Slashdot Mirror
UNIX Security: Don't Believe the Truth?
OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"
I think the author of the editorial makes a rather trivial point. (They could have made the point a lot stronger, pointing out that malware, spyware, adware, trojans, etc., are all able to be run from within unprivileged user-space.)
But why would a home user care about Unix-type security? I'll give you a few reasons of my own.
(a) Smaller target. Yes, that's right, I'm saying that the largest increase in security that home users get is because they're using something that 90% of the home user market isn't. This isn't a feature inherent to Unix, obviously--but I still think it's a reason to switch. "But if everyone switches, won't that get rid of the security increase?" Perhaps a little, but the only way it would completely vanish is if everyone switches to the same flavor of Unix. If we have a Unixy, more secure home computing environment, but slightly different flavors, then viruses and malware will have a more difficult time propagating in such a non-homogenous environment.
(b) Remote exploits. This, I think, is a lesser issue, but not a trivial one--there are a considerable number of remote exploits in Microsoft software, and there have been a non-trivial number of viruses and malware that spread through this vector. Unix-based systems are historically less vulnerable to such attacks, and often the remote processes that are vulnerable run under a different user than the desktop user anyway.
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
I wonder why he didn't bring up that Dad has pictures of Little Johnny on his first day of school Mom has all of her and dad's wedding photos. Litte Suzy has all of her papers for school on the hard drive. Little Johnny likes to look up pr0n.
Windows situation, While trying to download hotmidgetdonkeypornheaven.exe, Little Johnny accidently picks up uber.worm. Uber.worm deletes Johnny's files, suzie's files, mom's files, dad's files, system files, makes the system useless, and you go from a windows computer to a nice paperweight until you reformat. *nix situation, While trying to download hotmidgedonkeypornheaven.sh, Little Johnny accidentally picks up the uber.deletion.script. Uber-del deletes johnny's entire home directory!
Of course, Mom, Dad, and Suzie are entirely unaffected because Johnny doesn't have permission to overwrite those files.
Wonder why the asshat, er, I mean, article writer didn't bring up that snippet?
Evil Walrus >83=
I think it is tautologically true. Devastation is a noun, like "unique" that does lend itself to qualification. I think it's also true that Windows users meet with devestation and the hands of malefactors much more often than Unix users; in part this is due to the prevelance of Windows of course. But it hardly explains the mountain giving birth to a mouse response of Microsoft when it comes to improving the situation for their users.
There probably isn't a single kind of vulnerability in Windows that has not been in Unix. The only difference is that in Unix is a choice and Windows is a fact of life. Providers of Unix compete with each other, whereas Microsoft, while it may labor mightily on various things, only works barely hard enough to make life bearable. Nor should we expact it to do "better"; as a business they do what the market tells them to, and if the customer bears much, then the vendor does little. I was fascinated during the MS anti-trust trial of the idea of splitting MS up into competing windows providers. If there were competing providers for Windows variants, Windows would be ust as good as Unix, possibly better.
I expect as more customers desert Windows for Linux (there is no place to go but up), Windows security will improve greatly.
I am reminded of Lord Macaulay's speech on copyright, in which he explains that perpetual copyright is bad for books, "I believe, Sir, that I may with safety take it for granted that the effect of monopoly generally is to make articles scarce, to make them dear, and to make them bad. "
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Security issues have moved on a little since the 80's, where his point of view is from - very few security breaches today result in loss of data, because computers are really more valuable as zombies and so not many viruses really attempt to mess with much (even the most recent public example of a destructive virus on WIndows was pretty much a dud).
Another thing he does not account for is time. Time is a valuable commodity to all users, and anything that can prevent a virus or spyware from reaching further into the computer reduces the amount of time and knowledge needed to remove probelms from the system. That is at the core the value that UNIX brings to the security equation. Not absolute protection but like a teflon pan, easier cleanup when you do create a mess.
And last of all by not explicitly mentioning how much more inherantly secure UNIX systems are that start off with a base of no open ports are. Sure spyware and viruses can get in through the browser, but it's a much harder attack route than just scanning and finding a hole wide open that requires no effort on the part of the computer user to install.
In the end his rant boils down to noting that users should really back up files often - but even this message is dated, as a few years of sketchy consumer hard drives with short warranties has started to drive home this lesson in spades through failed hard drives. Forget hackers; little johhny's pictures today are in far greater peril from a simple lack of using the CD-burner.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
plan9 does this
and you get a day by day (or however much you fancy) snapshot so you can roll back your files to any snapshot in time you have recorded, on a process by process basis. I.E. you can have two different days open at the same time in different processes.
And, to add compliment to health, it doesn't use up extra space but uses Venti
Venti is also available for Unix-likes via plan9port
while I'm here, plan9 is secure BY DESIGN. No super user, networked authentication, networked file storage, diskless terminals etc. et bloody cetera.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I have found the ultimate solution to such issues in my VMWare testing environment - snapshots. We really beat on and hose our testing machines and, to make sure we were getting an acurate test, we would always have to reimage them from a Ghost image every time we went in there. We replaced that solution with running our testing in VMWare where reverting to a previous snapshot just takes a few seconds. Not to mention that you can branch off them in a tree fashion to track and test under various changes and conditions. I really don't understand why MS can't develop a simpler version of something similar for the OS. HD space on the vast majority of user's machines is plentiful and the ability to be able to make a snapshot of your system when it is exactly the way you want it that you can go back to later quickly and easily would solve myraid problems. If you could back up that snapshot to a DVD or external HD in such a way as the hypothetical snapshot manager could restore your PC config from it in the event of a physical HD failure all the better.
Now, obviously, we would need a way to prevent a malicious program for also corrupting the backup snapshot - maybe some password that is specifically for the modifying and changing of the system snapshot.
I doubt that MS will ever be able to make an OS as secure as Unix as long as they have to provide the level of backward compatibility they do. What they could do, however, is mitigate the risk by giving us a way to get our PC back to it's pristine state without all of the trouble of app reinstalls and haphazard backups/restores. The limitation always was the hard disk space this would entail and that limitation has been blown away by modern HDs...
This isn't necessarily the fault of Windows
And that is only because the FIRST step is learning enough about the system to know that there is a problem. It's easy for most of us who spend time and read
Viruses only spread when their infection rate EXCEEDS the removal/immunization rate.
When the infection rate is lower than the removal/immunization rate, the virus dies.
With most current versions of Linux, the default security configuration means that it is very difficult to infect a machine (not impossible) and very easy to remove the infection.
Before this "InterWeb" thingie, I was cleaning boot sector viruses from DOS machines that required someone to have booted from an infected floppy.
Linux boxes CAN be infected, but the odds of it happening are very, very slim.