Slashdot Mirror
UNIX Security: Don't Believe the Truth?
OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"
So if an OS is to make a daily backup of user's home directory (or My Documents) automatically and locks it away (until emergency) from user access, it might just win the heart of users.
Virtual Betting on Facebook for non-geeks.
If "Johnny's first day at school" is more important that system critical resources, perhaps you should have hard copies (CD, DVD, tape, etc.) of this media.
You're right, you should make backups. You have a love-affair-dependency on your hard drive. Everyday you need it to retain the ones and zeros it holds that forms your data. One day, your personal hard drive isn't going to be there for you. That's why you should back up regardless of how secure you feel. Most "normal home users" don't have redundant RAID arrays running. Furthermore, it isn't "secure period," it's touted to be one of the most secure operating systems. Wait, weren't we talking about Unix?
I don't think anyone but Mac users claim that. And anyone that claims that for any processing device is lying to you. There are Linux Viruses out there, just use your favorite search engine.
Oh good, we're back on Unix here (they're not exactly the same, you know). I disagree, both sides (user and system) are more secure in the case of Unix or Linux for that matter.
While this might be true, I think you should take into account the frequency of said viruses. When's the last time a massive virus attack has taken down entire networks of Unix machines? So you talked about Unix security without quoting a single authoritative source on the issue. And to finish off this article, you rely on a one-hit wonder brit pop band to prove your thesis. May Slashdot have mercy on your soul, Thomas. Endure the onslaught.
My work here is dung.
This story was ripped on for being lame on osnews earlier this week. Now the slashdotters get to make fun of it too.
Why is this necessary? How many people actually run UNIX at home and where's the push to get it at home? Linux is another story, but security is only one of many reasons there.
and a triumph for the home user. If you had to choose between having a virus that both destroys your personal files and compromises your system or a virus that only destroys your personal files, which would you pick? He's making light of a very significant thing for most home users--a full wipe and reinstall of the operating system and applications. That's a day's work for your typical user, more if you have a bunch of programs you need to go hunting for.
But what is more important to a home user? His or her own personal files, or a bunch of system files? I can answer that question for you: the pictures of little Johnny's first day of school mean a whole lot more to a user than the system files that keep the system running.
What's the value of Johnny's first day of school photos if you can't boot the damned computer? Again, the author makes light of the value of the system to the home user. Just because John Q. Public cares more about his cup holder than his engine block doesn't mean he won't care when the cylinder head cracks.
Of course, they should make backups-- but wasn't Linux supposed to be secure? So why should they backup? Isn't Linux immune to viruses and what not? Isn't that what the Linux world has been telling them?
Actually, no. I have yet to speak with a single techie who says that you don't need to back up important files under any circumstances. In fact, viruses are almost always a "secondary" reason for backing up files; the primary driving reason behind backing up your files has traditionally been that of hardware failure.
The crux of his entire argument rests on the supposition that, to the home user, the system simply doesn't matter. In a most cosmetic sense, this is true; home users don't give a damn about kernels and drivers. The instant something goes wrong with that system, however, it's a nightmare for that archetypical home user (who, remember, doesn't know and doesn't care how the thing works). When everything works, they can open and print Johnny's files just fine, but what the heck are you supposed to do when the omgwtf32.dll pops up an error message when you try to open Johnny's picture?
Obliteracy: Words with explosions
Open source, maybe?
The ability to change and fix problems within the code? I mean I'm not a top level programmer who is constantly editing his kernel source code, but I have changed quite a few applications to benefit my needs.
Maybe more distros should come with an install routine for Bastille-Linux. The FTA never mentioned this product, although it's more geared toward servers, not desktops. My guess is it wouldn't take much to turn this into a product for all *nix desktop operating systems.
"Powers. I have them."
Even if you read the RTFA, which says that rather than computer exploding windows-style, nix hackage will just wreck your home, which is supposedly all that matters to a home user. Still wrong. Think multiple users for a start. But that's totally wrong when it amounts to time lost. If windows gets fucked as it often does i've seen many a user stick in their oem disk, reinstall completely, and then go through painfully reinstalling everything they had before. Say my /home was wrecked? All I'd need to do is fdisk the drive and create a new user? Besides, as in unix only exectuable files can be a source of infection, rather than screwed up images and office files, I can safely copy away anything I want. It's dumb. Sorry OSnews.
