The question isn't whether users will or will not do silly things. The question is what silly things will the OS let them do.
And the answer, of course, is anything they want - because otherwise those computers wouldn't be very useful.
"Silly" - like "malicious" - is a matter of context. Computers aren't very good with determining context.
Also, on your previous claim that script kiddies will try to get users to compile executables, good luck trying to resolve the library dependencies (or will the script kiddies include their own libraries?).
I made no such claim.
And you really have not explained how they will exploit the rich scripting/programming environment of Linuz.
Firewalls are such a band-aid solution to the problem of unknown processes running on your own computers.
Firewalls have nothing to do with processes running on computers. They are for filtering network packets.
The right way to solve the problem of rejecting incoming and outgoing requests is to make it easy to see which processes are accepting and making connections on which port.s
No, this is the right way of identifying which processes are sending and receiving information, not whether or not those packets are getting to and from the mahcine.
Look at how small Be's development team was, yet somehow they managed to create a 64bit file system with many of WinFS' features back in what? 1998-1999?
There's very little - if anything - BeFS was capable of that NTFS wasn't back in 1993.
The problem is that just as Microsoft takes Apples ideas [...]
Are you able to conceive of two (or more) entities idependently coming up with the same idea ?
While they ultimately did rewrite (most or all of) the code for it (maybe completely by version 5), they didn't come up with the innovation themselves.
In fact IE was mostly rewritten by version 3, and the "innovation" was making it an embeddable, reusable "library" rather than a standalone application.
The only reason IE took over market share is BECAUSE IT WAS INCLUDED FOR FREE IN EVERY OS IN 95% OF THE COMPUTERS.
Except the versions of IE that took over Navigator's market share - at the time they did so - were only available via download, not bundled with the OS.
IE killed Navigator because it was better. More people wanted to use it. Fewer people wanted to use Navigator. Netscape chose to stop trying to improve their product and paid the price.
If Mr. Ballmer says he hasn't seen much in the way of technical innovation in Open Source, he's either not looking in the right places or he's telling porkies.
What "technical innovations" are you thinking of ?
They can even just look at one of the Open Source OS's and SEE how others have solved those problems.
What "problems" are you thinking of ?
I still have to ensure that the DAILY anti-virus/anti-spyware downloads happen.
Maybe you should embrace some basic security principles then.
The same virus that was known to infect Win98... will STILL infect Win2003.
THAT is the problem.
No, it's the price of compatibility. You want your 10 year old applications to run on today's OS ? That means 10 year old malicious code will run as well.
Microsoft's security model PREFERS for you to run ADDITIONAL 3rd party software because the OS itself does not (without massive amounts of work and testing on the part of the HIGHLY TRAINED administrator) provide any way of stopping viruses, worms, trojans, spyware, etc.
Oh, bullshit. The vast majority of problems in running as a non-Admin in Windows are the responsibility of *application developers*, not Microsoft.
So Microsoft lied when it said that Internet Explorer was part of Windows?
No.
Also, if executables aren't compatible across systems, doesn't that mean that Linux is not a monoculture?
I have already explained how Linux is enough of a monoculture. Applications standard to just about every unix machine on Earth provide more than enough functionality for malware.
Also, do you have any real evidence that Linux users would act this way, or are you merely extrapolating from Windows users?
Users do silly things. The platform they choose to do them on is but a minor detail. Linux will not magically make people stop doing silly things.
No. The shell script they received in an email and executed would.
It may be possible to get unsuspecting users to compile programs, but why bother? Why not just have them load the executable instead?
Because the executable might not be compatible across systems.
Again, the same with sendmail and such. Would these users run mail servers (as opposed to clients)?
Most unix systems have a mailserver running to handle local mail delivery, even if the end user never knows about it nor deliberately enables it.
Sendmail - or equivalent - is the rough unix equivalent to those MAPI APIs that allow Windows applications to send mail.
As for the naivete of the users, doesn't Linux have better separation between regular users and root?
It's irrelevant. You don't need root access to do just about everything malware wants to do. Most malware/today/ breaks with a regular user account because it is written under the assumption the user is running as Administrator. However, higher privileges are rarely a functional requirement - expect to see more malware in the future start working under regular user accounts.
