Slashdot Mirror
Viruses and Market Dominance - Myth or Fact?
rocketjam writes "An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms. Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms."
I think Windows systems suffer more from vulnerabilities at the operating system level (possibly because it tried to integrate so many things) than application level (though they do exist). In Unix like environments, it is the opposite. The operating system is generally secure against remote attacks but it is the applications that run on top of the OS that introduce vulnerabilities.
As long as there is software there will be bugs, no matter where it is run.
Since many Linux distributions are trying hard to get convert desktop users, they are also diminishing the steps required for the launching of an executable virus thus, diminishing security.
If Linux becomes more popular, media recognition and increasingly "dumbed down" distros will make it a good platform virus writers.
For us oldsters, who were around when Microsoft finally woke up to the significance of the internet, the security problems that M$ faces coincide with their desire for market dominance.
MS quickly created some powerful internet enabled applications. Outlook is the best example. In order to provide so many 'innovative' goodies and features they had to sacrifice security. Deep system hooks and then trying to justify their inclusion of Internet Explorer forced them to tie IE deeply to the system. A great example of short term profiteering at the cost of long term credibility.
Just my opinion. But I am 37 and my degree is in International Relations!
ONE LOVE!
Grampy
I'm not sure if this is a troll or not, but Linux is indeed UNIX-based. It is "inspired by" UNIX (as opposed to having code in common).
Linux uses all of the old UNIX concepts of fork(), inodes, etc. For non-UNIX inspired systems, see OS/400, VMS, etc. These do not have UNIX primatives.
As a Linux user, I am proud that Linux is a UNIX derived (at least in spirit) system. It has a base of history, knowledge and experience from which to build. Would starting purely from scratch be better? I hardly think so.
I learned UNIX programming on SunOS. My SunOS knowledge works just fine on Linux (although not on OS/400 and hardly on Windows... unless you count what little POSIX compliance they barely put in).
Long live UNIX/Linux!
Sarcasm and hyperbole are the final refuges for weak minds
Rootkits are probably more like a trojan than virus.
Personally, I consider viruses, worms and trojans to all fall into the same genus. The differences between the three aren't too important and blurry anyways. They are all hostile code that can affect any system.
Isn't the fact that Windows's vulnerabilities are well known a product of its widespread use? I mean, this just sounds like a self-fulfilling prophecy of sorts.
Not that it matters to those of us who never patch, no matter what OS you're running. I administer a Win2K based server that has remained stable because I patched it religiously and made sure that it was not easily compromised, and so far nothing has happened to it. (In fact, I had a "white hat" come in and try the usual round of exploits on the box, and none worked.)
OTOH, a friend of mine administering a Linux server was too busy bragging about his non-stop uptime to upgrade to a non-exploitable version of Apache and got his site defaced. Twice.
It's not the OS, it's what you do with it.
Honorary Member of Jackie Chan's Kung Fu Process Servers
RMS commented on this issue earlier this year:
There are several reasons why GNU/Linux has few viruses:
If everyone switches to GNU/Linux, reason 4 will go away, but not the others. Therefore, people can expect to have much fewer virus problems in a world of GNU/Linux users than then have now with Windows.
--END-OF-RMS-TEXT--
Expert in software patents or patent law? Contribute to the ESP wiki!
If people just stopped using Outlook and only used plain text email there'd be much less of a security problem... I doubt Gabe over at Valve is going to be using it again any time soon.
Luckily I've already responded to the author in person before this became /.ed.
As I've pointed out to the author, being just a "normal user" is enough to let the virus spread and to destroy the "normal" users documents.
I keep seeing this argument over and over again when talking about system stability. But my system would be next to useless if all my documents and configurations would be gone. Maybe it would be easier to recover from backup instead of a full reinstall, but that would be it.
Most pc's out there are single user (or single family) computers, instead of the old multi-user mainframes. All the important data are in reach of the virus.
If I get a response I will let you know...
Yeha, I love this quote:
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world, which should help to alleviate any concerns on the part of newbies.
Yeah right. I garuntee if my Mom started using Linux all she'd be doing the same things she's doing now. You can lead a horse to water but you can't make them check if it's contaminated first...
My new catch phrase is: "I NEED A NEW CATCH PHRASE, BABY!"
it isn't the OS's fault, it is outlook and if linux blows up, then "outlook for linux" would be just as vunerable
Outlook Express isn't removable from Win2k onwards. MS considers it part of the OS. So it is the OS's fault.
If Linux came with unremovable email clients, then your argument would be valid.
