False choices. Let's go with the unstated third choice: use some of that 90 billion dollars sitting in the bank to rewrite the OS and fix the damned problems, so we no longer need this "fix".
What OS-level problems do you suggest they "fix" ?
I understand exactly what you mean. But isn't there a fundamental difference in the architecture in Linux (all flavors) that makes it much more difficult for viruses to propogate?
No.
I thought it had something to do with the fact that most Windows users have administrative privileges while using Linux as root is taboo. Again I don't know much on the subject.
This is not an "architectural" issue, it's a "configuration" issue. There is a vast canyon of difference between the two.
It can't be denied, however, that the motivation for releasing a security patch (especially in the absense of high profile media coverage) in a timely manner goes down considerably. I mean, they have to "test" those patches before releasing them, right?
You seem to be missing a rather important point - that antivirus (and antispyware) software, almost exclusively, is protecting you against things that _can't_ be patched, because they're not broken in the first place.
Antivirus and antispyware software is there to stop you shooting yourself in the foot and/or to help you clean up after doing so. It's not there to protect you against things low-level OS security features can.
Suing for bundling everything under the sun with the intention of abusing monopolies is one thing, but bundling (for free), security software to protect the operating system that should be secured in the first place, does not strike me as monopolistic abuse.
"Security software" - ie: anti-virus and anti-spyware programs - are protecting you against the thing that OS security - by definition - cannot. Yourself.
Especially in the case of iloveyou.jpg.exe. Here's how it goes. First, show the extensions, it is a security hazard not to when the extension controls whether or not the file is executed. Second, Give big warnings the first time you run a new executable, and each time the executable has changed, and even more warnings if the executable has 2 extensions such as.jpg.exe. Each executable should need specific permissions for reading and writing files, including the registry, which is a separate case, and executables shouldn't be able to access the hard drive until you give them explicit permission.
So once the user has done all that, so they can see the pictures of $NAKED_CELEBRITY, what stops the malware from destroying their data ?
Also, don't let executables trash system files, and make users log into a non-priviledged account.
"System files" are typically the least most important files on any given system.
NOTHING in GPLv3 disallows implementing DRM with GPLv3 code.
Right, in much the same way the existing GPL says nothing about not being able to sell GPLed software - instead it just makes it practically impossible.
GPL3 makes it practically impossible to use DRM. Sure, you can have it, but you need to give everyone a back door in as well.
He founded a software movement that revolutionized the computer industry.
How so ? Hasn't pretty much all of the "revolutionising" from "free software" come from software that originated out of government projects, universities and the like ?
What GPLed software has "revolutionised" the computer industry ("revolutionised" being a pretty powerful word) ?
Most modern OS X apps (cocoa apps) recompile to multiple simultaneous architectures, including endian changes, with a single checkbox setting.
Unfortunately a rather large chunk of important apps on OS X aren't "modern" yet. There's also the paltform-specific optimisations for things like Photoshop to consider, but they're a relatively tiny part of the codebase.
My point was that all contemporary OSes are quite portable, currently run on multiple hardware platforms and take relatively little effort to switch "primary focus" from one architecture to another. Most applications - not to mention things like hardware and drivers - however, are not - and that's what most customers are interested in, rather than the OS.
Thanks to the miracle of "Intellectual Property", it could be both fast and cheap to manufacture _and_ demand can exceed artificially restricted supply, making it "expensive as hell" (and highly profitable) !
Not that easy - Apple, if you're reading, consider GPLing the source code to OSX. You'll find it a hell of a lot easier to maintain, and you don't make that much money on software compared to your hardware (and future music/video distribution biz)
And 2 -3 years later when your Macintosh and OS X departments are no longer viable, you'll be able to focus more on the iPod !
I did, which is why I said "unmanned vehicles" and not "unmanned aircraft".
The easier it is for the people who decide to go to war to distance themselves from the real consequences of those decisions, the more likely - and more frequently - they are to do it. Unmanned vehicles turn war into little more than an expensive video game, from the perspective of the decision makers, removing any possibility of them taking into account the human consequences (because on their side, effectively, there aren't any).
Way to advocate the pointless loss of human life in order to avoid the "evils" of war....
Not going to war in the first place is a vastly better way of avoiding "pointless loss of human life" than being able to minimise the casualties on your own side by turning war into a video game.
I think this dumb pacifism thing has gotten way out of hand......