I think the phrase "less risk of any holes being exploited" is better than "more secure".
Unix can be hacked/cracked too, just there's less likelihood and there less risk associated with running a *nix based O/S.
This is the false sense of security I am talking about. UNIX might be more secure than Windows, but that only goes for the system itself. The actual content that matters to normal people is not a single bit safer on any UNIX-like system than it is on any Windows system.
This idiot is stating that because some users don't understand the UNIX security model, the UNIX security model is flawed. Apparently, as far as he's concerned, if ~ gets destroyed, the whole system may as well be destroyed. He's blathering about a "false sense of security," but I have never, anywhere, ever, heard anyone say that you don't have to back up your data if you run UNIX.
Sound and fury, understanding nothing. Typical of OSNews, but sad that Slashdot's carrying this crap.
REM Old programmers don't die. They just GOSUB without RETURN.
I think the author of the editorial makes a rather trivial point. (They could have made the point a lot stronger, pointing out that malware, spyware, adware, trojans, etc., are all able to be run from within unprivileged user-space.)
But why would a home user care about Unix-type security? I'll give you a few reasons of my own.
(a) Smaller target. Yes, that's right, I'm saying that the largest increase in security that home users get is because they're using something that 90% of the home user market isn't. This isn't a feature inherent to Unix, obviously--but I still think it's a reason to switch. "But if everyone switches, won't that get rid of the security increase?" Perhaps a little, but the only way it would completely vanish is if everyone switches to the same flavor of Unix. If we have a Unixy, more secure home computing environment, but slightly different flavors, then viruses and malware will have a more difficult time propagating in such a non-homogenous environment.
(b) Remote exploits. This, I think, is a lesser issue, but not a trivial one--there are a considerable number of remote exploits in Microsoft software, and there have been a non-trivial number of viruses and malware that spread through this vector. Unix-based systems are historically less vulnerable to such attacks, and often the remote processes that are vulnerable run under a different user than the desktop user anyway.
Dlugar
Computer Go: Writing Software to Play the Ancient Game of Go
Are the editors even paying attention here? How can a 500-word, Grade 6 public speech-quality editorial makes it to the frontpage? Where is the quality here, folks?
For he today that sheds his blood with me shall be my brother.
Now, J2ME is a flawed platform in many ways, but in terms of security they're light-years ahead of where desktop computing is. There are many things we could learn from it.
When NT 4.0 was coming out the arguments were that it was more secure than the joke that was Unix. I remember top security guys telling me to get my mcse for that reason. This was in 1996.
Its laughable today because it was before the holes in Windows2k were discovered but there is some truth. VMS and MVS were standard and rock solid with security. Unix like Windows was written in C with parts of c++ scattered here and there with userspace apps. Buffer overflows galore are everywhere.
Even MacOS (not Macosx) was more secure for the reason that it did bounds checking on types. Add to that the fact that x86 can not tell the difference between cache stored for ram and cache stored for applications where you can just point to where a program is stored for execution and you have a nightmare on yoru hands.
Keep in mind I am no expert and I dont even have my 2 year degree yet. Perhaps someone more knowledgable can clarify how the compilers work?
Unix is surely better than Windows but VMS is about gone and who uses mainframes anymore besides a selected few users who need them?
Standards are good but there is no diversity left in platforms. Its too bad VMS just died and stayed closed. It would be nice to have something besides just unix and Windows
http://saveie6.com/
Security equals security for *your* files, and Unix can't do that, so Unix must be just as insecure as Windows. Only when you define "security" in your own, narrow way, and then never implicitly say what that definition is in your 'article'.
I wonder why he didn't bring up that Dad has pictures of Little Johnny on his first day of school Mom has all of her and dad's wedding photos. Litte Suzy has all of her papers for school on the hard drive. Little Johnny likes to look up pr0n.
Windows situation, While trying to download hotmidgetdonkeypornheaven.exe, Little Johnny accidently picks up uber.worm. Uber.worm deletes Johnny's files, suzie's files, mom's files, dad's files, system files, makes the system useless, and you go from a windows computer to a nice paperweight until you reformat. *nix situation, While trying to download hotmidgedonkeypornheaven.sh, Little Johnny accidentally picks up the uber.deletion.script. Uber-del deletes johnny's entire home directory!
Of course, Mom, Dad, and Suzie are entirely unaffected because Johnny doesn't have permission to overwrite those files.
