yeah, except of course for that small, 3% of the desktop user-space that enjoys the challenge. But those folks don't really matter since they aren't spreading viruses anyway.
Error:
Sure sure he makes valid points about how people are stupid and want things easy, which is why microsoft has been and will continue to be so successful in obtaining majority OS Marketshare. But if I know most people like most of the technically inclined out there I know do, people are inherently lazy. If it takes more than one step to open their email attachment they won't open it, or they'll find something that will let them do it in one step. The only reason Linux is really starting to gain some sort of foothold in the end user market is because the gui interfaces booted by default with versions like Mandrake and Red Hat make it easier and more fun to do the things the average end user wants to do. Given that logic, it's easy to agree with the majority on the fact that if the Linux OS were more widely used, the balance sheet for virii available for different OS's would be a little more even keeled between the Linux and Windows fronts. On another note, check out this cool band I found the other day: http://www.ridalyn.com
A very excellent point. But consider this: Not everyone running *nix is running that vulnerable application - all Windows users are running the OS. The application can be uninstalled or turned off (or easily patched), whereas for the OS it is a different story.
My beliefs do not require that you agree with them.
I risk being modded as redundant (maybe I browse too high) but there's another thing needing to be accounted for: Linux is the kernel, all around it is a distro. Vendors choose their packages, and not all of them choose the same. And this also works for the kernel version.
So, if there happens to be a virus out there that makes use of an exploit, my guess is that you won't see most machines vulnerable, as in the Blaster incident. Diversity inside Linux itself may make it harder to write a global-target virus or something, and even discourage virus writers, since they can only affect a minor number of computers.
Just a thought. I'd like to be corrected if I'm saying something stupid.
none of the *nix viruses were important my arse.
There are some valid points here, but most go away when the use is the average computer user. not worth elaborating - the author is a linux bigot.
I personally don't use OE and prefer Linux over Windows, but the points he made in this article are well.....pointless.
You can get a secure environment under Lindows as under any "standard" Linux if you set up a user account. Lindows 4.0 makes it very easy to set up a non-privileged user account.
If the user doesn't know he/she has to do it, we are in the same case as Windows, an uneducated user could damage your system no matter what OS you are using.
Regarding recommending Lindows to newbies, I would do it, but telling the user to set up a user account.
DNA in your Linux: DNALinux
I think he made some very valid points. However, I also think that regardless of how valid his points are, his conclusion was flawed, thereby resulting in the idea that he probably shouldn't have written that article in the first place, and instead ended up exposing himself as a complete idiot.
From the article:
Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it.
Oh, so the virus can't damage the system, only my /home directory? Is that supposed to be some sort of consolation? If the OS gets damaged, I can reinstall. But if my /home directory gets destroyed, it's a complete catastrophe. (Or rather, it would be if I didn't back up compulsively.) That's where all my email and chat archives, digital photos, and the code and other documents I've written all live. That data is literally priceless, in my eyes.
Foul up my system, and all I've lost is the few hours it takes me to reinstall. Destroy my /home, and you've taken away my primary record of my travels and other activities and my creative output for the last several years. Only a total gearhead with no sense for how and why normal people use their computers could value the 'system' over the personal data that resides in /home.
Amen. People think I am crazy for using pine as my primary mail program. But I have yet to see a reason to stop using it. Just because there is something newer? Nope. Prettier? Nope. Provides more functionality? 'Fraid not. Allows me to create HTML emails? I think I will stab your eyes out now...
I can associate applications to open attachments, but *I* choose to open them. I can check my email from virtually anywhere, and I don't have to download all my messages. Download PuTTY, ssh in, check email, get out. Bing bang boom. Or, I could check it via my webmail account, nothing to download there either, unless I want to view an attachment.
I hate to sound like some old crusty dude, but you don't need all that fancy-pants stuff to use email.
My beliefs do not require that you agree with them.
He claims that Linux is more secure because it makes it harder to open email attachments. I remember when my grandma first started using computers to email the family. She specifically told me that she wanted the most difficult email program possible.
All of the "Windows vulnerabilities" dealt with common windows software. If I used any other mail client on my windows machine, I'd be more secure. But why do most windows users use Outlook Express? Because it comes pre-installed on the system and is easy to use. Yes, if MS installed many email clients by default, there would be a smaller user base for attackers to exploit.
But we're once again forgetting that John Q. Moron likes things to be easy to use. "Which email program should I use? Why isn't there just a button that says email?" Or, even worse, John Q Moron will check his mail with one program once, then use another the next time. "Where's my old mail?"
John Q. Moron also likes to say, "What do you mean, I have to be root to do this? Why is my computer telling me what I can and can't do?!" So then he goes and logs on to root permanently (I know that's why I'm always an administrator on my Windows machine). For the same reason, he also doesn't want his email program warning him about HTML. I can just see my mom calling me up now. "Oh no, I have a virus on my computer." "How do you know this?" "My email program told me there was some virus called 'HTML' in my mail, and all of these weird characters are on my screen! I think that means its corrupting my files!" Once I had finished laughing at her, she would be humiliated enough to set her mail program to always open HTML mails.