"Hating war" != "Pacifism". I've yet to meet a single veteran who doesn't hate war, nor who is a pacifist.
Why? Because an install of WinXP can be compromised before you finish the installation of Service Pack 2. You are required to connect to the net *before* you have secured your machine.
Turn the firewall on before connecting.
His whole article bypasses the issue of how a virus gets onto the computer in the first place. I think we call all agree it's more likely for a Windows box to be infected.
Windows and Linux could be equally secure, and this would still be true.
If it were possible to comfortably run Windows as a regular user and not an administrator, most if not all of Windows' security problems would be solved.
Maybe for a few months, but it wouldn't take long for malware to be rewritten "properly".
The problem is that many software vendors often write their software for the least common denominator, which for the longest time was Windows 95/98/Me, which had _no_ idea of user security.
This hasn't been an excuse since about 1997, when Windows 9x gained the ability to have per-user profiles and Registries like NT (although, obviously, it couldn't enforce any separation of them). That's how long application developers have had to rewrite their programs to not use the system areas in typical use.
There is no excuse whatsoever for any remotely current application to needlessly require Administrator privileges. None.
On the flip side though, I would thinkthat *nix boxes would be bigger targets because (generally speaking), stuff that's running on the average *nix box is probably more mission critical than the the stuff running on the average Windows box.
They're also typically used by people far more likely to notice weird behaviour, and capable of fixing it quickly - making them exceptionally *un*inviting targets.
I'm one of the idgits that run as admin all the time. (I took no offense to your post, btw.) One of the main reasons I do this (besides the convenience) is that I'm not convinced that it'd actually spare me any security issues.
It will protect you from three things:
1. Your own stupidity (ie: accidentally hitting 'delete' with the wrong thing selected).
2. At this point in time, a lot of malware, as that assumes that users are running as Administrator (this will change over time as LUA accounts become more common).
3. The fallout of either #1 or #2, as only your own files will be damaged on a multiuser system.
Think of running as a regular user as being like the safety on a gun. Won't stop you shooting yourself - or others - in the foot, but makes it less likely to happen accidentally.
It might prevent my girlfriend from installing software, but do Windows permissions actually do anything beyond that that would make my machine the slightest bit more secure? To the best of my knowledge, no. But if somebody could correct me, I'd really appreciate it.
Windows file permissions for non-Admin users are as restrictive as those on just about any unix system.
On thing I tried doing with the "fairly intricate permission system" is deny a user from running an application by placing the user in one group and only that group and not giving directory or file access permission for that group along with removing the psuedo group of everyone (IOW the directory and files had only specific permissions granted to a different user). Of course guess what, user could still run the application. Kinda useless to have a "fairly intricate permission system" when the OS doesn't even obey its own ACL's on directories/files.
Firstly, Deny permissions take precedence over allow permissions, so there was no need to remove the Everyone group.
Secondly, having just tried this (denying Read and Execute for a specific user to an executable), it works as expected - the user couldn't run the executable. So I'm guessing you stuffed it up while trying to over-complicate the situation.
What OS-level problems do you suggest they "fix" ?
No.
I thought it had something to do with the fact that most Windows users have administrative privileges while using Linux as root is taboo. Again I don't know much on the subject.
This is not an "architectural" issue, it's a "configuration" issue. There is a vast canyon of difference between the two.
You seem to be missing a rather important point - that antivirus (and antispyware) software, almost exclusively, is protecting you against things that _can't_ be patched, because they're not broken in the first place.
Antivirus and antispyware software is there to stop you shooting yourself in the foot and/or to help you clean up after doing so. It's not there to protect you against things low-level OS security features can.
What "architectural" improvements are you thinking of ?
Virus scanners don't protect you from "underlying problems", they protect you from things OS security can't.
"Security software" - ie: anti-virus and anti-spyware programs - are protecting you against the thing that OS security - by definition - cannot. Yourself.
No, it can't.
Especially in the case of iloveyou.jpg.exe. Here's how it goes. First, show the extensions, it is a security hazard not to when the extension controls whether or not the file is executed. Second, Give big warnings the first time you run a new executable, and each time the executable has changed, and even more warnings if the executable has 2 extensions such as .jpg.exe. Each executable should need specific permissions for reading and writing files, including the registry, which is a separate case, and executables shouldn't be able to access the hard drive until you give them explicit permission.
So once the user has done all that, so they can see the pictures of $NAKED_CELEBRITY, what stops the malware from destroying their data ?
