'WannaCry Makes an Easy Case For Linux'

An anonymous reader writes: The thing is, WannaCry isn't the first of its kind. In fact, ransomware has been exploiting Windows vulnerabilities for a while. The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989. This particular ransomware attack switched the autoexec.bat file. This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted. Windows, of course, isn't the only platform to have been hit by ransomware. In fact, back in 2015, the LinuxEncoder ransomware was discovered. That bit of malicious code, however, only affected servers running the Magento ecommerce solution. The important question here is this: Have their been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it's pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop. I can already hear the tired arguments. The primary issue: software. I will counter that argument by saying this: Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn't care. With that in mind, why would you want your employees and staff using a vulnerable system? [...] Imagine, if you will, you have deployed Linux as a desktop OS for your company and those machines work like champs from the day you set them up to the day the hardware finally fails. Doesn't that sound like a win your company could use? If your employees work primarily with SaaS (through web browsers), then there is zero reason keeping you from making the switch to a more reliable, secure platform.

This opinion isn't new and is still wrong.

[Aequitarum+Custos]

Virus writers will target the largest market portion. If that's Windows, they'll write viruses for Windows. If it's Mac, they'll write viruses for Mac. If it's Linux, they will start writing viruses for Linux. Just because more vulnerabilities in Windows are known, does not mean there are less total in Linux. And short of taking away admin/sudo access from users completely, malware can always social engineer it's way into administrative privileges during an installer or something similar.

Re:This opinion isn't new and is still wrong.

[dagrichards]

Of course its wrong, the correct answer is of course to run OpenBSD.

Re:This opinion isn't new and is still wrong.

[Junta]

Well, in the macro sense, it won't work. In the micro sense, it will work to some extent, at least until too many other people join you and suddenly things look appealing.

Though having apt/dnf available software mitigates risks in a way similar to having an 'app store', and is one reason why MS is pushing the Windows Store concept hard (the larger reason of course being profit).

Also, even without admin level access, untrusted software can make a mess of things, since all the stuff you care about is owned by you.(oblig https://xkcd.com/1200/). Platforms like Android and IOS that provide some concept of per application permissions mitigate that more, though generally people will click through crazy permissions too.

Re:This opinion isn't new and is still wrong.

[OrangeTide]

Linux has been around enough and is used widely in high-value enterprise servers that it most certainly is attacked by malware, hackers, etc on a regular basis. Much is known about the security of Linux, and multiple vendors work to improve the security of the Linux Operating System and key applications.

Microsoft, Adobe and others have not been doing that great of a job securing Windows and its key applications. And much of the industry that touts that they enhance security on Windows are also trying to sell you virus scanners that significantly impact system performance.

What you fail to understand are two factors at play here:
1. Linux(FreeBSD and Unix in general) have a very different security model than Windows. Unix is a much simpler model and is less flexible, but it is also applied more consistently as a result.
2. Windows is not the top OS in the world in terms of numbers. Virus writers, if they are going only for high-volume attacks, would also aim their sites at Android or iOS as either of those have more installed systems than Windows. And like I said early, Linux dominates the enterprise environment and would theoretically be more valuable of a target to attack than Windows.

Re:This opinion isn't new and is still wrong.

[jandersen]

Well, any way, I think Linux is the best argument for using Linux: the totality of its features, stability, useability, and I could go on. It may well be a matter of mostly taste; I dislike Windows for exactly the same reasons why others like it.

Re: This opinion isn't new and is still wrong.

I keep hearing this argument, but every time Microsoft releases another Windows, I am shocked by the security holes I find open. They just don't care enough. With Linux, more eyes on the source exposes more bugs and the security ones often get fixed before the ink dries on the mainstream media post about it.

Plus, older Linux installs are often maintained for security patches far longer than Windows.

Re:This opinion isn't new and is still wrong.

[sjames]

Mac seems like a reasonably popular minority desktop, but doesn't seem to be having a problem so far, why would Linux?

Re:This opinion isn't new and is still wrong.

[unrtst]

Virus writers will target the largest market portion.

This tripe is tired. There are more factors at play here, and being blind to them for decades isn't helping anyone.