Wonder why the asshat, er, I mean, article writer didn't bring up that snippet?
Evil Walrus >83=
Thomas Halwedra is a young'in with very little real world experience and any practical experience. They kid is in college and has a bunch of machines at home. I think he takes an extremely simplistic view of windows and unix security.
:-)
His 'OSNEWS' bio: http://www.osnews.com/editor.php?editors_id=11
I was doing systems programming on UNIX BSD 4.2 Tahoe when he was born.
I am surprised that his article was even published/posted, I can't really even see his argument or what point is he trying to make. Oh that's right he's a 'managing editor' WTF?
Back to work.
I get called out on this a lot and I'm going to point out some key differences between two types of RAID arrays. A RAID 0 (also known as a striped set) splits data evenly across two or more disks with no parity information for redundancy. Therefore, it is an example of a RAID array that is actually not redundant (despite the acronym). Even if a normal user was running RAID 0, a hard drive crash would be catastrophic.
Still laughing?
My work here is dung.
There is nothing special about UNIX or linux that makes it immune from viruses.
However, in UNIX culture, there is something. The first rules of security.
First, the default installation should not act as a server operating system. The system should not respond to ANY outside requests for anything unless enabled to by the system admin.
Second, no action on the system should be performed with any more than the minimum set of privileges necessary. Everything should be done with user privileges, not system privileges, unless absolutely necessary.
The use of these basic security rules applied more or less throughout the UNIX world, and for MAC OS X as well. Windows INTENTIONALLY ignores these rules in order to "maximize the user experience", and in doing so spawned a multi-billion dollar anti-virus industry.
The guy skips lightly over the fact that it's the system that mediates interactions between the Big Bad World (a/k/a the Internet) and the user and his precious files, so that if the system is well-designed and set up properly, it will do a great deal to protect the user even from his own actions.
An analogy one might usefully make is to the highway: good system-level security is like a well-designed, well-lit highway. Sure, the user (driver) can still kill himself, but he has to behave unusually recklessly. On the other hand, poor system-level security is like a rutty, unexpectedly curving dark country road. Even reasonably careful drivers at moderate speeds can get in trouble.
The guy is focussing on the fact that in both cases the driver can get himself killed. But that isn't the whole story. One "road" (system) makes it easier for a moderately careful "driver" (user) to survive. The other puts even careful "drivers" at risk. And, of course, there's the obvious fact that no "road" (system) can possibly protect the completely reckless "driver" (user).
Still laughing?
Yes, thank you. This time at you.
Err, this isn't security we're talking about here. Security isn't me not losing "my stuff" (a disk crash can do that), secuirty is YOU not stealing "my stuff".
/. we're not a bunch of egotictical morons ;-)
For most home users THAT'S important (bank details, order details, hell even my address and phone number). You imagine how well a phishing attack would work on most users if they knew about open orders (from say Amazon) by reading your files. I think that's much more important to most users!
Of course we all backup our files! Jeesh this is
But what is more important to a home user? His or her own personal files, or a bunch of system files? I can answer that question for you: the pictures of little Johnny's first day of school mean a whole lot more to a user than the system files that keep the system running.
Sure poor computing practice by the user that owns the files could result in their destruction. Nothing gained versus Windows there. But in a family computer scenario, more is gained than the author admits. On Windows systems, many programs are (mis-)designed to require administrator rights even just to run them. This is not generally the case on UNIX-derived systems. As a result, accounts for family members will often be in the local admin group. So on a family computer if you give Little Johnny an account to run his software and play games, and he goes and downloads the latest malware and runs it, it can nuke your data as well as his.
Under a typical scenario under a UNIX-like system he can only destroy his homework and saved games, not your pictures of his first day of school along with them.
That's got to be a non-negligible benefit to the family user that the author completely discards.
.sig: file not found
Security issues have moved on a little since the 80's, where his point of view is from - very few security breaches today result in loss of data, because computers are really more valuable as zombies and so not many viruses really attempt to mess with much (even the most recent public example of a destructive virus on WIndows was pretty much a dud).
Another thing he does not account for is time. Time is a valuable commodity to all users, and anything that can prevent a virus or spyware from reaching further into the computer reduces the amount of time and knowledge needed to remove probelms from the system. That is at the core the value that UNIX brings to the security equation. Not absolute protection but like a teflon pan, easier cleanup when you do create a mess.