Also, don't let executables trash system files, and make users log into a non-priviledged account.
"System files" are typically the least most important files on any given system.
Unlikely. There's _way_ too much value in developers being able to work with VMs for Microsoft to make them unusable.
Right, in much the same way the existing GPL says nothing about not being able to sell GPLed software - instead it just makes it practically impossible.
GPL3 makes it practically impossible to use DRM. Sure, you can have it, but you need to give everyone a back door in as well.
How so ? Hasn't pretty much all of the "revolutionising" from "free software" come from software that originated out of government projects, universities and the like ?
What GPLed software has "revolutionised" the computer industry ("revolutionised" being a pretty powerful word) ?
Unfortunately a rather large chunk of important apps on OS X aren't "modern" yet. There's also the paltform-specific optimisations for things like Photoshop to consider, but they're a relatively tiny part of the codebase.
My point was that all contemporary OSes are quite portable, currently run on multiple hardware platforms and take relatively little effort to switch "primary focus" from one architecture to another. Most applications - not to mention things like hardware and drivers - however, are not - and that's what most customers are interested in, rather than the OS.
Thanks to the miracle of "Intellectual Property", it could be both fast and cheap to manufacture _and_ demand can exceed artificially restricted supply, making it "expensive as hell" (and highly profitable) !
And 2 -3 years later when your Macintosh and OS X departments are no longer viable, you'll be able to focus more on the iPod !
The porting "problem" typically isn't with the OS, it's with the applications.
I did, which is why I said "unmanned vehicles" and not "unmanned aircraft".
The easier it is for the people who decide to go to war to distance themselves from the real consequences of those decisions, the more likely - and more frequently - they are to do it. Unmanned vehicles turn war into little more than an expensive video game, from the perspective of the decision makers, removing any possibility of them taking into account the human consequences (because on their side, effectively, there aren't any).
Not going to war in the first place is a vastly better way of avoiding "pointless loss of human life" than being able to minimise the casualties on your own side by turning war into a video game.
I think this dumb pacifism thing has gotten way out of hand......
"Hating war" != "Pacifism". I've yet to meet a single veteran who doesn't hate war, nor who is a pacifist.
...Is that they make it easier to go to war. None of those politically inconvenient body bags to bring home.
Turn the firewall on before connecting.
His whole article bypasses the issue of how a virus gets onto the computer in the first place. I think we call all agree it's more likely for a Windows box to be infected.
Windows and Linux could be equally secure, and this would still be true.
Maybe for a few months, but it wouldn't take long for malware to be rewritten "properly".
The problem is that many software vendors often write their software for the least common denominator, which for the longest time was Windows 95/98/Me, which had _no_ idea of user security.
This hasn't been an excuse since about 1997, when Windows 9x gained the ability to have per-user profiles and Registries like NT (although, obviously, it couldn't enforce any separation of them). That's how long application developers have had to rewrite their programs to not use the system areas in typical use.
There is no excuse whatsoever for any remotely current application to needlessly require Administrator privileges. None.
They're also typically used by people far more likely to notice weird behaviour, and capable of fixing it quickly - making them exceptionally *un*inviting targets.
It is flawed. It has a class of user to which no restrictions are applied, nor ever can be.
It will protect you from three things:
1. Your own stupidity (ie: accidentally hitting 'delete' with the wrong thing selected).
2. At this point in time, a lot of malware, as that assumes that users are running as Administrator (this will change over time as LUA accounts become more common).
3. The fallout of either #1 or #2, as only your own files will be damaged on a multiuser system.
Think of running as a regular user as being like the safety on a gun. Won't stop you shooting yourself - or others - in the foot, but makes it less likely to happen accidentally.
It might prevent my girlfriend from installing software, but do Windows permissions actually do anything beyond that that would make my machine the slightest bit more secure? To the best of my knowledge, no. But if somebody could correct me, I'd really appreciate it.
Windows file permissions for non-Admin users are as restrictive as those on just about any unix system.
Uh, yes it can. You can easily emulate the u/g/o model of unix with Windows ACLs.
Firstly, Deny permissions take precedence over allow permissions, so there was no need to remove the Everyone group.
Secondly, having just tried this (denying Read and Execute for a specific user to an executable), it works as expected - the user couldn't run the executable. So I'm guessing you stuffed it up while trying to over-complicate the situation.
Define "haphazard". What filesystem and Registry permissions do you find strange from the perspective of running as a regular user ?