The size of the installed base does not matter.
An argument could be made that the effectiveness of the exploit may matter. IE. if there are more vulnerable machines of some specific type, that's a bigger target. This could also be skewed depending on the demographic of that target (ex. if it was 90% of the ATM's and the exploit made all accounts using them available, it wouldn't matter if the number of ATM's is much smaller than the total number of Windows machines). This would still be a weak argument because the raw count is far from the only consideration.

My point is, there has to be a whole lot more VULNERABLE Windows machines to make it more attractive than other targets (Mac/Linux/etc). For example, if every Mac OS X install had a remote root vulnerability, but only %1 of Windows 10 installs were still vulnerable to a similarly bad thing, then Windows would not be as attractive based on numbers and impact.

WannaCry sucked extra hard because so many people actively disabled windows update so they could avoid the heavy handed push to Windows 10. People could avoid many of those large issues by moving to Linux - little to no telemetry (depending on distro, and can be easily disabled on those that have it), updates how and when you want them, updates that don't force restarts or delay boot up time, significantly fewer viruses now and for the foreseeable future, and way more freedom to stay current in whatever way suits you (ie. distro/desktop choices).

Sadly, I still think TFS is more of a troll than a real suggestion. It's just begging for people to trot out their favorite justifications.

Re: This opinion isn't new and is still wrong.

[Anne+Thwacks]

It is not just an issue of "more eyes". If you ignore Canonical, Gnu/Linux is far more stable internally - I specifically say Gnu, because the issue here is userland culture: The Unix/Linux world has enormous motivation to keep reusing the same code over massively diverse hardware as well as application use cases.

The same code gets more thorough testing in the Unix, with more motivation to fix the problems - because people are able to locate and describe problems better.

I know there are still bugs in Linux - hell, I know there are bugs in OpenBSD - but if I report them, they get fixed - sure it can take a year if the impact is only on me. If I phone Microsoft, all I get is a phone bill and a sore ear.

In the BSD world, some of the code really is over 40 years old, and generations of students have tried to hack it - to improve their game scores or college grades. When they succeed, it is fixed.

In Windows, when a new version is released - it probably comes with more new, improved bugs than bug fixes.

Re:This opinion isn't new and is still wrong.

[OrangeTide]

Seems like applying patches for you too all installed software using a package management system would help tremendously. Having software that is outside of a central package management system, with updates disabled by the user or because the vendor is refusing to patch old versions would lead to these same sorts of issues.

Re:This opinion isn't new and is still wrong.

[UnknownSoldier]

> and therefore Linux is NOT going to become the largest market portion any time soon.

Oh really? Try taking off the myopic PC blinders for once.

Google achieved 2 Billion devices with Linux in 9 years what Microsoft WinCE couldn't do even in 20 years

MS may have 96% of the gamer's PC desktop but that ignores all the servers and virtual machines running non-Windows, let alone consoles.

MS is a total joke on the Top 500 super computers.

Since November 2015, no computer on the list runs Windows.

Hell, even 33% of Azure runs Linux

In the OS server space things get fuzzy -- are we talking Web Servers? Database Servers? Email servers? Windows be has high as 33% or 20%-- there are no accurate stats.

Let's recap where Linux dominates:

[x] Mobile: Linux
[x] Super computers: Linux
[x] Servers: Technically *nix, due to BSD and OSX.
[ ] PC Gaming Desktop

The only place Windows has a niche in is PC gaming and XBox -- but desktops aren't the only thing anymore.

In the global space MS is slowly becoming irrelevant next to Android, iOS, PS3/4, Servers, Super computers, and Wii/Switch.

Not bad for an OS that "(free) operating system (just a hobby, won't be big and professional like gnu)"

Re:This opinion isn't new and is still wrong.

[AmiMoJo]

Linux will fall to the same things that Windows does these days.

- Users conditioned to enter the admin password and click through warning to get that sweet emoji pack

- Vulnerable applications

- Zero day attacks and slow updates

Nothing about the average Linux distro would prevent ransomware attacks, for example. Exploit the browser, get access to the user's files, game over. Yeah, there are more secure distros, but you can lock down Windows too and no-one does.