One of the things the author touches on, but fails to grasp fully, is that, part of the reason Linux is not now, and won't be for some time, adopted by Joe Sixpack, is that it is a complex PITA to install and run stuff on. Average people like simple. They want to get an email from George down the hall, with an attachment, click on it and have it run. If this means that they have to login as root all the time, and just give everything execute permissions, they will. The author recognizes that most of the problems exist between the chair and the keyboard, but then gives some nebulous, hand wavy, excuse that, if the world ran Linux, people would be better educated. Bullshit. People are going to be just as lazy, and just as ignorant about computers as they are now, they are going to do those dumb things that get them in trouble now, no matter which OS they are running. Even the added complexity will give way eventually. Someone will realize that they can make money selling a version of Linux that is "easy to use". And people will buy it, because they don't want to deal with the hassle. While I realize this is anethma to the /. crowd, most people don't care about the ability to modify the kernel if they want to (they don't!). They just want that 'puter thingy to show them the screen saver their friend sent them, and if they have to choose between a really secure OS, and one that just does it, they will pick the one that just does it. They will install programs that allow them to just run executables in an email, hell most of them will probably install a mail client that automatically launches executables if they think it will make things even eaiser on them. Face it, most people are scared of computers, and if they have to do anything more complex than launch OE and solitare, they are lost, and the author expects them to change, why? Because the Linux advocates will teach them better, he says this while ignoring the fact that many of us who deal with Windows on a daily basis have been trying rather hard to get people to lock up their Windows boxes a little better, without any success. Heck, my own girlfriend bitches about Mozilla on my machine, because it actually does things like block cookies, pop-ups, and java-script, unless you tell it otherwise. And she's probably a bit better about computers than the average person. Sure, the viruses will be different if/when Linux takes over the desktop (and establishes its own monoculture, probably be either RH or Lindows), but there will always be a security hole in the chair/keyboard interface.
Necessity is the mother of invention.
Laziness is the father.
I would state that it depends on the distrubution.
For example, OS X installs the first user as an Administrator (though several tasks require they enter their password as a sort of sudo command - but most users would simply do so without thinking of the consequences).
The last time I installed Red Hat (7.2 I believe), it had you set the root user, then create a new normal user - assuming the user logs in as themselves, and not root, then the protections will work.
I think the best note is "if users act like they should" (which is easier in an office environment than a home one), then virses onto UNIX based systems (GNU/Linux, BSD, or otherwise) won't get very far and will find quick death if spread using the standard "social engineering" ways of the MS Windows world.
The difference between UNIX systems and Windows ones is that there are fewer protections on Windows to prevent System-level commands from being run. On a UNIX box, if I'm signing on as me (non-admin type), then I can feel pretty good about general security. If I'm on a Windows box, I'm going to have to be double cautious with everything that crosses my email or my browser - whether I actively run it or not.
So I'd say he made some fallacies, but overall his point is more correct than the cries of "Well, there are less viruses on GNU/Linux and OS X because nobody runs it! Nyah!"
52 Weeks, 52 Religions with John Hummel
Most of the arguments presented by the article can be dismissed once the lowest common denominator is taken into account. Your average *CONSUMER* does not like having computers being more complicated than they 'really need to be'.
If and when the so-called great Linux revolution occurs, distros will have to keep the needs of the average consumer in mind. Y'know, the people who outnumber your average slashdot reader in droves? Most of these people have no desire or need to really learn anything beyond what it takes to turn on the machine, open a browser and check their email, maybe running an IM client and the occassional game. Having any expectations of them learning commandline tools such as chmod is pushing it. Microsoft's design choices weren't always out of their own stupidity so much as knowing the majority of potential customers -- the customers with the biggest numbers, thus ones you'd need to be a dominant OS -- aren't informed and *don't wish to be*.
Feel free to wring your hands over it.
I don't like the way he keeps mentioning OS X in the same breath as Linux, but neglects to point out the differences.
OS X was designed from the beginning as a desktop OS, and the designers have taken these issues into account. For one thing, the root account is disabled. It is not trivial to enable the root account, and it isn't even necessary.
Secondly, even though OS X ships with a standard mail client it's a good mail client. It can't run applications or scripts with a single click, HTML email is limited to display, no JavaScript can run, and plug-ins don't work.
I wonder if Apple should thank Microsoft for setting such a bad example!
www.lucernesys.comHorizon: Calendar-based personal finance
broken? how so? Preventing users from installing stuff is extremely useful on a multiuser system. I've seen way too many networked windows boxes with just about every piece of spyware, adware and other useless crap installed on it to believe that letting the average user install anything they want is a good thing. Just because users want to be able to install anything on their computer with no safeguards doesn't mean it's a good idea. The current system isn't broken, it was put there to prevent exactly what has happened on Windows boxes.
Most Unices are good about preventing average users from accessing the core files in the OS, whereas Windows just puts a nice little warning on the screen and lets you go right ahead.
read my blog
musings on politics and technol
While I agree with the gist of his article, there are a couple of obvious problems:
Further, due to the strong community around Linux, new users will receive education and encouragement in areas such as email security that are currently lacking in the Windows world
That's unlikely. As Linux takes over corporate desktops, the users are not going to be joining LUG's or mailing lists. This has been mostly true up to this point, but mass acceptance will change the demographic of the user community to be more like that of Windows.
Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it.
It's mind-boggling that this stupid line of reasoning is still used. First, my home directory is the part of the system that I'm most concerned about protecting. Holy shit! That's where my files are. The rest of the OS can be downloaded off the internet or from any CD that I have. But what about the files that I have created? A program destroying my home directory is a far larger problem than a program that mucks up executables or something.
Second, the modern worm/virus on Windows doesn't need any elevated privileges. The whole point is to spread, and there is absolutely nothing about that process that needs or uses any elevated privileges. Being root is not terribly relevant for the modern worm.
With all the lost money and productivity over the last decade caused by countless Microsoft-borne viruses and worms, you'd think the company could have changed its procedures in this area, but no.
And it wouldn't have made a damned bit of difference for the most destructive email worms. Is the author from another planet? I have to wonder.
Do you have ESP?
I'd rather wipe out my system, and not touch /home than the other way around. I can reinstall most of the system in short order, but my /home directory contains all the important stuff.
.tar.gz, .rpm or .iso files for the download.
Remember, it is the *DATA* that is important, not the programs. There are boxes and boxes of the same program on most computer store shelves -- or tons of
Learning HOW to think is more important than learning WHAT to think.
> the conventional wisdom that if Linux or Mac OS X were as popular as Windows...
The very features which make Linux less vulnerable to virii also insure that it will
never be as popular as Windows.
Try explaining 'chmod' to your mother-in-law.
A very interesting article, but the author leaves out one very important point: the difficulty of writing a virus for Linux is much higher than writing one for Windows, so fewer people will do it. It takes much greater skill and effort to screw up a UNIX-based system than a winodws system because of the much clearer distinction between user files and system files. Today, a large percentage of Windows viruses are just slight modifications of others, and there even exist "virus toolkits" to generate viruses without much technical knowledge at all. In short, the "script kiddie" factor of relatively clueless people whipping up viruses based on a few instructions received in IRC is much less under UNIX.
The author does point out, quite correctly, that even if Linux viruses became more widespread, most of them would probably only affect the user space and not currupt the system itself.
That article has all the typical anti-linux trolls rolled into one, along with several new ones. For example to those who don't feel like reading it, he compares linux users to terrorists and communists all in the same article. He also blames the majority of viruses and malicious hackers on linux, and p2p software theft as something caused by the linux community. Truly an overdramatized troll.
True genius is grasping a situation like a peice of fruit, and peircing it just right so that it drains dry.
I think that was the first sentence:
It could be analogous to blaming the engineers if they had painted a big target on sensitive areas of the building, and provided planes a lighted approach for hitting them.
But, it gets even better:
When are you notified that you may need a kevlar vest? Again, this would be a more fitting analogy if the person not wearing a vest was in, say.. Iraq 8 months ago and had a US Army emblem stitched on their uniform. If you buy software, I think it's a reasonable expectation that it won't be broken due to negligence. If I purchased a car, I'd be pretty pissed off if I found out the company made it very easy to open it without my keyless entry fob. That's a much more fitting analogy. Analogies suck to argue with, so lets just keep on the real subject:
Yes, this is why we demonize Microsoft. Not because they violate HTTP, SSL, CSS, and countless other standards. Not because they violate business laws, and are sued for it. We demonize them because they attract idiots better than us. I'm glad he cleared that up for me, because I was wondering why I didn't run Windows. It's not just my surprise, Ed has one too:
I suppose I'm part of the culture, and I don't glorify nor justify. In fact, I say it's wrong. So do a lot of people. So, again, half-baked claims with no factual backing. Yes, I'm sure several people did say that Half-Life will now have Linux binaries. If any of them said it seriously, I doubt they have the capabilities to build them anyway. Any joke taken out of context can make someone look like a dick. Or a Communist, right Ed?
I didn't realize that thieves were happy only getting what they need and no more. Perhaps you should ask Microsoft since it's documented that they have stolen a few things. I can definitely see how they take only what they need. Like $40B in cash reserves.
But when we talk about P2P, that's when Communism really rears it's ugly head. Not Capitalism and market dominance nor supply and demand, which is the very cornerstone of capitalist economics:
The replacement to the RIAA? I'm not sure, how about CDBaby or the other houses that are opening up? Why are there so many famous artists that loathe the RIAA? How many famous artists have you sat down and talked to about record contracts. I can name one, and he makes more money now touring as a legendary band (from the 60s) than he ever did from his 6 platinum records. Even he wants to get on the internet distribution bandwagon. But,
Dacels Jewelers can't be trusted.