'WannaCry Makes an Easy Case For Linux'

An anonymous reader writes: The thing is, WannaCry isn't the first of its kind. In fact, ransomware has been exploiting Windows vulnerabilities for a while. The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989. This particular ransomware attack switched the autoexec.bat file. This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted. Windows, of course, isn't the only platform to have been hit by ransomware. In fact, back in 2015, the LinuxEncoder ransomware was discovered. That bit of malicious code, however, only affected servers running the Magento ecommerce solution. The important question here is this: Have their been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it's pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop. I can already hear the tired arguments. The primary issue: software. I will counter that argument by saying this: Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn't care. With that in mind, why would you want your employees and staff using a vulnerable system? [...] Imagine, if you will, you have deployed Linux as a desktop OS for your company and those machines work like champs from the day you set them up to the day the hardware finally fails. Doesn't that sound like a win your company could use? If your employees work primarily with SaaS (through web browsers), then there is zero reason keeping you from making the switch to a more reliable, secure platform.

This opinion isn't new and is still wrong.

[Aequitarum+Custos]

Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows. If it's Mac, they'll write viruses for Mac. If it's Linux, they will start writing viruses for Linux. Just because more vulnerabilities in Windows are known, does not mean there are less total in Linux. And short of taking away admin/sudo access from users completely, malware can always social engineer it's way into administrative privileges during an installer or something similar.

Re:This opinion isn't new and is still wrong.

[dagrichards]

Of course its wrong, the correct answer is of course to run OpenBSD.

Re:This opinion isn't new and is still wrong.

[Junta]

Well, in the macro sense, it won't work. In the micro sense, it will work to some extent, at least until too many other people join you and suddenly things look appealing.

Though having apt/dnf available software mitigates risks in a way similar to having an 'app store', and is one reason why MS is pushing the Windows Store concept hard (the larger reason of course being profit).

Also, even without admin level access, untrusted software can make a mess of things, since all the stuff you care about is owned by you.(oblig https://xkcd.com/1200/). Platforms like Android and IOS that provide some concept of per application permissions mitigate that more, though generally people will click through crazy permissions too.

Re:This opinion isn't new and is still wrong.

[OrangeTide]

Linux has been around enough and is used widely in high-value enterprise servers that it most certainly is attacked by malware, hackers, etc on a regular basis. Much is known about the security of Linux, and multiple vendors work to improve the security of the Linux Operating System and key applications.

Microsoft, Adobe and others have not been doing that great of a job securing Windows and its key applications. And much of the industry that touts that they enhance security on Windows are also trying to sell you virus scanners that significantly impact system performance.

What you fail to understand are two factors at play here:
1. Linux(FreeBSD and Unix in general) have a very different security model than Windows. Unix is a much simpler model and is less flexible, but it is also applied more consistently as a result.
2. Windows is not the top OS in the world in terms of numbers. Virus writers, if they are going only for high-volume attacks, would also aim their sites at Android or iOS as either of those have more installed systems than Windows. And like I said early, Linux dominates the enterprise environment and would theoretically be more valuable of a target to attack than Windows.

Re:This opinion isn't new and is still wrong.

[jellomizer]

I would actually recommend a diverse network. Windows, Linux and Macintosh. While a little harder to maintain it prevents from having all your eggs in the same basket.
The biggest problem I see is over MS integration. Even doing little things such as using Apache instead of IIS on Windows. Make sure your Web Apps follow the standards and works on different browsers often can save a big headache in the future.

Re:This opinion isn't new and is still wrong.

[TWX]

I partially agree with you.

My main point of disagreement is that many Linux distributions already have better long-term-stable support. Debian as a case-in-point backports security changes to older verisions almost to a ridiculous level, and Ubuntu as a dpkg-based distribution follows suit. If a particular version of a distribution of Linux is necessary for whatever reason, it may well continue to be supported by the distrubtion maintainers for much longer than Windows, with far less reluctance.

Additionally until recently at least it was fairly easy to harden a Linux distribution at the time of install or post-install, and as variation OSes that use the Linux kernel demonstrate, it's also possible to lock-down a Linux-based OS to where the user can't inflict a lot of damage to it without that user him or herself having taken lots of steps to circumvent the security that was designed into the OS.

By contrast, Microsoft likes to stop supporting older OSes as soon as it feels it can get away with it. Microsoft OSes come out-of-the-box poorly configured for security, and it's not always clear how secure any given box is either, or what will break that security down the road. Lastly, since Microsoft has allowed lazy application developers to get away with writing software such that it needs admin privileges to install or to run, users are accustomed to either running their regular user account as a full admin on the box, or to automatically clicking accept on dialogue boxes that prompt to escalate privileges.

Microsoft's software is not the only software that's vulnerable, but it's certainly sitting in a perfect-storm of vulnerability to make it very easy to exploit in addtion to being of a wide marketshare making doing the exploitation valuable.

Re:This opinion isn't new and is still wrong.

[jandersen]

Well, any way, I think Linux is the best argument for using Linux: the totality of its features, stability, useability, and I could go on. It may well be a matter of mostly taste; I dislike Windows for exactly the same reasons why others like it.

Re: This opinion isn't new and is still wrong.

[gweilo8888]

Also, most of my software doesn't run in the cloud. A tiny fraction of what I use my computer for is done online, but the overwhelming majority is still done locally and doesn't even need a constant internet connection. (Wouldn't *need* one at all, except for licensing checks.)

Re:This opinion isn't new and is still wrong.

[flargleblarg]

Virus writers will target the largest market portion.

Bullshit. Virus writers will target every platform they can — starting with the largest and working their way down to the smallest.

Re: This opinion isn't new and is still wrong.

I keep hearing this argument, but every time Microsoft releases another Windows, I am shocked by the security holes I find open. They just don't care enough. With Linux, more eyes on the source exposes more bugs and the security ones often get fixed before the ink dries on the mainstream media post about it.

Plus, older Linux installs are often maintained for security patches far longer than Windows.

Re:This opinion isn't new and is still wrong.

[Kryptonut]

Totally agree.

Hell, Windows is more secure than ever, but you can't fix the users who give malware the rights to infect their machines, or even worse, perform tasks with admin rights.

Re:This opinion isn't new and is still wrong.

[sjames]

Mac seems like a reasonably popular minority desktop, but doesn't seem to be having a problem so far, why would Linux?

Re:This opinion isn't new and is still wrong.

[unrtst]

Virus writers will target the largest market portion.

This tripe is tired. There are more factors at play here, and being blind to them for decades isn't helping anyone.

The size of the installed base does not matter.
An argument could be made that the effectiveness of the exploit may matter. IE. if there are more vulnerable machines of some specific type, that's a bigger target. This could also be skewed depending on the demographic of that target (ex. if it was 90% of the ATM's and the exploit made all accounts using them available, it wouldn't matter if the number of ATM's is much smaller than the total number of Windows machines). This would still be a weak argument because the raw count is far from the only consideration.

My point is, there has to be a whole lot more VULNERABLE Windows machines to make it more attractive than other targets (Mac/Linux/etc). For example, if every Mac OS X install had a remote root vulnerability, but only %1 of Windows 10 installs were still vulnerable to a similarly bad thing, then Windows would not be as attractive based on numbers and impact.

WannaCry sucked extra hard because so many people actively disabled windows update so they could avoid the heavy handed push to Windows 10. People could avoid many of those large issues by moving to Linux - little to no telemetry (depending on distro, and can be easily disabled on those that have it), updates how and when you want them, updates that don't force restarts or delay boot up time, significantly fewer viruses now and for the foreseeable future, and way more freedom to stay current in whatever way suits you (ie. distro/desktop choices).

Sadly, I still think TFS is more of a troll than a real suggestion. It's just begging for people to trot out their favorite justifications.

Re:This opinion isn't new and is still wrong.

[nine-times]

Well, I think the truth is not as simple as you're implying. First, though virus writers are more likely to target the OS with the largest install base (not necessarily the largest market share), that doesn't mean that some operating systems are not more secure than others. Windows, for example, used to have many many large security problems, due to the fact that it basically wasn't originally designed to be secure. However, Microsoft has put a lot of effort into securing Windows in recent years, and it's generally pretty secure.

Also, there are potential arguments as to why Windows is less likely to be secure. For example, some people have argued that unix-based systems were designed with security in mind, and Windows still hasn't caught up, at least partially due to their attempts to maintain backwards compatibility to a time when Windows was completely insecure. Many others have argued that open source products will generally tend to become more secure than closed source products over time, since security experts can access the code more freely and report/fix potential problems. I'm not sure those theories are borne out, and in any event, it certainly doesn't mean that open source products are immune to security threats.

And short of taking away admin/sudo access from users completely, malware can always social engineer it's way into administrative privileges during an installer or something similar.

That argument would hold a bit more relevance if this discussion weren't a worm that installed itself without user interaction. Also, it's possible that Linux users are less likely to install random unknown software, since it has package managers, and most of your software will come from a secure repo. Also, because you can get most of your software and updates from repos, it's more likely that you'll keep all of your software up to date. Finally, Linux security updates generally don't include forced advertising and completely unwanted changes to settings, so users and administrators are less likely to block and avoid them.

That's not to say that Windows isn't secure, or that Windows isn't still a better option for a lot of people. However, it's not true that the only reason Windows has a bad reputation is that they're a bigger target and therefore more heavily targeted. Windows has a bad reputation because they used to be horribly insecure, and they're slowly digging themselves out of that hole. In the meantime, there are a lot of things they could do to improve security, that they won't do because it doesn't serve their business interests.

Re:This opinion isn't new and is still wrong.

[Maury+Markowitz]

> Just because more vulnerabilities in Windows are known, does
> not mean there are less total in Linux.

That misses the point, badly.

The issue is that there is an entire Windows virus ecosystem. Aspiring authors can get everything they need to get started from a huge library of code. WannaCry is a perfect example; the code they added is apparently very simple, and they connected it to a sophisticated exploit.

This market exists because, in the past, Windows was less secure. So the virus writers had lots of easy ways in. MS responded by increasing security but were forced to do so in steps over much more than a decade. With each step, the virus authors had an overlap period in which there were still lots of older systems to infect (as this example demonstrates) while they learned the new system. There may be fewer holes in the current system, but there's more people than ever looking for them.

The same is not true for Linux or the Mac. The "classic" MacOS was even less secure than Windows (as anyone who recalls "nvir" will admit) and was the target of viruses - but in those days viruses tended not to do much and there was certainly no money in it. But then the OS was replaced entirely with what is now macOS. This break with the past meant that everything that used to work simply didn't. There was no continuity, and everyone just left for the PC. Linux is, in essence, the same sort of end result even though the history is different.

So even if the Mac or Linux were to suddenly get all sorts of market share (and iOS has that it appears) it will be more difficult to start up a virus industry for the simple reason that one doesn't exist currently. It's not that it's more difficult to write *a virus*, is that it's more difficult to write *a huge variety of them*, which is what you see on the PC. They would eventually get there, no doubt, but it would take some time during which the companies would be fighting back.

To make the distinction clear, let us consider targetted attacks as opposed to viruses that are spread around. If someone wants into your computer, they'll get there whether it's Windows, Mac or Linux - examples of compromised computers running all three systems are very easy to find - the Dalai Lama's Mac is one example. And that is, as you note, because there are just as many holes - maybe more if you believe some reports.

But the sort of ransomware you see running rampant on Windows is a very different thing - there is a powerful economic model that means you have to make them easily, and to do so you put together existing bits. Those bits don't exist on the Mac and Linux, and the cost of developing them will be huge. Unless there is a leak like the one that led to WannaCry, the cost of building such a system on Linux will be *huge* and the rewards minimal.

Re:This opinion isn't new and is still wrong.

[s1d3track3D]

Virus writers will target the largest market portion.

Your response isn't new and is still wrong. Yes, they will target the largest OS market, yes they will probably find some exploits in whatever the market leader is. The big difference being that Linux is open source and can be fixed faster and be made more secure by more people.

Re: This opinion isn't new and is still wrong.

[Anne+Thwacks]

It is not just an issue of "more eyes". If you ignore Canonical, Gnu/Linux is far more stable internally - I specifically say Gnu, because the issue here is userland culture: The Unix/Linux world has enormous motivation to keep reusing the same code over massively diverse hardware as well as application use cases.

The same code gets more thorough testing in the Unix, with more motivation to fix the problems - because people are able to locate and describe problems better.

I know there are still bugs in Linux - hell, I know there are bugs in OpenBSD - but if I report them, they get fixed - sure it can take a year if the impact is only on me. If I phone Microsoft, all I get is a phone bill and a sore ear.

In the BSD world, some of the code really is over 40 years old, and generations of students have tried to hack it - to improve their game scores or college grades. When they succeed, it is fixed.

In Windows, when a new version is released - it probably comes with more new, improved bugs than bug fixes.

Re:This opinion isn't new and is still wrong.

[catchblue22]

But your argument seems supposes that all (or most) non-Linux-users en masse would switch to Linux. You know that IN REALITY most people are NOT going to switch to Linux, and therefore Linux is NOT going to become the largest market portion any time soon.

Android is Linux based. As is Chrome OS. MacOS is Unix based.

Re:This opinion isn't new and is still wrong.

[OrangeTide]

Seems like applying patches for you too all installed software using a package management system would help tremendously. Having software that is outside of a central package management system, with updates disabled by the user or because the vendor is refusing to patch old versions would lead to these same sorts of issues.

Re:This opinion isn't new and is still wrong.

[UnknownSoldier]

> and therefore Linux is NOT going to become the largest market portion any time soon.

Oh really? Try taking off the myopic PC blinders for once.

Google achieved 2 Billion devices with Linux in 9 years what Microsoft WinCE couldn't do even in 20 years

MS may have 96% of the gamer's PC desktop but that ignores all the servers and virtual machines running non-Windows, let alone consoles.

MS is a total joke on the Top 500 super computers.

Since November 2015, no computer on the list runs Windows.

Hell, even 33% of Azure runs Linux

In the OS server space things get fuzzy -- are we talking Web Servers? Database Servers? Email servers? Windows be has high as 33% or 20%-- there are no accurate stats.

Let's recap where Linux dominates:

[x] Mobile: Linux
[x] Super computers: Linux
[x] Servers: Technically *nix, due to BSD and OSX.
[ ] PC Gaming Desktop

The only place Windows has a niche in is PC gaming and XBox -- but desktops aren't the only thing anymore.