Re:This opinion isn't new and is still wrong.

[war4peace]

That's a helluva "niche" right there.

Re:This opinion isn't new and is still wrong.

[ctilsie242]

The thing about ransomware, it doesn't need to fight with SELinux, nor escalate to root, to cause damage. It just needs enough access to read/write the user's files, which most web browsers provide. Even having an Internet connection isn't needed, since ransomware can bundle a public key with it that it can encrypt an individualized ephemeral private key, then use the public key from that ephemeral keypair to encrypt all files.

Ransomware is part of a perfect storm. So many companies don't bother with security. Individuals don't care or don't bother. With the lack of consumer-tier tape drives and optical drives of a decent capacity, backup drives and cloud-synced storage are easy pickings for deletion. Not many end users really care to use a program like Mozy, Carbonite, or CrashPlan.

Re:This opinion isn't new and is still wrong.

[Archtech]

Except you're missing the point.

Actually I think you are missing the point.

The exploit worked not because of some security lapse at Microsoft, but because the people maintaining the machines didn't lock them down or apply appropriate updates in a timely manner.

But why do you assume that dozens of "appropriate updates" must be applied every month "in a timely manner"? It's not as if the installed software is decaying in some mysterious way. The patches are needed to prevent exploits that should never have been possible in the first place.

Security cannot be added on as a bag on the side of a software system - although that is what Microsoft is forever trying to do. Proper security has to be built in right from the start, from the foundations up. But that does cost money and take a lot of extra time and effort.

Linux can't fix that....

Of course neither Linux nor BSD nor any other operating system can "fix" the problem 100 percent, completely and forever.

But that does not mean they can't be a huge improvement.

Re:This opinion isn't new and is still wrong.

[mysidia]

A properly setup and secured Windows network would not be open to most of this junk.

Can you name 3 companies with 100% Properly setup and correctly-secured Windows networks?

(HINT: The number that actually exist in the real world is 0.)

Re:This opinion isn't new and is still wrong.

[TemporalBeing]

That's a helluva "niche" right there.

Yes, the Desktop is large market, but mobile dwarfs the desktop by itself, and servers have a lot of information that would be far more valuable than most desktops.

Re:This opinion isn't new and is still wrong.

[Greyfox]

Everyone was bitching about the new windows 10 look anyway, so moving to Linux/X11 with XFCE or something should be pretty refreshing to them. Especially with it not crapping ads and looking like a glorified facebook feed. The Linux game situation is much better than it used to be -- steam and a reasonable number of games run on it now, and you can even get Worlld of Warcraft to work without too much effort via playonlinux. And Chrome and Firefox always look the same pretty much everywhere. The barrier to entry isn't going to get much lower, I think.

Re: This opinion isn't new and is still wrong.

[stooo]

>> If you think the same does not apply to Linux you are kidding yourself.

Yes and no.
In general, a typical Linux installation has much less attack surface than a typical entreprise Windows installation.
Like 10x less ports and protocols open.
That makes a hell of a difference.

Re: This opinion isn't new and is still wrong.

[Daniel+Phillips]

What are you talking about? You can't even fucking ping a windows box with it's default firewall configuration.

And it's still leaky as a sieve. That speaks to basic design flaws.

Re: This opinion isn't new and is still wrong.

[Daniel+Phillips]

So far for 2017, Linux has 128 code execution vulnerabilities whereas Microsoft has 71.

Because each Linux vulnerability is reported for multiple distributions. And because Linux vulnerabilities are found faster and therefore fixed faster. However you want to spin it, Windows is the one getting successfully exploited in multiple ways, so that new Windows vulnerabilities are hardly news any more, whereas its big news any time a hole shows up in Linux, and then very few fall victim to it.... partly because of the early and widespread disclosure, but more because Linux vulnerabilities typically require local access, login shell, etc. Whereas a dodgy flash file is often enough to take out a Windows box.

Every... time...

[Bizzeh]

Every single time any sort of media coverage comes up about a non-event (didnt affect real users, only affected organisations which delayed the installation of a critical update), fanboys leap on the opertunity to say how much better linux is.