And last of all by not explicitly mentioning how much more inherantly secure UNIX systems are that start off with a base of no open ports are. Sure spyware and viruses can get in through the browser, but it's a much harder attack route than just scanning and finding a hole wide open that requires no effort on the part of the computer user to install.
In the end his rant boils down to noting that users should really back up files often - but even this message is dated, as a few years of sketchy consumer hard drives with short warranties has started to drive home this lesson in spades through failed hard drives. Forget hackers; little johhny's pictures today are in far greater peril from a simple lack of using the CD-burner.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yes, it is a pompous headline but it's friggn true. I just spent two days on vacation at a relatives house cleaning spyware. 3 AV scanners, 4 spyware cleaners and there is still crap happening. Unix doesn't let you hide crap like that. Worst case I could boot a CD and do a scan as to eliminate kernel-based root kits. That same kind of effort is friggin prohibitive. There is something to be said for YUM and apt-get. I can very quickly assess the basic patch level of a box and ALL of its applications. Windows = Good Luck
I just sent this to the author of the article (slakje@osnews.com):
I'm sure you're probably getting a ton of these emails, so I'll keep this (relatively) short:
It's incredibly naive of you to say that because *nix users have full access to their user space, they are no more secure than on a windows box. Consider, for a second, how malicious software propagates itself on a user's system: The most popular methods include memory resident programs, overwriting system files and libraries, and the unwanted installation of software invisible to the user.
On a standard windows box, those methods are trivial because the user runs in "root" space. On a standard *nix system, however, the user has no admin privileges whatsoever. So a malicious piece of software has much, much fewer options and means-of-entry in to the system to do its dirty work. Now, is a *nix box bulletproof? Certainly not. No one ever said it was. But by default, it's much harder to do real damage. The removal of the users coveted pictures, documents, etc has to be prompted by some piece of code. If it's much harder to implement that code on to the users machine, then yes, that machine is more secure. You're missing the bigger picture.
Not to mention "security by obscurity", which simply points to the fact that windows users make up 80%-90% of the market, so the authors of the malware tend to target windows machines because they're a more target-rich environment.
My point is, to simply say something like "acutally, no, unix is no more secure than windows" and not go in to any real, tangible detail borders on FUDD, and is exactly the type of press that potential coverts soak in.
Thanks for nothing,
Tim
Windows does have a fairly intricate permission system, and you can setup non-administrative users just like you can in Linux. The only difference is, lots of old software expects to be run with administrative privileges, so if you want to run those things, you need to run as admin. The main reason people use windows is for backwards compatibility, but these days you can do most of your work in windows with a non-admin account if you want.
autopr0n is like, down and stuff.
...and want their argument back. The trojans that "just" wipe out your disk are actually quite rare these days. People want your machine to spam, show you ads, use your computer as a platform for new attacks, proxy, dumpsite or any one of a dozen other uses. A machine where you can only trash someone's personal files isn't valuable except to scriptkiddies who are nothing more than online vandals.
As far as the rest goes, the data are very important but people don't protect them well in any case. However, downtime is important - or not really downtime, since they can spend a week to have it fixed - but every time they have to get someone to fix it, that is a big annoyance. If you can keep the system clean (and if you're good, have the Admin/root account take backups to somewhere the user doesn't have access) you're saving yourself a bundle of time and problems.
Live today, because you never know what tomorrow brings
Secondly, as someone who has seen trojaned PC's I can tell you that being used to spam viagra ads to the western world does have a practical cost for non-techs. While some trojans may leave the files alone the fact that a) all security is compromised, and b) your hardware is being used by others without your consent or knowledge; is meaningful to everyone. In this arena *NIX systems do have a significant leg up over windows. It is much harder for an errant e-mail to lead to a full system compromise on *NIX than on Windows. That having been said I can see how a user-specific trojan may do as much damage.
Thirdly, the author seems to be ignoring the truest source of vulnerabilities: applications. While the base OS is an issue the primary source of holes are applications (Outlook) or application-components (WMF). A *NIX system can be as insecure as Windows with respect to these. However a) There is a greater offering of secure forms, and b) *NIX's more modular form and coding traditions (sacrifice features for security) make it (in general) less suceptible to these kinds of problems.