In the global space MS is slowly becoming irrelevant next to Android, iOS, PS3/4, Servers, Super computers, and Wii/Switch.

Not bad for an OS that "(free) operating system (just a hobby, won't be big and professional like gnu)"

Re:This opinion isn't new and is still wrong.

[AmiMoJo]

Linux will fall to the same things that Windows does these days.

- Users conditioned to enter the admin password and click through warning to get that sweet emoji pack

- Vulnerable applications

- Zero day attacks and slow updates

Nothing about the average Linux distro would prevent ransomware attacks, for example. Exploit the browser, get access to the user's files, game over. Yeah, there are more secure distros, but you can lock down Windows too and no-one does.

Re:This opinion isn't new and is still wrong.

[Altrag]

used widely in high-value enterprise servers that it most certainly is attacked by malware, hackers, etc on a regular basis

The real question is how often those attacks succeed. We're seeing a near-constant stream of companies announcing security breaches. How many more go unannounced? And how many are targeting Linux vs Windows vs some other vector? Those questions are rarely answered with any confidence.

For your two factors:
1) I don't know about that. I suspect its applied more consistently more because Linux has a higher percentage of server vs desktop usage than Windows, and server administrators tend to be better at maintaining the systems than your average home user (and even among home users, Linux people tend to be more technically inclined than their Windows brethren.)

2) Virus writers constantly go after Android and iOS. The difference there is that there's that wall around the walled garden. Google and Apple stand between the virus writers and the end users. Many viruses are written (particularly for Android where its easy to turn off the wall) but few make it through to the storefronts.

Linux dominates the enterprise environment and would theoretically be more valuable of a target to attack than Windows.

And individual enterprise system is certainly more valuable than an individual home PC on average, but that's hardly the full equation: Quantity can beat quality hands down when you're talking a couple of orders of magnitude difference. Not to mention that while enterprise servers are typically locked down fairly tight (even Windows servers,) many enterprise desktops are just as bad as their home user counterparts (sometimes even worse if there's corporate policies against running updates on a whim.) So Windows still gives you a pretty strong attack vector into the enterprise. Even if its not directly to their servers, getting in the door is usually the hardest part.

Basically, as always when one of these "Linux is safe!" stories comes out, the real problem is lack of data. We simply don't know if Linux is inherently safer than Windows or if its just a scaling effect and may become just as bad if it somehow ever manages to catch up to Windows' popularity. The Android case suggests the latter given how rampant the viral load is when you peek outside of the walled garden, though its not a strong case given that Android is a fairly different beast by this point regardless of its Linux roots and thus doesn't directly indicate how secure (or not) desktop Linux would be.

Re:This opinion isn't new and is still wrong.

[war4peace]

That's a helluva "niche" right there.

Re:This opinion isn't new and is still wrong.

Except that, a properly setup and secured Windows server is still junk.

Re:This opinion isn't new and is still wrong.

[war4peace]

I believe this is an opinion, not facts.

Re:This opinion isn't new and is still wrong.

[ctilsie242]

The thing about ransomware, it doesn't need to fight with SELinux, nor escalate to root, to cause damage. It just needs enough access to read/write the user's files, which most web browsers provide. Even having an Internet connection isn't needed, since ransomware can bundle a public key with it that it can encrypt an individualized ephemeral private key, then use the public key from that ephemeral keypair to encrypt all files.

Ransomware is part of a perfect storm. So many companies don't bother with security. Individuals don't care or don't bother. With the lack of consumer-tier tape drives and optical drives of a decent capacity, backup drives and cloud-synced storage are easy pickings for deletion. Not many end users really care to use a program like Mozy, Carbonite, or CrashPlan.

Re:This opinion isn't new and is still wrong.

[vtcodger]

Add to that Microsoft's clever incorporatation of Linux into Windows 10. Now we probably have the spectre of simple bash scripts that will delete, encrypt, or do something else undersirable to all the files a user has access to on Windows. And (once debugged) will do the same thing on Linux or Mac OS, or BSD.

Let me submit that the underlying problem is that we're trying to run computers connected to a world encompassing network with software that has vast attack surfaces. That's probably never going to work.

Shouldn't take more than a couple of decades to figure that out and another couple of decades to fix it.

Re:This opinion isn't new and is still wrong.

[Altrag]

I would be hesitant to follow that advice. If your data is in a shared location (as it almost certainly would be in an organization with more than a couple PCs,) then all you've done is provide three attack vectors instead of one.

If all you care about is individual workstations being operational then sure, get out of the monoculture. But if you care about your operation as a whole being secure then removing as many attack vectors as you can is by far the more useful solution.

Using Apache instead of IIS on Windows has no effect on this at all. Perhaps Apache is generally more secure than IIS (or maybe it isn't I don't know,) but one monoculture is effectively the same as another and while IIS may have slightly more ties into the OS, Apache has plenty enough to do damage if they're not used in a safe fashion.

Now if you wanted to do something like load balancing between an IIS and an Apache server, neither of which have shares or other links to internal sensitive data.. then that's fine -- in that case you ARE more concerned about the particular machine than you are about the rest of the operation. So there are times when breaking away from the monoculture can be helpful. Its just not all the time, and in particular is not applicable in any scenario where the machines in question have shared access to important resources.

Re:This opinion isn't new and is still wrong.

[Archtech]

Except you're missing the point.

Actually I think you are missing the point.

The exploit worked not because of some security lapse at Microsoft, but because the people maintaining the machines didn't lock them down or apply appropriate updates in a timely manner.

But why do you assume that dozens of "appropriate updates" must be applied every month "in a timely manner"? It's not as if the installed software is decaying in some mysterious way. The patches are needed to prevent exploits that should never have been possible in the first place.

Security cannot be added on as a bag on the side of a software system - although that is what Microsoft is forever trying to do. Proper security has to be built in right from the start, from the foundations up. But that does cost money and take a lot of extra time and effort.

Linux can't fix that....

Of course neither Linux nor BSD nor any other operating system can "fix" the problem 100 percent, completely and forever.

But that does not mean they can't be a huge improvement.

Re:This opinion isn't new and is still wrong.

[budgenator]

There are a few things that just plain will not run on Linux, that's why you have windows running in a VM!

Re:This opinion isn't new and is still wrong.

[mysidia]

Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows.

Maybe. Where are all the worms targetting Non-Jailbroken iPhones over the network?
Just because your software is a target, doesn't mean you get targeted as successfully, effectively, and broadly as Windows and Flash.

Just because you made one point does not mean the Opinion that switching to Linux will result in fewer worms/Ransomware is wrong.

At best you could say It is untested. Because we have not seen what would happen if a significant % of people used Linux.
So for now it is just a thought experiment, BUT it is a thought experiment where we cannot determine for a fact what the result would be.

On the other hand, switching to Linux in itself may be only part of the solution.

The fact is, we can probably deploy Linux systems to meet all user requirements with a MUCH smaller attack surface than Windows.
Crap like all desktops accepting SMB protocol connections by default is totally unnecessary.

One of the major design defects with Windows that leads to wormability is "Portmapped RPC" services and the Re-Use of port numbers, instead of sticking to one port number per protocol.

With Linux, you're much better off, as long as you don't deploy NFS or Samba on your client devices.

As for social engineering...... start with not running things as root. Use Chromium as the browser.

Re:This opinion isn't new and is still wrong.

[mysidia]

A properly setup and secured Windows network would not be open to most of this junk.

Can you name 3 companies with 100% Properly setup and correctly-secured Windows networks?

(HINT: The number that actually exist in the real world is 0.)

Re:This opinion isn't new and is still wrong.

[TemporalBeing]

That's a helluva "niche" right there.

Yes, the Desktop is large market, but mobile dwarfs the desktop by itself, and servers have a lot of information that would be far more valuable than most desktops.

Re:This opinion isn't new and is still wrong.

[TheFakeTimCook]

Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows. If it's Mac, they'll write viruses for Mac. If it's Linux, they will start writing viruses for Linux.

Just because more vulnerabilities in Windows are known, does not mean there are less total in Linux. And short of taking away admin/sudo access from users completely, malware can always social engineer it's way into administrative privileges during an installer or something similar.

I keep hearing this, but here we are at nearly 20 years of OS X/macOS, and there STILL isn't a single self-replicating (Worm-type) Virus for Macs.

Even Linux can't make that claim, and its Marketshare is about five-times smaller than OS X/macOS.

Re:This opinion isn't new and is still wrong.

[ma1wrbu5tr]

More eyeballs are trained on open source projects and as such tend to get patched more quickly. While this is not always the case, we've all seen how walled gardens can at best quickly become gilded cages and at worst targets for malware writers. Removing root privileges does not really secure anything targeted by an exploit in an OS or a piece of hardware.

Re: This opinion isn't new and is still wrong.

[mysidia]

The proportions don't matter.... it is about absolute numbers of users.
Where there are users, there is $$$$ to be made exploiting them.
If there is not malware targetting these users, then there must be some barrier preventing it,
such as better security, or better security awareness.

If there are a large number of users, then they are a target.

There are more than 60 million Mac users today. In 1996 there were only about 36 million computer users.
There was no shortage of worms and viruses back in 1996.

So unless there's a security difference, there should be equally prevalent worms and viruses for Mac in 2017.

iCloud has 130 Million users.... So where are all the worms targetting iCloud devices?

Re: This opinion isn't new and is still wrong.

[ma1wrbu5tr]

What is scary to me is how much of our military is still powered by win 9x and NTs that haven't been patched in over a decade. While these machines are not being targeted by mainstream malware creators, they are tempting targets for state actors and the like.

Re:This opinion isn't new and is still wrong.

[Altrag]

For example, if every Mac OS X install had a remote root vulnerability, but only %1 of Windows 10 installs were still vulnerable to a similarly bad thing, then Windows would not be as attractive based on numbers and impact.

Absolutely true. However, there's basically no instance where one OS will be 100% vulnerable while another is only 1%. Typical numbers will either be about equal (if its a bug in say a web browser that's common to both OS') or it will be on the scale of some double-digit percent vs 0% because very rarely does a bug apply even remotely equally between two completely different code bases.

Also, given that the OS split is a bit above 80% Windows and a bit below 12% Mac (as per the current Wikipedia article's numbers at least,) a Mac virus would need to be about 7-8 times more relevant for your hypothetical scenario to play out. That's certainly a far cry from the 100x you brought up, but its still almost an order of magnitude.

The bigger problem though isn't how many machines are vulnerable -- if a vulnerability is discovered by nefarious types before its found (and fixed) by the OS vendor, it WILL be abused. For any OS. Even Linux with its undiscovered ones are more numerous on Mac.

This is just the dark side of free software's many-eyeballs quip: The more people that are looking, the better chance a bug will be found. But not finding them doesn't mean they aren't there -- it just means we (white hat or black) haven't bothered looking hard enough.

updates how and when you want them,

So your suggestion to avoid Windows' forced updates is that, instead of disabling updates all together you should just move to a system where you can ignore the updates without having to actively disable them? That seems like a bold plan.

I mean I have plenty of issues with the way MS has decided to force updates (especially the ones that are essentially just sales pitches but they call "critical" anyway like that GetWindowsX nagware you alluded to, or constantly pushing you to install Skype and things like that) but ignoring updates on Linux isn't really any better than disabling them on Windows -- at the end of the day, you're still running an unpatched system.

Re: This opinion isn't new and is still wrong.

[TheFakeTimCook]

Mac is not reasonably popular, it is less than 5%.

You're wrong.

It is almost TEN TIMES as popular as Linux.

http://gs.statcounter.com/os-m...

Re:This opinion isn't new and is still wrong.

[StormReaver]

Virus writers will target the largest market portion.

That's been a standard retort for many years, and it's still wrong. Linux has had a massive market share lead over Windows on Web servers for a very long time; yet the vast, vast majority of Web server compromises were, are, and always will be Windows infections

If market share were the driving force behind malware, we'd see a LOT of Linux server compromises. But we don't see that. Instead, most of what we see are Windows infections.

Re:This opinion isn't new and is still wrong.

[0100010001010011]

Seems like applying patches for you too all installed software using a package management system would help tremendously.

It isn't going to help on some of the machines that got hit.

If the X-RAY and MRI machines were running Linux there's a chance it would be an old 2.4 or 2.6 kernel given the time frames needed for medical certification.

I can't speak to Medical specifically but for Aerospace and On Highway vehicles the entire software stack gets locked down for certification and unless you feel like paying for certification again, it doesn't change.

Re: This opinion isn't new and is still wrong.

[Lennie]

If you think the same does not apply to Linux you are kidding yourself.

Re:This opinion isn't new and is still wrong.

[mspohr]

I hear this argument all the time. Even if it was true that virus writers find more Windows flaws because it's more popular, then why would you intentionally go with Windows, knowing that you are more likely to be targeted? It seems stupid to stick with the more popular system and know that you are more likely to be attacked. I'd rather stick with a less popular system knowing that I'm much less likely to get targeted.

Re: This opinion isn't new and is still wrong.

[tlhIngan]

iCloud has 130 Million users.... So where are all the worms targetting iCloud devices?

Well, not worms, but emails... lots of phishes target iCloud daily (and Amazon, and Paypal, and other big sites).

Heck, remember "the fappening"? Same thing - iCloud phish, or other phish obtained iCloud credentials to accounts.

Apple attempts to get hacked probably thousands of times a second, but they secure their servers, so the only attacks that succeed are those that steal credentials. And it seems everytime someone claims iCloud/iTunes/etc was hacked, it was really either reused credentials or some phish - the actual service itself was not hacked.

Re:This opinion isn't new and is still wrong.

[Lennie]

I think we can probably find an easier way to run a browser in a container on Linux than we can do that on Windows. That way we could probably find a way to prevent the malware getting out of the browser container and getting access to the files.

Re:This opinion isn't new and is still wrong.

[AK+Marc]

Taking away admin from users doesn't help. That's a red herring.

Many vulnerabilities don't bother with privilege elevation.The users must be able to open files in write mode to be able to do work. So just target the user, at user permissions, and most ransomware will still be crippling.

Re:This opinion isn't new and is still wrong.

[mspohr]

Besides the fact that in the real world there is no such thing as a properly set up and secured Windows network, the properly set up and secured Windows network is still full of holes.

Re:This opinion isn't new and is still wrong.