As for the "it can only affect my home directory" thing... The big viruses recently have all damaged systems by causing massive amounts of network traffic. Unless Linux says "Hey, stop using so much bandwidth when you're not root," a common user can still propagate one of these. Sure, the traditional "delete your files" style virus will only screw over the moron user, but they'll still be able to propagate email worms just as easily.
that's right, you give them yOUR monIE (aka 'investing'), & it goes so far away it cannot even be found DOWt with the pateNTdead eyecon0meter.
the infactdead BugWear(tm) blight suppLIEd buy the felonious kingdumb of FUDgePackers, is a worse fate than debt. yOUR monIE's not coming back. lookout bullow.
need just the facts? consult with/trust in yOUR creator...
First off, I agree completely that Linux and MacOS are more secure and less likely to allow virus infection. But my complaint here is the same one I make to all my Linux using friends... right now there are too many steps to easily infect your system, but it might not be that way if Linux was as wide spread as Windows. Think about this, why is it so easy to shoot yourself in the foot with Windows? Because of normal day to day users who simply want to make their email work. If Linux was as popular, these built in automatics of Windows would work their way into Linux so that the simple users who think root is something in their gardens can make their email work. And application designers will happily write these automatics in to make their customers happy. So for those of us who use Linux and are more than simple users... yeah it will never happen. But for the rest of the 99% of the world, they are gonna make it happen. Just something to think about.
Photo Editor (which comes with Off2k) will not work quite properly in a default Win2k install for non-admin users. There's a registry permissions issue which prevents Office graphic filters from being accessible by unprivileged users. It usually manifests itself with an error when you double-click on a JPEG file; Photo Editor will pop up, but then tell you that it can't get the format information (or something; it's been a while since I've seen the error). There's a Technet article on this issue that tells you how to do a workaround (basically, assign more liberal permissions to that particular registry key), but MS basically states that it won't be providing a real fix because Photo Editor is not considered a "core component" of the Office suite.
We are rolling out thousands of Win2k/Off2k systems here over the next few months, and I discovered yesterday that the standard build does not have the registry fix.
"The best security on your email program will not matter if you're running a vulnerable version of sendmail."
what are you talking about ? please re-read that sentence and make sure you don't have to qualify it with some other facts to make it true.
what does it matter to a desktop machine's security if sendmail is totally rooted ?
It seems to have removed the Outlook Express binary itself (or moved it somewhere else), but there are a bunch of DLLs still in c:\Program Files\Outlook Express. I don't know enough about Windows to know whether that would be enough for malware. To be fair, the entry in the "Add/Remove Programs" box does say "Removes access to Outlook Express from the Start Menu".
You can do the same thing to IE, but it certainly doesn't remove it. This is a big problem; why MUST a server have a Web browser? I know that they've tied their auto-update system to it, but in my opinion that is also wrong (when up2date first came out, I thought it was incredibly stupid that it required Netscape 4, while AutoRPM only needed a few Perl libraries).
WMBC freeform/independent online radio.
Two reactions:
1:
"In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic"
I really really disagree with that statement. It can be very easy without being automatic.
On my Mac, I'm prompted to fill in my Admin Password when installing software. That's really a very very small thing.
But so far it does the trick in two ways:
1) It gives me pause. If I'm asked my password, I know something "deep" is going to happen. And I'm more likely to remember this event when strange things start to happen.
2) It keeps significant others from messing up my system for me. They can happily do anything they like, but can't install stuff behind my back.
2:
"But "Regular User Guy" won't apply that patch. Multiply that by a million users. Now you have millions of machines out there running a rootable linux box."
Again, on my Mac, I have an extremely friendly updater. It tells me I need to install something. I click "OK" and it installs it. That's a two step process.
One: read their message,
two: click "OK".
And notwithstanding the new geeky crowd, the majority of mac users couldn't tell you the difference between Root and Admin. This foolproof update mechanism has kept the overwhelming majority of macs up to date. Although Windows Update is not bad at all (and was there before us Mac-heads had a tool like that), it still is beyond regular user's understanding or too much of a hassle.
Both mechanisms can be adopted by other OS's. There's no reason why good ideas can't be copied, happens all the time. I know OS X isn't everybody's cup of tea (coffee, java, cool aid) but it's an example of a secure desktop system that proves you wrong: the system can be secure without being demanding. I want to hear the first person to state his mac is more difficult than his windows machine.
And as an afterthought: both the article and some posts have rightfully pointed out that by adhering to some sound design principles, even very simple, useable mail-clients can be a lot safer than outlook.
Again: on my mac I use Mail which is quite acceptable. It's extremely easy to handle attachments, even for the totally clueless.
Disclaimer: I like outlook, always did. Simple and powerful at the same time. But running exe's and other doodahs without my permission is totally unacceptable.
I think, therefore I am...I think.
I need to run every attachment that comes with my e-mail.
Any OS is NO MORE secure than the user.
That doesn't mean that all OS are equally insecure.
Obviously, the dominant OS will be the prime target. The question is how soft that target is. Windows is the prime target because it is dominant. It is an easy target for other reasons.