Not that root access is particularly hard for a program to obtain with the fancy new GUI sudo programs that get around these days conditioning users into typing in their password whenever a box pops up. Just raise a password request with a vaguely authentic sounding reason and voila, you've got root.
If Linux develops Microsoft levels of market share, more experienced users will have to warn newer users about such issues.
Pffft. "More experienced users" rarely deign to try and impart wisdom _today_, let alone in the future when they're even more outnumbered.
Your inherent assumptions that regular users will be prepared to listen, or that the "advice" will come in an understandable form, is also rather optimistic.
Maybe what malware needs more than scripting languages are mail clients and browsers that have deep hooks in the OS. Linux doesn't have these.
These "hooks" are no "deeper" in Windows than they are in any other OS.
And how many vulnerabilities do perl, bash, gcc, etc have? Also, even here one has alternatives (python vs. perl, zsh vs. bash). And what is the level that matters? Does Microsoft Windows need these to attract malware?
You miss the point. It's not the vulnerabilities, it's what all those tools allow you to do. There's more than enough capabilities - just from the basic tools installed on nearly every unix box you'll ever use - to do the things most pieces of malware want to do.
When you say sendmail (or equivalent), do you know if other mail servers would share sendmail's vulnerabilities, if any?
Nope, but I bet they've nearly all got a sendmail-compatible mode for $PROGRAM to generate and set a shitload of emails.
Even if gcc has no alternatives (is the kernel ANSI compliant?), is it the sort of thing that script kiddies could exploit?
It makes it pretty easy to get whatever software you want running on the machine.
Software vulnerabilities are not the primary problem - on all platforms they're relatively uncommon (particularly remote exploits). The biggest problem is end users, and their penchant for doing anything a random email or web page asks them to do so they can get at teh free b00bies. This is the point I was trying to make - from the perspective of end users running "stuff", linux (indeed, unix in general) is more than homogenous enough.
The purpose of the GPL is to ensure that the code will always be open.
No, the purpose of the GPL is to ensure *other people's* code gets GPLed when it touches yours. The GPL is not about *your* code, it's about *other people's code*.
The LGPL is about *your code*.
The purpose of the BSD license is to ensure the authors are given proper credit, not necessarily to keep the code open.
Any code that is released under the BSD remains open. Derivatives of that code, however, may not.
The GPL motivates development because DEVELOPERS are enticed by the idea that derivatives of their code will REMAIN open, and that their projects will flourish.
Unless you subscribe to the loony definition of "derivative code" that RMS does, the GPL encompasses a hell of a lot more than "derivatives of their code".
I've seen a bunch of projects that chose to go with the BSD style licence and it's bit them in the ass. People are using their code left and right, but hardly anyone is contributing back since they don't have to.
If this is/really/ "biting them in the ass", and not just something they expected, but you happen to find personally disagreeable, then the people in those projects deserve every bit of pain they receive. The whole *point* of the BSD license is so derivative code remains under the control of the people writing it.
they really aren't as stupid as we accuse them of being
Yes, they are. A depressingly large amount of malware requires the user to do something stupid - or at the very least questionable - before it can get onto the computer.
I have programs I like to use in Windows I've actually begun to offset by creating my own similar linux functionality (thank Goodness I can code) just because I can't stand the 15 minute preamble to getting up and running in Windows.
I'm having difficulting conceiving WTF you could possibly be doing in Windows that requires 15 minutes of rebooting just to get started.
[...] it's that Linux itself is not a monoculture.
It is at the level that matters for this sort of thing. How many Linux machines do you see without perl, bash, sendmail (or equivalent), etc installed ? Heck, it's not often you find a Linux machine without gcc installed.
Unreal Tournament 2004 can't save your info for single player unless you are in admin mode, and pretty much any other game that saves progress. And you can't download patches for MMORPGs without running them in admin mode. (At least they have a run as option so I can just run those few things as admin)
A safer way (at least with regards to saving, may not work for patching) is to find the files/directory the games try to write to that they shouldn't be (will probably be in the program's directory) and make them writable by your user. That way you can still run the game as a regular user and not worry about any network related exploits in that game making your whole system vulnerable.
