Viruses and Market Dominance - Myth or Fact?
rocketjam writes "An article at The Register, authored by Scott Granneman of SecurityFocus, examines the conventional wisdom that if Linux or Mac OS X were as popular as Windows, there would be just as many viruses written for those platforms. Mr. Granneman bluntly says this is wrong, then proceeds to detail the fundamental differences between those OS's and Windows which make Windows an easy and inviting target for virus-writers, as opposed to the Unix-based platforms."
What about r00tkits? (Score:3, Interesting)
What about root kits? I would consider that a virus, not technically speaking, but it's still along the same lines.
yes, but the effect might be different (Score:5, Interesting)
his worst argument... (Score:3, Interesting)
And the network effect he mentions is really just a more sophisticated version of the "everybody uses Windows" argument he disparages.
I'm not qualified to comment on his technical arguments...
Well, he bluntly says it's wrong... (Score:1, Interesting)
Missing the point? (Score:3, Interesting)
Yes, if Linux _in its current form_ was as common as Windows, it would be much more secure. But we might as well wish for green eggs & ham
Re:yes, but the effect might be different (Score:5, Interesting)
Symantec Makes It Worse (Score:2, Interesting)
Give them a call and tell them how you feel.
1-408-253-9600. Hit 3, and then ask to speak to a senior supervisor.
Re:Linux Is Getting There, too! (Score:5, Interesting)
No.
The very fact that Unix-like OSs have a concept of a "root" account (which the Windows "equivalent", "administrator", does not even come CLOSE to matching in terms of actual separation of permissions), makes it all but invincible to virii.
Yes, if Linux becomes popular enough for virus authors to target it, we'll see a round of trojans using root exploits - But unlike Windows exploits, very few of these exist to start with, and they will (and do) get fixed within a few hours of discovery.
Actually, for that reason, I think more Linux virii would help Linux security overall, as it would expose those root exploits faster than we can discover them normally. Yeah, a few boxes would suffer, but the community as a whole would benefit.
How MS does "security" in Outlook (Score:1, Interesting)
MS added this feature to Outlook 2002, but you get it together with the famous "activation" which is there not "to protect piracy", but to make you pay for a new Office each time you change machine (since activation IS bound to the hardware)! Talk about MS tax.
Re:Linux Is Getting There, too! (Score:2, Interesting)
Ditto.
His argument boiled down to: Linux is more secure because it is harder to deal with. By harder, I mean more steps (save, chmod, etc).
There are plenty of linux servers out there right now that have been 0wn3d by nefarious types, to do their bidding. spamhaus.inc doesn't just 0wn windows servers to do their bidding. But that is not a convenient argument, so I guess we shouldn't go there.
This seems very naive (Score:5, Interesting)
_Really_ think about this one. In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic. Installing apps should be relatively simple as well. Look at Lindows! You run as root. Tie that in with a couple of "intuitive" features in a mail client, and you have a handful of rootkit'ed machines.
Plus, what if everyone magically rolled to Redhat 7.3 when it came out, ditching Windows altogether? Since then, we've had two SSH vulnerabilities. Sure, those using Linux applied the necessary patches / updates and we're all safe again... probably within minutes.
But "Regular User Guy" won't apply that patch. Multiply that by a million users. Now you have millions of machines out there running a rootable linux box.
OSes will have vulnerabilities. They need to be patched. It ALWAYS comes down to the user. Will Linux be 'safer' than Windows (i.e. fewer vulnerabilities / worms)? Possibly. But it certainly has nothing to do with its difficulty to become root or inconveniences of a mail application.
Re:his worst argument... (Score:3, Interesting)
So you're saying that Linux should make it easier for users to run scripts and executables they receive in the mail?
TheFrood
Re:Windows viruses and GNU/Linux (Score:5, Interesting)
The platform isn't the issue. RMS said that Free Software developers seem to do a better job. This may be because of peer review, or even the threat of peer review etc.
Ciaran O'Riordan
Some early viruses ran only on UNIX! (Score:3, Interesting)
The part I find ironic about this article (most of which I agree with) is that some of the world's first viruses were written for, and designed to run on, UNIX.
At least the early work by Dr. Fred Cohen [all.net] was certainly done on a variety of boxes, and UNIX figured prominently.
The shell viruses were particularly interesting to me.
His book A Short Course in Computer Viruses, ASP Press (1991) is a fantastic read, even for its age.
Re:his worst argument... (Score:3, Interesting)
Some people say that number of virii per platform will be roughly equivalent to that platform's marketshare. They are wrong. Windows is different to the other platforms because:
1) On Windows, applications share architecture making cross-contamination easier.
2) On other platforms, there are more steps to perform to accomplish simple tasks than on Windows (implying that users really need to work at it to get infected).
3) On Windows platforms, most people run with admin rights because that's the default.
4) On Linux, most people don't because they're smart.
I have to say that I am an OSS advocate and Linux user, but I disagreed with almost everything this person says. To take his points on two basic levels:
1) The fact that 'consumer' applications and operating system are largely lumped together conceptually by users on Windows platforms is something the Linux community aspires to, not their key differentiator.
2) The idea that 'most' linux users don't run as root/admin, and 'most' Windows users do is not related to the operating system at all, but to the level of knowledge of each platform's user base. If Linux were to reach the unwashed masses' desktops then most there would either run as root, or have a very simple one-click method to run things as root (i.e. to install stuff).
At the end of the day the social engineering of a trojan/virus on a linux box comes down to nothing more than writing a "hey check out this screensaver" perl script with an ascii encoded payload which prompts for the root password "to install it". Bada-boom, 'one-click' linux infection for the masses.
Re:his worst argument... (Score:3, Interesting)
Sounds like Lindows...
Re:What about r00tkits? (Score:5, Interesting)
Even if you think that one-click installs are necessary, take a look at MacOS. It allows for one-click installs, but if the program is going to change OS code/settings, then you are warned about it and prompted for a password (a la sudo.) Of course the MS-programming-kernel that used to be your brain will probably respond that having to put in a password makes the OS "broken"
Imagine some software engineer saying "hey you know what would make things really easy for our users, if we could remotely take control of their computers, install patches/extensions, and optimize some of their hardware settings." There you go. That could make installing/setting up/maintaining complex software so much easier, right? Hey there are some really obvious security implications, but easier is always better right?
Re:yes, but the effect might be different (Score:2, Interesting)
The ONLY reason that Linux has fewer viruses (Score:2, Interesting)
J/K
It is an interesting point that the author inadvertently brings up: As Linux becomes more tolerable to the masses, security is likely to suffer. Or, as security suffers, Linux will become more tolerable to the masses.
Most users will point to the new shiny things on their desktop and go 'Looky at what I can do!!'. Security takes a far second even if they are aware of the problem.
Making things hard to do is not the answer. Making things easy to accomplish while maintaining some semblance of security would seem the desirable path. I understand this can be a difficult proposition but trying to leverage the user's ignorance to form some sort of security model is just plain counterproductive.
I think this article points out a shortcoming in the Ease Of Use dept. The rest wouldn't appear all that insightful.
Re:40 Mac Viruses (Score:3, Interesting)
Re:his worst argument... (Score:3, Interesting)
Analogous claim:
You are less likely to get food poisoning from home-cooking than eating in a restaurant.
Analogous argument:
It is more difficult to prepare a meal at home than to order one in a restaurant, therefore you are less likely to do it, and therefore less likely to get food-poisoning.
My response (to both the article's and the analogous argument):
I agree with the claim, but the fact that something is more difficult is not always a positive feature that is fundamental to that thing. By learning to cook or hiring a chef, home-cooked meals become easier. And by Linux software maturing beyond nerd-oriented "mail readers" into productivity suites that normal people will actually use (wherein you CAN actually click on something to run it without jumping through hoops with temp folders, chmods, and sus), so will Linux begin to fall victim to the same ease-of-use that the author holds in his crosshairs.
Re:interesting (Score:5, Interesting)
I suspect that the commercial implications are minimal at least for a year or three. For a start, a lot of IT decision makers, i.e. accountants and people who have been promoted from middle management with little technical ability will still swallow MS's bullshit. They will also buy Server 2003, optimistically believing that it will cure all the problems of Server 2000 in the same way they believed 2000 would cure the problems of NT.
For an example cop this survey [theregister.co.uk]. It apparently shows that Europe's IT directors place consistency higher than security and reliability, and the human tendency to submit to fear and one's own insecurity rather than to break ranks and try something new will lead a lot of people who have no real faith in their own abilities to stick with what they know, i.e. Windows, regardless of how shit it may be, how many viruses it catches, how many customers' credit card numbers get stolen etc.. They crave stability even if what they have is flawed, at least they know where the buttons are.
In all honesty, I don't see single OS networks as being a good idea regardless of what you're using. There are millions of lines of code in a modern OS and it only takes one cock-up to open a crack through which it can be broken. A lesson in genetics suggests that diversity gives you the best hope of survival when under attack or it can at least slow the attacker as they, or their virus, try to find vulnerabilities in each system. The only way that will be achieved is by opening file formats so that all platforms can exchange data with 100% transparency. This will also create a truly free market causing companies to develop software based on quality, performance, security and reliability rather than how pretty the GUI is and how clever this year's bunch of graduate marketing twats are. The obvious side effect is the breaking of MS's monopoly and the burgeoning of a new software market that will develop ports and alternatives to existing "industry standard" stuff like AutoCad. Proprietary software companies fear this the most as they will then have to wrestle with real competition.
I still think that Linux, BSD and Mac are inherently more secure and better coded than Windows though. I also suspect the rot is so deeply set into MS stuff (with a 20 year legacy of putting eye candy before security) that they will never sort it out without a ground up rewrite, something they will not do unless forced to.
Linux developers on the other hand have given security a starring role since day one and even though there are bound to be flaws they're fixed in short time by developers who don't spend the first week denying a problem exists. It's free, it does what I need and its users give a shit. What more can I ask for.
OS X Administrator != root (Score:4, Interesting)
Re:yes, but the effect might be different (Score:2, Interesting)
This is exactly what the article seems to be saying -- the author is trying to make lemonade out of lemons that a lack of functionality entails.
This article is generally clueless, and often contradictory, claptrap. It's hardly surprising that it was "published" on the Register. Let me summarize the article:
-Linux is more secure because it has less features, forcing the user through more steps to accomplish what they are trying to do, thereby weeding out the clueless.
-Linux is more secure because most clueful admins run as non-root, while most Windows boxes run as admins. Of course when user friendliness comes into play, users end up running as root too (Lindows).
-Windows sucks because it pushes code and component reuse, such as the use of Internet Explorer as the HTML rendering engine in Outlook and Outlook Express. This is unlike Linux, oh except for Konqueror and Mozilla that both use modern software reuse, but they're better anyways.
What is the point of this article? If he simply wants to say "Linux users in general are more clueful", or "lack of features keep out the clueless", or "Linux software is just written better", then he could just say that. Instead it's some ramblings that don't add up. Real security is something like the sandboxed Java or
Re:whatever (Score:2, Interesting)
Re:I hate this argument. (Score:3, Interesting)
Since this article is about the spread of virii on popular systems, let's consider for the moment how most people use computers. Most people have one computer to themselves. They will set up an account for themselves, and probably their entire family uses that one account. They store a year's worth of data on it, and then a virus comes along. Now, you are saying, well, it's only limited to the one account. For most people, this is everything. The OS can be reinstalled. Everything is reproducible, *except* for the data in the user's home directory. And this is precisely the stuff the virii will delete.
Now, consider the action of spreading. What about being an unprivileged user stops the spreading of the virii? Blocking of ports below 1024? Doesn't affect sending an email to everyone on the address book.
The guy also talks about how the lack of a dominant monoculture means virii will never spread under linux (despite the argument being that when Linux is dominant, virii still won't spread). Intel vs AMD vs alpha vs MIPS, whether the user uses mozilla or kmail. Well, consider that when Linux is popular, most people will settle on the program that gets set up by default on the default desktop, using the most popular distribution. We don't see a monoculture *today*, because most Linux users use what they prefer, not what comes by default. Oh, and of course, on an Intel box.
Re:his worst argument... (Score:2, Interesting)
People keep saying this, but it totally ignores all of the escalation of privilege bugs that are floating around. See for example here [securiteam.com] for a recent example on OS X.
If an ordinary UNIX user can be tricked into running a program, that program can then look for one of the hundreds of common bugs that allow escalation of privilege, and then install itself as root. This can be prevented by keeping current on your patches, and being careful about your configurations, but then you can keep a Windows box relatively secure by the same process. The trouble is that it's a lot of work and seems to be beyond the resources of most casual users regardless of which OS they use.
Re:What about r00tkits? (Score:5, Interesting)
[scoff!]
You think the reason car thieves haven't taken advantage of weaknesses in remote unlock systems is because they're so well designed? Think again, man. The reason no one's making black-market code-grabbers for remote door lock systems is because the slim-jim class of opening tools still work. There's no reason to attempt to exploit a complicated electronic system on the front door when the back door is secured with a plastic padlock labeled "do not cut off this padlock"! If you ask me, Windows is just like cars. They add on all sorts of fancy things but don't fix the security holes that are already there.
Re:What about r00tkits? (Score:3, Interesting)
Let me break it down to you:
a trojan horse is code you run on your computer that doesn't do what you thought it did. In my opinion, these are mostly user stupidity.
a virus is code being injected into a program you run normally. How it gets there is not really part of 'viral activity'. Technically, we have very few virii left these days, most fall into the trojan horse category. Virii were especially popular back in the days of DOS, when modifying a file was rather easier than trying to hide it somewhere (just cause back then you had 3 files on a 5.25" floppy and a fourth file named "DOSKill.com" would arouse suspicion). (Now, people just go ahead and hide a file deep inside the windows directory.)
Worms on the other hand are completely external attacks. They propagate themselves without needing user help. Rootkits are 'manual worms'. Worms only work because of security flaws.
That's the main difference: virii can infect *any* system, so long as the user acts stupid enough. Worms can *only* infect systems which have flaws.
As far as I'm concerned virii are user responsibility. I've never been infected with a virus or trojan horse (mainly because I never run as admin), and really a system is not really at fault if it gets a virus infection. It certainly can't be considered at fault for "making a virus writers job easier" by having easier APIs. After all, one of the ten security commandments is: If your enemy gets you to run code on your computer, it's not your computer anymore.
Re:What about r00tkits? (Score:3, Interesting)
software installation isn't a daily chore.
That some software you talk about unfortunately sucks, and should be pressured (by voting with dollars, or by complaining) to be fixed. Blaming the OS is not the solution. Said software would run improperly on any system that has a security subsystem.
PS. as much as it is a PITA for me to run as non admin too, I do get by. Here's two pieces of advice:
Shift right clicking on an executable will allow you to "Run As...". You can't complain about that because it's basically the equivalent of typing su in *nix and then typing your password. And with WindowsXP they've even made it intelligent enough that the interactive user's environment is loaded.
Also, the only time you really do need to run as power user or admin is if you want to attach debuggers to other processes. Now, I think it's not well known by most people, but in WinXP, you still have the plain vanilla user management MMC. By default now, users are in the Users group (whereas in NT/2k they were in Power Users). You can always add users to the power user group in XP. You can also grant SE_DEBUG_PRIVILEGE manually to a user group via the security policy manager.
Last point is loading device drivers. Again only Power Users and up can do that... and you can make yourself a power user, but you should realize you are basically allowing any code to tamper with your kernel by having this privilege - use at your own discretion. Again, normal programs shouldn't have to load device drivers. The only real annoying thing I've seen is software that requires dongles... But even then, they generally run a separate service with a different user credential that is in charge of loading the DevDriv.
All in all, really, there is absolutely no excuse for running as admin.
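The comment above lists three things a Windows user should know about their own account before deciding whether "running as admin" is really necessary: whether the session is elevated, which built-in group (Users, Power Users, Administrators) the account sits in, and whether the token carries the privileges that amount to kernel control (debugging other processes, loading drivers). The following PowerShell script is an added, read-only audit that answers those questions for the current session; it is not code from the thread or from any poster. It assumes Windows PowerShell 5.1 or later, a UAC-era Windows (Vista and up, so that an admin's filtered token reports as non-elevated), and an English locale, because it parses the "Enabled"/"Disabled" column of `whoami /priv`. The well-known SIDs for the built-in groups are real; the list of privileges it flags as sensitive is this example's own choice.

```powershell
# Added example (not from the thread): audit the current session's privilege
# level without changing anything. Assumes Windows PowerShell 5.1+, UAC, and an
# English locale for the whoami /priv state column.

function Test-IsElevated {
    # Under UAC an administrator's normal token has the Administrators SID marked
    # "deny only", so IsInRole returns $false until the process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-BuiltinGroupMembership {
    # Well-known SIDs of the local groups the comment discusses.
    $groups = [ordered]@{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-547' = 'Power Users'
        'S-1-5-32-545' = 'Users'
    }
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    foreach ($sid in $groups.Keys) {
        $sidObject = New-Object Security.Principal.SecurityIdentifier($sid)
        [pscustomobject]@{
            Group  = $groups[$sid]
            Member = $principal.IsInRole($sidObject)
        }
    }
}

function Get-TokenPrivileges {
    # whoami /priv prints a table of privilege name, description and state.
    # Keep only the data rows and split them into name + state.
    whoami /priv | ForEach-Object {
        if ($_ -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
            [pscustomobject]@{ Privilege = $Matches[1]; State = $Matches[2] }
        }
    }
}

function Invoke-PrivilegeAudit {
    # Privileges that let a process reach into other processes or the kernel.
    # SeDebugPrivilege and SeLoadDriverPrivilege are the two the comment names;
    # the others are this example's additions (all are real Windows privileges).
    $sensitive = @('SeDebugPrivilege', 'SeLoadDriverPrivilege',
                   'SeTcbPrivilege', 'SeTakeOwnershipPrivilege')

    $elevated = Test-IsElevated
    $held     = Get-TokenPrivileges | Where-Object { $sensitive -contains $_.Privilege }

    "Session elevated (Administrators SID usable in this token): $elevated"
    ""
    "Built-in group membership:"
    Get-BuiltinGroupMembership | Format-Table -AutoSize | Out-String

    if ($held) {
        # A "Disabled" privilege is still present in the token; any process
        # running as this user can switch it on for itself, so treat both
        # states as "this account can do it".
        "Sensitive privileges present in this token (Disabled ones can be enabled by any process you run):"
        $held | Format-Table -AutoSize | Out-String
    } else {
        "No sensitive privileges in this token: this is what a plain Users-group account looks like."
    }
}

Invoke-PrivilegeAudit
```

Run it from an ordinary (non-elevated) PowerShell window first, then from one started with `Start-Process powershell -Verb RunAs` (the command-line form of the shift-right-click "Run As..." the comment describes): the second run is the one that should show `SeDebugPrivilege` and `SeLoadDriverPrivilege`, which is the concrete reason to keep day-to-day work in the first kind of window.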
Re:Operating System bugs vs Application level bugs (Score:2, Interesting)
I'm not so sure. Lots of errors are introduced simply because programmers write too much new code. Programming as it is done today is not a branch of engineering, it's a craft. One way to industrialize programming would be to go the same way as say civil engineering.
A civil engineer doesn't design new building elements each time she designs a new structure. Buildings and bridges are constructed from standardized elements with known characteristics and which can be manufactured efficiently and with high quality.
Doing the same in programming would perhaps be along the lines of using higher level languages for application development, using real, standardized component frameworks with immutable components and perhaps use a bit of computer science and make (mathematically) sure that what we do will work.
All this will limit the flexibility that e.g. coding everything from scratch in C will give, but it could also help reducing the number of defects in common software. Bottom line is: if we want to be an industry, we better start behaving like one!
Re:interesting (Score:2, Interesting)