The stupid user can always be hit, the security obsessed will always be hard to hit. But there are a lot of people in the middle, and Windows security does not serve them well.
We apologize for the inconvenience.
SecurityFocus fires Scott Granneman for his anti Microsoft comments after disavowing all connection with his statements. :)
> what does it matter to a desktop machine's security if sendmail is totally rooted ?
I can't read the poster's mind, but if sendmail is r00ted, most likely the rest of the machine is at risk as well.
I'm really surprised when patches aren't integrated into the main release and the release remastered. I accept this with free or almost free software, but why do I get it when I'm paying too much money to Microsoft?
On your point about switch DNS, Red Hat signs their updates (nice touch). Do you get the same with OS X?
See my journal, I write things there
I would say that anyone running an SMTP server on their desktop deserves to get rooted.
Maybe Linux is less "monoculture" prone than Windows however the point stands that diversity prohibits infection and similarity encourages it. If everyone in the world used Linux, we would see more linux viruses, although maybe not nearly as many as Windows.
He also seems to ignore the fact that the average computer skills of a Linux user are vastly superior to the average skills of a Windows User. The worst propagators of viruses, chain mails, and worms (due to unsecure computers) are the family computers and uneducated users who use Windows for its ease of use. I don't know if the marketing dept. would be able to survive if all computers in the world instantly started running Linux instead of Windows tomorrow.
Very amusing.
...."
Mr Granneman's point: Linux doesn't have many viruses because the wildly diverse, complex, and inconsistent ways of doing even simple tasks such as e-mail on a Linux system make virus writers' jobs harder.
Of course, the wild diversity, complexity, and inconsistency involved in doing simple tasks is exactly the same reason why the general population isn't demanding Linux on their desktops! Can you imagine explaining how to execute a _legitimate_ e-mail attachment to Grandma over the phone if she used a Linux box?
"Grandma.. ok, now we've saved the attachment, so click the little icon at the bottom that looks like a window. No, it's black with a little frame around it. Grandma, pretend it's a window at night. Yeah, that one. Now, click twice on it. Grandma? No, I know it says 'bash%', but please don't hit the computer again. Now, type 'chmod +x foo/bar'; that's 'c', 'h', 'm',
And of course, since the Lindows people are actually trying to make a distribution of Linux that ordinary mortals can use without going insane, guess how they're configuring things? Wide open, so that everything "just works".
Despite the author's claims, there's nothing about Linux itself that makes it more secure than Windows (well, Windows XP, anyway) other than the wise choice of default settings, which is something Microsoft can and should address. Of course, most people will still turn things off to make their lives less annoying.
OS X has similar sets of features (yea, even chmod is present) yet I would far rather give my grandmother a Mac than a Windows box. They figured out a good balance between locking things down in the UNIX way and letting programs have higher level access when needed with an admin password (as in during installs) which is pretty much just a really easy to use Sudo.
Here's an alternate question - would you rather explain chmod or Windows Update?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I've had an SMTP service, FTP service, ssh service and NFS service running on my workstation.
It's a lot easier to handle things like that than to have those services running on other machines. Except for the ssh service. Instead, I'll have the clients on the other machines so they can connect to my workstation.
Fewer services running on those machines means reduced chances for worms.
My friend and I have a rivalry going on.. regarding Linux vs Windows. I sent him the link, he sent me a retort.. My point-by-point response to this article.
.... let's compare the numbers. ...
... Virus writers use social engineering to convince people to do stupid things, .... Poorly designed software makes it easier for social engineering to take place, but such software can also subvert the efforts of a knowledgeable, security-minded individual or organization.
... It's easy to run executables in the Windows world, and users who get an email with a subject line like Check out this wicked screensaver! and an attachment, too often click on it without thinking first, and bang! we're off to the races and a new worm has taken over their systems.
Jack Clarke, European product manager at McAfee, said, So we will be seeing more Linux viruses as the OS becomes more common and popular.
Mr. Clarke is wrong.
There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory. >>Editor's note: unfortunately we have been made aware that this quote by Dr. Peeling and Dr. Satchell is incorrect; the independent WildList organization produces a monthly in the wild list of viruses. While the vast majority of viruses in their report are Windows-based, there are still some Linux-based viruses (listed as Other) found in the wild as well.>>
So, the very basis for stating that Mr. Clarke (a high ranking official with a well-known anti-virus company) is wrong is flagged by the editor as being invalid. Am I the only one who thinks this is not a small deal? It's also worth noting that this is the first of two such statements that the editor had to mark as being factually unsound or misleading.
First, look at the two factors that cause email viruses and worms to propagate: social engineering, and poorly designed software.
Can anybody explain the use of the word but in the previous sentence? (Look at the sentence again if you're wondering what I mean.)
Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email! Don't believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that's at least one for the last five years.
There is an upcoming editor's note about this along with the following sentence.
And though Microsoft's latest versions of Outlook blocks most executable attachments by default, it's still possible to override those protections.
So, the complaint here is that it is possible for somebody to manually override the security settings put in place by Outlook? Does the autho
Within the arms of tragedy, there is little comfort in being right.