Fourthly, Windows is developed on a different model from *NIX. Microsoft has always put new features first and foremost. This has led to the situation specified above.
That being the case, much of this is tradition. The traditions of Unix Development (Security over Features) versus Windows (Features over Everything) is what has led to the current state of affairs. Microsoft is in the process of learning the long hard lessons of their history and has been attempting to ape the *NIX model more closely. Meanwhile some in the Linux community have begun arguing that they should move to more "Feature Laden" distros like windows. If Microsoft succeeds in its painful changes and Linux distros begin chasing the "I want features now" crowd then the equations may reverse themselves.
Windows NT borrows and builds upon a lot of things that were in VMS. Microsoft hired the lead VMS engineer from DEC to head up Windows NT development. It seems kind of weird to allege that VMS is technically superior to Windows NT, when Windows NT was largely based on VMS and improvements that could be made upon VMS.
The advantage of UNIX is it's simplicity. The common APIs found on UNIX systems haven't changed in many many years. This sounds like a weakness but from a security prespective it is a great strength. This is because the vast majority of bugs are in relatively new code. If you recall the end of NT4's life it was pretty stable (relatively speaking). That's because all new development work was on other products. Now with the introduction of XP and Sharepoint and .NET and all the other new stuff, there's a mountain of new code to find exploits in. Windows is much more sophisticated than UNIX but whether or not that's a good thing depends on what you're using it for.
In fact, you could debate this for any OS. Here's how I see the best use of each OS:
Linux - Great development platform. You can easily install it on a laptop and get most things to work like they would even though it was "designed for XP" (e.g. power management). Linux is also a great virtual private server. A VPS is a Linux instance running in a VM like User Mode Linux. You can serve Webmail, SMTP, php apps, mysql, imap, etc for your personal use for $20/mo. As car analogies go, Linux is a Ford F150 pickup.
Windows XP - Required corporate desktop. XP provides integrated security with ACLs on a wide variety of resources with all groups managed by a central authority with UIs to manage accounts. As a car XP is a like a fully loaded Mercury Montego sedan (it has all the amenities but don't expect it to be running in 5 years).
Windows Server - Good corporate application, file and print server. It has a rich highly integrated set of libraries. Required for running server side applications for XP clients such as Exchange and AD. Windows Server is also like a Mercury Montego sedan except it costs a lot more.
Solaris - Rock solid server application platform with world class support. If you don't need the sophisticated APIs provided by Windows Server then Solaris is a very good choice. Solaris is like a large Frietliner flatbed truck with GPS tracking and 24 hour roadside assistance.
Mac OS X - Home PC desktop. OSX is ideal for the casual home user who wants to create a web page from the photos on their digital camera or play their guitar with sound loops in Garage Band. Mac OS X is like a Lexus RX 330. Every respectable yuppy has one.
FreeBSD - Good HTTP server for the Internet. It's also a good alternative to Solaris as an application server platform if you're trying to save money and don't need it to scale to 16 processors. FreeBSD is like a Toyota pickup.
I am fairly sure that UNIX is more secure than Windows for a number of reasons.
1. While there is a great deal more Windows around than UNIX, UNIX is where the money is. If you want to extract large sums of money or steal swathes of identities then UNIX servers tend to be the systems hosting these backend services. So UNIX should be the target of hackers wanting to make serious money while much of the Windows activity is concentrated on hacks designed to produce the maximum public impact most of which cost because they down systems rather than extract cash from systems. The fact that almost all the money making hacks concentrate on Windows is testiment to the factthat it is difficult todo on UNIX.
2. Much of UNIX is OpenSource or available as source code, despite this there have been very few examples of ethical hacks or demos of vunerability that have been viable generated by security research companies or ethical hacking groups.
3. Stack overflow holes account for a huge chunk of the Windows vunerabilities mainly because Windows and x86 lack generic protection against these specific overflows. This is not true of UNIX particularly if it isn't running on Intel. Solaris for example has specific controls which limit the options for stack overflows as does the SPARC processor. These controls make it more difficult for hackers to generate exploits that remain viable.