You should also file a big report with any developer stupid enough to write their software such that day-to-day usage requires writing to files outside the user's home directory.
While doing that, I accidentally clicked on a certain part of the web page. Bingo slammo, my system was infected with spyware, this nasty Aurora and nail.exe [netrn.net]
Your biggest mistake is running as an admin and not a regular user.
Your other mistake was using IE for something other than Windows Update.
What do they give you that the registry does not ?
You just wrote three sentences (and that's disregarding the prior post) explicitly implying IE is "tied to the kernel".
NTFS indexes attributes (ie: metadata).
If there was business in it, this wouldn't matter.
Why do so many Microsoft fanboys have such a poor grasp of the law?
I have quite a good grasp of the law. What I lack is a belief it is infallible.
And the answer, of course, is anything they want - because otherwise those computers wouldn't be very useful.
"Silly" - like "malicious" - is a matter of context. Computers aren't very good with determining context.
Also, on your previous claim that script kiddies will try to get users to compile executables, good luck trying to resolve the library dependencies (or will the script kiddies include their own libraries?).
I made no such claim.
And you really have not explained how they will exploit the rich scripting/programming environment of Linuz.
Much the same way they do on any other platform.
Firewalls have nothing to do with processes running on computers. They are for filtering network packets.
The right way to solve the problem of rejecting incoming and outgoing requests is to make it easy to see which processes are accepting and making connections on which port.s
No, this is the right way of identifying which processes are sending and receiving information, not whether or not those packets are getting to and from the mahcine.
If there was business in it they _would_ have continued.
Why do so many Linux zealots have such a poor grasp of economics ?
NTFS had this in 1993. Even earlier, if you want to go from when it was designed/implemented rather than when it was publically available.
There's very little - if anything - BeFS was capable of that NTFS wasn't back in 1993.
The problem is that just as Microsoft takes Apples ideas [...]
Are you able to conceive of two (or more) entities idependently coming up with the same idea ?
In fact IE was mostly rewritten by version 3, and the "innovation" was making it an embeddable, reusable "library" rather than a standalone application.
Except the versions of IE that took over Navigator's market share - at the time they did so - were only available via download, not bundled with the OS.
IE killed Navigator because it was better. More people wanted to use it. Fewer people wanted to use Navigator. Netscape chose to stop trying to improve their product and paid the price.
What "technical innovations" are you thinking of ?
What's your definition of "innovation" ? Name "5 innovations" on some other platforms.
What "problems" are you thinking of ?
I still have to ensure that the DAILY anti-virus/anti-spyware downloads happen.
Maybe you should embrace some basic security principles then.
The same virus that was known to infect Win98 ... will STILL infect Win2003.
THAT is the problem.
No, it's the price of compatibility. You want your 10 year old applications to run on today's OS ? That means 10 year old malicious code will run as well.
Microsoft's security model PREFERS for you to run ADDITIONAL 3rd party software because the OS itself does not (without massive amounts of work and testing on the part of the HIGHLY TRAINED administrator) provide any way of stopping viruses, worms, trojans, spyware, etc.
Oh, bullshit. The vast majority of problems in running as a non-Admin in Windows are the responsibility of *application developers*, not Microsoft.
No.
Also, if executables aren't compatible across systems, doesn't that mean that Linux is not a monoculture?
I have already explained how Linux is enough of a monoculture. Applications standard to just about every unix machine on Earth provide more than enough functionality for malware.
Also, do you have any real evidence that Linux users would act this way, or are you merely extrapolating from Windows users?
Users do silly things. The platform they choose to do them on is but a minor detail. Linux will not magically make people stop doing silly things.
No. The shell script they received in an email and executed would.
It may be possible to get unsuspecting users to compile programs, but why bother? Why not just have them load the executable instead?
Because the executable might not be compatible across systems.
Again, the same with sendmail and such. Would these users run mail servers (as opposed to clients)?
Most unix systems have a mailserver running to handle local mail delivery, even if the end user never knows about it nor deliberately enables it.