[vtcodger]

The correct answer, grasshopper, is to abjure your computer and cell phone. Sell your car. Buy physical copies of a dozen thick books with real meaningful content. Buy a bag of bean seeds, and a few simple tools. Load the stuff into a backpack and hitch-hike as far into the wilderness as you can get. Then walk a further ten days and set up housekeeping.

You'll be surprised how little you'll care about Unix, Windows, Microsoft, Apple, and similar weighty matters after a year or three of living on beans and roasted lizards.

Re:This opinion isn't new and is still wrong.

[iMadeGhostzilla]

The story is about Linux being better at dealing with ransomware, and ransomware writers target platforms where a huge number of users keep their unique digital files. Mobile devices don't count since most of the user's unique content (pictures, notes) is backed up on the cloud, and same goes for servers to a degree. That really means the only real ransomware target is desktops (and laptops) and that is the place where Windows clearly dominates.

Which really goes to say if Windows desktop/laptop users switched over to Linux they'd be better equipped to deal with ransomware. But we know that's not going to happen for a variety of reasons, some of them quite justified in my opinion.

Re:This opinion isn't new and is still wrong.

[bobbied]

Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows. If it's Mac, they'll write viruses for Mac. If it's Linux, they will start writing viruses for Linux. Just because more vulnerabilities in Windows are known, does not mean there are less total in Linux. And short of taking away admin/sudo access from users completely, malware can always social engineer it's way into administrative privileges during an installer or something similar.

Where you are right in a way, you are wrong in other ways. Yes, being a small percentage of the market helps you stay secure, but security by obscurity is not a good policy or a valid rule. Linux IS attacked and it is a pretty juicy target. BUT the rest of your post is wrong.

Linux is more secure by design than Windows, and always has been. Remember Windows was derived from DOS, which was an operating system with ZERO protection from privilege escalation attacks because there was no privilege limits, you had them all. System protections where limited to the write protect tab on the boot floppy. Windows developers suffer from having to support all the legacy security holes or risk breaking something, and have only arrived to a reasonably secure system in the last few releases (and broke a lot of stuff for their users in the process)

Linux/Unix has ALWAYS been a multiple user system without universal privileges given to all. It STARTED more secure and has less legacy baggage. It's not perfect, but it started out life in a much better place and has been maintained with security as a consideration.

Personally, I think Linux IS more secure when properly deployed and operating over a Windows box doing the same job, at least on average. There is a good reason why the majority of webservers are Linux based, especially the non-compromised ones.

Re:This opinion isn't new and is still wrong.

[mark-t]

On point #1, could you explain exactly why that would continue to be a problem in a fully Unix-oriented atmosphere? You don't need to be root to install additional fonts for your own use or to put extensions in your web browser.

Of course there are probably other attack vectors that don't depend on being root which could do nearly as much damage, but it is typically the case that the only time a user really needs root is when they are performing updates to the the OS itself, so there would be less of a habit of using the admin password casually in the first place.

Re:This opinion isn't new and is still wrong.

[Greyfox]

Everyone was bitching about the new windows 10 look anyway, so moving to Linux/X11 with XFCE or something should be pretty refreshing to them. Especially with it not crapping ads and looking like a glorified facebook feed. The Linux game situation is much better than it used to be -- steam and a reasonable number of games run on it now, and you can even get Worlld of Warcraft to work without too much effort via playonlinux. And Chrome and Firefox always look the same pretty much everywhere. The barrier to entry isn't going to get much lower, I think.

Re:This opinion isn't new and is still wrong.

[brantondaveperson]

we've all seen how walled gardens can at best quickly become gilded cages and at worst targets for malware writers.

Have we? When?

Re: This opinion isn't new and is still wrong.

[stooo]

>> If you think the same does not apply to Linux you are kidding yourself.

Yes and no.
In general, a typical Linux installation has much less attack surface than a typical entreprise Windows installation.
Like 10x less ports and protocols open.
That makes a hell of a difference.

Re:This opinion isn't new and is still wrong.

[Ol+Olsoc]

Virus writers will target the largest market portion.

So- you are saying that Linux is every bit as insecure as Windows?

Prove it.

In fact, There are Plenty enough Linux run computers and servers that make a presumed easily compromised Linux OS' an attractive target.

Fact - there have been viruses and malware written for Linux. If your thesis was correct, no one would write any viruses for Linux. At all.

Some random thoughts.

Linux users do tend to be more computer and internet savvy. Most I know know enough not to click on a phishing link. It appears that many users of Microsoft systems have no issue with clicking on them.

If you are correct about the long discarded security through obscurity hypothesis, don't for a minute that I want you to switch to Linux. I want as many people to use only Microsoft products, and to put their fingers in their ears and scream "neeneer, neeneer, I can't hhhhheeeeeerrrrr You!!, And never ever install Linux or Use a Mac. Stick with Windows, use only Microsoft Office and don't abandon the ship.

Re:This opinion isn't new and is still wrong.

[vtcodger]

No offense, but what a user cares about is the data he/she has access to. Yeah, your precious OS may be intact after user-san clicks the wrong link. if you haven't made any errors in setting permissions on files. Your user, and very likely many or all of your users who interact with digitally him/her are, however, screwed.

(And no, there is little basic difference between Unix and Windows file systems or security although a lot of details differ. The latter are pretty much based on the former and neither was intended to provide security in the modern sense. Unix security in its basic form was intended to keep multiple users from inadvertently tromping on each other's files. It does that quite well. One of the Unix creators -- Ken Thompson maybe -- actually wrote a paper many decades ago on the subject of why Unix was not a secure system. I genuinely don't think it's significantly more secure now than it was then)

Re: This opinion isn't new and is still wrong.

[AK+Marc]

And many of those are air-gapped. I worked at a place where a multi-million-dollar system was run on unpatched Win95. They didn't update the PC because when they did, it broke the software. They had two machines in the company with floppy drives. That one and the one next to it. When they needed to use it, they copied the files to the partner PC, then carried a floppy from the partner PC to the legacy PC, to run the un-replaceable and un-upgradeable PC. But, unless someone walks a virus over the air gap on a 3.5 in floppy, it's secure.

Such setups are more common than the purists here seem to think.

Re:This opinion isn't new and is still wrong.

[Ol+Olsoc]

Can you name 3 companies with 100% Properly setup and correctly-secured Windows networks?

You'll notice that whenever the "properly set up" meme is trotted out, that the next sentence invariably describes some thing no one does.

Even then, the number of unintelligent Windows lubbers that spout bullshit is incredible. I just got my ass (presumably) handed to me in a forum when I suggested that people should disable SMB unless for some reason they really had to have it. A Windows expert called me every form of stupid, how SMB is not an attack vector, and that it has to be enabled. I just gave a few cites, bowed out, and let the others pile on the expert like crocodiles on a Wildebeest.

Re:This opinion isn't new and is still wrong.

[AK+Marc]

That's why everyone hit was big. Anyone with a default Windows install (newer than XP)was 100% safe. The attack only worked against organizations large enough to have delayed patches (usually sold as being needed to ensure a patch didn't break something). So the patches are months behind, waiting for testing and such, and so when a 0-day gets patched, the bad guys can look at the exploit, the patch, and design a way through unpatched systems, then attack them, knowing there are millions of them out there.

Re:This opinion isn't new and is still wrong.

[Ol+Olsoc]

Android is Linux based. As is Chrome OS. MacOS is Unix based.

Brutal!

Yet true.

Re:This opinion isn't new and is still wrong.

[AmiMoJo]

Windows already does this for IE, Edge and Chrome.

It's possible already under Linux, it's just that few distros bother and those that do have annoying limitations that ordinary users won't tolerate. Something new will need to be written.

Re:This opinion isn't new and is still wrong.

[TemporalBeing]

you can lock down Windows too and no-one does.

No one locks down Windows b/c it breaks too much when doing so. But then, having developed to the Win32 API in the past - the API itself is just plain broken when it comes to security.

Re:This opinion isn't new and is still wrong.

[Udom]

Windows vs Linux... In Win 10 you can get an Ubuntu linux subsystem through Settings, Update and Security, For Developers, Use Developer Features, Developer mode. Apparently you can even install X and run Gui apps. Says a lot when Windows developers prefer to do their work from within a hosted linux environment.

Re:This opinion isn't new and is still wrong.

[AK+Marc]

But why do you assume that dozens of "appropriate updates" must be applied every month "in a timely manner"?

Why do you assume that no updates should ever be applied?

Sounds more like you are forming a false dichotomy, and asserting blame to Windows. The general policy of "patch fast" or "patch after testing" is the same across all OSs, even if the amount of patches and tests would be different across different OSs.

Re: This opinion isn't new and is still wrong.

[ma1wrbu5tr]

$=motivation

Re: This opinion isn't new and is still wrong.

[ma1wrbu5tr]

Agree. If they're NEVER connected to a network & you can trust the specialist next to you.

Re: This opinion isn't new and is still wrong.

[WolfWithoutAClause]

Yeah, and the STUXNET worm defeated air gap defense, it's been done in the real world.

Re: This opinion isn't new and is still wrong.

[xvan]

What are you talking about? You can't even fucking ping a windows box with it's default firewall configuration.

Re: This opinion isn't new and is still wrong.

[xvan]

Probably, by the collaborative nature and size of the linux kernel project, there are more eyes there than on Windows (more people giving less time to the project). But you're right, it probably means nothing.

Re: This opinion isn't new and is still wrong.

[Daniel+Phillips]

What are you talking about? You can't even fucking ping a windows box with it's default firewall configuration.

And it's still leaky as a sieve. That speaks to basic design flaws.

Re: This opinion isn't new and is still wrong.

[Daniel+Phillips]

So far for 2017, Linux has 128 code execution vulnerabilities whereas Microsoft has 71.

Because each Linux vulnerability is reported for multiple distributions. And because Linux vulnerabilities are found faster and therefore fixed faster. However you want to spin it, Windows is the one getting successfully exploited in multiple ways, so that new Windows vulnerabilities are hardly news any more, whereas its big news any time a hole shows up in Linux, and then very few fall victim to it.... partly because of the early and widespread disclosure, but more because Linux vulnerabilities typically require local access, login shell, etc. Whereas a dodgy flash file is often enough to take out a Windows box.

Re:This opinion isn't new and is still wrong.

[piojo]

A properly setup and secured Windows network would not be open to most of this junk.

Nonsense! Windows is fundamentally insecure, due to the lack of granular permissions. (Linux and MacOS are also insecure in this respect.) For Windows to be a secure OS, you need to be able to install an untrustworthy app and not have it be able to ruin your system. That means AwesomeScreenSaver.exe should not have access to files/documents, and it definitely should not have access to read the screenbuffer. I'm sure there are huge technical obstacles to this--the easy part is letting each app run as a separate user with separate permissions. The hard part is libifying everything so it's possible to grant a permission that allows WRITING to the screen buffer without reading it, or listening for hotkeys without listening to every keypress. Many functionalities which we're accustomed to accessing by calling a low level API will need to be buried inside higher level APIs, and only special-case trusted/must-have applications would be able to call the old insecure APIs. This would let me install unmodified work software and maybe some high performance 3D games, but new software would need to use permission-aware APIs.

The other thing that Microsoft could address more easily is installers that need admin permissions. Every installer is a black box, and most get carte-blanche to do whatever they want. Linux has shown that it's not hard to create installers that run within well-defined parameters. Some may need to execute custom shell code, but it's possible to examine this shell code before it runs.

Inertia and money are what's preventing Microsoft from implementing a strong permissions framework.

Re:This opinion isn't new and is still wrong.

[piojo]

(Replying to myself.) I've remembered that SELinux has a lot of power for application sandboxing (if not granular permissions), so Linux is half way there. I'm reading about it now.

Re:This opinion isn't new and is still wrong.

[jandersen]

There are a few things that just plain will not run on Linux, that's why you have windows running in a VM!

I don't know if I'm just extremely lucky, but I never need anything that requires Windows. In fact, when my wife gets stuck in an office document, because she did something that turned out not to a good idea, I take it over to Linux and straighten out the edges in LibreOffice, so she can get on with her things. MS Office seems to have a number of features that many users can't quite handle, and which they have to learn to avoid, but that's another matter. I'm sure there are useful applications that are only available for Windows, I just can't think of any that are relevant to me.

Re: This opinion isn't new and is still wrong.

[TheRaven64]

CVE-2016-7117. CVE-2016-10229. CVE-2016-3931. That's three remote code execution vulnerabilities from last year in the Linux kernel alone (and just the top three from a 20-second search - there were others). Most of those were in multiple kernel versions spanning several years. Other software that's found in a typical distribution (*cough*openssl*cough) adds to that.

Plus, older Linux installs are often maintained for security patches far longer than Windows

Windows XP was released in 2001 and went EOL in 2014 (2015 if you're the British government). Please can you point me to the Linux distro that's getting security backports for the entire system for 13 years?

Re:This opinion isn't new and is still wrong.

[TheRaven64]

Windows is fundamentally insecure, due to the lack of granular permissions

You mean the ACLs that govern access to every kernel object exposed by the NT kernel?

For Windows to be a secure OS, you need to be able to install an untrustworthy app and not have it be able to ruin your system

This is entirely possible with the NT kernel infrastructure, except in the presence of kernel bugs (and no system is secure in the presence of bugs in the TCB). It's also possible on FreeBSD with Capsicum or the TrustedBSD MAC framework (also used on iOS and macOS for sandboxing), on Linux with SELinux or seccomp, or OpenBSD with pledge.

The other thing that Microsoft could address more easily is installers that need admin permissions. Every installer is a black box, and most get carte-blanche to do whatever they want.

Microsoft has had MSI installers that are not black boxes for well over a decade and are widely used in large-scale software deployments.

Re:This opinion isn't new and is still wrong.

[TheRaven64]

If Android Pay becomes popular, expect to see a lot more interesting Android malware...

Re:This opinion isn't new and is still wrong.

[Opportunist]

Sorry, but no.

Linux was designed with a multiuser setup in mind. It is way easier in Linux to run software in varying contexts and different user permissions from the same surface (cli or gui). It is trivial to set up a "mail user" that perfectly sandboxes anything and everything away from the normal user that owns all the documents, effectively safeguarding them against a potential execution of malware code that encrypts them, something that can only be done with quite a bit more effort in Windows.