Linux has its fair share of these, and runs on its fair share of critical infrastructure, and is run by its own fair share of idiots, but it is never really media worthy, because it isnt Windows and it isnt something the general public will relate to.

Give it a rest...

2017

I heard 2017 is the year for desktop Linux. Any day now.

Count of 90...

[djbckr]

This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted.

That should only take a few minutes, right?

Re:Count of 90...

[matbury6017]

A few minutes? Don't you remember how long Windows takes to boot up?

Depends on the company, doesn't it?

[gfxguy]

My father runs an accounting business. His tax software is only available on Windows, and not as a service.

I work in a media company. Yes, some have Macs, but most of the software is only available for Windows, so most users must use Windows. Now the other departments could possibly use something like Linux, but then it's another system that needs to be supported (given that we still must support Windows, anyway).

I'm sorry Linux fans (of which I am one... the web servers I set up for work are Linux, and I'm typing this on Linux as my desktop right now), but there's a lot of proprietary software that many companies use that is only available on Windows. Most of it has no serious competition on Linux.

Re:Depends on the company, doesn't it?

[matbury6017]

Unfortunately, that's true. I still have dual boot (Win7/Linux) because there are some packages, especially for multimedia, that I still need for work. However, there's a huge number of PCs in the world in govt. departments, schools, colleges, and universities (the public sector) that never use anything as exotic as multimedia editing software or generic accounting software (GNU cash is more than adequate for most businesses). Technically and financially, it would make sense for those millions of PCs to be switched over to Linux. The difficulty is at the human end of things; workers who don't care about computers and operating systems and just want to get their work done. Switching OS, to any OS different to the one they use now, would not make them happy.

The best solution? Probably to start with PCs used in education rather than letting Google, Apple, and Microsoft attempt to indoctrinate school pupils into only using their OS'. If pupils grow up understanding that there are different OS' that superficially look different but do pretty much the same things, from most users' perspectives, then switching between OS' won't be such an issue later on in life at work and at home. How about ICT classes in schools that are platform neutral? How about making transitioning between OS' part of the curriculum? It'd also reinforce their learning, according to the learning sciences ;)

Re:Depends on the company, doesn't it?

[brantondaveperson]

That's partly true. But Linux has no decent photo management software, because there exists no photo management software that touches iCloud photo library (prove me wrong, please, I'd love to see it). And the music player's integration with a music store in OSX and Windows is also something that Linux can't match. Both of those things are a shame, since there's nothing magical about iCloud photo library, and iTunes can certainly be a bit of pig, but if I want to buy an album online and have it show up on all my devices without dicking around at all, iOS and OSX is my only choice. If I want my photo library, including non-destructive edits, to show up on all my devices, even if I don't have enough space on them to download everything, iOS and OSX is also my only choice.

WannaCry Makes Easy Case for Firewalls

Firewalls and security updates. The Windows server firewall is locked down by default. The Windows desktop firewall has a million ports open. Many are to localsubnet, but it's still open.
What I really want MS to do is make their firewall scoping easier to use, like icefloor: allow grouping of IP ranges as a common name, and allow scopes to use that name. They started to do that with predefined networks, but stopped for some reason.

Re:If we all followed this logic

[nukenerd]

Windows is targeted because it's popular. If we all switched to Linux as our primary workstation at home and work, it would be just as targeted. ... the argument to move away from one insecure platform to another platform which is probably just as insecure isn't one I find very motivating.

I find your argument curious. The motivation discussed here (there may be others) is the fact that Linux is not popular, because as you say it is less likely to be targeted. (Assuming for the sake of argumant that their inherent vulnerabilies are equal). Of course you could question the sense of the guy evangelising Linux on these grounds as it could be self-defeating.

An analogy: if everyone in the world sat on the same chair as I am on, I'd be crushed to death. So should I not sit on it?

Somewhat broken logic

[cmeans]

If one is doing all their work in the cloud, then more likely than not, that's where the files are as well...so not local and not subject to a local Ransomware attack. Wouldn't matter what the local OS is.

Found the LUDDITE!

Only LUDDITES use LUDDITE Windows! Modern app appers use Appdows 10 S, the appiest apperating app!

Apps!

Re:Get to work, then.