4. There have been vanishingly tiny numbers of viable reported UNIX virii, none in the case of Solaris.
I have found the ultimate solution to such issues in my VMWare testing environment - snapshots. We really beat on and hose our testing machines and, to make sure we were getting an acurate test, we would always have to reimage them from a Ghost image every time we went in there. We replaced that solution with running our testing in VMWare where reverting to a previous snapshot just takes a few seconds. Not to mention that you can branch off them in a tree fashion to track and test under various changes and conditions. I really don't understand why MS can't develop a simpler version of something similar for the OS. HD space on the vast majority of user's machines is plentiful and the ability to be able to make a snapshot of your system when it is exactly the way you want it that you can go back to later quickly and easily would solve myraid problems. If you could back up that snapshot to a DVD or external HD in such a way as the hypothetical snapshot manager could restore your PC config from it in the event of a physical HD failure all the better.
Now, obviously, we would need a way to prevent a malicious program for also corrupting the backup snapshot - maybe some password that is specifically for the modifying and changing of the system snapshot.
I doubt that MS will ever be able to make an OS as secure as Unix as long as they have to provide the level of backward compatibility they do. What they could do, however, is mitigate the risk by giving us a way to get our PC back to it's pristine state without all of the trouble of app reinstalls and haphazard backups/restores. The limitation always was the hard disk space this would entail and that limitation has been blown away by modern HDs...
----- /home/$USER
#
# Nasty file deleting virus thingy
#
#!/bin/sh
rm -rf
echo "Hahahahahaha"
-----
He seems to have entirely failed to understand that if viruses (or other unwanted nasties) can't gain access at system level it's much harder for them to replicate themselves round the network automagically (something which is true for all OS's, inc Windows). This means that whilst you might lose your files, everyone else on your network doesn't have to join you in your misery.
The article seems basically to be a complaint that unix doesn't stop you deleting your own files, which is roughly equivalent to complaining that your gun didn't come with a mechanism to prevent you from shooting yourself in the foot.
This isn't necessarily the fault of Windows
And that is only because the FIRST step is learning enough about the system to know that there is a problem. It's easy for most of us who spend time and read
He does have a point, but it's an easy problem to address. Currently it's pretty easy to run potentially untrusted programs (Web browser, email clients, etc) as another user. Sure you still need to give them access to X, but they won't have direct access to your home files. I'd like to see this process made easy enough for a newbie user to be able to do it, and possibly even the default method of invocation of untrusted applications for the desktop distributions of Linux. If a distribution was doing it, the users who need it the most would never even know it was happening.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Viruses only spread when their infection rate EXCEEDS the removal/immunization rate.
When the infection rate is lower than the removal/immunization rate, the virus dies.
With most current versions of Linux, the default security configuration means that it is very difficult to infect a machine (not impossible) and very easy to remove the infection.
Before this "InterWeb" thingie, I was cleaning boot sector viruses from DOS machines that required someone to have booted from an infected floppy.
Linux boxes CAN be infected, but the odds of it happening are very, very slim.
I wonder if the shareholders have a case for mismanagement?
I got a call from my brother the other day - he told me he was going to dump his very capable, $200 Linksys wireless router in favor of another one - simply because it wasn't on Microsoft's "approved" compatible Xbox 360 router list. that is, he cannot get files to share between his 360 and his PC seemlessly (which is strange because when I was there for christmas I had no problem doing so.)
At any rate, I had a sort of epiphany: Users don't want to learn - they don't want to tweak. Most users just want it to _work_. They don't care about bells and whistles, if it doesnt do what they want it to do in a quick fashion, they dont want it.
Its sad, but true. Secure or not, I find it very difficult to believe that linux, unix, or any other OS will take away Microsoft's advantage - they intend on getting things to work automatically so _anyone_ can use it. I've been using computers for 9.5 years myself, and some of the things I have to do in LInux take a long time to do for me (partially because I'm not familiar with it) becuase I have to read the extensive documentation.
And there are times that I have just wanted it to 'effin' work without havnig to RTFM of 60 pages
That starts you off on shares and setting the time/date.
Do you want to know one of the coding practices lead to this problem?
http://blogs.msdn.com/aaron_margosis/
You might want to spend some time looking up Powerpoint 2003, too.
But this does not explain why the exploits which provide vectors for attack exist. Perhaps marketshare plays into this as well where developers at MSFT have become lazy and complacent with their commanding market position.
Let's stop blaming users for security problems and lay blame squarely on the developers themselves. If any company deserves a class action lawsuit, I would say MSFT does when you consider the amount of money spent compensating for their incompetence.
Jesus was a compassionate social conservative who called individuals to sin no more.
if your time is worth nothing...