Another point is that "being executable" is a matter of file permission in Linux, not one of file name. The main difference here being that the former is in control of the person using the account and organizing the file, the latter in control of the person naming the file, which is usually the one sending it, not the one receiving it. So the whole "invoice.pdf.exe" spiel would not work in Linux. Not to mention that no Linux distribution I'm aware of is stupid enough to hide part of a file name by default, and instead goes out of its way to ensure that every executable file is very prominently identified as such, even in cli.

Finally Linux allows a lot finer granularity when it comes to elevated permissions rather than Windows' "all or nothing" approach. In Windows, you have to give every program that wants to install something full reign of your computer. Hell, some programs (and I'm not talking about legacy programs but rather usually programs that have some bullshit DRM schemes) require administrative privileges just to RUN. And the privileges you hand out in such cases are full. Basically any bullshit text editor you wish to install also gets full reign to mess with kernel level drivers because it needs to write in c:\programs. This is MUCH easier to handle in Linux. Not only do most distributions come pre-loaded with nearly everything and anything the average user might ever want to install, from a (mostly) reliable source repository that you can put some trust in, most things you wish to install you could technically install without elevated privileges as long as you only want them available for yourself, which is the case for 99% of desktop systems out there. Plus, as stated before, the option to run it sandboxed as its own user.

Which is also the case for many daemons, where you can run various servers with their own users, limiting any damage a bug can have when exploited to whatever that daemon is responsible or. Try, just TRY to configure Windows that way. 9 out of 10 services will simply barf on you if you try to run them as anything but system.

So no. While you're right that as soon as sudo comes into play the gloves are off and you're just as far as you are with Windows UAC, the reason to sudo are few and far between. Unlike Windows, where every other program you want to start and pretty much any you wish to install asks you for the master key to your system.

Re:This opinion isn't new and is still wrong.

[Opportunist]

Actually, most of the recent big exploits in Windows are not directly attributable to MS but rather to widely used third party programs, mostly from Adobe. PDF-Reader and Flash are security atrocities that usually eclipse anything MS does in our monthly security reports.

Yes, believe it or not, PDF and Flash alone usually have more and way more severe security flaws in our monthly roundup than all version of Windows and Office combined.

Re:This opinion isn't new and is still wrong.

[TheRaven64]

It also shouldn't work with a sensibly configured corporate network. Our default config for Windows and *NIX machines other than laptops is to have the home directory stored on a NetApp filer, which keeps snapshots of every home directory, with decaying frequency over time. For several of the FreeBSD machines that have local home directories, we do the same thing locally with ZFS (the NetApp runs FreeBSD but with a proprietary filesystem). A ransomware system on these systems would need root privilege because the users can't modify the snapshots.

Re:This opinion isn't new and is still wrong.

[Archtech]

Why do you assume that no updates should ever be applied?

I am not assuming that, and I did not say (or imply) that I do.

What I did say was that an operating system (and applications) that need continual large-scale patching - as Windows, Office, etc. obviously do - is shoddily constructed in the first place. Just like a skyscraper that always has repair crews clambering around it on scaffolding, replacing bits that have fallen off.

Updates may be required - or at least desirable - to add new features, or to alter existing features in the light of new requirements. That's fine. Note, however, that some (or even most) users may safely choose to decline such updates because they don't need the new features.

Microsoft issues blizzards of "security" patches all the time, because latent security vulnerabilities exist in its software. That, in turn, is because security was way down the list of priorities when the software was written. (At a guess, the top priorities were number and shininess of features and time to market).

So, in conclusion, I agree with the final words of your comment: the number of patches and tests are certainly different across different OSs. That is because some OSs are inherently more secure and better-written than others. And I recommend using those that are better-written and more secure.

Re: This opinion isn't new and is still wrong.

[LordWabbit2]

No dip shit, if I ever bothered writing another virus (last wrote one in school) I would not bother targeting the 10% of the PC's running linux, there would be no profit in it. I would write it for the most common denominator, Windows. Linux has also had it's fair share of "oh fucks", wasn't there a huge SSH flaw just a while back? I would look it up but I don't really give a shit. Linux is still not user friendly enough to "replace all the windows pc's in a company". If you did that productivity would drop a LOT, and then when someone hits a snag with xyz you are going to have to call the local linux support contractors and considering what they charge you will very shortly be a very unhappy company. Wasn't there some municipality in europe that switched to linux and after a year they switched back to windows because they were having so many issues. Not with linux per se, but with usability. That's the problem with technical people, to them it's easy, and they can't seem to comprehend that MOST people are NOT technical. At least not enough to figure out linux, hell sometimes they can't fucken figure out windows.

Re: This opinion isn't new and is still wrong.

[Highdude702]

Which is the better reason to use Unix/Linux. Less attack surface, less chance of hack.

Re:This opinion isn't new and is still wrong.

[bazorg]

Hi. I ran out of mod points so would like to add this: so far, people have pointed the finger at Microsoft, at the NHS, at end users and pretty much EVERYONE except the manufacturers of devices that decided to embed Windows XP in their "solution".

If instead of Windows someone puts a flavour of Linux, maybe Android or anything else connected to the network and the contract doesn't say anything about when the OS is upgraded, then sooner or later the machine will be forgotten in someone's upgrade plans.

Perhaps the machine manufacturer has their ass covered by saying in the contract "this machine should not be on any network" or something like that, but it's a bit lame if companies and hospitals are buying expensive machines that don't get software upgrades in a timely manner.

Re: This opinion isn't new and is still wrong.

[thegarbz]

If you ignore Canonical, Gnu/Linux is far more stable internally - I specifically say Gnu, because the issue here is userland culture: The Unix/Linux world has enormous motivation to keep reusing the same code over massively diverse hardware as well as application use cases.

Yes because systemd, openrc, wayland, pulseaudio, a Gnome rewrite etc were all Canonical's grand scheme.

Sorry but you have your blinders on when looking at Linux. A LOT of the Linux userland world has in the past 30 years gone through either major fundamental changes on the lower end of the system with new APIs new software and new ways of doing things, or in systems that you may call "stable" a lot has actually been changed including many having gone through ground up re-writes, e.g. GCC rewritten in a different language, GIMP's transition to GEGL basically involved a complete rewrite of the GIMP source.

There have been as as many (if not way more) feature additions to the Linux desktop world than in Windows from all corners of the Linux world over the years. The code is anything but stable.

On top of that the most stable code (with the exception of the kernel itself) has turned into a unmaintainable colossal clusterfuck (X11 or everyone's favourite insecure security program OpenSSL).

Not only is your comment off base, but it's also not to a great advantage.

Re:This opinion isn't new and is still wrong.

[piojo]

Are you saying the backend is working for configuring the OS to be hardened against all sorts of malicious software, but the OS isn't configured/shipped that way? Because regardless of ACLs, any .exe that I run can wipe most or all of the important files on my hard disk. This is not granular permissions.

Re:This opinion isn't new and is still wrong.

[thegarbz]

Google achieved 2 Billion devices

Thanks for pointing this out. It speaks perfectly into the OP's point given how actively Android is being exploited and how Android users are being targetted at an ever increasing rate. Still a phone is hardly a target for the destructive power of ransomware.

MS is a total joke on the Top 500 super computers. ..snip..
Hell, even 33% of Azure runs Linux [fossbytes.com]

We're talking about running billions of devices across the world and you're talking about a few hundred machines? Do you have a point or are you just a statistic junkie?

In the global space MS is slowly becoming irrelevant next to Android, iOS, PS3/4, Servers, Super computers, and Wii/Switch.

Come back to me when hundreds of millions of people get actual work done and companies run their entire processes on their phones, computers that don't get touched by users, or a games console.

Get some perspectives. Just because your numbers are right doesn't make your comment any less stupid in the context of the discussion. To think any of the above makes MS irrelevant is completely and utterly disillusion.

Full Disclosure: Posted from a Windows machine provided to me by work.

Re:This opinion isn't new and is still wrong.

[thegarbz]

But why do you assume that dozens of "appropriate updates" must be applied every month "in a timely manner"?

I'm not sure I understand. I'd like to talk to you further but I'm should really go apply the security updates my Linux server just flashed up when I logged in, not to mention the 150 feature updates that are also waiting in the queue which is strange because I recall only updating 2 weeks ago.

Re:This opinion isn't new and is still wrong.

[thegarbz]

The size of the installed base does not matter.

Is that why Linux became one of the most targeted systems for malware in the world after 2bn+ devices now run it on mobile phones?

Sorry you're delusional if you think install base does not matter, especially when we're talking about a self-replicating malware which would instantly die out due to herd immunity on Linux's install base if a similar exploit was available.

The vast majority of attacks don't target machines anyway, they target users. It would make perfect sense to spend effort exploiting the largest target audience than writing malware to attack a handful of people. Hell look at the wide spread of Wannacry and the low profits they have made from it. I'm sure targetting a system installed by 1% of that user base would make financial sense. They criminals stand to profit a WHOLE $3600.

Herd immunity. For some reason Slashdot understands immunisation in the body, but not on the computer. Strange really.

Re:This opinion isn't new and is still wrong.

[TheRaven64]

Are you saying the backend is working for configuring the OS to be hardened against all sorts of malicious software, but the OS isn't configured/shipped that way?

I'm saying that the OS provides all of the features that you're requesting, but they're generally configured in a permissive way because users favour being able to run their legacy code over security.

Because regardless of ACLs, any .exe that I run can wipe most or all of the important files on my hard disk

Only if the files are writeable / deletable for the combination of application and user (the two keys in Windows ACLs). You can configure a default policy of no access for all apps other than whitelisted ones, and Windows 10 S does this, but then you won't be able to download a random app and have it able to access arbitrary files. Oh, and on vaguely recent Windows installs, the system files are not modifiable by normal users, so they can't wipe most of the files that are important to the system, only files that are important to the user (who explicitly or implicitly granted the app the right to do so).

This is not granular permissions

No, this is not granular permissions configured with the policy that you request. Don't conflate policy and mechanism. The mechanism is there.

Re:This opinion isn't new and is still wrong.

[Wootery]

Just because more vulnerabilities in Windows are known, does not mean there are less total in Linux.

Indeed. But there are other reasons to believe it.

Re:This opinion isn't new and is still wrong.

[piojo]

Nice, thanks for informing me. That's a hell of a lot more progress than I was aware of. I don't suppose the system can be administered by a typical user? I couldn't find any documentation that was comprehensible to this guy, who hasn't administered a Windows system since he was a kid. I'm hoping for UIs that would dynamically prompt me about permissions, with the right amount of granularity, so I wouldn't have to read hundreds of lines.

Re: This opinion isn't new and is still wrong.

[cyber-vandal]

As soon as this flaw was disclosed it was fixed by MS. There's been a patch available for 2 months.

Re:This opinion isn't new and is still wrong.

[F.Ultra]

Yes and no. On Gentoo for example they have a SELinux policy in place for Firefox and Chrome so ransomware utilizing holes in a browser there still have to fight with SELinux. On Ubuntu there are Apparmor policies for both but they are disable by default for some reason.

Re:This opinion isn't new and is still wrong.

[F.Ultra]

Well the thing is that there are very few remote exploits for even a 2.4 or 2.6 kernel, and the ones that does exist often require you to first enable various network protocols that most people don't use anyway. Local root escalation exploits are unfortunately common but if you have no listening daemons on those machines with an exploit then you cannot use the root escalation exploits either.

The main problem with Windows on embedded devices such as this is often not the NT kernel but that a typical Windows installation have tons of open network ports while the Linux/BSD equivalent would none unless you explicitly install some server daemon.

I.e looking at my own machine the only open network port for external connections are Mediatomb which I have explicitly installed and told to do so:

f.ultra@ubuntu:~$ sudo netstat -ltnp
[sudo] password for f.ultra:
Aktiva internetanslutningar (endast servrar)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:50500 0.0.0.0:* LISTEN 1634/mediatomb
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1314/dnsmasq

dnsmasq which is installed by Ubuntu by default listens only on 127.0.0.1 so it cannot accept external connections. Compare that with the output from a default Windows install and you will have lots of open ports accepting external connections.

Re: This opinion isn't new and is still wrong.

[F.Ultra]

And the open source nature of Linux the various components means that we have things like OSS-Fuzz from Google (https://threatpost.com/googles-oss-fuzz-finds-1000-open-source-bugs/125545/) or i.e Coverty (https://scan.coverity.com/o/oss_success_stories). I.e companies developing source code checkers and other such tools can use the vast amount of available open source as input to their project and pays back by posting the found problems upstream. The same does not happen for closed source software.

Re:This opinion isn't new and is still wrong.

[Highdude702]

That person sounds to me like somebody that has invested their entire life into Windows without looking at other options. I have used both os's since the late 90's and have been using Windows since the early 90's when my father introduced me to computers. There are things that both do well. Although I feel Linux does everything better except gaming. Which is the main reason I even have Windows computers in my house. And that could be changed with a few well placed dev teams. Steam has been doing nothing wonders in the last 4 years with this. And hopefully in just a few years more there will be no need to be tied to either os. As far as servers go a UNIX base is will always be superior to Windows.

Re:This opinion isn't new and is still wrong.

[david_thornley]

I keep seeing this "properly", and it frequently means "when done by inerrant and superintelligent entities", which isn't real helpful. I prefer it to have some real-life meaning. My definition of properly written C++ is C++ that conforms to a good style that can be enforced by a combination of code scanners and reasonable code review. For example, properly written C++ doesn't double-free memory, but can have a race condition or off-by-one error or use an element from an empty vector.

Re:This opinion isn't new and is still wrong.

[david_thornley]

Desktops and laptops aren't just for games. There's a lot of important software that is Windows-only. Lots of software developers really like Visual Studio, for example, and Microsoft Office is vital for many organizations. Microsoft dominates on desktops and laptops, which is a pretty good niche, but not the majority of personal computing devices.

Re:This opinion isn't new and is still wrong.

[david_thornley]

The exploit worked not because of some security lapse at Microsoft, but because the people maintaining the machines didn't lock them down or apply appropriate updates in a timely manner.

Microsoft has taught people that Windows updates are not to be trusted, and most people's computers will never become more locked down than they were when shipped. Businesses can have competent people administering their machines, but individual computer owners typically don't. Everything here was pushed by Microsoft: unreliable updates, computers shipped not locked down, distribution of computers to people who don't have clue one how to administer one.

Re: This opinion isn't new and is still wrong.

