Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
I'm switching back to the Commodore 64.
The TCO for Windows for the vast majority of slashdotters however is still steady and holding at "free".
;-)
I keed, I keed!
Quidquid latine dictum sit, altum viditur
I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.
Ahem. This is -1, Redundant. No shit viruses/worms raise TCO. This is the case for ANY operating system, not just windows. Of course, the homogenous nature of Windows makes it a lot easier for worms to affect machines in a wide range. But we'd still need to take precautions with any system in use.
This is news? This wasn't included in TCO estimates before? (Actually, that would be news, but not the kind I'd want blasted out to the world about me!). Seriously, how can "common maintenance" NOT be included in a TCO estimate? Isn't that the major ongoing part of TCO? Geez....
The cesspool just got a check and balance.
And when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.
That's just plain sexy.
-- The box said Windows 2000 or better... so I installed Linux
I thought dealing with these Windows consistencies saved money!
;-)
It's nice to know that it took an industry analyst to tell us this.
I wonder if the cost of antivirus subscriptions has traditionally been included in the TCO studies out there comparing Windows and Linux. Somehow I bet not.
Does anyone even know what the service the sasser worm exploits actually does? Most of the perpetually open services on windows are totally opaque to me.
The ultimate stupidity being that under 2000, the famous "switch over to NT and screw over the legacy code" had tons of insecure network services running by default, but their backwards compatibility system (the one that enables "run in 98/95 etc compatibility mode") disabled by default.
At some point somebody (Windows apologist or not) is going to point to Longhorn as the solution to security problems. Is there hard data on whether or not worms have been increasing or decreasing (in frequency and effects) the past couple of years?
We know what problems they've caused and how the media's gone nuts over each virus, making things seem bigger and bigger. But some old viruses were much nastier, and I sure don't hear about those types of infections anymore.
-Rob
Marriage doesn't have to suck!
Not anymore...
http://www.internetnews.com/article.php/3317211
(It's a link to the story about Microsoft including antivirus software in Windows XP Service Pack 2.)
Most people rarely patch their computers until something happens. (Me being one of them) It's something that people really need to be aware of. Prevention is the key.
Does this really come as a surprise? This is something that is quite obvious. The worms suck up resources and take many man-hours to apply patches (not even counting the testing to make sure the patches don't break other things). I honestly think the rise in cost of dealing with these things is obvious. I would think that this isn't just a Windows thing, but an issue for every OS out there, although I do realize Windows has a large majority of the attacks.
Like my Pappy says..."Never bitch about the guy who signs your paycheck."
1 - Create an OS with more holes than swiss cheese
2 - Deny vulnerabilities as long as possible
3 - Release Patches
4 - Blame Security Vulnerabilities on Patches
5 - ??
6 - Profit!
Lately about 1/3 of my job consists of dealing with Windows vulnerabilities. And there are four other full-time staffers here with the same job description. We're not especially well paid, but that sure adds up. And when you add in the downtime of the people whose computers we're fixing...
http://alternatives.rzero.com/
Something that might ease the pain for a network of XP machines is a method to roll out patches, or have machines that were just ghosted check with the domain controller to see if they are allowed to automatically install the patches. Auto-fixing Windows... a man can dream, can't he?
Well TCO isn't everything...I mean...who cares if you spend hours upon hours patching your systems when you could be watching "Futurama" and "Family Guy" on Adult Swim!
Indecision may, or may not be my problem! -- Jimmy Buffett
Wouldn't you expect the 'leading' OS to always be the target of attack? People want to make their statement, and how much of a statement do you make if you bring down both people running OS/2? So in short, the obvious was just proved. TCO is raised by being the most used OS. It is a bullseye that everyone will aim for.
You mean that Flash ad at the top of the page that says Windows costs 10x less to run than Red Hat isn't true?
:-)
OK, I suppose it's 9x less
Actually, Just install the latest service pack and then install Autopatcher. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.
There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!
Quidquid latine dictum sit, altum viditur
I'm sure I've seen an ad for linux virus scanners. Is this a rip off, or does it scan for windows viruses on the way through mailservers and firewalls?
# cat
Damn, my RAM is full of llamas.
Scientists confirmed today that water is indeed wet, Abraham Lincoln is dead, and the earth is round.
Well.. maybe. Or Maybe not. But Definitely not sort of.
If the cost keeps going up every time a worm appears, this will push Windows to an unaffordable price. At that point, it'll become a no-brainer for IT folks to just deploy Linux, hopefully. Cost of Windows nowadays is just ludicrous.
What makes Linux and its software (generally) more secure is the design and the security consciousness of its developers.
We all know that Linux's TCO is often lower than Windows' but one shouldn't count on the absence of worms.
then the macs would be on many more corporate desktops. they are far easier to maintain and admin. but, businesses are pennywise and pound foolish. admin costs are not necessarily up front costs. so, bottom line bean counters can justify purchase from vendor A because of lower initial cost. also, don't count out the paper mill MCSEs that influence purchasing decisions.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
This in itself is not taken to justify big changes. Like high linux retraining costs (for corporations) or living with an unsupported and hard to interoperate computer (for households).
haven't most /.'s been raving about this for years? How is this News for Nerds in even the vaguest sense?
...from Longhorn to A-patch-eee. Oops... Hope that doesn't offend anyone at Apache.
Free Firefox news reader.
The problem with these costs is that they are probably never added into operating expenses. My fiance's company, a huge conglomerate, got hit with the Sasser worm and basically handed out disks with a virus update on them to manually install. Needless to say her HR department was idled while they tried to fix all the installs that went poorly. You can probably guarantee that her manager has no way, and probably wouldn't think of, adding that cost into their bottom line.
heh. If you want to see the TCO for something increase dramatically, all you have to do is provide support for it over a long enough span of time that people feel comfortable in ceasing to learn.
:(
Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and viola -- things run nicely.
But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working. At your place of business a PC tech is waiting to coddle you. At your home you can call your ISP, call your PC vendor, call your OS manufacturer, call your application developer, call everybody in order to figure out what's wrong with the system. The suggestions they give you to fix it may seem arcane and strange, but if you follow them assiduously you have a 30 to 40% chance of getting things working... and if it doesn't work out, you can always call back 'til you get ahold of someone who really knows what's going on.
Small wonder the TCO is so incredible. I can understand that worms have an impact on this number - hell, I've logged plenty of overtime hours securing machines against the latest potential threat (the Army is rather proactive in locking things down against exploitation - with good reason). I've spent countless nights securing our systems against worms that use ports that are not open on our firewall. I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know. I've spent many a fine weekend and holiday at work restoring people's email because they deleted without consideration for the fact that bringing it back takes serious time.
My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. Am I overestimating the abilities of the average human, here?
sigh... *Lots* of things go into TCO. My overtime, paid to fix these kinds of problems, is a significant part of it at the site I work for. End of rant.
Actually that is the history behind why that http server was called what it is. It was originally intended to be a series of patches for the httpd process. Ironic, eh?
apt does the job alright.
Black holes were created when god tried to divide by zero
...someone adds the time cost of Windows to the total cost of the operating system. When accounting the total operational cost of a Linux machine everybody counts the time that the sysadmins spend on it, because it's *free* of charge. In the case of Windows most of the researchers think only about the cost of its license. Personally, when I rarely boot in Windows, I spend half the time applying Microsoft patches.
...the fact that this passes for 'news' is a bit underwhelming. I've always been under the assumption that TCO involves any externalities that affect the bottom line (and relate to the line item - in this case the OS - at hand). It is, however, good to see a place like Gartner, to which many PHBs pay attention... covering it.
What will these analysts discover next?
I've been hearing rumors that MS products cost more than the open source alternatives too. But it's just a rumor...
"Fate favors the bold"
...from his SNL Weekend Update days:
"This, and many other fine articles are available in the current issue of Duh! magazine."
These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux or BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams because of a fucking Microsoft Worm (TM)?
How much more are we willing to put up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.
Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the default Word behaviour in custom OEM installs that our IS get is to NOT autosave for recovery due to "performance issues".
Lower TCO my ass.
If Mac OSX were the dominant OS, then worms would be predominantly written for it, and would drive up its TCO. If Linux were the dominant OS, then worms would be predominantly written for it, and would drive up its TCO. Etc., etc. Sure, OSX or Linux or [insert pet OS here] would be tougher to exploit, but that wouldn't mean much in the long run against people dedicated to making mischief. The fact that Windows' codebase is such a piece of Swiss cheese makes it particularly worm-prone, but the main problem it has with worms and viruses is due to Windows being the monoculture, and not due to Windows' shortcomings as an OS. So maybe the point is, everyone wins if there is less monoculture, and more heteroculture, in the mix of OSes in general use.
First they say you shouldn't use Linux. Now, they don't want us using Windows 'cuz of worms. Tell me, gartner, what should I do? Oh, that's right, you don't ever do anything. You just make stupid recommendations.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
It only raises your TCO if you connect a Windows computer to a network.
I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.
If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distribution that is very young. Less than a month old.
If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.
I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.
If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.
Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
Sounds like they are trying to make yet more arguments against disclosure of problems. Either that, or an indirect comment on why proprietary systems could be better, if disclosure of problems were not allowed.
"The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely,"...
We all knew these attacks were likely. Did their timing have something to do with the disclosure? Possibly. Would they have happened without the disclosure? Yes, I think they would have.
The root of the problem, in this case, lies squarely with Microsoft, and the various design decisions they made implementing their OS and other products.
. 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
Seriously, though, it's good that stuff like that surfaces on PHB-radar range. Maybe somebody will ask things like "So why should *I* be taking all these measures because *your* software is buggy?" the next time the M$ rep comes in, hawking the latest and greatest from Redmond.
No surprise. They do the same thing to pork.
Thank you, drive through.
(please mod -1, nasty-ass wormy pork reference)
There are also a lot of secondary costs to Windows worms as well. Increased network traffic affects those that do not even use Windows (or those who are careful). Also, if a Windows worm brings down a banking system, there is a cost again to innocent people who may not even use Windows. Or for instance, if a supplier for a business goes down, then the business itself is adversely affected.
Windows worms (and malware in general) do not just adversely affect Windows users, they have the potential to harm society in general (though I don't agree with the figures that some of these anti-virus people put out, they are just looking for sensationalism to sell their products).
Windows worms are everyone's problem, do your part to stop them!
Would Windows still have been attacked by Sasser, if no one had revealed the vulnerability?
Maybe the conservatives are right, maybe we should keep bugs a secret.
I normally don't feel so bitter, but I've been fixing Windows boxes for the past couple days because of it.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
It's interesting that they say it is the worms that cause extra work rather than the security holes. After all, if the security holes weren't there then the worms wouldn't work.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
This is all well and good, but the PHBs still need to be made aware of the ramifications of their addiction to 'doze in the simplest terms possible. I've been trying to migrate some of my clients off of 'doze for months now and it's a slow painstaking process as they stop me every step of the way and ask why they need to give up their outlook, or their "really easy integration with their iPaq". So, I'm stuck doing part time admin on windowboxen.
I'm not there often enough to make sure they patch their systems every time they should (they don't want to shell out the cash for a full-time IT guy) So the best I can do is email them the reports I get from eEye and bugtraq and just send an all points to patch and hope they do. (They don't of course, I just spent the last four hours rooting out the crap on a machine that hadn't been updated since mid March.) There needs to be maybe a "Windows Patching for Dummies" or something that will get the point across to these guys that the price of a secure 'doze box is eternal vigilance.
But hey, if they want to shell out the extra cash for my emergency services and the lost productivity incurred, who am I to argue?
Mod me down and I will become more powerful than you can possibly imagine...
I've been using and hacking Linux for quite some time but haven't once been tempted to take up the viola.
"Skill shows through where genius wears thin." -Wittgenstein || Religion: uniting aviation and architecture.
Actually, Just install the latest service pack
This costs money for a CD from Microsoft. If the user tries to download the service pack instead of buying the CD, the user will probably get hit with Blaster or Sasser while trying to download the service pack itself, as the size of the service pack exceeds what a dial-up user can download within the time it takes for Blaster or Sasser to shut down the computer.
There are versions for 9x all the way up to XP.
Really? I read from here: "AutoPatcher 2000 is still being worked on."
For sure, this is why they acquired RAV antivirus to implement in Windows. Probably they know better how many Windows bugs can be found :)
and I have a few possible answers in mind, but I've always wanted to ask:
With all the other things that MS bundles with its OS, why the heck have they never included an anti virus program? I mean really, that would be one of the very few useful things they could bundle, there's been AV software around for ages so they could have easily "innovated" one by now, and it's obviously something every MS user needs. So what gives?
Let the conspiracy theories fly!
Differing discussions on if patches really do break Windows.
In my case, working with 10,000+/- clients, I have seen this on repeated occasions.
Various MS patches would break the following:
Novell client on 2k/XP (but not 98/95)
Some third party business-specific applications (stat software, database, etc.)
Video drivers (easily fixed, but still)
In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)
Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)
On the other hand, patching immediately can lead to loss of productivity
On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.
On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Of course it is true that owning and operating a Windows computer costs more because of the need to keep current with patches, to test them and to apply them in a timely manner. Every sysadmin knows this even if their cost-conscious boss doesn't see this big picture.
But, to be fair [and I'm no MS apologist - they need to be taken to task all over the place for lots of reasons], even if you run a MacOS X, Linux or even an OpenBSD system, there are implicit costs associated with maintaining those systems, too.
Since the software cost for FOSS is zero, the single most important cost is this installation and maintenance. As such, it ought to be quantified.
The advantage of doing this is that these kinds of costs are no longer swept under the rug and people can start asking more detailed questions about Windows maintenance costs in terms of sysadmin time- not just estimated costs of downtime on the business.
Then maybe, too, people will start to ask questions about what kinds of implicit future costs they incurred via early decisions to use some vendor's application that locks their valuable business data inside a proprietary format.
"Provided by the management for your protection."
The only worms that attack my Mac are the dumb PC users who are too ignorant to realize its superiority.
-Imidazole2
Doesn't the O in TCO stand for Ownership? What exactly do you own with Microsoft products? Aren't you really just Licensing them?
My beliefs do not require that you agree with them.
All future patches will be extremely virulent, autonomous self-installing patches. All future worms will have to be encrypted and signed by Microsoft.
Remember to check the box - "Always trust content from Microsoft!"
worms/viruses are currently Windows-only problems.
Emphasis on the "currently." Has everybody forgotten the Sadmind worm, which spread among servers running Solaris OS and defaced web servers running Windows OS and Solaris OS?
I'm not sure if this is old news, or even if I'm just stating the obvious, but I worked out a way to delay the Sasser countdown when it starts.
Once the 60 second countdown starts just open the date and time properties page and roll back the date a month or two and click apply - sorted - you now have 30-60 days before the machine reboots - plenty of time to download the patches, even on a modem.
My PC is set to shut off after fifteen minutes of inactivity and my Mac has been on for nearly a month now. Even though I keep myself patched up to the nines I never quite trust keeping my XP machine on all the time. I figure that when I'm playing a game the machine is so preoccupied with what it's doing that most external concerns will be ignored. Then it's off into standby for the machine. And this is behind 2 NAT firewalls and XP's own firewall. What level of paranoia I live with.
Sir, there is a dragon outside with an armful of armor. He's inquiring if we offer free refills.
So SP2 is going to include a Microsoft add-on that monitors third-party add-ons that monitor the Microsoft OS.
Who said these guys didn't know how to design an OS?
Or at least permitted..
Think about it, if the TCO of current windows versions ( and related apps ) are skyrocketing, it gives more weight to the 'you need to upgrade to longhorn' speech we will start hearing in another 3 or 4 years..
Since they can't sell you on so-called new features that are irrelevant, then this might be a successful alternative tactic..
Just a thought.....
---- Booth was a patriot ----
I see one bad thing and two good things here...anyone else with me? I mean, shouldn't we work our best to keep our environments 1) current and 2) as secure as we can afford to?
The patches and the closed-sourcedness are, however, a PITA.
As far as TCO goes, I see the same people just working more salaried hours to fix issues arising from bugs, etc. And they haven't had to have the admittedly more extensive training behind running a *nix environment.
and many wonder why jobs are all going overseas. Lazy admins that don't do squat all day, they can't even install patches. Microsoft never cared about security, it seems system admins never did either. Every time a new virus comes out they run around like beheaded chickens watching their house of cards fall down.
This isn't just a windows problem, it is an admin problem. There are tons and I mean tons of hacked unix boxes that script kiddies use for distributing warez etc because they are connected to huge bandwidth pipes.
did you forget to take your meds?
it's that Microsoft only tests them with a Microsoft-only configuration, so the patches when applied may break non-Microsoft software. If you're dependent on that software it could get pretty messy. You're damned if you do, damned if you don't. Patch the system and break your software, don't patch your system and get exploited.
So, I'm sorry but your statement is a typical linux zealot brain fart.
Netware is still virus/worm free after more than twelve years. Not even Linux can make such a claim, provided it had been around that long.
You could just install an SUS server, point all your clients at it and enable auto-update. Test the patches, put on SUS, play golf.
It's things like this that make me wonder if the "TCO of Windows" is more likely the "TCO of having highly unqualified people working in your IT department who know how to spell XP, but nothing more than that". If you have idiots running your network, you're paying to throw money out the window (no pun intended).
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Microsoft has priced themselves out of the market.
And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.
Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.
Now, I know I'm gonna get a lot of flack from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.
The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
Virus authors have nothing to worry about from this security group.
Some excerpts:
-
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles.
...
Whose side are these guys on?
In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...
In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
Predicting that multiple recently announced security flaws in windows will be exploited is like predicting the sun won't explode tomorrow.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I am starting to believe that there is such a thing as virus season. Often these big worms come out around summer. I guess it is because kids are out of school and have nothing better to do.
The war with islam is a war on the beast
The war on terror is a war for peace
Windows XP Pro for 200 systems: $30,000
Anti-Virus Software for Windows XP corporate: $7000
The billing rate for 10 contractors to come out and clean your systems: 700$/hour
Seeing the face of your CEO when you tell him linux is free: Priceless
There are some things money is wasted on, for everything else there is linux.
Upgrading IE is a complex process that upgrades most of your major libraries with it. The actual IE executable is quite small but is linked against several crucial libs, which are all available to (and used by) the most of the rest of userland.
All's true that is mistrusted
If OS X were the dominant OS, there would be zero worms wreaking this kind of havoc.
A default OS X installation has exactly zero ports listening for connections, and the root account is disabled. Even administrator-level accounts must authenticate before making any changes of significance to the system. These factors make it nearly impossible for a worm to spread on OS X machines like a Blaster, Sasser, or Slammer can on Windows machines.
Marketshare has nothing to do with the security of an OS. There are way more Apache-based web servers than IIS-based, but IIS gets pwned much more often than Apache.
If you consider worms and virii as "free software that downloads itself off the internet" then the TCO for Windows goes down!
I Am My Own Worst Enemy
no virus writer/hacker is going to spend all of its time to maybe interrupt 5% of the market share. in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing viruses/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows. think about if we really want linux to b/c the main O/S. in the end we are inviting more hackers to spend more time writing stuff for linux as well as windows. not so sure if that is good for the community..
If I'm not chasing virii and patching systems, I'm removing spyware. It never ends.
Boobies never hurt anyone. - Sherry Glaser.
Three words: Source. Code. Patch.
They're not big. They're not bad. And they're not a problem to compile unless you don't know anything about your Linux box. And if you don't, get a friend who does--just like you do when your Windows machine won't boot because there's a remote-exploit worm out (again).
"America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
Total Cost of being 0wnzed
Escher was the first MC and Giger invented the HR department.
in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing viruses/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows.
And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I think this qualifies for fark.com with the "Obvious" tag attached!
Like... Derrrr...
Since when is this news? oh yeah, 84
I've endlessly heard the argument that if Linux were the standard OS, there would be just as many worms as there are for Windows. I have no idea why anyone could believe that. When you install a Windows machine, you can pretty much guarantee that ports 135/139 will be running, there are numerous services listening (ex. LSASS.EXE), and on a wide scale, there are thousands of machines with those open. But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. There are so many different variations during install, and so many different versions and programs depending on the Distribution. You could not write a "Linux worm". All the worms in existence would target specific applications, such as Apache or WU-FTPD, not the operating system. Sure there could possibly be a kernel exploit, but there are so many different kernel versions. You would not hear headlines such as "Windows virus takes down UK Coast Guard". At most, you would hear "Apache exploit takes down a UK Coast Guard server".
Visit Phrite's Tech News/Security Tools
So if we're all here high and mighty that Linux Will Solve World Hunger because of this, why aren't we doing everything (and I mean EVERYTHING) we can to solve this? It is certainly true that almost everything has been ported to Linux, but many applications have yet to appear on places like Sourceforge and Freshmeat. Sure, yeah, I've started Yenta on sourceforge as a replacement for Act! or Goldmine, but it was only recently started - with little useable code to speak of.
(Yes, I need help with that project.)
Point to this rant is that we still have a way to go before it becomes acceptable to just drop Windows in favor of Linux, but it is also up to us to make sure that if, God forbid, a worm or series of them comes out, we can patch in a hurry.
This sig no verb.
Wrong. Because if Linux had 90% of the market, most everyone would run as root because they'd be sick of not being able to install anything and always having to login as root. "Why not just stay root", they'd say and then do that.
And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen?
And of course there's the Lion worm, etc..
It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.
Rule for ANY operating system; When the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tonnes of services on by default.
-- The unsig...
Well, my main point was that these problems we are facing would be more even if the number of PCs running windows and linux were closer to 50/50. Yeah, you can log in as root but then someone will come up with a hack, just like everything else.. someway someone would write something.
You're doing your job?
Since "Stevey-boy" testified that IE was too tightly tied to the OS to be removed. This was reinforced to me when my file-browser began to display the "yahoo toolbar" that my wife had installed in IE.
In a defensive move I am thinking about redirecting the IE short-cut icon to Mozilla, but I'm not sure if this is even possible. Meanwhile I'm glad that we had both a software firewall running on the WinXP machine, and a hardware router running Linux(tm), between us and the mean-old internet.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I always liken Gartner and their ilk to Oracles sitting atop some mist-shrouded mountain espousing their much vaunted opinion on any topic you ask.
The problem is none of us live on the mountain with the oracle.
Gartner doesn't see a conflict with saying both Linux and Windows and whatever suck. It frankly isn't their problem. Someone asks the question (i.e. commissions a report) and you get the answer. Oracles and Gartner don't really care if the answer doesn't make sense.
I'm a long-time Linux user, and Linux does work very well and reliably for me. But no way am I an expert.
Example: Samba setup. I never remember a thing about this fairly complex procedure, and always end up fumbling through the man page and the example smb.conf file to get it working. But once it works, it continues to work forever. The only time I need to do it again is when I get a new machine, maybe 2-3 years later, and far enough in the future to forget whatever I learned.
then that's not a cost of using linux,
that's a cost of trading off good security for a (little) ease of use.
compare that to windows, where the "default" is running as administrator.
people would write viruses, and they would still propagate if linux had 90% of the market share. just not as quickly and wouldn't affect as many people.
You may be proud to be a thief, but fortunately you are not the "majority" of slashdotters. Most of the people at this site actually have some moral conscience and switch to Linux or BSD rather than pay license fees to Microsoft.
You have no excuse to steal Windows. Its only benefit over OSS is its game library. Then again, you probably steal those, too.
Has it ever dawned on any of you who advocate piracy that you're telling people to steal the same type of work you expect to make a living from? Or do you think whoever cuts your paycheque is going to keep doing so because you once worked on a product or tool that produces no revenue?
I do not fail; I succeed at finding out what does not work.
Here are the URLs to some other updates that'll "patch" things up:
Enjoy!
I'm not tense. I'm just terribly, terribly, alert.
Yeah, right. Kinda like building wall after wall around your fortified position, only to discover that the bad guys are just lobbing the shells over the walls and still blasting the crap out of you...
----- One learns to itch where one can scratch.
At least according to Rob Enderle, who thinks worms and viruses should not count as actual security problems. Heck, I'm sure his crap group will have no problem pretending the cost of removing worms and viruses and the downtime accordingly should not count to actual TCO.
And then again, if it's a problem, I'm sure Bill will send him some more money.
Why don't we all migrate over to the Mac OS-X and OpenBSD? Linux as well. (Oh - I forgot - Lawyers at SCO may be knocking at your door). Sure, people are clueless on how to best make use of some systems, but that's OK, there are plenty of /. ers who can probably use a little contracting work (if there are any jobs left after they all went to India). It would help the job situation, although it would be painful at first for the person doing the "migration", it would be better all around.
I'm dealing with fed up customers all the time, getting frustrated by having to patch so often, but they ARE wising up and starting to take the plunge.
To make it less painful, I find it much easier to set up a parallel system, keeping the older WinBlows systems operational, while slowly putting together their servers and work stations under either Linux or Macs, and using OpenBSD for all the server related work.
It means MORE JOBS here, especially for us Open Source aficionados.
We've completed a few such "Migrations", and our clients are happy campers now. Of course we still find a need to deploy security patches, but they are much less often, and now becoming a lot more painless.
Hey man - don't shoot the messenger - it's just an idea, and we only have to convince the corporate Phat cats that perhaps M$ may NOT be the solution to all the world's problems.
I think they refer to computer systems ownership, not actual software. I believe you don't own the software on your GPLed system either, you licensed it.
...to run the software.
Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox. The thing can still bind to a high port and zombify the machine for spammers, which is what the majority of viruses do as of late. On a desktop, there's no reason to believe that granny Gretchen won't do just that once she learns how to whip out chmod +x on everything's ass. The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this. Yea, maybe they'll trash their own data, but at least they'll be isolated from critical system information and the network (excepting zombification... but you would be smart and block all those ports, right... you don't have chewy on the inside network security... right?). Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows). However, for desktop users at home... well... they'd still shoot themselves in the foot.
Worms, on the other hand, are another story. First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that programs y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
On top of that, Linux systems are not (currently) very homogenous. Part of what makes Linux a tantalizing target for manual attacks is that it's just damned hard to write malicious code that will work on a widespread number of systems. Unfortunately, as the dust settles and some companies really do start to take up the mantle of "desktop linux", that heterogeny may just go away for desktop users...
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you." A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon), and it WILL happily let you shoot yourself and your nearby friends if you so choose. Desktop users at home will do just that. It does do some things inherently better, but it still won't protect the world from people who don't bother to learn anything at all about their new toy. You can code against stupid people, but your system isn't going to do much when you're done.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
You don't need root to run a mass mailing email worm. If you could convince a user to run a trojaned executable, regular user permissions will do just fine. It could even open a spam proxy backdoor without root. All you really need root for in network code is for raw sockets and to listen on low TCP ports (below 1024).
Some email worms exploited an autoexecute from the preview pane bug in IE, but most of them were social engineering exercises in convincing the user to run the attachment. I think it's easy enough to launch an attachment in say Kmail or Evolution. The only challenge is delivering an executable that'll run on enough Linux machines (perl? bash? static binary?). The only reason we don't have a mass mailing Linux worm is because no one's tried it yet. It's not THAT hard.
There are lies, damned lies and TCO numbers.
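Added example (not part of any comment in this thread): the point above, that an ordinary account can open a listening port above 1024, is something an administrator can audit for. This sketch parses the Linux /proc/net/tcp table and reports listening sockets owned by non-root UIDs; the sample table is constructed, and the address decoding assumes a little-endian host and IPv4 only.

```python
import socket
import struct

TCP_LISTEN = 0x0A  # state code the kernel prints for a listening socket

# Constructed sample in the layout of /proc/net/tcp (not taken from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 11004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:C350 C800000A:0019 01 00000000:00000000 00:00000000 00000000  1000        0 11005 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4 string, port number)."""
    addr_hex, port_hex = field.split(":")
    # The address is the network-order value printed as a native integer,
    # so on a little-endian host it has to be packed back little-endian.
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_listeners(table_text):
    """Return one dict per socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines():
        cols = line.split()
        # Data rows start with an index such as '0:'; the header does not.
        if len(cols) < 10 or not cols[0].endswith(":"):
            continue
        if int(cols[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(cols[1])
        listeners.append(
            {"addr": addr, "port": port, "uid": int(cols[7]), "inode": int(cols[9])}
        )
    return listeners


def unprivileged_listeners(listeners):
    """Keep listeners not owned by root; mark those reachable off-host."""
    findings = []
    for entry in listeners:
        if entry["uid"] == 0:
            continue
        exposed = not entry["addr"].startswith("127.")
        findings.append({**entry, "exposed": exposed})
    # Network-reachable listeners first, then by port number.
    return sorted(findings, key=lambda f: (not f["exposed"], f["port"]))


def report(table_text):
    """Format the findings as one line per socket."""
    lines = []
    for f in unprivileged_listeners(parse_listeners(table_text)):
        scope = "network-reachable" if f["exposed"] else "loopback only"
        lines.append(
            "uid=%d listens on %s:%d (%s, inode %d)"
            % (f["uid"], f["addr"], f["port"], scope, f["inode"])
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PROC_NET_TCP):
        print(line)
```

On a live Linux host, pass the contents of /proc/net/tcp to `report()`; the inode column can then be matched against the socket links under /proc/<pid>/fd to find the owning process.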
A dyslexic man walks into a bra.
Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and voila -- things run nicely.
It's more like there ARE manuals to read for the rare occasion an install script does not work or you don't like the default settings. People would customize windoze just as much if the information was easy to get at.
But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working.
Some companies have call lines. Microsoft charges some outrageous fee for theirs and it's been compared unfavorably with psychic consultation.
My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. ... I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know.
I got one of them yesterday. Did it hurt me? No. I unzipped it and had a look at it. Is it possible to craft such a thing for Linux? I don't think so. You would have to go through a lot of trouble to undo system defaults to make something like that work. Then the author would have to know which of the hundreds of programs I use to look at such things. Unlikely.
All of that "patching" and bandaid application is not required in the reasonable world of *nix. It's a well known fact that you need about five times the number of administrators for Windoze than you do for any flavor of Unix. Those administrators are not the cheap drooling morons Microsoft would have you think can run your network, but they would be much better informed if they were working on any flavor of Unix.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I am never sure of this argument.
There is the Apache thing.
Also I am sure there would be some kudos within the hacker community if you were to put in a competent virus for Solaris, GNU/Linux, OS X or whatever.
jacking with your worm makes you go blind too. [Insert an "In Soviet Russia" joke here]
Table-ized A.I.
PaX with its W^X philosophy for memory and its address space layout randomization also helps greatly; giving a process a 100% W^X address space will guarantee that no code injection can take place.
What about those few applications that require code injection? Where can I learn about the impact that a non-executable heap has on environments that use just-in-time (JIT) code generation, such as virtual machines for Java and Mono? Google doesn't help me much because W^X isn't a good search term.
I ordered this CD almost two months ago!!! It still hasn't arrived. Perhaps they are delaying roll-out until they can include all security fixes???
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox.
By LinBox, do you mean Lindows or Linux? Lindows lets the user run as root by default, just like Windows, but Linux generally does not.
So I didn't see the step where the running program gets root permissions, presuming you weren't talking about Lindows. Or are you saying that a user process can open ports without root-level permissions?
Sincerely confused,
--IceAgeComing
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
Me? I'm scared to death for the worms that could be made based on the "leaks" of vital Linux and BSD kernel secrets! =:>
Why is it that people keep saying stuff like this? You said it, probably without thinking. Gartner gives us:
The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely
as if undisclosed exploit attacks that have happened in the same time were less common.
Publication of a flaw does not make the flaw any more harmful, it helps. When you know there's a problem, you can decide what needs to be done. When you don't know the problem exists you are going to be blindsided. The script kiddies get their hands on these and other holes.
Free software is the clear answer to these problems and it's as open for inspection and bug disclosure as you can be.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
In the case of Windows, it is You that is owned.
Sent from my ASR33 using ASCII
A liability?
TCL.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
In Soviet Russia, Microsoft licens... ah, fuck it.
I suspect we'll eventually see the ability to "bless" an application with network access.
tasks(723) drafts(105) languages(484) examples(29106)
Not to pick nits, but while the Commodore 64 never had viruses to worry about, its external 1541 disk drive was another story. Unlike PC drives, the 64's was a computer in its own right, with a CPU, memory, and an operating system. They also got hot enough to keep your coffee warm! The viruses were few, but available.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
You do realize that you don't need to stay logged in as root, right? The "su" or "sudo" commands, similar to MS Win32's "runas" command, are available to users (unless you apply additional security by limiting access via access and ownership permissions) so that they do not run as root. Unlike MS Win32 though, just about any process (actually can't think of any that wouldn't) can be run using "su" or "sudo" while logged in with your regular user account. If you need to display a GUI, simply add the "xhost +" (or a more limited argument to the "xhost" command) and you're set.
The concept of running as a privileged account by default seems to be based on MS Win32 practices. Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary. I do think though that users converting from MS Win32 will likely continue that bad habit, but it's not a fault of the OS, just years of a limited OS.
ROI (Return on Investment) is significantly higher for a Linux system than it is for Windows. Think about it, for about the same TCO, you get the whole slew of free ($) servers and desktop applications. Also, when the next version of Windows comes around, while your costs remain steady or even drop a bit, the Win shop next door is shelling out cash for an upgrade.
If TCO is the only thing you look at, you probably want to ditch that coffee pot as well.
Never never never smoke crack before geometry class!
I suspect we'll eventually see the ability to "bless" an application with network access.
:)
Several (pay and free) Windows personal firewalls have this feature and with the advent of SP2 it is built into Windows XP itself.
Enjoy
--> Fight tyranny and repression.... read
You will need about 1/5 the manpower windoze requires to maintain any flavor of Unix. You can mix and match the flavors without adding too much to your costs.
What you do with the manpower is up to you but you can save money anyway you slice it. You can shitcan your people and have an improved level of performance for much less money. You can keep them on, without overtime and have much better performance and custom applications and still spend less money.
The above applies regardless of how large or small your company is. You can get more out of your single computer expert, employee or consultant, for the same money with free software or commercial Unix. At the other end of the extreme, Google has shown the world all about free goodness. The results are the same between the extremes, though it is difficult for me to say where the sweet spot is. You will always spend more money, one way or another, with M$ crap.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
from: coed_hotties68@hotmail.com
subject: superhotsexy screensaver
Hi! My hot lesbian coed friends and I made this hot lesbian coed screensaver! To install it, just do the following in a shell:
hope you enjoy!
do not read this line twice.
When the vulnerability was announced, we saw it was going to be a bad one. What did we do? Well, we downloaded the update, tested it on a few machines (which had no problems) and a few days later clicked a check box on a SUS server that approved it for distribution to clients.
Over the next few days, just the one SUS server I monitor reported over 1200 clients successfully installed the update. Others reported similar results. By the time Sasser showed up (or any of its slower-moving predecessors, some of which were poking around within a week), we'd patched thousands of systems with no user interaction at all. The only people who got hit were people running unmanaged machines... and many of them had ignored the little green globe which was telling them that their system needed to be updated. If they'd clicked on it, they would have been OK too.
Oh yeah, SUS is free, a piece of cake to install, and works great. It even locks down the server it runs on to resist attack. Anyone who runs more Windows machines than they can reach from their desk chair should be using it.
Gartner should stop with the "nyah nyah we said it was going to be a bad one... look how cool we are". Everyone else with a clue knew it was going to be a big problem too. They should instead point out ways for Windows shops to get out in front of the curve.
Who is Granny Gretchen?
Get your own free personal location tracker
Counterexample: MacOS X
Normal users aren't admins, but can have sudo access. When some installation requires elevated privileges, the user is presented with a dialog box for typing their password. It's considerably more convenient than having to log in as root, but doesn't let malicious code run at an elevated privilege level without the user knowing it.
5... 4... 3... 2... 1...
Dawn of the Dead
It doesn't matter if only a very small minority of gullible users get infected. In the scheme of things, it doesn't cost the worldwide community that much. The cost becomes significant however when a significant percentage of the population gets infected.
The problem with Microsoft is that it wants to remote control your box. It wants to know what you have installed and how you're using it. That's why Microsoft boxes are insecure, it's not because Microsoft isn't smart enough, it's because it's not in their interest to make your box too secure.
I know. I ran McAfee Firewall on NT4 for a while.
I believe the NSA Linux modifications provide the functionality.
tasks(723) drafts(105) languages(484) examples(29106)
...of problems with libc versions?
in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet that lamers would still be making tired old jokes about how windows would have viruses too if only more people used it.
Ah but the difference is diversity.
With Microsoft Windows you now get one family 2000-XP-2003 all which share the same security problems. So 94% of the computers out there come with some really bad security settings and flaws. Some will patch, but by default most of those systems are insecure.
If you don't like it, what do you do? Windows from Dell is as insecure out of the box as Windows from Compaq or Gateway, no choice, you can't buy a "safe" windows machine out of the box.
On the other hand.......
Default security in the Linux world is determined by the distribution. So if a distribution defaults to having a firewall, no insane file associations for email and web browsing, limited services running, automatic security updates and practically forcing the user to create and run a non-root account, then that distribution will be pretty much virus free.
What will happen is this
Distribution A will have 12% share and gets infected 2% of the time
Distribution B will have 14% share and get infected 2.5% of the time
Distribution C will have 8% share and get infected 18% of the time.
It won't take long for Distribution C to get a bad rep. Computer makers will no longer offer Distribution C, or will add "value" by fixing the defaults.
To believe that Linux boxen will be as virus ridden as Windows, you would have to believe that everyone will use Linux someday and that people will choose and stick with an insecure distribution.
Unlike Windows or MacOS, if Linux ruled, there would be healthy competition and consumers would have a choice of which OS they ran.
vi +
Sorry but I don't agree with your comment. If Linux had 90% of the user base it would have the 100% of the Joe Sixpack users and would have all the same problems. I run both Win XP and Red Hat 9. As a user I don't log on as admin unless I have to, and with both O\S's I have missed patches which would have caused big problems if I didn't keep my firewall up to date (I hope I have not just jinxed myself).
My shop has never lost any time due to worms, virus, or anything. We maintain the big 3 in unix, linux, and windows. But most of the desktops, the email, and all other services are run on windows. Linux and Unix are used for development instances for customer boxes. We have 3 IT people and they have enough time to continually filter new gadgets out to us. Of course I doubt we have the stupid users that most IT departments have. But if it's well run, patching isn't that hard, and virus isn't either. Just because some sysadmins suck doesn't mean Windows is terrible. Like the man says, if 95% of the desktops were Linux that is what virus writers would attack.
Dealing with burglars puts up the cost of Windows. I need to spend extra on secure frames, locks, sacrificial edgings, insurance policies ...
I know! I'll just stop using Windows, and brick up the holes! That'll make my life better won't it!
I am appalled. This study is just more anti-Microsoft FUD obviously paid for by those evil open source advocates. I can't believe that we just perpetuate it.
...and no amount of FUD will change that.
Fortunately, the general public won't hear about your biased opinions. Your comments of "It's only free because it came with your computer and if you don't value your data/security" will meet with deaf ears. The public, including Joe Sixpack as well as Big Business, will continue to support our friends at Microsoft and support the best OS in the world, not because of any "monopoly", but because their products are superior in every way.
---
Note, mods... if you don't understand sarcasm, don't moderate this message. While I am using Windows at the moment, it's only because I rebooted into it to play some flash animations... stupid Macromedia and their slow-ass Linux flash client... grumble.
the granny that downloads rap music off Kazaa, ask the RIAA about her!
only infect people running Linux as root all the time
You mean like 90% of the people that would be using it if Windows wasn't so big?
Same thing happens in Fedora and I think a lot of other modern Linux distros.
Anyways, I just loaded SUSE Linux onto my machine, and with the exception of a few quirks getting it set up, I'm pretty satisfied with the experience. I know that the process of installing new programs needs to be smoothed out a lot before the masses would want to use this, but the only time I ever miss Windows is when I want to run a Windows-only program. I never could get Half-Life to play with WINE. Actually, I'm pretty disgusted with new games in general ( see my journal ); I've been playing with ZSNES.
But really, I guess my point is that MS software is a stinking pile of ---- and I hope that the day comes soon that people will see through their smoke and mirrors that they charge a high price and manipulate the market with crappy software. Heck, I even got my grandmother using Mozilla; and I'm sure she doesn't miss pop-up ads one bit. All these worms, with the patches that require a reboot every time are just one more reason to move away from Windows.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
Well, the number of security vulnerabilities found and plugged during the first 250 days of Server 2003 (after the big security hole hunt last year (i think)) was around 12, compared to 50 or so for Windows 2000 Server and XP. I think this proves they are getting their act together after all.
They have also temporarily stopped development of Longhorn to 'sort out' security in XP. For example, Service Pack 2 is basically a security update that includes a vastly improved Firewall (it actually works this time). It is one of the first services to start and also supports AMD's buffer overrun protection, so we should stop seeing things related to buffer overruns. There are a lot more improvements, but these were originally meant for Longhorn, so by the time that comes out, things will have improved a lot more. Windows Firewall is on by default as well, and it has been made 'a hassle' to turn it off.
In Soviet Russia....
......fuck it.
Windows XP can be just as locked down as Linux. In our environment WinXP is locked down, secretaries and other employees cannot install programs and if they need or want one installed they have to get approval and I sign in as admin and install the program. Hell, I don't even sign in as an admin for everyday use; I have my own limited account for daily productivity work. I make sure all my machines are up2date and I have never gotten infected with a virus or worm or trojan, and we handle a lot of clients and customers and are publicly visited. I'm not saying we are unhackable but I am very, very paranoid when setting up security and a lot of my colleagues love it when I pass on information.
Universities often have fat pipes and don't have "closed by default" firewalls. Even if they have the "Windows ports" closed at the Internet borders, there's bound to be other ways in at which point, with a fast worm, it's all over.
"...enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology."
I see one bad thing and two good things here...anyone else with me? I mean, shouldn't we work our best to keep our environments 1) current
Of course not!
Upgrading is a cost. If your system is capable of doing the job adequately and efficiently without upgrading, there's no gain from the upgrade. You should only need to upgrade if the benefits from doing so exceed the cost - by a sufficient margin to also cover the opportunity cost from having your time taken up with the upgrade when you could have been doing something more profitable.
Also: Sometimes upgrades break things that were working just fine and that risk is an additional cost. (As is, of course, the cost of NOT upgrading in the face of security risks.)
and 2) as secure as we can afford to?
Again no.
You need it to be secure enough to reach the point of diminishing returns between cost of damage * probability of compromise vs. cost of security to prevent it.
(Which amounts ALMOST to what you said with Windows systems, since both the probability of compromise that can produce a high-cost damage is extremely high. B-) )
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Nitpicking:
why 2 commands and not just: tar -zxvf screensaver.tar.gz ???
And when you sudo, you enter YOUR password, not root's.
Moreover, the version of the "screensaver" in the ./ directory is in fact the user's version (unless that's not a standard Makefile). To run the global version, you just need to write: screensaver ;)
^_^
The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly
Am I the only one who's discovered that Automatic Updates are actually automatic?
"Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary."
It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Heck, I've installed service packs fine using "run as".
Not to mention the fact that you can set Windows Installer to automatically request administrator privileges.
Why is this any different from Linux?
I don't know where to start discrediting your post.
The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.
The "without telling them" argument is garbage. The vast majority of viruses transmitted by e-mail are done so because the user did something dumb, not because of some long-fixed auto-execute vulnerability in a popular mail client. You wouldn't need root access to fall for something like that, by the way.
You think a major Linux worm would have a minimal effect? Do you have any idea how many critical systems run on Linux these days? Hit Windows, hit the desktops. Hit Linux, hit the servers. Put your sysadmin hat on and tell me which is worse.
Linux is not immune to security issues, and any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory. Linux remains relatively safe because of the culture surrounding it, not because it's inherently flawless.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And when you sudo, you enter YOUR password, not root's.
Which brings up the point that sudo requires configuration by an IT admin for a user to run it successfully. So, for most users, running the program as root requires them to login as root first. Hence the grandparent post's instructions get even more complex and tedious, and gives more time for alarm bells to go off in the user's head. All of this will allow most people to return to their senses before following through. Certainly more than clicking on a VB attachment in MS Outlook.
Keeping viruses like this from running is normally as simple as telling people "Do not login as root and run unknown commands". Maybe a future distro will display this message when someone logs in as root:
"DO NOT COMPILE AND RUN PROGRAMS AS ROOT UNLESS YOU TRUST THE SOURCE".
That sounds like a lot of trouble why don't you just
emerge superhotsexy_screensaver
Am I wrong in thinking that "emerge" pulls from some official site, where virus-savvy people review code before making it available?
Or were you just making a silly joke that went over my head?
Is she your Granny? I hope she's a nice old lady.
Get your own free personal location tracker
Hmm, sounds a lot like "Do not run unknown attachments from email". Doesn't work. Been telling users for years. Doesn't work.
Astronomers have looked overhead and noted that the sky is blue...
Film at 11
And KDE has something similar called kdesu (and there is the same for gnome) that opens a dialog asking for the root password, then runs the program with root privileges.
That's how, if you're running Mandrake, you can easily launch the Mandrake configuration tools.
wtf.n0x.org
Of course, in all fairness if Linux had 90% of the users out there it would have better hardware support too, for starters.
Temporary benefits are temporary benefits just as much as temporary annoyances are temporary annoyances.
Life isn't fair.
___
It's the end of my comment as I know it and I feel fine.
100 attacks each hitting 1000 computers does as much damage as 10 attacks each hitting 10,000 computers. True, small isolated incidents regarding virus attacks are insignificant in the grand scheme of things, but it's not like Microsoft can leave it alone.
For every kiddie script or virus variant out there, there's a hundred Joe Average users screaming at their computers. For every hundred screaming Joe Average users, there's 10 system admins having to go around and remove the virus, update their computers, and then give a lecture on how to prevent something like this from happening again (not that Joe Average will listen). For every 10 system admins running around needing to solve every virus problem, there's one programmer out there who has to come up with a program that bypasses the virus, seeks out the virus, and eliminates the virus. That and they have to figure out how it works, how it spreads, how can they get rid of it, if there's any clues as to who made it, etc.
So like you said, yeah in the scheme of things one or two attacks doesn't cost the worldwide community much. Except for the fact that one or two of these types of incidents seem to happen every day. Now if you'll excuse me, I have to download anti-virus protection for my parent's computer, install it, update it, run it regularly, then debate on whether it's worth paying $200 for an official CD-key, scream at the fact that the computer slows to a halt due to new anti-piracy software methods, call up the company and complain, and then come back to Slashdot to post an 'Askslashdot' topic regarding the sheer amount of frustration of dealing with anti-virus programs as the 'system admin' of my house.
A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon)
Where did you see that?
It's as easy to get an insecure OpenBSD as an insecure Linux distribution.
And most Linux distributions have an advantage over OpenBSD in security: software updates are easy and can be made automatic. That's not the case with OpenBSD.
wtf.n0x.org
Linux is not immune to security issues, and any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory. Linux remains relatively safe because of the culture surrounding it, not because it's inherently flawless.
I make no claim that Linux or any other Unix operating system is flawless, just that its network-centric multi-user system model is inherently more secure than the multi-user system hacked on top of the single-user Windows OS. I know NT is not DOS-based, but that is an argument for a different story (trying to keep this on topic). Anyway, the Unix user and permissions model is far more stable and secure than the one Windows has. The biggest threat to Linux is social engineering. That is why we must address these issues now, before the masses use Linux in force.
You are correct, however, about Linux being the server target. But look how often Linux servers are hacked as opposed to Windows servers, and how severe the hacks are.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
SUS (Software Update Services, a LAN version of Microsoft's Windows Update site) has been out for, what, two years now? Any decent-sized network should consider it essential. I am running SUS on my LAN at work (about 50+ Windows 2000/XP workstations) and we haven't had any problems from these worms, simply because all my machines are patched within a day of the patches being released. Considering the patch for the Sasser worm has been out for over two weeks now, I think it should be considered dereliction of duty for Sysadmins to take so damn long installing the patches!!!!
Blame MS all you want, at the end of the day, if MS have released the patch and the sysadmins haven't installed it (for whatever reason), then it's not MS's fault.
Still, I wouldn't mind breaking the fingers of the prick who wrote the worm in the first place.
The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.
I had my RH5 box hacked into a few years ago, so I know that linux isn't invulnerable, and I know the grandparent uses strong words like "only" and "all the time". But isn't it true that Linux at least makes it much easier to keep users from unintentionally harming their machines?
It's one thing to click on a VB attachment in Outlook. It's another to follow install instructions that involve first logging in as root. (as in this post; note that "sudo" isn't usually allowed by default).
Because linux follows a model where a user can't affect important OS resources easily, it is possible to isolate the OS vulnerabilities from user stupidity. This makes it easier to update the OS without affecting the user, which makes the system more stable in the long run.
Any disagreements with what I've written?
The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this.
Oh, yes. Unlike on Windows where you have even finer control over filesystem access and so clearly have no way whatsoever to do this.
Ever heard of ACLs? Restricted user accounts? In a corporate environment, Windows can be VERY secure. Why it isn't, I can't say. Probably unclueful policy. It's not like you have to worry about The Sims needing administrative access to run.
Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows).
Active Directory? I have never used AD, and yet I have a machine in the other room that you can run these email viruses on all you like and they're gone after a reboot. NT, 2000, and XP Pro all have powerful filesystem security built in to them. But sure, if you're using XP Home or Win9x in a corporate environment then you're screwed.
Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that programs y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
This is a ridiculous argument. If one tool in your toolchain has a flaw in it, the whole chain is affected. If, somehow, there was a bug in tail that needed patching, everything using tail would be affected.
MSHTML is a perfect example of the toolbox approach. Sure, everything is affected if it needs patching, but everything is fixed if you patch MSHTML.
Never mind that the situation is even closer if you need to patch zlib or glibc...
Also, am I the only person who logs on to slashdot whose jaw hits the floor every time I read remarks from our far more knowledgeable Windows administering comrades about Unix/Linux?
For example, one of the saddest/funniest remarks I have ever seen about Linux versus Windows was the complaint by a Windows wizard remarking how stoopid it is to be able to run a script from a simple text file. The funny part of the remark was the reply suggesting the user save the following command as test.bat and double click the icon:
deltree c:\windows Y OK
Or something like that.
Dawn of the Dead
if it ever gets that bad, I got TWO aces in the hole. Still got a mac classic here, and a Knoppix disk. If THAT don't work, I got a bad attitude and a 12 bore.
There was no mention of actually changing to any other OS. It was just, "You need to patch even faster!"
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
I ordered my M$ "patch" cd as soon as it ... was announced. The cdrom (actually 2 cds) arrived 7 weeks later.
The patch cdrom may have been created in February, but the last patches on the cd were from October, 2003 (way too little, and far too late). The other cdrom had a lightweight AV program from CA.
I also got to take a M$ marketing survey, which (by its tone) indicated that M$ is testing the waters for setting up a patch subscription service.
After I told them off in their "additional comments" section, I am certain that I am not on BGatus' XMas card list
and i thought windows was the worm/virus
But I think there is a good %age of people looking for exploitable bugs in linux as well as windows and the linux ones are getting patched as they are found... Overall... Linux is easier to set up in a "Secure" Fashion than Windows is to make it more of an unlikely target for a worm.. So if the roles were reversed Linux having 90% of the marketshare there would be a lot of us geeks that would feel safer running our linux boxen over a windows boxen just for the simple fact you can set it up in a higher state of "Secureness" :) after all most worms take advantage of MS's turn everything on by default mindset.
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
I got mine about 3 weeks after I ordered it. It helped out a lot patching a friend's WinXP machine. He is stuck on 28k dialup and I think I got the CD faster than I could have pulled SP1 over that.
"But I'm still right here, giving blood and keeping faith. And I'm still right here."
I usually prefer 'ssh root@localhost', since it handles X much more painlessly and securely - xhost + is a great evil and should be extinct! ssh uses xauth (which you could use by hand together with su, but that's a bit of work). In addition, using ssh-keys and ssh-agent, you can even get a smooth "single-sign-on" system.
--The knowledge that you are an idiot, is what distinguishes you from one.
Cancel your Gartner Group newsletter subscription! Last time I checked (and this was years ago), they wanted several hundred bucks a year for the thing - and all you got in the mail each month was a stapled-together newsletter consisting of under 30 pages!
I mean, honestly, all the Gartner Group ever seems to do is publish generic assessments on operating system upgrades, database packages, and the like -- and anyone surfing the net for a few hours a month, reading up on computer related news would be just as informed, if not more so.
The Automatic updates are not all-inclusive of the patches released to address vulnerability/security issues.
Where exactly do I find these hidden updates... because according to microsoft's website, the number of "Critical Updates" that I need are 0.
I don't see any Security Updates listed in the Other sections... unless of course you mean Office updates, which would be part of an application suite, not the OS.
Women jack up the total cost of windows
Before I actually read the article (wanted to see the posts marked Funny, first), I read TCO as Total Cost of Operating (and I use the term Operating VERY loosely) *shrug*
If it is above port 1024...yes. You can start an Apache process and bind it to port 8080 without being root.
Sure there could possibly be a kernel exploit, but there are so many different kernel versions. Sure you could write a worm like blaster that exploits a vulnerability that's already been patched, but there are so many machines that are already patched... But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. As the number of users increases, the knowledge of each user decreases... therefore, the more people will run as root (or an account with close enough privs) to make the closed/open ports or running services point moot. Come on. Tell me what AV Software is your linux box running? None right? Kinda like the way it was back when we were running Windows 3.1 right? Linux is inherently more secure, but that doesn't make it invulnerable.
In KMail (and I'd hope in Evolution as well) attachments are never executable, only openable at best. To execute a program/script you still need to save the attachment to your local hard drive and explicitly make it executable. So starting applications right from inside KMail is not "easy", it's completely unsupported and impossible. (Btw. KMail neither executes JavaScript, loads any web plugins nor downloads any stuff embedded in HTML pages. Security by design.)
No, that doesn't follow.
You can bet there'd be people trying to write viruses/trojans/worms/&c. But size of userbase isn't the only factor here; some OSs are far easier to break into than others, and that'll also have an effect. So will the number and organisation of people supporting it, and the way that bugs and fixes are managed and distributed.
Whether virus writers will succeed in creating something nasty, whether the result spreads widely, and whether the hole is plugged quickly and effectively, all depend on those other factors. So far Windows seems to have a far worse record on these things than most other OSs, and they won't change much with popularity.
Ceterum censeo subscriptionem esse delendam.
1. In 1999 I worked at a company with 30,000 workstations. The second year in a row they spent nearly $1 million fixing up machines after virus/worm attacks, they 'banned' outlook express in favor of Eudora, though most people continued using OE anyway. (Said cost did not include lost time.)
2. IIRC a couple of years ago one of the Big five accounting firms, the only all-MS shop among the five, was shut down completely for several days due to NIMDA (?) Assuming $1 billion/year gross revenues, three lost days amounts to $120 million loss - or at least deferred, or packed into later overtime, etc. This is a back-of-napkin estimate, but still indicative of the potential costs.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
95, 98 and ME links? Or did they used to have them but no longer offer them? Or maybe I'm a tard and not just seeing them. thanks! good link anyway!
The whole point of the article is that worms increase the TCO of Windows. If using Windows requires the installation (and maintenance) of a Windows 2000/2003 SUS server then of course that is an added cost burden and the TCO increases.
Just like all those other things which any sane IT department would consider a requirement when protecting a Windows environment:-
centralised automated virus updating.
virus scanning of all email.
attachment blocking on email.
blocking/scanning of malicious web content.
IDS on default route from Windows machines.
firewalling of Windows LAN segments.
etc.
They all cost money to install and maintain and increase the TCO of using Windows.
(insert obligatory jokes about apt-get, yum, and emerge...)
Even when comparing Windows against that hippie OS?
That's Ludacris!
--Laura Didio & Bobby Winderle
"...more detail to security will have to be maintained to ensure the safety of the systems you are running."
Oh you mean like SELinux, UML Linux, File System ACLs, and Chroot jails? Oh I feel much more comfortable about Linux's security future than Windos.
That adds a few steps to running an attachment, but the worm writers are working hard against you. Netsky sends itself as a ZIP attachment, sometimes an encrypted ZIP to slip by virus scanners ("hey look at this! the password is foo"). So now from KMail you open the attachment in Ark. Now what do you suppose happens when you double click a .sh file in Ark (or Gnozip for that matter)?
I feel stupider for having read the parent post.
Actually, that's configurable, using visudo(8). The default in Suse is to require the target (ie root) passwd.
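The disagreement in the sudo comments above (your own password versus root's) comes down to three sudoers `Defaults` flags: `rootpw`, `runaspw` and `targetpw`. The following is an added example, not part of the original thread: a small audit that reads sudoers text and reports whose password sudo will request. The sample policies are constructed, and the rootpw, runaspw, targetpw precedence order is an assumption about sudo's behaviour.

```python
import re

# Flags that change whose password sudo asks for. The tuple order is the
# precedence this example ASSUMES sudo applies when more than one is enabled.
PASSWORD_FLAGS = ("rootpw", "runaspw", "targetpw")
PROMPTS_FOR = {
    "rootpw": "root's password",
    "runaspw": "the runas_default user's password",
    "targetpw": "the target user's password (root unless -u is given)",
    None: "the invoking user's own password",
}
# "Defaults", optionally scoped with :user, @host, >runas or !command.
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])\s*(\S+))?\s+(.+)$")
INCLUDE_RE = re.compile(r"^[#@]include(dir)?\s")

# Constructed sample policies (not copied from any real system).
SUDOERS_OWN = """\
# wheel members authenticate with their own password
Defaults env_reset, timestamp_timeout=5
%wheel ALL=(ALL) ALL
"""
SUDOERS_TARGET = """\
# the behaviour the comment above describes: ask for the target's password
Defaults env_reset
Defaults targetpw   # password of the user being switched to
ALL ALL=(ALL) ALL
"""
SUDOERS_MIXED = """\
# targetpw switched on, then off again, plus a per-user override
Defaults targetpw, passprompt="pw for %p, please: "
Defaults !targetpw
Defaults:backup rootpw
@includedir /etc/sudoers.d
"""


def logical_lines(text):
    """Yield sudoers lines with continuations joined and comments removed."""
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if INCLUDE_RE.match(line):            # '#include' is a directive, not a comment
            yield line
            continue
        line = re.sub(r'"[^"]*"', '""', line)  # hide '#' and ',' inside quoted values
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def password_policy(text):
    """Report whose password sudo will request under this sudoers text."""
    state = dict.fromkeys(PASSWORD_FLAGS, False)
    scoped, includes = [], []
    for line in logical_lines(text):
        if INCLUDE_RE.match(line):
            includes.append(line)             # policy may be changed in these files
            continue
        match = DEFAULTS_RE.match(line)
        if not match:
            continue                          # user specs and aliases are not relevant here
        kind, scope, settings = match.groups()
        for item in settings.split(","):
            item = item.strip()
            name = item.lstrip("!").strip()
            if name not in PASSWORD_FLAGS:
                continue
            enabled = not item.startswith("!")
            if kind:                          # applies to one user/host/runas/command only
                scoped.append((kind + scope, name, enabled))
            else:                             # global setting: the last one wins
                state[name] = enabled
    flag = next((f for f in PASSWORD_FLAGS if state[f]), None)
    return {"flag": flag, "prompts_for": PROMPTS_FOR[flag],
            "scoped": scoped, "includes": includes}


if __name__ == "__main__":
    for label, text in (("own", SUDOERS_OWN), ("target", SUDOERS_TARGET),
                        ("mixed", SUDOERS_MIXED)):
        result = password_policy(text)
        print(f"{label}: sudo asks for {result['prompts_for']}; "
              f"scoped={result['scoped']} includes={result['includes']}")
```

Scoped overrides and include directives are reported rather than resolved, so a clean global result still needs those entries reviewed by hand.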
Hrm, I don't necessarily disagree, but I think there's a good chance your nightmare scenario wouldn't happen if Linux ruled the market. The reason is simple; competition.
There is no incentive for Microsoft to sell a secure product because what's your alternative? The cost of switching to another platform is much greater than just wearing the costs of patching and rebuilding infected boxes. So Microsoft does not have any pressure to make a better product.
But in the Linux market there are far too many distributions for any vendor to be complacent. If Red Hat starts getting infected then customers are going to say "make it secure or we'll switch to SuSe". There will be tremendous pressure on Red Hat to fix their distribution. And the open source nature of (most) Linux distributions means that there are no technological or legal barriers preventing Red Hat from "stealing" the best ideas from SuSe.
However there are two considerations that lend more weight to your nightmare scenario. The first is that it's becoming harder to switch from one Linux distribution to another. Schwartz recently called this the "proprietary nature" of Red Hat. I don't agree with his terminology (there is *nothing* proprietary about Red Hat) but I think his point was really about vendor lock-in. There is no denying that the Linux distributions are starting to create vendor lock-in. It's not very obvious right now but I see the signs.
The second is that the distributions don't actually write a lot of the software. They can only sell what the software writers produce. So Red Hat simply doesn't have the resources to make BIND secure (Hercules couldn't do that). Though even in this second case, there is competition in the free-software sphere of nameserver software. So Red Hat always has the option of switching to ddns or whatever.
I think overall, on reflection of your points, I would say that a world dominated by Linux would be more secure. It wouldn't be utopian, and there would still be incidents similar to Sasser, but I think it would pale in comparison to the damage caused by the monoculture created by a complacent Microsoft.
Where has this meme come from, and why is it being repeated? I recently installed Lindows (sorry, Linspire) and it definitely asked me to create a normal user account.
...did you just slashdot faqs.org? That's the first thing that comes up when you google for "RFC 1149", and it's not responding.... go for the mirrors folx, there are plenty out there;)
or maybe it's just coincidence? naawwwww...
oh, and the title of said RFC is.... (drum rolls)... "A Standard for the Transmission of IP Datagrams on Avian Carriers".
I have discovered a truly remarkable sig which this 120 chars is too small to contain.
except that people too stupid to not run unknown attachments will also, theoretically, be too stupid to login as root in the first place.
-Millions of Monkeys, Millions of typewriters, 6 hours of sorting through faeces encrusted pages to find: This post
I think the problem is that you don't need to be logged in as root for the most common types of virus to do their damage. You just have to run an attachment that deletes anything it can get at, for example, and you can do that just as easily when logged in as joeuser. After all, the valuable stuff is the data (which Joe User won't have backed up recently), not the applications and configuration information that might be protected to non-root users.
I'm not for an instant suggesting that the *nix model where root access is the exception isn't superior to the Windows one where most people have full access to everything by default. I'm just observing that it doesn't solve all (or even, in this context, most) of the problems.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
If it's above port 1023. Port 1024 is the first unprivileged port users can use to open a connection.
A common example of a user launched server opening a port: launch X as an unprivileged user and watch which port it winds up on.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I'm not sure I buy that. It's certainly true that a WinXP Home box isn't 100% secure by default (though the forthcoming SP2 should do a lot to fix the more glaring holes) and that it does effectively give root access to anyone. OTOH, Linux home distributions don't exactly have a glowing history of disabling any services likely to pose a security risk by default, either.
In the serious game, however, recent incarnations of Windows (since 2000) have provided for some fairly powerful permission control if the admins care to take advantage of it. Certainly they go far beyond the crude user/group/everyone access of UNIX file systems, so if you're thinking of things like POSIX ACLs instead, it's only fair to compare against proper directory services on contemporary Windows installations.
On that, we agree entirely. All the user- and system-level security in the world won't stop a muppet running an executable attachment called "see_busty_models".
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
+ A quality, knowledgeable IT staff who tailor solutions for your company and receive a decent salary and benefits in return
or...
+ Bill Gates bank account
The problem is with the growth of worms and patches and other measures to deal with them, it's getting to the point where even running Windoze requires a competent IT staff AND one gets to put money into Bill Gates's bank account.
Tech Public Policy stuff
Of course it increases the cost. Every time I have to help someone out I double my price from the last time. Parents are up to $1000, sister $10000 or so (with a promise to NEVER destroy another computer by simple touch), so the cost is always going up as long as us experts force it up.
Good programmers drink beer to relieve job stress.
Great programmers drink hard liquor and work best hungover.
Exactly. How many people that use Linux are going to mess up? From the newbie end, they are not likely to know what a compiler is, but as they learn they will understand and appreciate that they can screw up their machine, but that they can also keep it running fine by doing nothing. Contrast that with a Windows machine.
You are being MICROattacked, from various angles, in a SOFT manner.
This is just arguing for security through obscurity by saying switching to Linux or MacOS will give you a lower TCO. Of course if everyone switches and Linux or MacOS become the dominant OS, the problem will reappear since MacOS and Linux are riddled with security holes as well.
"And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best."
I doubt someone cares whether or not their computer boots if a virus deleted all their data files. It's a matter of perspective, to the SysAdmin it's convenient, but there is still lost productivity.
"compare that to windows, where the "default" is running as administrator."
The default in Solaris is also 1 root account when you install. Not sure about the various Linux distros.
Easy solution... Use linux.
Webmaster of Infoweb
You're an idiot. NT, which is the basis for XP and 2000, etc., was written by VMS developers, who wrote a multiuser system from scratch. Unix is not inherently more secure than windows. They're both written in c.
Without forgetting that the article said that Sasser is the exploit that took the least time to infect a machine after the vulnerability became known: 18 days. Previous record, Blaster: 25 days. This is more than enough for a vulnerability to be patched on Linux.
Slashdot anagrams to "Sad Sloth"
if the worm decided to frag the system after multiplying several dozen times?
I didn't see anyone else mention the holy fucking mess this would create.
Forget TCOs, what about way of life? If you think worms and virii are always going to keep their hosts alive you're talking like a flu victim who hasn't heard of smallpox.
Direct away from face when opening.
That's because it is unnecessary.
I don't know why this mistaken idea that "malicious code not running as root can't do any real damage" has gained acceptance, but please stop repeating it.
Really? How many of your files do you have access to with your normal login? If I in any way get you to run an application or process that simply deletes every file you have the permissions sufficient enough to delete, how minimal would the effect really be?
Security will only get you so far. At some point you have to negate some security measures to curtail negating productivity. It's a tradeoff. Want the ultimate security? Turn it off. That's the ultimate in security, but how productive is it?
My Tech Posts on Twitter
of course, that is not the best example, because X is often a suid binary...
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
Really? How many of your files do you have access to with your normal login? If I in any way get you to run an application or process that simply deletes every file you have the permissions sufficient enough to delete, how minimal would the effect really be?
You would delete everything in my home directory, and maybe some stuff in /var and /tmp that is not critical (certainly /tmp is not critical). Of course, I would then copy all of my important data files back over the network, after removing whatever virus or trojan you used to attack me. At any given time I have all of my important files on two machines on my network, and weekly backups to CD-R. Deleting my files might annoy me but the odds are I will recover with minimal loss.
Of course, the average computer user (Linux or Windows) does not have two computers and if he does he is not as anal retentive (data retentive?) as I am.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Doesn't Microsoft own Symantec? And I mean own in a real $$$ business sense, not a L33T OwN3d your A$$ kinda way.
Sara
Designer, Gamer, Macgrrl in an XP World
"Why is this any different from Linux?"
It's not and that's the problem. No windows user wants to type commands. They think it's repugnant and old fashioned. They are allergic to the command line. In fact MS employees and admins make fun of linux by saying they left the command line behind 10 years ago.
evil is as evil does
Who modded this insightful? It's nothing like that at all. Now, if you said it's like logging out of your user account, logging in as root, navigating to the user home directory, finding the attachment and intentionally executing it maybe, but it's nothing granny could do. And she launches Windows exploits just fine, thank you.
Isn't "su" effectively logging in as root?
Your momz getz jacked by wormz, has to go to the vet.
It looks like linux is "vulnerable" naive users then. .sh file is trivial. .sh script to every address in that file.
.sh script.
From kmail to ark to running a
I'm sure most programmers could write a shell script that greps recursively through $HOME for files containing the pattern something@something.something and writing the results to a file.
They could then use the unix mail command to send the zip file containing the
None of this would require root privileges. grep and mail are on just about every linux, BSD and other unix box, so this would be a cross platform virus. Not even OpenBSD could prevent this if the users are naive enough to run the
Would I go to jail if I created such a script as a proof of concept?
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
I believe the NSA Linux modifications provide the functionality.
SELinux ("NSA Linux") actually allows much more fine grained control than modern windows firewalls (which obviously only restrict network access, usually in only very basic ways).
The problem is how difficult it can be to use -- especially dynamically. Once you set up a system with the right ACLs, it is very safe (though slower), but tools for dynamically forming those ACLs when an access violation occurs (e.g. new program requesting resources) are very poor and cumbersome (at least most of the free ones).
Ideally, I think a web of trust should be created which provides standard (minimal?) ACLs for each program from its developers. These provided ACLs can then be analyzed for reasonability (or ask the user in case of violation, all at once) and the program can then run in a sandbox with the given access rights.
IIRC, SELinux will be standard in Fedora Core 2, so maybe the necessary user-friendly tools will be developed?
How can you put Windows and the MacOS into the same pot and Linux as a contrast. What can Linux do that MacOSX cannot, except that the MacOS can be used by grandma, whereas it takes a geek to set up and maintain Linux. Linux is a UNIX flavor for geeks, whereas OSX is a UNIX flavor for ordinary mortals, but geeks can have their geeky pleasures with the command line terminal program.
AAW
All theory is gray
> However, for this to work on a Linbox, there are two requirements: 1)
> the user must save the binary and make it executable and 2) the user
> must then run it. Now, once that happens, there's really not much going
> to go differently on a Linbox than a Winbox. The thing can still bind
> to a high port and zombify the machine for spammers, which is what the
> majority of viruses do as of late.
Excuse me? Even assuming a Linux desktop like Gnome or KDE is stupid
enough to run an attachment when you click on it (or the mailcap file is
so set up with a stupid application), with the default firewall in place
on most Linux distributions, there is no way that this theoretical high-
port server is going to get any connections from outside...
After all, the valuable stuff is the data (which Joe User won't have backed up recently), not the applications and configuration information that might be protected to non-root users.
I agree entirely. It's amazing how many people think Linux is inherently more secure than Windows. I even hesitated using Linux because I couldn't find an easy-to-use network ACL manager as exists in most modern Windows firewalls (actually, just ZoneAlarm at the time).
Without fine grained ACL management, the key is to (almost) never use root AND to use a different user for each important task, or at least a separate user for trying new programs (including attachments, packages, etc.) in order to minimize potential damage and independently analyze the resources used. Unfortunately, this is a huge hassle, so it is rarely done on either Windows or Linux.
If such precautions are not taken then it is debatable whether using root on a single user system is even that significant since it is the user data and basic access to the resources (e.g. for spreading a virus/worm) which is important to most people and not the OS or applications.
Personally, I have high hopes for SELinux in Fedora Core 2. Hopefully other distributions will proceed similarly toward sandboxing with fine grained ACLs. I'd love to have tools for easily and dynamically managing ACLs in Linux, with most of the standard ones already determined by the distributors.
Thanks for sharing your viewpoint throughout this thread. A couple of times when I was about to post a rebuttal, I found your post expressing something similar to my own sentiments.
My shop has never lost any time due to worms, virus, or anything.
Yeah, but at what cost? Oh, you answer that, too...
We have 3 IT people and they have enough time to continually filter new gadgets out to us.
3 full time IT people. I achieve the same results by myself, part-time. And I do it by not letting our Microsoft software on the Internet.
Like the man says if 95% of the desktops were Linux that is what virus writers would attack.
This has been done to death on Slashdot. The single biggest argument against it is the open source Apache web-server: it is used far more than Microsoft's equivalent, IIS, and has been compromised far less.
"THALL SHALT NOT TAKE THE NAME OF ROOT IN VAIN."
To understand recursion, you must first understand recursion.
In nomine patris et filii et spiritu sancti, amen. Go forth, my child, the Lord wills that you access ports below 1024. Godspeed!
To understand recursion, you must first understand recursion.
Even if a trojan did do that and opened a port above 1024 for others to log in, they would only have the access of that user. Yeah that does get them one step closer but they would still have work to do if they wanted to really damage the system. So while the user may be compromised, at least the system still runs fine. The worst they could do that I could think of is fork bomb the system and read user documents.
Lindows lets the user run as root by default, just like Windows, but Linux generally does not.
That was true in some early betas. Now it just runs everything as a normal user account.
Sasser can't attack computers behind a typical firewall. There's a couple dozen computers where I work that are not updated, have not been in months, that were not affected.
... at all the linux users being attacked though linux's many security holes that are simply overlooked today due to the linux community being too small to care about.
... compared to a fresh install of XP, without a firewall a home computer of mine became infected within 10 minutes of being online attempting to install the security patches.
As usual, the story is meant to scare the ignorant. Quick deployment to protect against Sasser is irrelevant so long as mobile computers are looked after first and a firewall is present.
I can't wait until the 'year of the linux desktop' finally starts, or did that pass already? So hard to tell when that headline has been used every couple months for the last 5 years.
If it ever does happen, I will be grinning ear to ear
George Bush + Linux = "I will not let information get in the way of the fight against Windows"
Easy. There is ONE company that sells that OS. There is ONE current version and every prior version is related to it. ONLY THAT ONE COMPANY CAN MODIFY IT. Take that statement and replace OS with MacOS or with Microsoft Windows. It does not matter. It is a proprietary OS and you rely on the company that makes it to make it secure and stable. You can't modify it or buy it modified by others. In a world with 95% marketshare being MacOS, there would be many fewer security problems... however, once someone found one, the majority of machines are at risk. The Monoculture problem. So yes, in this instance, MacOS, Windows, Solaris, NetWare, etc. are all in the same boat: being closed source products, if they have a large enough market share, they create a monoculture. The same is NOT true of "linux"; it would be true of a particular distribution if it had a large marketshare, but I was talking Linux having large marketshare, and even the more popular distributions having maybe only 10% marketshare.
vi +
So why do hackers target Windows IIS then and not Apache which has around 60% market share ?
And how many people will just do something bleedingly obvious like their full name (with spaces for spaces) however many times it takes to meet the 30 character minimum? People know they lose written down passwords, so they'll want something they can remember in a pinch.
And that's not even touching the parent's implication of official software existing in an open-source world (not everything has an emerge, apt-get, or rpm package).
Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something).
In any case it's perfectly possible to inspect the patch to see exactly what it does before applying it.
Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
You have no idea if a Windows patch actually patches what it says it does. Hence many corporate users having to maintain test machines in order to black-box test that Windows patches don't break anything "mission critical".
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you."
The important difference is that all of the decision making here is meant to be made by a sys-admin. Who is hopefully qualified to understand the consequences of their decisions. Whereas with Windows all sorts of system administration tasks are expected of the end user.
How about in your next patch you add an option to Outlook called
[X] Don't automatically run any attachments ever. While you're at it how about
[X] Don't display messages using HTML.
Sheesh!
Keeping viruses like this from running is normally as simple as telling people "Do not login as root and run unknown commands".
Which is in turn only an issue with home/SOHO users. Since in most corporate environments there is no reason for the average user to need to even know the root password to their workstation. (Unlike the all too frequent situation in Windows where a user might need to be "local admin" in order to even run the programs they need.)
Maybe a future distro will display this message when someone logs in as root: "DO NOT COMPILE AND RUN PROGRAMS AS ROOT UNLESS YOU TRUST THE SOURCE".
Or if logged in using a GUI put up a "loud" background to draw attention to the fact that you shouldn't be here unless you really know what you are doing. As some distros do already...
> The Monoculture problem. So yes, in this instance, MacOS, Windows, Solaris, NetWare, etc. are all in the same boat: being closed source products, if they have a large enough market share, they create a monoculture. The same is NOT true of "linux"; it would be true of a particular distribution if it had a large marketshare, but I was talking Linux having large marketshare, and even the more popular distributions having maybe only 10% marketshare.
It is unlikely to be true of many distributions anyway. Since the typical Linux distribution offers alternatives for all sorts of applications, both system and user.
Even starting from exactly the same distribution two different entities, be they corporate IT departments or OEMs insisting on preloading software, could end up with rather different end results.
Robert T Morris - was he the sendmail worm guy? I read something about that years ago. Too lazy to check Google if he's the same guy I'm thinking of.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
I'm afraid that doesn't work on my solaris box, says something about not being able to find a C compiler
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Also under windows it's possible to change the icon of an executable to make it look like something more harmless (such as a picture) and hide the extension, so someone may try to view a picture, blissfully unaware that it's really a binary.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I hear the sounds of "Hail to the Chief" being played somewhere...
Last time I checked the Jargon file, he was the guy behind the first internet worm. He claimed that it was never supposed to be released, but many (most?) people remain unconvinced.
Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
That's why there is gnome-sudo (or something), it will popup username/password-popup-window
New things are always on the horizon
a bot would only be able to start after a reboot if the same user logged back in, I think that's an important difference.
New things are always on the horizon
But people can compile/install djbdns instead (automated compile of course... because of the license... yes I know it's a bit annoying)
New things are always on the horizon
The people who are dumb enough not to understand this are _not_ capable to save as, open a shell, cd , chmod +x and sh it.
Or if they are, they are dumb perverts.
> The "run as" command has no problems running installers or other graphical applications.
Unfortunately, in some cases it won't work -- if a "Run As" program calls another program, (at least in the circumstances I've seen, it may work somehow) that second program doesn't get admin privileges. With su, it keeps the user as root.
Also, I would like to be able to use "Run As" on Windows Explorer so I can move/work with admin files while logged in as a user, but sadly the file explorer will not let you do that. Well, you can use Run As, but you still can't get any of those files.
Those are the two problems that I have seen with "Run As" that su does not have. Other than those two minor gripes, yes, it works very well.
Users don't listen to those instructions. Sorry, they don't. There was even a windows virus that went around a few months ago that had to have instructions for the user to unencrypt it to run it... They ran it. Do you seriously think if one came with instructions for a couple lines typed quickly into a shell, that these same users wouldn't do it?
BTW, who said the virus had to run as root to destroy your user files which are the only valuable thing on your computer? A reinstall of an OS and apps takes a few hours max. Those documents the users have been working on for months, the pictures of little johnny playing T-ball, etc, will never be replaced once the files are erased (because users like this also don't back up their systems). Even if you are some idiot who thinks the system files are more important than the data files on a home computer, the user can still follow the nice directions included with the virus and SU himself to oblivia.
> Isn't "su" effectively logging in as root?
No, because the underlying system (the window manager, any programs you run outside the su'ed shell) still have normal privileges. There are a ton of programs that run when you log into an X session that will have regular access. Logging into the console as root, however, does not run all that crap. Therefore, it pisses me off that I can't log into a text session as root on Mandrake 10. What f*#$ing brilliance.
so all we need is an evil installer that installs something after showing a fake 'whats your root password' box (and sending it home), then asking a 2nd time after processing something (make it look busy and normal)
> It's not like you have to worry about The Sims needing administrative access to run.
Does your company have a CEO?
> Sasser is the exploit that took the least time to infect a machine after the vulnerability has been known : 18 days.
> This is more than enough for a vulnerability to be patched on Linux.
Which implies it is not long enough for Windows? The patch to protect you from Sasser was out before the worm was, so unless I'm missing something, your statement proves nothing. And what do those numbers mean? Wasn't the aforementioned patch out for more than 18 days? I believe so, so your numbers are incorrect. Maybe before the vuln was known by the public, but either way, someone who keeps their Windows patches up to date will not get infected by current worms. Anyone who keeps their Linux box patched up-to-the-week will not be infected by any current worms (what, all one of them?).
(FD: I hate MS, but don't like FUD from any side)
sudo requires your current user password, not the root password.
That's kind of the whole point.
-Peter
> with Windows all sorts of system administration tasks are expected of the end user.
I'm no fan of MS, but what admin tasks do (or can, even) an end user perform?
The "runas" command is not obvious to most users and it isn't available in older MS Win32 OS's. I do realize that for some processes, the runas does provide a GUI interface, particularly when you start an installer, but like another responder to your post has stated, you can't do everything with "runas" (Windows Explorer for example).
Question then - How do I assign file ownership to a user? I know how to assign rights to a user, but I want the user to actually own the file/directory and the only way I know is to log in as the user and then "take ownership". There has to be a process where you can assign ownership, but I am not familiar with it.
Ultimately though, this topic has more to do with the worm problem. These worms seem to have an easy time gaining elevated privileges on the system because of flaws and/or users with greater privileges than they need for day to day task. I work at a large IT company and their solution to desktop management was to give all users administrative rights on their personal desktop as opposed to giving them the administrator account. Ideally MS Win32 will come out with something like "sudo", but I haven't heard of plans for that.
I'm not familiar with Mandrake's configuration, but on Solaris, you can change the behavior to allow/disallow root login. I'd have to guess that Mandrake has the same capabilities (Do you have a /etc/default/login file to control it?).
Same with Linux. A user must be a member of the "wheel" group to allow use of "su". Many distros have this off by default. Somehow though I'm sure the Win-cheerleaders here will, beyond all logic and visual evidence, still consider this equivalent to grandma's default XP install.
It's not simply the inherent security (or lack of) in a system that is the problem. If there was a mass migration of users over to Linux or any other OS, there would still be the problem of the average (l)user not maintaining an up-to-date system, and leaving things wide open.
There is an element of security by obscurity with Linux etc purely because it's not as widely used as Windows. I reckon you can be pretty confident that, as its popularity grows, so will the attention it receives from the virus writing community.
There are some things in the way Linux etc is built that makes it more immune to viruses, but in my mind that would probably mean that IF a relatively successful virus could be written for the Linux OS, it would be more likely to have a much more devastating effect than the average guff pumped out by script-kiddies, since it's more likely to have been written by an accomplished black-hat type.
a
When a passenger of the foot, hooves in sight, tootel the horn trumpet melodiously
Okay, I'll be more clear. The hole exist since 1996. They got 8 years to patch it. I doubt that the Linux community would have missed a vulnerability for 8 years. When it was finally known, it took 18 days before the exploit was created. Isn't that more than enough for correcting the problem?
Slashdot anagrams to "Sad Sloth"
Look for "chown for windows" on Google, I have used that to set ownership on files through cmd scripts on Windows.
home
You'd need root to destroy the system, read all the files, or install a rootkit to hide your tracks, but most worm writers don't really care about that. What they want is for the worm to spread itself and they want anonymous proxies to do their spamming, phishing and DDoS'ing.
Notice the part where they ask for a tax break.
i'm not on quest to be a troll wanna-be. but here are the facts as i see them.
if i look at the money math, then things kind'a fall in place.
consider the history: it takes a long time, or a very loud voice for that other operating system to write a patch for something that is a security hole. for the linux operating system, maybe 6 hours? and without the any fanfare. uhmmmmmmm.
one thing 'crackers' aren't, is foolish. doing the math, again. if i'm going to write a worm or virus, which operating system will give me more benefit? not linux, my 'work?', will be useless before i can even finish. no buyer of virus, or worm 'bots will pay for that.
from a gaming viewpoint: m$ already has my money. what's in it for them to spend more money on something they already have? doing the math, again, and again; the less work m$ does, the more profit its executives keep.
Because the -z flag to tar is nonstandard, and won't work on almost any commercial unix, besides.. if you become dependent on these nonstandard flags you will have trouble using commercial unixes or older systems etc
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I can't think of anything that's regularly used that launches connections on the UP ports. I could write a perl script that does it though.... dare yah to run this.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
MY math was wrong. It's Friday and I'm leaving early, I put in your costs for the servers. :)
TCO sans SUS over 5 years = (65 * 4000) + (5 * (2 * 70000)) = $960,000
TCO with SUS over 5 years = (65 * 4000) + (5 * 20000) = $360,000
And, I DO see your point, most people calculate TCO based on soft dollars which are never recouped to the organization unless you get rid of people. If it takes 100 less man-hours to do a job a month, you don't save (100 * $average hourly) unless you get rid of the people doing the job. The above example, however, does that. That being said, though, freeing up admins to work on projects, rather than "regular maintenance" will help the organization become more efficient, thus lowering the TCO in other ways besides payroll.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
You can also mount a user's home directory 'noexec', effectively only letting them execute things which root has installed.
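A way to check the noexec suggestion above on a given machine, as an added example that is not part of the original thread: the function reads a mount table in /proc/mounts format and reports which user-writable mount points lack noexec. The sample table, the function names and the list of mount points are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mount table for
# user-writable filesystems that are missing the noexec option.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# has_option OPTIONS NAME
# Succeeds if NAME is one of the comma-separated OPTIONS. Matching on
# ",NAME," avoids treating "exec" as a hit for "noexec" and vice versa.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_noexec "MOUNTPOINTS" < mount-table
# Prints, one per line, each listed mount point that is mounted without
# noexec, or that is not a separate mount at all (in which case it simply
# inherits the options of its parent filesystem).
missing_noexec() {
    wanted=$1
    table=$(cat)
    for mp in $wanted; do
        # The last matching entry wins: later mounts shadow earlier ones.
        opts=$(printf '%s\n' "$table" |
            awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            echo "$mp (not a separate mount)"
        elif ! has_option "$opts" noexec; then
            echo "$mp"
        fi
    done
}

# Demo on the constructed sample. On a real host, feed it the live table:
#   missing_noexec "/home /tmp /var/tmp /dev/shm" < /proc/mounts
sample_mounts | missing_noexec "/home /tmp /var/tmp /dev/shm /srv"
```

noexec only blocks direct execution of files on that filesystem; a script handed as an argument to an interpreter that root has installed is still read and run, so the option is one layer rather than a complete control.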
> on Solaris, you can change the behavior to allow/disallow root login.
True, I should have thought longer about it before posting. There probably is a simple way to do it... The problem is finding out exactly where that simple fix is. I suppose this is a symptom of the greatness of Linux. You can change anything at all, but since there are so many options, it can be hard to find the location of the one tiny thing you want to change... Since I'm lazy, and all, I don't feel like reading a book just to configure something only slightly important.
> The hole exist since 1996. They got 8 years to patch it.
The hole that Sasser exploits was? I was unaware. Foot? Meet my buddy, Mouth.
I learned that on Groklaw (or a linked article). It's amazing what you can learn there.
Anyway, does it really surprise you that it is an old WinNT security hole?
Slashdot anagrams to "Sad Sloth"
Yes great point, I remember the days of the Amiga and those boot sector viruses. I think the only thing that Windows has done has made it easier to create these script viruses and the like. Viruses have been with us for a long time and just moving your o/s won't make them go away, they tend to follow.
> Anyway, does it really surprise you that it is an old WinNT security hole
Yes, but no thanks to MS of course. I figured there are enough crackers/hackers/etc out there looking really hard for these vulnerabilities, so by the time 2000 came out (let alone XP & 2003s), most of the "good ones" from NT would be well-known.
> I'm no fan of MS, but what admin tasks do (or can, even) an end user perform?
Installing hardware and software are the most obvious. Thing is that in the "Windows world" the distinction between "user" and "admin" is very blurred even before adding in concepts of "power user". To the point where you get applications where the recommended way to make them work is to give everyone admin privs. Whilst there might be some alternative way to get them to work the "support" people for the software don't have a clue how that might be possible.
... any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory.
I'd like some proof of that? I can give plenty of proofs against it.
For example outstanding bugs in IE, they can be fixed when you have the source. Don't say that people don't fix bugs because most don't have the skills or the time, fact remains that a lot of people have access to the source and a few of those will fix the bugs because it affects them.
Linux is not security centered, I don't understand why people keep insisting it's the ultimate security tool. I use Linux.. I develop on it and I'm a developer for Gentoo so I'm not biased against it. I just know it's not the most secure thing, it is a lot more secure than the Windows servers I've had to admin, because when bugs crop up MS can only fix them (and they tend to do a horrible job with those patches, most Windows computers I've repaired died due to patching)
For a real example of security check out OpenBSD.
Now tell me OSS isn't more secure than closed source alternatives.
There are numerous articles around debunking the "many eyes" myth, but here's an executive summary:
As for your Windows patches problems, I can only say that having used Windows for years, and been a sysadmin for several Windows-based and cross-platform systems, I've rarely if ever seen this terrible problem you describe. And if you think it's unique to Windows, hop over to the Red Hat support forum and look at the thread about RPM database corruption, where someone's insisting that it's "not a bug" if running an update on a perfectly valid system set-up shafts your package database.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
> There are numerous articles around debunking the "many eyes" myth, but here's an executive summary:
> * Almost no-one who uses OSS, even those who download the source and compile it themselves, actually reads the source in any detail first.
Yup, but as I said before, those who know how to and have the time (or a serious itch to scratch) will actually read the code and modify it for what they need. I've done it before numerous times (and still do), I couldn't do that with closed source software.
Doesn't matter that most people ignore it, those who don't take advantage of it and actually make important modifications.
> * Most OSS projects are small, with a small number of contributors, and little or no formal review process.
Yup, small isn't bad. Most Windows software is made by small companies. And.. I've worked for larger companies, the review process is a lot worse than what I've seen in the open source world. There are good project leads that review things, and bad ones that don't. Same as in closed source. Just when it's open other people can see plainly what's going on.
> * On larger OSS projects -- Linux, Mozilla, OpenOffice.org, etc. -- there are more people but also more code, and it's still unlikely that any individual piece of code is reviewed significantly more often than in a good CSS development group.
Not necessarily. Might be for some projects, though how many companies have a good development group (most don't, even large companies)? How many find bugs but never bother to fix them? Or how many don't even know about some bugs (or are labeled live-with)? I don't think it's possible to back up a statement like that with any proof (there isn't any, no one knows how many times a particular bit of kernel code has been looked over, or how competent one set of developers is compared to another)
> * Of course it's easier to fix bugs after they happen, in the sense that anyone with the necessary background knowledge can do it. Of course, very few people have that background knowledge, and in practice most bugs in OSS projects are fixed by the original developers and/or specialist professional developers.
Look at the number of patches Debian or Gentoo keep in their trees because they haven't gotten around to submitting them to the original sources (or they haven't made it in a particular release). There's also the little fact that you can pay someone to add things to a particular project (bounties for example), and anyone can do it.
> * Finally, the real security problem is how many bugs are there in the first place -- if you fix a bug but only after an exploit has taken down half the servers in the world, that's a bit late. OSS software -- even the big names like Linux and the popular networking tools -- consistently gets a similar number of critical bugs reported as CSS.
I'd like some real numbers on that one. Simply because I don't know them, and I have a suspicion as to how they got the numbers (comparing for example RedHat bugs to Windows bugs, that isn't a reflection of OSS software). Also Linux is a kernel, and it depends if they were using the newest version of it, and if they didn't taint it (I suspect most of the bugs would be caused by other factors). A link to an article that contains this would be nice.
> As for your Windows patches problems, I can only say that having used Windows for years, and been a sysadmin for several Windows-based and cross-platform systems, I've rarely if ever seen this terrible problem you describe. And if you think it's unique to Windows, hop over to the Red Hat support forum and look at the thread about RPM database corruption, where someone's insisting that it's "not a bug" if running an update on a perfectly valid system set-up shafts your package database.
RPM sucks, I'll give you that. RedHat isn't the ultimate in OSS, you can't compare just with it. How many problems have you had with apt or portage? I've used both extensively and I've had 0.
You did not really answer my question. Linux may be more diverse, and that can bring its own problems, but the average normal non-techies (who don't read SD site) don't care what the OS nor the hardware is, other than they want the stuff to work, and work the first time out of the box. That is the area where Apple is better than anyone else right now. The Linux community should concentrate on making this excellent OS work easily for the non-techies also. That was my point.
All theory is gray
> It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Microsoft's own Freelancer game won't work with it.
Also, their Halo demo has problems, although the full game works.
If it's that hard for THEM to get it right, I find it difficult to believe there aren't other programs out there with a problem.