I repair many of desktop and notebook machines. Three last week - this is Monday and I already have two machines waiting for this week. This is not my main business - people only bring me machines after other people already tried and failed to fix them.
To fix a borked notebook PC and remove all spyware crap, takes 3 to 10 hours. Repairing a desktop takes 2 to 3 hours. The problem being that notebook PCs are slooooowwww, so the repeated scans take forever and Spyaxe and similar crapware requires multiple passes and multiple reboots with multiple scanners to remove. Consequently, I spend 10 to 20 hours per week removing crapware from Windows PCs.
In contrast, I never have to remove crapware from Linux PCs and notebooks - they just keep working - chalk up zero hours to Linux repairs. This means that in practice, Linux is infinitely more secure than Windows.
Nuff sed.
Oh well, what the hell...
"Yep. It is possible. But it is more work than the average Windows user will want to put into it."
Then you asked:
So I provided you with specific links describing the specific problems and even HOW those problems arise.
So you replied:Yeah. No one ever said that it was IMPOSSIBLE.
What I said was that it was more work than the average Windows user was likely to put into it.
Did you understand it that time? Do I have to repeat it again for you? I do? Okay, I will.
Under Windows, it is far easier for the average user to just run as adminstrator than it is for them to fix the apps that don't work right as a non-administrator user.
NOT "impossible".
And the reason that is it far easier is because the average user must, somehow, FIRST learn why running as administrator is a BAD THING.
Back in the old days, we had real trolls. We had trolls who knew MORE about the systems than the admins. We had trolls who could tear apart a TCP/IP packet.
Now, all we have are these "search Google for me" trolls. It's a sad day for trolls everywhere.
The article, and most of the posters here, are missing an even more important point. There are very few viruses that just delete all your files anymore. The two major threats the PCs these days are spyware (a threat Linux has greater resistance to, because modifying plugins and such usually requires root permissions (with some exceptions, such as Firefox plugins - you're down to app level security there, on both platforms) and zombies to add your PC to a botnet, which Linux is more resistant to, again, because of not running as root. Yes, you have roughly the same level of resistance to "delete all your files" viruses, which are rare these days relative to the amount of "take over your machine as a botnet" viruses.
All that, of course, is ignoring practical differences in the security history of the platforms and common applications, as well as the lower profile of Linux in terms of automated threats. Direct attacks (ie, someone is specifically attacking you) are just as much of a threat, and many distros are vulnerable to attacks in an unpatched state. Linux is *not* a panacea against threats (and only idiots portray it as such), but it is a very different threat profile than a Windows machine.
[PARENTHETICALLY: I'm giving up Mod Points to reply to you because no one else seems to want to make this point...]
Every single thing you wrote would be true if you were to exchange the word "Windows" for the word "Linux" [and vice-versa].
In fact, Windows has a vastly, almost prohibitively more elegant security infrastructure than "Linux": File rights of "Full Control, Modify, Read & Execute, Read, Write," file attributes of "Read-Only, Archive, System, Hidden," very finely-grained ACL-based system security "Policies", a global Kerberos-based directory authentication scheme in Active Directory, etc etc etc.
"Linux" has rwx-rwx-rwx. That's it. [Now Linux combined with Novell Directory Services and a Novell File System would be an entirely different cup of tea, but that's a whole 'nother discussion. Although, I'd ask: Does Novell even have a "Policies" ACL-based security infrastructure for KDE or GNOME yet? Are they working on such a thing?]
The reason that "people" [the great unwashed masses of the bell curve ten or twenty or thirty IQ points below geniuses like yourself] don't use Windows security is because SECURE SYSTEMS ARE A PAIN IN THE ASS and no one wants to be bothered.
If Linux had 95% market share and you had retards surfing the web as "root" [just like the Windows retards surf the web as "Administrator"], then you'd be seeing the same damned thing with Linux that you see now with Windows.
Maybe even worse.
There is a good wikipedia article on this topic actually.
In my own personal opinion, the generically asked question - "What is Unix?"
I hear this a lot, but there's actually a pretty good reason. Windows feels restrictive as a normal user, because its filesystem and registry permissions are so haphazard. Many programs won't even run in a non-admin account at all. UNIX is designed to make the user feel quite unrestricted as a normal user, and conventions like sudoers take this principle even further without compromising the overall security of the system.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.