[TWX]

Maintain a local mirror. update that mirror after testing packages on a test box, using the test box's own saved packages as the source to pull from for the mirror.

Re:This opinion isn't new and is still wrong.

[mysidia]

I keep seeing this "properly", and it frequently means "when done by inerrant and superintelligent entities"

If "properly" requires you to do anything that is Not-Obvious, for example to open a CLI, Registry Editor, ADSIEditor, or other Advanced Tool, to setup the environment which is not common practice OR not described clearly by the Vendor in a simple Setup or QuickStart Guide, then it's not really "Properly"; it's application of an Advanced Hack or Workaround, and the "Properly" is someone's personal opinion about what extra steps should be taken.

The problem with Windows environments is there are a million personal opinions, and 900,000 of them miss some aspect, or ignore some other thing, or blah blah blah, blah blah blah. There is no "properly" it don't exist, and any Windows environment is insecure, even if you think you have a clever workaround which you just call "Properly" setting it up, as opposed to what? Clicking through an AD setup Wizard, and "I should be done now"

For example, properly written C++ doesn't double-free memory, but can have a race condition or off-by-one error or use an element from an empty vector.

C and C++ are subject to errors even the best coders have difficulty avoiding.....

Re:This opinion isn't new and is still wrong.

[Ol+Olsoc]

That person sounds to me like somebody that has invested their entire life into Windows without looking at other options.

I would agree. I'm in another conversation in the same group where there has been a problem with Windows 10 updates. We're all still sussing out the problem, its looking like the main issue is Windows force feeding some drivers. Some dude comes in yapping about how we should expect to do complete uninstalls (like revo deep scan type, not a regular uninstall) every few weeks, even keep rolling back, because "that's just how it is". Bolshy Yarblockos! There's some low expectations for ya!

There's another thing, in that some of these people would be out of work without Windows machines. I spent a lot of the last part of my career fixing screwed up Windows machines, and it was 90 percent of the time because of an update. I wasn't even a computer support guy, I was just a lot more comfortable with suits than most IT guys, and I was already in the meetings.

And that could be changed with a few well placed dev teams. Steam has been doing nothing wonders in the last 4 years with this. And hopefully in just a few years more there will be no need to be tied to either os. As far as servers go a UNIX base is will always be superior to Windows.

Unix is why I like MacOS, and when I got into Linux, it was an epiphany, if you can do in-depth Mac, you can do Linux.

And I'm certain some Windows fan will parrot the meme that MacOS is for hipsters. Um hum, People who don't even know what a command line is often spout that.

Re:This opinion isn't new and is still wrong.

[ebvwfbw]

Apparently you still don't know why you're wrong. It isn't market share, it's the underlying operating system. A basic computer security course would teach you that. Linux is based on Unix and that was made with security in mind from the beginning. Windows never was. They had to retro-fit security and support their old crap. That's why it's easy to compromise it. The Dumb user plays a role in this as well. How to allow a dumb user to install something in privileged mode. The major problem remains, the old poorly engineered OS.

Supposedly Windows 10S changes all of this. Gone is the old 32 bit API. So is IE, and all the stuff that runs on WIndows today. It's not nearly secure enough to run on 10S. So this will be interesting. Will they be successful with 10S or not. Rumor is that 10S is really Linux under the hood.

Re:This opinion isn't new and is still wrong.

[ebvwfbw]

You missed the point. LInux didn't have the security bug in the first place.

Re: This opinion isn't new and is still wrong.

[Brockmire]

Wait, what? In what fucking universe is Linux security updated more than 10 years? That is only a recent change for distros like RH and I'm not aware of any over 10 years right now. When a distro changes support, the repos are never updated and so you must hunt down new/old repos for said updates. Then there's a shit ton of incorrect documentation that is out of date. It was all about needing to do new clean install to a currently supported release.

Re: This opinion isn't new and is still wrong.

[Brockmire]

BlackBerry announced partnerships in fuzz testing years before I ever heard of Google doing it. Not saying who was first, but likely.

Re: This opinion isn't new and is still wrong.

[F.Ultra]

Which proves my point, they have to negotiate deals with said companies in order to do so while millions of lines of source code was available to those projects when they where developing their methods. Without the vast amounts of source code it's even likely that projects such as Coverty wouldn't even exist.

Re:This opinion isn't new and is still wrong.

[Highdude702]

A lot of the time its also people that didn't or dont use computers a lot. and they think because its not what they're used to, that it cant be good. A lack of basic computer knowledge as you're saying.

Re:This opinion isn't new and is still wrong.

[david_thornley]

C and C++ are subject to errors even the best coders have difficulty avoiding...

C++ is subject to a lot fewer errors than C, although there are some. C++ memory management is generally fairly painless (although you have to pay some attention to detail) until you get a circular shared_ptr list. Even that just leaks memory rather than corrupting anything.

Re:This opinion isn't new and is still wrong.

[zwarte+piet]

Thanks. Now I'm hungry.

Every... time...

[Bizzeh]

Every single time any sort of media coverage comes up about a non-event (didnt affect real users, only affected organisations which delayed the installation of a critical update), fanboys leap on the opertunity to say how much better linux is.

Linux has its fair share of these, and runs on its fair share of critical infrastructure, and is run by its own fair share of idiots, but it is never really media worthy, because it isnt Windows and it isnt something the general public will relate to.

Give it a rest...

Re:Every... time...

[Cyphase]

Linux ... isnt something the general public will relate to.

Who is this general public of which you speak? This is Slashdot!

2017

I heard 2017 is the year for desktop Linux. Any day now.

Re:2017

[OrangeTide]

And programmers?

Programmers are always dying. We're not immortal, you must be a project manager.

Re:2017

[Anne+Thwacks]

And programmers?

They will be replaced by robots.

Re:2017

[FudRucker]

yup, nowadays everybody is drooling on their smartphones waling around bumping in to things like zombies searching for brains

Re:2017

[rastos1]

The future is now. WannyCry runs on Linux!

Re:2017

[brantondaveperson]

specialized workers like artists, musicians, engineers and scientists

That's a pretty general group of specializations. It's pretty much everyone I know.

Re:2017

[brantondaveperson]

No they won't. Compilers do the 'robot' part, and we're no closer to robotic code generation from high-level requirements declarations than we were when these ideas were first mooted.

Re:2017

[Tyger-ZA]

For me it is. I installed it yesterday (because I got fed up with some Windows 10 policies). I went with Ubuntu 17.04. First thing I wanted to do was install Chrome because that's what I'm used to using. But when I tried to install it, it didn't install. I don't know why. I'm sure I'll figure it out with enough time spent on it because I'm fairly tech savvy (or just stick with Firefox) but I don't think the average person would be able to deal with stuff like this. It's not ready for the desktop.

I typed this into a browser: google.com/chrome/ There was a download link to get chrome: https://www.google.com/chrome/... The only difference here is using a .deb or .rpm file for Linux instead of a .msi or .exe file for Windows Once it's installed it will get updates via apt if you're on ubuntu

Re:2017

[Lord+Crc]

Given the direction of Windows 10 I though I should check out the state of desktop Linux again. So I installed it on an Intel NUC I borrowed and hooked it up to my secondary monitor.

Been using it for a couple of weeks now with KDE Neon and it's fairly nice.

However one thing is sorely lacking compared to Windows: decent remote desktop software seems to be non-existing. By decent I mean near-native speeds on good (100Mbit) lines, bidirectional clipboards and sound-to-client. Without that, I can't replace Windows.

Re:2017

[Wolfrider]

--Ever tried Nomachine NX?

Re:2017

[david_thornley]

There have been numerous attempts to cut programmers out of the software business, because we've always been expensive. IIRC, the first "automatic coder" was an assembly language.

Now, suppose we have robotic code generation from high-level requirements declarations. There's two scenarios.

First: The high-level requirements declarations have to be a formal system to allow them to be robotically translated, which means you need the equivalent of programmers to write them, and the robot is a compiler.

Second: The robot can understand vague and contradictory requirements and make sense of them. At that point, we have strong AI, and it's Singularity time, so society is going to change beyond all recognition, and losing one's job will be par for the course and not the biggest thing to worry about.

Re:2017

[OrangeTide]

You should expand your circle of friends. A lot of my friends and classmates are going to find their careers are gone in a few decades, hopefully they will have retired by then. Truck drivers, short order cooks, manufacturing, and possibly even nursing. I think we'll see some industries go to a place where 1 person can do the job of 100 today using automation. Other industries might be 1 to 20 or 1 to 5. For example, nurses may find that some aspects of geriatric care can be automated and one nurse can monitor and care for five or ten times as many patients as they do today. That seems great from a technology stand point, but it does mean some people will have to find new jobs.

Re:2017

[OrangeTide]

"Desktops are enough for anyone" is how your simile would follow.

Count of 90...

[djbckr]

This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted.

That should only take a few minutes, right?

Re:Count of 90...

[matbury6017]

A few minutes? Don't you remember how long Windows takes to boot up?

Re:Count of 90...

[dysmal]

Isn't that how many times Windows XP restarted while you're installing it?

Re:Count of 90...

[ilsaloving]

That's clearly an oversight on the malware author's part. Usually you have to reinstall windows long before you get to the 90 reboots mark.

Re:Count of 90...

[lactose99]

"Your mouse has moved, Windows needs to restart your PC."

Depends on the company, doesn't it?

[gfxguy]

My father runs an accounting business. His tax software is only available on Windows, and not as a service.

I work in a media company. Yes, some have Macs, but most of the software is only available for Windows, so most users must use Windows. Now the other departments could possibly use something like Linux, but then it's another system that needs to be supported (given that we still must support Windows, anyway).

I'm sorry Linux fans (of which I am one... the web servers I set up for work are Linux, and I'm typing this on Linux as my desktop right now), but there's a lot of proprietary software that many companies use that is only available on Windows. Most of it has no serious competition on Linux.

Re:Depends on the company, doesn't it?

[matbury6017]

Unfortunately, that's true. I still have dual boot (Win7/Linux) because there are some packages, especially for multimedia, that I still need for work. However, there's a huge number of PCs in the world in govt. departments, schools, colleges, and universities (the public sector) that never use anything as exotic as multimedia editing software or generic accounting software (GNU cash is more than adequate for most businesses). Technically and financially, it would make sense for those millions of PCs to be switched over to Linux. The difficulty is at the human end of things; workers who don't care about computers and operating systems and just want to get their work done. Switching OS, to any OS different to the one they use now, would not make them happy.

The best solution? Probably to start with PCs used in education rather than letting Google, Apple, and Microsoft attempt to indoctrinate school pupils into only using their OS'. If pupils grow up understanding that there are different OS' that superficially look different but do pretty much the same things, from most users' perspectives, then switching between OS' won't be such an issue later on in life at work and at home. How about ICT classes in schools that are platform neutral? How about making transitioning between OS' part of the curriculum? It'd also reinforce their learning, according to the learning sciences ;)

Re:Depends on the company, doesn't it?

[grumpy-cowboy]

What was the last time you heard about a company who sued Microsoft for Word/Excel/... file corruption?

Re:Depends on the company, doesn't it?

[DontBeAMoran]

You don't even need file corruption (wait, Word/Excel/etc can corrupt files?!), version incompatibility is annoying enough.

Re:Depends on the company, doesn't it?

[gfxguy]

Now that I can actually agree with. Most people are just browsing; they use email and perhaps every once in a while need to type something up. You can watch your online streaming, listen to your online streaming, and pretty much do everything you need to in Linux... but then I suspect most people in that boat would be happy with a Chromebook.

Re:Depends on the company, doesn't it?

[what+about]

Your argument really sound like the anti waxers "I cannot get vaccinated since... I cannot"

Yes, the Windows zealot will reply to this post saying that it is true, he is really stuck.

At the end of the day it is just effort you have to put, you have a choice
- Apparently easy choice now and windows spyware and viruses
- Harder choice now but no spyware (stay away from NSA sponsored systemd) and viruses

Freedom, such a nice thing when you have it.

Re:Depends on the company, doesn't it?

[D'Arque+Bishop]

Your argument really sound like the anti waxers "I cannot get vaccinated since... I cannot"

No, it doesn't. He specifically said: there's a lot of proprietary software that many companies use that is only available on Windows.

Yes, the Windows zealot will reply to this post saying that it is true, he is really stuck.

At the end of the day it is just effort you have to put, you have a choice
- Apparently easy choice now and windows spyware and viruses
- Harder choice now but no spyware (stay away from NSA sponsored systemd) and viruses

Freedom, such a nice thing when you have it.

No, in his case, the choice is:

- Run Windows and be vigilant about malware but still be able to function as a business
- Run Linux on the desktop and go out of business because he cannot use the tools he needs

I've been working in IT for nearly twenty years and am a big Linux geek (I even helped introduce Linux on the server side at a previous employer), but make no mistake: with maybe one exception, every company I worked for had mission-critical software that was only available on Windows and to this day does not have a Linux equivalent.

Just my $.02...

Re:Depends on the company, doesn't it?

Run the accounting app under a dedicated Windows VM on Linux with only access to a file share on the Linux side. No need to patch or do anything to that Windows VM as it is isolated. I did this for a number of years as QuickBooks was the easy way to keep books and get my CPA the exact reports needed.

Many corp apps can be run under virtual terminal servers in a centralized fashion. Users access what they need, spinning up that app as needed. Patching Windows is easily centralized and done by patching the unused vms, testing them, and then putting them into the production pool and removing the unpatched servers until all is patched.

Just by isolating you gain huge security advantages. Yes, there are some hurdles to overcome. Yes, there may be some folks with a dedicated Windows-only box for some specific need that cannot run under a VM, but set it on a restricted VLAN that can only get to the Linux file server it needs to move files in and out. Never letting Windows machines have access to email or the Internet solves 99% of the security problems these days, and having an A/V + isolation solution for thumb drives solves the rest (hint: never put a thumb drive directly into a Windows machine).

Re:Depends on the company, doesn't it?

[brantondaveperson]

That's partly true. But Linux has no decent photo management software, because there exists no photo management software that touches iCloud photo library (prove me wrong, please, I'd love to see it). And the music player's integration with a music store in OSX and Windows is also something that Linux can't match. Both of those things are a shame, since there's nothing magical about iCloud photo library, and iTunes can certainly be a bit of pig, but if I want to buy an album online and have it show up on all my devices without dicking around at all, iOS and OSX is my only choice. If I want my photo library, including non-destructive edits, to show up on all my devices, even if I don't have enough space on them to download everything, iOS and OSX is also my only choice.