[wed128]

Hmmm...guess I haven't been using any computers since about 1999 (my last windows machine). There aren't any alternatives! I guess i'm posting this message using my brain or something.

Re:Doesn't really matter nowadays

[Kjella]

Most of the tools we also require a lot of 3D performance. Maya, AfterEffects, and a number of programs you've likely never heard of.

Maya runs on Linux, BlackMagic has released Linux versions of DaVinci Resolve and Fusion but as long as you're tied to Adobe? When hell freezes over. I know quite a few people who would drop Windows in an instant if Adobe decided to release Creative Cloud for Linux. I think the problem is Adobe knows people buy the OS that their products run on, not the other way around. While there's many that would switch OS, there's very little new business in porting everything to Linux so it's not worth it. It's available for both Mac and Windows so they must have done most the heavy lifting to make it cross-platform, it's a lack of incentive.

Outrun the bear

[Lost+Race]

You don't need to outrun the bear, you only need to outrun the other campers.

It appears that Windows will be a far bigger and softer target for the foreseeable future because most people need some Windows-only app or other. That's great for those off us who can use an alternative that's easier to secure and much less tempting to malware developers.

So if you can, you should switch to Linux, not because it's popular, but at least in part because it's not popular, and probably never will be.

Everything since Windows 10

[XSportSeeker]

Everything since Windows 10 happened has been a case for Linux, it's just still not an easy one by any means to your average Windows user unfortunately.

Let's see here. Shady strategies to force users to upgrade, horrible advertisement schemes, forced telemetry, always on always listening always dialing back strategies... not to mention how Microsoft keeps persisting on ideas like Windows 10 S because what they really want is to copy Apple and the walled garden model.

Malware, vulnerabilities and ramsonware have been there for the longest time, and arguably for regular users the horrible experiences of the past with Vista, BSoD, among several other problems have been a far more convincing case for Linux. We don't even have that many shovelware as we did in the past.

It just won't happen. Sorry. It's not your fault, but this has never been a convincing argument, not for regular Windows users. It won't start being because of WannaCry. And defeatingly enough, other than our own tech circles, it's likely that most people haven't even paid much attention to WannaCry anyways... it'll be forgotten, if it isn't already, as fast as stuff like Mirai Botnet, among others. I mean, even techies, do most people remember the most publicized malware attacks of 2016? I have to admit I don't.

And yes, I know Android exploded in popularity, I know over half of servers these days uses Linux, I know almost all supercomputers also do... but your regular non-techie consumer will, for the foreseeable future, always run to Windows, or at most Macs. In fact, if WannaCry was really going to do any substantial push for migration (which let's admit it, it won't), it'd be for Windows users going for Macs.

The unsolvable problems that Linux will seemingly never be able to overcome are:
1. Advertisement and marketing. An image problem;
2. Community. Even for folks like my mom who avoids using computers like the plague, if she has a problem with it, there's bound to be someone near her that can help. Linux? I wouldn't even know were to start. Neither I nor her friends would be able to indicate a repair shop or something with someone who could deal with command line configuration. I perhaps have a couple of friends who could help, but which would most likely be working with no free time to help.

And this isn't only about OS, it's about apps. Sure, Linux have plenty of basic office level apps and whatnot, but it's not about having an app that works in a similar way, it's about having people around to help with specific tasks as they arise. This is also why Microsoft Office still dominates while open source alternatives like LibreOffice or OpenOffice never catches on.

The needs non-computer geeks have around computers are often misunderstood, underestimated, and superficially analized. I feel bad because I'd really love for everyone to move to Linux. With enough people there, developers would be forced to migrate too. I'd love to have a fully functional Ubuntu smartphone. A Debian desktop with all I need. A Mint tablet to go around. Well, actually I have an Ubuntu laptop and tablet. But it's not something that I'd recommend for family and friends who don't know much about computers, because the whole thing makes no sense to them. Basically all of them (and I come from a big family) have no friends or relatives that would be able to help either to make their regular stuff work, or to solve problems when they come up. Among my multiple uncles, aunts, cousins, nephews and nieces... I must be the only one to have had contact with Linux. And I don't even know how to handle it properly myself.