Sendmail - or equivalent - is the rough unix equivalent to those MAPI APIs that allow Windows applications to send mail.
As for the naivete of the users, doesn't Linux have better separation between regular users and root?
It's irrelevant. You don't need root access to do just about everything malware wants to do. Most malware /today/ breaks with a regular user account because it is written under the assumption the user is running as Administrator. However, higher privileges are rarely a functional requirement - expect to see more malware in the future start working under regular user accounts.
Not that root access is particularly hard for a program to obtain with the fancy new GUI sudo programs that get around these days conditioning users into typing in their password whenever a box pops up. Just raise a password request with a vaguely authentic sounding reason and voila, you've got root.
If Linux develops Microsoft levels of market share, more experienced users will have to warn newer users about such issues.
Pffft. "More experienced users" rarely deign to try and impart wisdom _today_, let alone in the future when they're even more outnumbered.
Your inherent assumptions that regular users will be prepared to listen, or that the "advice" will come in an understandable form, is also rather optimistic.
Maybe what malware needs more than scripting languages are mail clients and browsers that have deep hooks in the OS. Linux doesn't have these.
These "hooks" are no "deeper" in Windows than they are in any other OS.
You miss the point. It's not the vulnerabilities, it's what all those tools allow you to do. There's more than enough capabilities - just from the basic tools installed on nearly every unix box you'll ever use - to do the things most pieces of malware want to do.
When you say sendmail (or equivalent), do you know if other mail servers would share sendmail's vulnerabilities, if any?
Nope, but I bet they've nearly all got a sendmail-compatible mode for $PROGRAM to generate and set a shitload of emails.
Even if gcc has no alternatives (is the kernel ANSI compliant?), is it the sort of thing that script kiddies could exploit?
It makes it pretty easy to get whatever software you want running on the machine.
Software vulnerabilities are not the primary problem - on all platforms they're relatively uncommon (particularly remote exploits). The biggest problem is end users, and their penchant for doing anything a random email or web page asks them to do so they can get at teh free b00bies. This is the point I was trying to make - from the perspective of end users running "stuff", linux (indeed, unix in general) is more than homogenous enough.
No, the purpose of the GPL is to ensure *other people's* code gets GPLed when it touches yours. The GPL is not about *your* code, it's about *other people's code*.
The LGPL is about *your code*.
The purpose of the BSD license is to ensure the authors are given proper credit, not necessarily to keep the code open.
Any code that is released under the BSD remains open. Derivatives of that code, however, may not.
Unless you subscribe to the loony definition of "derivative code" that RMS does, the GPL encompasses a hell of a lot more than "derivatives of their code".
If this is /really/ "biting them in the ass", and not just something they expected, but you happen to find personally disagreeable, then the people in those projects deserve every bit of pain they receive. The whole *point* of the BSD license is so derivative code remains under the control of the people writing it.
Yes, they are. A depressingly large amount of malware requires the user to do something stupid - or at the very least questionable - before it can get onto the computer.
I have programs I like to use in Windows I've actually begun to offset by creating my own similar linux functionality (thank Goodness I can code) just because I can't stand the 15 minute preamble to getting up and running in Windows.
I'm having difficulting conceiving WTF you could possibly be doing in Windows that requires 15 minutes of rebooting just to get started.
Windows doesn't REQUIRE you to either - I've been running as a regular user in Windows for nearly 10 years now - it just defaults to it.
It is at the level that matters for this sort of thing. How many Linux machines do you see without perl, bash, sendmail (or equivalent), etc installed ? Heck, it's not often you find a Linux machine without gcc installed.
A safer way (at least with regards to saving, may not work for patching) is to find the files/directory the games try to write to that they shouldn't be (will probably be in the program's directory) and make them writable by your user. That way you can still run the game as a regular user and not worry about any network related exploits in that game making your whole system vulnerable.
You should also file a big report with any developer stupid enough to write their software such that day-to-day usage requires writing to files outside the user's home directory.
Your biggest mistake is running as an admin and not a regular user.
Your other mistake was using IE for something other than Windows Update.