Re:Depends on the company, doesn't it?

My father runs an accounting business. His tax software is only available on Windows, and not as a service.

If he's stuck with some software then is he taking precautions for his business? Off-site backups, duplicate records, printed copies of contracts, licenses, etc?

Today's computer technology isn't like 1985. We have virtualization in the 21st century. And not just things like Playstation or Nintendo emulators. With risks like malware you need to be able to wipe your environment and re-create it if some asshat tries to lock up your business at gunpoint.

You can take that Windows instance, virtualize it, run as a VM on your Linux desktop.

Why?

Then you can backup the VM. Snapshot the VM. Migrate it to a cloud provider. You can even wrap a horribly unpatched OS instance that software could require behind a carefully tuned server firewall on a VM host.

Move the VM from hardware to hardware with guarantee this sh*tware accounting package will run exactly the same as before.

Infrequently used software? Put it in a VM and only run that fake machine when you need it. VMs boot in a lot less time than physical hardware.

As for cost, with Linux this is for free in terms of additional license cost over the cost of the original Windows license. VM software on most Linux Desktops is a click away. With tools like clonezilla or paid for disk imagers, the virtualization process is less time-intensive than setup of a regular backup solution. (A backup solution a business may be legally required depending on the market.)

there's a lot of proprietary software that many companies use that is only available on Windows. Most of it has no serious competition on Linux.

Not being beholden to someone else is a reason to run your own business. Otherwise you might as well be working for someone else.

Captive markets are the best. For profit and for control. Tax packages are some of the worst, with their required frequent re-purchase to keep up to date with the laws. Office software with horribly complicated and incompatible formats are close behind. Gamers are tied to whatever their games run on but as I mentioned with emulators they will switch when options are available. But gamers are consumers, but business people.

This is different from using the best platform for the best purpose. This is where someone else has made that choice for you.

People like the poor guy running a these tax packages not "running" an account business. He is actually just re-seller of that tax software who pays for that privilege. If he cannot do so for cheap enough then he won't be able to "run" his own business. If the tax software company makes it easy enough for the end-users then his business goes away, too.

Unlike a carpenter who can use whatever wood is best, this account uses what the tax company offers, possibly only in the way that they offer, on the tools that they require. The tax company can even pay the government* to mandate he does so only in their way.

This lack of freedom is what certain people were complaining about decades ago. It may look like he is his own man on the surface. But in reality the modern proprietary software world makes a sharecropper out of him. He turns his customer's money into profits for the tax software company and some spreadsheet company and some photo editing company. He has no choice in the matter.

Enterprise-level (read BIG companies) don't have these problems. If they don't want to run software XYZ on platform ABC they can pay to build what they want on their own schedule. That's often how software like AWS come into existence. But small shops and SAP "customers" don't get freedom like this.

Complaints about Windows-only software isn't really about GNU/Linux. It has been about free

Re:Depends on the company, doesn't it?

[Wolfrider]

...so you find out who else in your industry uses this "mission critical" Windows-based software, sit down and have some meetings, and all band together. Contact the software maker as a group to port the software to Linux and/or MAC. It's not rocket science... People just don't want to spend the money.

Re:Depends on the company, doesn't it?

[david_thornley]

Okay, so:

1. Figure out who your vendor's other customers are.
2. Talk to them. Find out that they don't see any reason to move off Windows.
3. Talk to them some more. Convince them somehow that they'd be better off on Linux if the common software and the other three things they absolutely need that run only on Windows ran on them.
4. Help them organize a similar campaign to enlist the support of the companies using the other three things.
5. Tell your CIO, and find you need a cost-benefit analysis. Your friends at the other companies also find that out.
6. Try to defend your estimates for the cost of staying on Windows.
7. Research the cost of tighter Windows security.
8. Give up. Take next year's server budget and your own savings and hire the mob.
9. Tell the mob to kidnap all the CIO's close families and hold them for ransom, ransom being agreement to switch to Linux if humanly possible.
10. Form an industry group to tell VLC that you want Linux versions.
11. Realize that you've got to keep paying for their stuff if you want to stay in business, so you have little leverage.
12. Conduct mob hits on all Windows zealots at your vendor's place of business.
13. Get estimate of how long it will take X to be rewritten to run on Linux.
14. Get estimate of how much it will cost you to keep the mob guys holding the hostages all that time.
15. Find pictures of your CEO, CFO, and a goat in bed together. Blackmail them to cough up the money the mob will need.
16. Profit!

Re:Depends on the company, doesn't it?

[david_thornley]

GP's father's computer doubtless came with an OEM Windows license. IIRC, that isn't good for running in a VM, and non-OEM licenses are fairly pricy when compared to the cost of the computer. Moreover, you now expect a small business to run Linux (given the right distro, it's about as easy as running Windows), run and administer a VM, run and administer Windows on the VM, accept any performance hit, and try to figure out how to set up a VM to be safe running Windows software on a Windows VM.

Most computer owners don't have a cue about Free vs. proprietary software. They have something they want to do, and they pick what looks like the best choice to do that with. Any choice that requires computer sophistication and significant extra expense is not going to fly.

Re:Depends on the company, doesn't it?

[tepples]

3. Use the software in Wine on Linux if compatible
4. Switch to a competitor's application that runs on Linux

WannaCry Makes Easy Case for Firewalls

Firewalls and security updates. The Windows server firewall is locked down by default. The Windows desktop firewall has a million ports open. Many are to localsubnet, but it's still open.
What I really want MS to do is make their firewall scoping easier to use, like icefloor: allow grouping of IP ranges as a common name, and allow scopes to use that name. They started to do that with predefined networks, but stopped for some reason.

Re:WannaCry Makes Easy Case for Firewalls

[mea2214]

AFAIK, to protect yourself from Wanncry simply block 445 in the Windows firewall. Don't even need to update. I haven't used smb in years and was surprised Windows 10 had that server process running listening to 445..

There is no cloud

[Xoc-S]

There is only other people's computers. If you move to relying on "the cloud", all you are doing is delegating your security to someone else. Now you have two points of vulnerability: Your local Linux machine, and the "cloud" server, either of which could be infected with malware. You have not fixed the problem, and you have actually doubled your exposure.

Re:There is no cloud

[Stormwatch]

But it also offers a point of redundance. Say, if your hardware fails and you lose your local files, you still have them online.

Re:There is no cloud

[BradleyUffner]

You can have that without the cloud too.

Re:There is no cloud

[DaHat]

True, without the cloud on a Linux system, running the wrong binary/script can see you accidentally encrypting your personal files/folders with some distro/NIX specific malware... that can happen on almost any system where a regular app has read/write to user files.

Relying on the cloud for a backup only works well if you've got A) non-automatic syncing of local changes to the cloud, B) remember to do manual syncs on a regular basis, and C) enough history in the cloud that if encrypted versions do end up elsewhere, that you have a way to go back to an encrypted version.

Re:There is no cloud

[Altrag]

Yes and no. If your data isn't stored locally, then any malware you pick up will at best only be able to monitor your real-time activities (keyloggers and the such.) Something like ransomware is irrelevant since you don't have anything worth ransoming on your local PC.

It is highly predicated though on the cloud provider being better at security than you are. If they suck just as much as you do, then you're absolutely right you've just opened up a second attack vector with no real benefit.

Something like Dropbox which attaches a pseudofolder to Windows kind of crosses the bound here. I would hope that they have some protection against ransomware just hooking up that folder and treating it like any other shared folder.. but if they can't or don't then again its absolutely just a second attack vector for the same problem.

On the other hand, something like Google's Docs is significantly more secure (assuming Google is more secure than your PC, which is a pretty safe assumption.) Nothing is ever stored locally and there's no direct local access either (or at least there wasn't last time I checked) -- everything is done strictly through their website. I guess an attack specifically targeted at grabbing your Google password and then interfacing with their website to mangle your documents would be possible but it would have to be individually coded for each cloud service, so you're still better off than if it was able to blindly encrypt your entire hard drive.

Re:There is no cloud

[rebelwarlock]

I'm guessing you're the sort of person who says "there is no darkness, only the absence of light". Calling it something else doesn't make it cease to exist.

Can't tell if serious...

[nyquil+superstar]

For real. I read these submissions, and I wonder if it's just a big troll. I mean, does anyone have a real company that uses 100% cloud offerings? I mean, I get that it's theoretically possible, but it's just not practical. Because, reasons. I mean, really, does anyone actual think this?

Re:Can't tell if serious...

[lgw]

100%? Common in start-ups.

90%? Lots of large companies, especially social media and content distribution. There will be some control stuff in-house, but all the heavy lifting is in the cloud.

And then there's the cloud providers, how much they "use cloud offerings" is a philosophical question, and Facebook/Google, which similarly "use the cloud" just their own cloud.

Re:Can't tell if serious...

[jezwel]

Some of us are here. It doesn't matter what's better, it matters what the execs want. If they want a shiny new Microsoft surface Book/Pro, that's what they (eventually) get. If we tried to push Linux, there would be a backlash and demand for what they are familiar with. Since we have to support it, and licence it, and all the other BS about it, Windows is the primary desktop OS.
Of course, there's the 8 figures annually of software development we do for our in-house stuff, which is still in the process of migrating to web based SaaS. Eventually we can become OS agnostic for a large % of our users, but not yet.

You need hard-to-erase disks

[davidwr]

If disk access were managed by code that was "lower than the operating system" and the disk management made it very difficult to actually delete data without waiting a week or more, it would make writing ransomware much more difficult. Such code could live in the drive firmware and/or in an isolated/low-surface-attack portion of the kernel or in a microkernel server.

Yes, there would be a cost, in that you couldn't scrub data or recover disk space for re-use at the drop of a hat, but it would be worth it for most people.

Also, such a system could be defeated but the number of ways it can be defeated is small enough to be manageable.

Re:You need hard-to-erase disks

[BradleyUffner]

Data on disk often IS managed by software "lower than the operating system", especially on SSDs. The OS just issues SATA commands to the disk, and gives it a buffer full of data. It is completely up to the firmware of the disk (running on the disk its self) how to handle that command. The OS never directly accesses the drive. In fact, the only computer I can name off the top of my head where the OS directly controlled the disk was the Apple II line of computers.

Re:You need hard-to-erase disks

[davidwr]

You didn't read part 2: "and the disk management made it very difficult to actually delete data without waiting a week or more." I don't know if any drive- or drive-bus-controller firmware that intentionally protects data from erasure until a certain time period has passed.

Yes, part 1, "If disk access were managed by code that was "lower than the operating system," is trivially true in today's environment where drives have their own firmware and even hosts have the host-half of the drive bus (be it USB, SATA, or what-not) with its own firmware or equivalent, but good luck updating all of that firmware. There is room for host-side non-firmware code that logically lives "beneath" the operating system or, perhaps, "beside" the operating system in a manner similar to a microkernel service, that can provide this function.

I've written a very high level, back-of-a-paper-napkin idea in this journal entry. Scroll down to the part I added today. There are no doubt holes in the proposal as listed, but I hope it gets people thinking about ways to make it harder for malicious software to delete data "on short notice," thereby making ransomware harder to write and easier to intercept before it erases data for good.

Re:You need hard-to-erase disks

[epyT-R]

made it very difficult to actually delete data without waiting a week or more

Yeah, it's called a backup.

Linux UX makes an easy case for windows.

As someone who uses linux for work....it is FAR from the utopia it is "sold" as.

Even being "free" does not redeem the cost of using it in terms of personal time and sanity.

Re:Linux UX makes an easy case for windows.

[presidenteloco]

Agreed:

If mass market adoption of Linux as desktop/laptop OS is to happen, Linux UX needs to adopt principles like this:

1. One way of doing something is better than many

2. The default shall be good, and easy. Then you can add configurability as long as there is a dead-simple and safe way to get back to default, even after you broke everything.

3. These days, with the complexity of OSes and updates, an OS should update itself to the latest by default. Experts can turn that off. Going along with this, it should be possible for multiple versions of whatever to run multi-tenant on the OS (e.g. Docker containers done by default).

In summary...

4. The needs of the many outweigh the needs of the few, or the one.

Re:Linux UX makes an easy case for windows.

[Anne+Thwacks]

You might have had a point or two in 1990, but the reality is, not only can the world cope with more than one car manufacturer, all of them do fine selling a whole range of different models. I survive the fact that on my Nissan you flick a stick sticking out of the steering, while on my in-laws Fort, you turn a knob on the dashboard, despite the fact that the Ford I used to have, you turned a stick like the Nissan one, but on the other side of the steering. (Hell, that was almost as tough as remembering whether to use the left mouse button or the right one).

One size fits all, eh? On your premise, I am supposed to deliver pallet-loads of food using a Ford Ka?

Apply now for a brain transplant - stock are limited.

Yes I know some CAD software only runs on Windows. That is a very good reason for using other CAD software. Do you think I would willingly walk through waist high stinging nettles wearing shorts, just because you are standing in the swimming pool?

Re:Linux UX makes an easy case for windows.

[epyT-R]

1. Most times, the reason there's more than one way of doing something is because they're actually ways of getting slightly different results. One size fits all is not a solution.

2. Maybe. Not one OS has achieved that yet.. or if it was at one point, it was shit-canned long ago to make way for new and shiny. DOS was dead simple and easy to use. We don't use it anymore for obvious reasons.

3. That's pretty much what they do now, with pressure to remove control from the user.

4. Not always. Having freedom to set up your own workflow is important. This is why having sane defaults for the stupid makes more sense than forcing such configurations on everyone with little or no ability to change (eg: windows 10 window metrics).

Re:If we all followed this logic

[nukenerd]

Windows is targeted because it's popular. If we all switched to Linux as our primary workstation at home and work, it would be just as targeted. ... the argument to move away from one insecure platform to another platform which is probably just as insecure isn't one I find very motivating.

I find your argument curious. The motivation discussed here (there may be others) is the fact that Linux is not popular, because as you say it is less likely to be targeted. (Assuming for the sake of argumant that their inherent vulnerabilies are equal). Of course you could question the sense of the guy evangelising Linux on these grounds as it could be self-defeating.

An analogy: if everyone in the world sat on the same chair as I am on, I'd be crushed to death. So should I not sit on it?

Somewhat broken logic

[cmeans]

If one is doing all their work in the cloud, then more likely than not, that's where the files are as well...so not local and not subject to a local Ransomware attack. Wouldn't matter what the local OS is.

Found the LUDDITE!

Only LUDDITES use LUDDITE Windows! Modern app appers use Appdows 10 S, the appiest apperating app!

Apps!

Issue is user diligence not the OS

[JoeyRox]

Putting aside older Windows XP machines which did not have the fix (and for which users who care about security shouldn't be running since there is no longer patch support for the platform) - Microsoft had rolled out the fix for their other Windows platforms well before WannaCry came out. What difference does the OS make if the user isn't going to be diligent in keeping their OS updated with security patches?

Re:Issue is user diligence not the OS

[JoeyRox]

But the same would be true if the NSA found a vulnerability in Linux and didn't tell anybody.

Wrong!

This is a very poor case for Linux. I run Linux and I couldn't get WannaCry to run at all. Linux will need to step it up if they want to compete with Windows.

Re:Wrong!

[rastos1]

Try harder. WannaCry on Linux

Cause net neutrality is dead

[budsetr]

SaaS is about to be shat all over

Re:Cause net neutrality is dead

[Altrag]

Not dead. Just get more concentrated in the hands of Google, Microsoft, Amazon and similar who are able to afford the extortion fees that we'll expect to see.

Also probably not right away. ISPs are unlikely to begin extorting on day one -- that would look bad enough that even Pai's FCC would have to stop and rethink their decision.

Likely it will be a slow erosion that will start a year or so from now after the hubbub has died down and continue until either its so ubiquitous that its accepted as the way of things (and internet users finally complete their reclassification to strictly internet consumers,) or a new government is elected that starts eyeing up the possibility of reintroducing net neutrality and the ISPs will go back to laying low for a while, maybe even rolling back in a few small ways to make it look like they're being good guys rather than just biding their time.

There is negative benefit to removing net neutrality for end users (we're slowed or barred from sites we like who don't or can't pay up.) There is little- to no-, and sometimes even negative, benefit for most companies, depending on their size and internet needs. There's a huge benefit for ISPs who will be given essentially free reign to abuse their (near-)monopolies. Its absolutely ridiculous that we allow industry talking heads to be in charge of overseeing their own industries. But not only is this allowed under Trump, it seems to be his preference across the board (FCC, EPA, education, probably others I don't recall off the top of my head.)

Please clarify your comment...

[Eric+Freyhart]

"then there is zero reason keeping you from making the switch to a more reliable, secure platform."

More reliable, secure platform? Prove that statement or clarify what you mean.

20+ Years of Experience

[gregarican]

I have used various Linux distros going back to 1997. And various Windows versions going back to 3.1. Servers, clients, etc. And I can say that a lot of Linux offerings have improved the front end UX. And installing/updating/configuring apps is a lot easier nowadays with current Linux distros.

But that being said, I still can't see Linux taking over the typical home user's environment. I am a techie, and I like to noodle around. So working around quirks, compilation issues for third party drivers, and the like is a challenge that I don't mind. But it still very much has the look and feel of a hobbyist's experience. Not talking about server-end aspects of Linux. Talking about the enduser's aspects.

Plus as others have noted, there are a fair amount of software packages that are Windows-only. And in those cases, the typical home user might not be willing to start digging into WINE to try to see if they can crowbar their package to port over. And I can perform unbiased side-by-side comparisons, since I have a Macbook Pro, a Windows 7 Pro, and a Debian 8 laptop trio sitting at home :)

Re:20+ Years of Experience

[ebvwfbw]

I think if we could just stop fighting ourselves we would have owned the desktop years ago. KDE, Gnome... and so on and so forth. Windows - well you have just Windows. Don't like it? Tough. With Linux if you don't like it? Make yet another distro.

So use Linux until it has conquered the desktop:).

[ext42fs]

Subject says it all. Even if virus writers just go for the largest market instead of the least secure OS then it's just another argument to use Linux.

100% cloud software??? Yea, right.

[DidgetMaster]

Just like everyone these days drives an electric car. Oh, wait...something like .001% do.

Re:100% cloud software??? Yea, right.

[Altrag]

If you could lease an electric car for $100/mo, and leases for all other types of cars were unavailable for some reason (meaning you'd have to pay the full price outright,) you'd certainly see a hell of a lot more electric cars.

SaaS vs local software isn't exactly the same as cars. Or even an analogy that makes sense.

Never mind the additional benefits that SaaS can have (if the service is built to do so) such as live document sharing in Google Docs, the ability to access it from anywhere with a simple web browser -- no dicking around with VPNs and remote desktop or other similar techniques to access your home/office PC while on the road. Those sort of aspects take your car analogy from not really making sense to being just flat out incorrect all together.

Re:100% cloud software??? Yea, right.

[DidgetMaster]

I never said that SaaS or electric cars are bad. There are definite benefits to both but they are still just getting going and have a tiny fraction of total market share. I was just laughing at the assertion that all software can be in the cloud today and there is no valid reason to buy it for your computer anymore. Just like regular cars will still be around 50 years from now, desktop software will be as well.

Re:Total fucking bullshit

[wed128]

Tens of users affected! Not relevant.

Re:Get to work, then.

[wed128]

Hmmm...guess I haven't been using any computers since about 1999 (my last windows machine). There aren't any alternatives! I guess i'm posting this message using my brain or something.

Re:If we all followed this logic

[glenebob]

An analogy: If everyone in the world sat on the same chair as I am on, I'd be crushed to death. So should I not sit on it?

A better analogy: if everyone in the world sat on the same chair as I am on, I'd be crushed to death. I better invite everyone in the world to sit on my chair.

Re:Patches exist & so do workarounds... apk

Dude, if you guys visit the first link in his google results, you can find a forum post with HIS PICTURE!

Holly crap, I can see what APK looks like! After all this time I thought he would look so different.

Direct image link: https://www.neowin.net/forum/uploads/av-241875.jpg

Everyone say hello to APK!

Re:If we all followed this logic

[Anne+Thwacks]

Most people that run Linux do so because they cannot afford to spend money on a professionally written OS.

They may think that, but those that know what they are talking about run Linux on their high end servers, because the core is a bloody sight more professionally written than windows. The rest of us run BSD.

Doesn't really matter nowadays

[Solandri]

A decade ago I would've agreed with you. But modern computers have become so fast you can be OS-agnostic and just run stuff in virtual machines.

• I run Windows on my laptop, but only because the 3D games I play are the only things that don't run well in a VM.
• My other Windows programs run inside a virtual machine (I got tired of having to reinstall all my Windows programs every time I upgraded laptops).
• I run FreeBSD in a VM for my file server and backups.
• I run Linux Mint in a VM for when I do stuff with Linux.
• I have a separate Win 10 VM for if I need to do anything risky (e.g. investigating a suspicious email attachment). If it gets malware and blows up, I just revert it to a snapshot.
• I have Win 8, Win 7, and Win XP VMs that I fire up when a client wants my help with one of those legacy OSes.
• I also had an OS X VM (Apple prohibits it in their license, but it's trivial to remove the software block) when I had a couple Mac clients.

Re:Doesn't really matter nowadays

[gfxguy]

I run Windows on my laptop, but only because the 3D games I play are the only things that don't run well in a VM.

As I pointed out, I work for a media company. We run real time 3D software; I do live virtual applications. I've tested Linux software from a vendor and I liked it a lot - but it was NOT ready for production use. Most of the tools we also require a lot of 3D performance. Maya, AfterEffects, and a number of programs you've likely never heard of. It's still just how it is right now.

Now if you want to support my fathers small accounting business, you can go ahead and set up VMs for his tax software. It's just not practical.

Re:Doesn't really matter nowadays

[Kjella]

Most of the tools we also require a lot of 3D performance. Maya, AfterEffects, and a number of programs you've likely never heard of.

Maya runs on Linux, BlackMagic has released Linux versions of DaVinci Resolve and Fusion but as long as you're tied to Adobe? When hell freezes over. I know quite a few people who would drop Windows in an instant if Adobe decided to release Creative Cloud for Linux. I think the problem is Adobe knows people buy the OS that their products run on, not the other way around. While there's many that would switch OS, there's very little new business in porting everything to Linux so it's not worth it. It's available for both Mac and Windows so they must have done most the heavy lifting to make it cross-platform, it's a lack of incentive.

Re:Doesn't really matter nowadays

[thegarbz]

and just run stuff in virtual machines.

So your solution to prevent the problem is run Linux and then Windows in a virtual machine?

What are you trying to do? Combine all the benefits of an extra layer of slowness and compatibility with the wonders of being able to run ransomware and have it lock up the files on your Linux host? I mean since you're talking about running only specific software in a virtual machine by extension that machine must have access to the host files right?

yeah right..

[SuperDre]

It's not like Linux is any more secure than Windows currently is. Linux has just as much exploits in it, but most of them aren't still known (at least not publicly). The more people will use it, the more it will be targeted by malwaremakers and hackers..
Don't think for a second Linux is so much better secured than any other OS..

Re:If we all followed this logic

[im_thatoneguy]

An analogy: if everyone in the world sat on the same chair as I am on, I'd be crushed to death. So should I not sit on it?

No it's like saying "This pie is REALLY GOOD! You should try this pie!" Now you have no pie because everybody wants a slice. As you say, it's self-defeating to evangelize something on the basis of "it's good because it's unpopular."

I don't need to outrun the bear... just you...

[dskoll]

If everyone switched to Linux, virus writers would target it. So no-one switches. So it makes sense to switch because nobody else will, so you'll be ahead of the game.

Just don't tell anyone else that...

(My company has run completely on Linux since 1999. We're well ahead of everyone else that the bear is chasing.)

it makes an easy case for ditching your old OS

[vm]

If you or your org are vulnerable to WannaCry then I would argue for upgrading your OS or setting up mitigating controls if you have a valid business case for not doing so:

SMB 1.0 – The version used in Windows 2000, Windows XP, and Windows Server 2003 & 2003 R2
SMB 2.0 – The version used in Windows Vista (SP1 or later) and Windows Server 2008
SMB 2.1 – The version used in Windows 7 and Windows Server 2008 R2
SMB 3.0 – The version used in Windows 8 and Windows Server 2012
SMB 3.02 – The version used in Windows 8.1 and Windows Server 2012 R2
SMB 3.1.1 – The version used in Windows 10 and Windows Server 2016

2016 Is teh year of teh Linux!!

[filesiteguy]

I was honestly expecting someone to post this and how we should all be using slack with everything done using the CLI.

I worked hard to use Linux (either openSUSE or Ubuntu) as my main OS for several years. There are things that just don't work well, and other things that don't work in VM's which force me to use Windows. As it is, Win10 is as good - if not better than - Windows 2000. I'll still fire up Ubuntu for various things but mostly use Windows just fine.

Oh, and i can use Bash in Windows

Re:Oh God....

[desdinova+216]

when netcraft confirms that windows/slashdot is dieing again.

Vulnerabilities, auditability, and upgradability

[phorm]

It's not just about the vulnerabilities themselves.
Let's take the current scenario: you've got a large health entity using scores of machines with an extremely old, outdated, and out-of-support OS. Part of the reason is
a) The software doesn't work on the newer OS
b) Cost of upgrade

B may or may not apply depending on the hardware involved, and is probably roughly equivalent exempting the cost of the OS itself. So let's look at something on a Linux system. Yes, I have software that no longer works on newer Linux versions. SystemD was actually a fairly big nail in this coffin as it changed parts of the underlying system. BUT, all those parts are visible to the user, and there exists at least the possibility to tweak stuff in the OS to get it to work. Make the actual software also OSS and your ability to get updated is that much better.

Now down to the OS itself. Many users were dependent on Microsoft to release a patch for their old OS. For XP, 2003, etc users MS actually came through pretty nicely on this and provided a patch. Win2k users were still out of luck. In Linux-land, the code of the underlying OS and most of the software is available. If it's a matter of fixing a bad call, it's again possible to self-service or at least hire somebody to rebuild it.

Now to the source of the attacks. A known vector used by the FBI. Along with that playbook comes a slew of vulnerabilities that make it hard to believe aren't deliberate. Again, in a closed OS you don't know one way or another, nor do you have the ability to audit. In FOSS there may be vulnerabilities, but there's also much greater audit-ability.

Does Linux have vulnerabilities. Of course. There's heartbleed and numerous cases of broken or buggy crypto. The thing is, these also get fixed in a fairly timely manner, and with a good patch/vulnerability management you're not so much at the mercy of a vendor to do so.

The funny part though is that even for windows, it looks like disabling File and Print Sharing components kills off the components the vulnerability needs (remove F&PS, port 445 goes bye-bye), and there was probably NO NEED to have those enabled, or even installed on most of the machines in question. It was there by default but had the machines been setup properly it would have been disabled, at least removing the one vector for infection.

Re:If we all followed this logic

[nukenerd]

Most people that run Linux do so because they cannot afford to spend money on a professionally written OS.

Windows comes with most PCs so Linux users could run it with no expenditure anyway, but choose not to except maybe to dual boot it for games. these people

aren't going to be throwing money around chasing after their files either; they didn't have any to start with.

They might have more money, saved from not spending it on Windows apps and earlier Windows-based scams. FWIW, I've got plenty of money but it does not mean I'm happy to give it to Gates or Wannacry, shits all of them.

It's All Smoke & Mirrors

[JenovaSynthesis]

Security is only as strong as its weakest link and that is the end user. It doesn't matter if they're running MacOS, iOS, Linux, Windows, or DOS. Period. If they're not running updates, the OS doesn't matter.

And if you want to get into the pissing contest, Linux has had a few major bugs with some of its components. Sendmail has had bugs that allowed someone to get root access by simply sending an e-mail to/through the server. Last year Google found a bug in glibc that would cause a buffer overflow and thus allow arbitrary execution. Oh, and let's not forget the privilege escalation vulnerability known as "Dirtycow" that apparently has been around for a decade in the Linux Kernel itself.

You can fault Microsoft on its processes for getting updates out there, but how many Linux boxes patched glibc or the kernel automatically?

Upgrading

[maroberts]

I'm not going to make the argument that Linux is invulnerable to viruses, because it isn't.

However, with Linux, you generally tend to upgrade regularly and continuously. You stay up to date. I doubt many people are still running Linux '95, or more accurately any version of Linux that came out in 1995. They'll be running a fairly recent version, and they'll be doing that because the upgrade costs are fairly minimal or are integrated into ongoing support costs.

Re:Upgrading

[sl149q]

Linux in IOT devices rarely if ever gets updated and forms the backbone for Botnets. Not as sexy as discussing the latest Windows fuckup but long term probably a worse problem.

Re:Upgrading

[Cro+Magnon]

IMO, upgrading is the key. If you can't easily upgrade (IOT and to an extent Android), you're a target. If you shut off upgrades because you don't trust your vendor (Windows), you're a target.

Re:Patches exist & so do workarounds... apk

[nukenerd]

I can see what APK looks like! After all this time I thought he would look so different.

From the date of his post on that page, he must be at least 10 years older than that by now. He is seen looking down his nose at us. His writing style is unmistakable.

Re:Wishful thinking...

[Guybrush_T]

Nobody said all machines could move to linux. Just like today some specific jobs require a Mac or even Linux, there can be jobs requiring Windows (and a powerful workstation).

But most company computers are laptops used to do emails/web browsing/office. The reason they still run Windows is office, and with cloud services gaining traction, that may soon be no longer a good reason to stick to windows.

Re:If we all followed this logic

[Altrag]

If you know apriori that everyone in the world is going to sit on the chair and crush you, then I would indeed highly recommend not sitting on it. Unless you favor suicide by ridiculous analogy.

Re:If we all followed this logic

[brantondaveperson]

A chair analogy. That's a new one. Please argue below about the relative accuracy of this analogy within the context of existing car analogies, rather than actually talking about the issues, which we are all capable of understanding here without talking about furniture.

Re:If we all followed this logic

[Altrag]

Many people that run Linux already spent money on a "professionally" written OS that came preinstalled on their system and was included in the price tag. Not sure if that goes into the territory of "most" (I mean I'm sure Linux enthusiasts are more likely to also build their own PCs but its hardly a one-to-one correspondence and its near impossible to find a consumer-grade prebuilt that doesn't already have Windows on it.)

Re:If we all followed this logic

[brantondaveperson]

hackers are seriously motivated to find a way in, but for the most part can't

Most of the world's web infrastructure is run by professionals, paid to secure the machines that they administer. Put Linux in the hands of millions of home computer users, and see how long that security lasts.

Only nerds care about OSs

[marcle]

OK, I'm a nerd, and I do appreciate the empowering qualities of Linux, even if it's a PITA. And I do dislike the bloat and insecurity of Windows.
But at the end of the day, I use my computer for 2 things (aside from surfing, email, etc.), and that is pro audio and graphics.
Furthermore, I can't afford the Mac universe.
So it's Windows for me.
I understand the politics, market forces, etc. that prevent a robust audio ecosystem from existing on Linux (even if I wanted to use less capable Linux software, few high end audio hardware manufacturers bother with Linux drivers).
And there's no Linux equivalent to the 1-2 punch of Photoshop + Illustrator (which I have managed to acquire without payment).
And that's not to mention many other audio and graphics programs I use, none of which have Linux equivalents.
So. Do you own/use a computer for the OS, or for the applications?

Linux is just better

[discowriter]

I think everyone knows this and is making excuses for Microsoft Windows because they're used to it and it's just easier for them to keep doing the same stupid things over and over ~ like in everything else in this world. But Windows is stupid because it's poorly designed and caters to that very same lazy, stupid attitude. Linux or UNIX was well-designed. It runs the world's servers and is therefore a much more powerful target. But it's really because Windows users are more often incredibly stupid and lazy (and that Microsoft can't or won't make up for these qualities, only exploit them) that Windows will always be a mess, security-wise. If Linux was put in the same position of market dominance, not only would it have all the benefits it has now but it would make far better use of the whole world watching Linux for problems and ACTUALLY FIXING THEM. Frankly, WannaCry is just taking advantage of stupid, lazy Windows users and their employers. The world deserves WannaCry because it's just taking advantage of all its opportunities. Just like Microsoft. You deserve each other. You were made for each other. Linux users might not be better, but they're more likely to be. And their initiative will serve them well when they're using their computers or even playing around with the code. While others are shelling out more money to the bad people and companies built specifically to exploit their vulnerabilities and keep them open. BECAUSE IT MAKES THEM MORE MONEY. If people were responsible and intelligent, this wouldn't be an issue. But they're not and it is. Enjoy your bloatware, idiots!

No virus can hit a nonexistent OS

[Kormoran]

Can you tell me of a software installing and running smoothly (just install and work) on each and every Linux distro? No? Thought so.

So why do you suppose a mere virus can achieve such feat? "The LINUX(tm) operating system" does not exist. Linux is a kernel, a piece of an OS. Debian, CentOS, RedHat are operating systems. AND they are all different.

The great pain of software houses with Linux is supporting distros. A developer can guarantee his product on the distro he's using and maybe another two or three. Don't you use one of them? Good work and good luck with manual install (and/or building from source). Same with viruses: a Linux virus can't rely on a particular OS and its infectivity would be a lot lesser. This is IMHO the main security bonus of the linux OSes.

Dumbest statement I've seen in a while

[blackpaw]

Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn't care

Just wrong. Another dumb ass ignorant article form a twerp who think they have some work experience.

Give credit where it's due.

[Sir+Holo]

Let's give credit where it is due.

FTA: The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989. This particular ransomware attack switched the autoexec.bat file.

I wrote a trojan (spread by BBS) in 1986 that swapped the autoexec.bat file. It would wipe the hard drive of some necessary system files, but did not stoop to the level of scum-baggery of asking for a ransom. Those ransom-ware guys are the absolute worst.

Outrun the bear

[Lost+Race]

You don't need to outrun the bear, you only need to outrun the other campers.

It appears that Windows will be a far bigger and softer target for the foreseeable future because most people need some Windows-only app or other. That's great for those off us who can use an alternative that's easier to secure and much less tempting to malware developers.

So if you can, you should switch to Linux, not because it's popular, but at least in part because it's not popular, and probably never will be.

With SaaS it wouldn't be vulnerable anyway...

[KreAture]

If they were really doing all their work through browsers and using SaaS the original issue would not exist so no reason to switch OS.
The data would be safe as the data is not stored on it, not accessible to the virus/trojan. The encrypted machine could just be reimaged and off you go.

A man without feet does not need new shoes.

Everything since Windows 10

[XSportSeeker]

Everything since Windows 10 happened has been a case for Linux, it's just still not an easy one by any means to your average Windows user unfortunately.

Let's see here. Shady strategies to force users to upgrade, horrible advertisement schemes, forced telemetry, always on always listening always dialing back strategies... not to mention how Microsoft keeps persisting on ideas like Windows 10 S because what they really want is to copy Apple and the walled garden model.

Malware, vulnerabilities and ramsonware have been there for the longest time, and arguably for regular users the horrible experiences of the past with Vista, BSoD, among several other problems have been a far more convincing case for Linux. We don't even have that many shovelware as we did in the past.

It just won't happen. Sorry. It's not your fault, but this has never been a convincing argument, not for regular Windows users. It won't start being because of WannaCry. And defeatingly enough, other than our own tech circles, it's likely that most people haven't even paid much attention to WannaCry anyways... it'll be forgotten, if it isn't already, as fast as stuff like Mirai Botnet, among others. I mean, even techies, do most people remember the most publicized malware attacks of 2016? I have to admit I don't.

And yes, I know Android exploded in popularity, I know over half of servers these days uses Linux, I know almost all supercomputers also do... but your regular non-techie consumer will, for the foreseeable future, always run to Windows, or at most Macs. In fact, if WannaCry was really going to do any substantial push for migration (which let's admit it, it won't), it'd be for Windows users going for Macs.

The unsolvable problems that Linux will seemingly never be able to overcome are:
1. Advertisement and marketing. An image problem;
2. Community. Even for folks like my mom who avoids using computers like the plague, if she has a problem with it, there's bound to be someone near her that can help. Linux? I wouldn't even know were to start. Neither I nor her friends would be able to indicate a repair shop or something with someone who could deal with command line configuration. I perhaps have a couple of friends who could help, but which would most likely be working with no free time to help.

And this isn't only about OS, it's about apps. Sure, Linux have plenty of basic office level apps and whatnot, but it's not about having an app that works in a similar way, it's about having people around to help with specific tasks as they arise. This is also why Microsoft Office still dominates while open source alternatives like LibreOffice or OpenOffice never catches on.

The needs non-computer geeks have around computers are often misunderstood, underestimated, and superficially analized. I feel bad because I'd really love for everyone to move to Linux. With enough people there, developers would be forced to migrate too. I'd love to have a fully functional Ubuntu smartphone. A Debian desktop with all I need. A Mint tablet to go around. Well, actually I have an Ubuntu laptop and tablet. But it's not something that I'd recommend for family and friends who don't know much about computers, because the whole thing makes no sense to them. Basically all of them (and I come from a big family) have no friends or relatives that would be able to help either to make their regular stuff work, or to solve problems when they come up. Among my multiple uncles, aunts, cousins, nephews and nieces... I must be the only one to have had contact with Linux. And I don't even know how to handle it properly myself.

Re:Everything since Windows 10

[The123king]

ReactOS 0.4.5 was released today, and that runs Office. I think ReactOS could have a bright and promising future in the next few years, especially since it's very hard for Linux to shake its reputation as a complex and finicky system for "nerds" and people in IT. Android dodged the whole issue by blatantly distancing itself from the Linux name.

Except the data doesn't back it up

[TheLongshot]

Looking at the CVE database, the top three OSs with the most vulnerabilities on the list are Linux distributions.

https://www.cvedetails.com/top...

Just because there was a high profile attack doesn't inherently make one OS more insecure than another.

Re:Except the data doesn't back it up

[The123king]

The question is, do Linux distros have more vulnerabilities listed because more are found, or because more exist? Does less known vulnerabilities mean it's more secure, or that no-one can be bothered to find them?

Variables like that make it much harder to correlate the cause with the effect.

Linux ISN'T secure!

[The123king]

The long-held belief that Linux is somehow a much more secure OS than Windows is a long-held fallacy. Linux is just as vulnerable to viruses and hacking as any other system. In fact, a mis-configured Linux server can have more holes in it than a colander. The only reason Windows get's targeted so often, is it's ~90% market share of desktop PC's. If linux had that sort of market share, all the viruses would target Linux instead. Everyone would be singing the praises of Microsoft and how their black-box proprietary OS makes it hard for hackers as they have no access to source code.

Re:Linux ISN'T secure!

[ebvwfbw]

And a comment from someone really clueless. On so many levels.

Re:Linux ISN'T secure!

[The123king]

Explain how?

Re:No practical reason for linux on the desktop

[The123king]

I think this is what you're looking for, sure it's not Linux, but it does exactly what you're asking for: https://reactos.org/

On the point of macOS, many users like it because it's UNIX-like, without the maintenance issues seen in Linux. However, i would like to see a project, like WINE, for /any/ version of Mac OS, and given the open-source nature of Darwin and OpenStep, i'm suprised no-ones tried to do it.

Re:If we all followed this logic

[davidshenba]

Why those paid professionals are choosing *NIX systems in first place? To make their job any tougher?

Re:ransomware need suitable victims

[davidshenba]

I am still waiting for all the major servers running *NIX systems to get affected.

Re:Your opinion isn't new and is still wrong.

[Opportunist]

Sorry, fallacy.

Servers, at least when used professionally, usually not only have administrators that at least have a hint of an idea what they're doing, often these people also have patching schedules and processes to follow. Not to mention that few of those servers, even when running Windows, are used to surf to questionable sites, open mail attachments or engage in other activities that result in a compromised system.

Also, these servers are usually guarded by firewall systems that make such attacks way harder and less likely to succeed.

Compare this to the average home PC, "administrated" by someone who thinks TCP is the Chinese secret service and who would gladly trade security for more dancing pigs. If its patch level is current, then mostly because Win10 doesn't offer any choice. This PC is used for everything the server is not, i.e. engaging in a lot of insecure and potentially harmful activities.

And there is many, many more like this one. Insecure, used by idiots that click everything and anything you send them. And since you're, as an attacker, usually more interested in identity theft and compromising a large number of systems. Consumer PCs are the low hanging fruit, all right, but more due to the users than the OS used.

Windows machines in 1980?

[Big+Hairy+Ian]

The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989.

Windows 3.0 didn't come out until May 1990 and nobody seriously used the earlier versions because they were crap. Also it said it infected the autoexec.bat file which is an MS DOS file not a Windows file.

Re:Windows machines in 1980?

[zwarte+piet]

Windows ran on top of msdos as recent as windows 98

Re: So use Linux until it has conquered the deskto

[Cro+Magnon]

Except the consequence of following that advice is that it becomes the target market for malware... Which still makes it bad advice. It's like saying, "Hey the Titanic is sinking, thousands of people jump in to my life boat!"

The thing is, the vast majority are sticking with the Titanic, and there's no sign of that changing. So, until it does, you're still better off on the lifeboat.

10% of PCs run Linux? 2%, at most

[Brannon]

nt

But Linux is so HAAAARRRDDDD...

[whitroth]

Of course malware writers aim at the largest target. They also go after the easiest target. The only people who go after hard targets are state actors.

However... Linux is yet another, and the most successful version of UNIX. And it's inherently a much harder target, because of its architecture, and the way it works. Admittedly, you can *make* it vulnerable, by things like giving root a password of jesus, or love, or 12345678... but the separation of authority, along with the structure (X is *NOT* in ring 0, for example) makes it a harder target.

I've got VLC running on X on my Xubuntu box

[tepples]

Form an industry group to tell VLC that you want Linux versions.

I don't see the problem. I thought VideoLAN was already putting out both GNU/Linux and Android versions of VLC media player.

sudo apt install vlc

Get estimate of how long it will take X to be rewritten to run on Linux.

Xubuntu already includes X Window System in the default install.

unattended-upgrade

[tepples]

You can fault Microsoft on its processes for getting updates out there, but how many Linux boxes patched glibc or the kernel automatically?

Ubuntu Desktop has unattended-upgrade in a cron job, and I imagine that its derivatives do as well.

Re:unattended-upgrade

[JenovaSynthesis]

Which has to be installed separately and then configured to run. So it's a moot point.

Re:unattended-upgrade

[tepples]

[Ubuntu's unattended upgrade support] has to be installed separately and then configured to run.

Fortunately, the default install of Ubuntu installs and configures as such.