Forgot your password?
typodupeerror
Security Software Linux

UNIX Security: Don't Believe the Truth? 520

Posted by Hemos
from the the-flame-war-begins dept.
OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"
This discussion has been archived. No new comments can be posted.

UNIX Security: Don't Believe the Truth?

Comments Filter:
  • Backup (Score:4, Insightful)

    by biocute (936687) on Monday February 06, 2006 @01:08PM (#14651586) Homepage
    So if an OS is to make a daily backup of user's home directory (or My Documents) automatically and locks it away (until emergency) from user access, it might just win the heart of users.
    • Re:Backup (Score:5, Insightful)

      by RailGunner (554645) * on Monday February 06, 2006 @01:13PM (#14651632) Journal
      So if an OS is to make a daily backup

      Google "How to use cron".

      The OS already can be set up to do this. The premise of the article is flawed; and based on a premise that I reject. Chances are, if you're smart enough to run Linux, then you're probably smart enough to backup your important files.

      Plus, given the author's scenario - let's flip it around: A Windows virus can bork your data and your OS. At least with UNIX, backups notwithstanding, the OS is still there and you'd have a much better chance at recovering your data than you would with Windows.

      Mod article -1, Flamebait.

      • Plus, given the author's scenario - let's flip it around: A Windows virus can bork your data and your OS. At least with UNIX, backups notwithstanding, the OS is still there and you'd have a much better chance at recovering your data than you would with Windows. I fully agree with you. I just had one virus basically roach a friend's laptop. The virus attached itself to EVERY executable image on the hard drive. I had to wipe the programs ( Adaware, Spy Bot, or Avast could not remove the virus and all rec
        • Re:Backup (Score:5, Informative)

          by pmjordan (745016) on Monday February 06, 2006 @01:56PM (#14652158)
          What I continually fail to understand is why everyone I know logs in as an Administrator under Windows, even after falling victim to a virus, spyware, etc. I don't necessarily mean the account with that name, having a personal user in that group amounts to the same thing.

          I'm a fulltime Linux user (4 years on the desktop, 7 years otherwise, so no veteran, and no newbie either) and I'd never even consider using logging in as root for any activities that aren't associated with system administration. (guess where "Administrator" comes from) Typing in the root password to install software isn't something I'd call a nuisance or even mildly irritating.

          The same thing is of course possible under Windows: Make your main login a 'Power User', or if you feel that's not safe enough, put it in a group with the same policies as the 'Users' group and slowly increase its permissions until you can work productively. (there are problems with debugging code and other niggles by default) Recent versions of Windows will prompt you for an Admin password for stuff your user isn't allowed to touch, although in some cases you have to explicitly right-click the link/executable and select 'run as'. I think there even are some utilities around to make the process even less painful.

          If you're doing extensive admin stuff, you can also log in as an Admin explicitly of course, and since XP you can switch between users quite easily without logging out.

          It always astounds me how incredibly adverse peoples' reactions are to this suggestion. Sure, it doesn't provide absolute security (ActiveX springs to mind) but that, together with frequent Windows Updates, an enabled WinXP SP2 firewall, and not using IE, I can't imagine you'll have a problem. You might be able to lose some data if you catch a virus, but you're very, very unlikely to bone your system. I do occasionally boot into Windows to play games (Cedega doesn't really work on ATI graphics cards) and I've never caught a virus or spyware, and I don't have an antivirus program installed, as they slow the system down to an infuriating degree IMO.

          ~phil
          • by khasim (1285) <brandioch.conner@gmail.com> on Monday February 06, 2006 @02:12PM (#14652347)
            What I continually fail to understand is why everyone I know logs in as an Administrator under Windows, even after falling victim to a virus, spyware, etc. I don't necessarily mean the account with that name, having a personal user in that group amounts to the same thing.
            Because too many apps have problems when run by a non-admin.

            This isn't necessarily the fault of Windows ... although Microsoft is one of the prime offenders with IE and MSOffice and so forth.
            The same thing is of course possible under Windows: Make your main login a 'Power User', or if you feel that's not safe enough, put it in a group with the same policies as the 'Users' group and slowly increase its permissions until you can work productively.
            Yep. It is possible. But it is more work than the average Windows user will want to put into it.

            And that is only because the FIRST step is learning enough about the system to know that there is a problem. It's easy for most of us who spend time and read /., but for others, they aren't even aware that there is a problem.
          • Re:Backup (Score:5, Informative)

            by Scoth (879800) on Monday February 06, 2006 @02:25PM (#14652488)
            I recently had to flatten a friend's box and do a restore as it had a similar situation to a previous post - literally every executable on the system was infected with something. I set him up with all the usual security software, got it running, and then switched his user to Limited, made sure his business software still worked properly, and let him run. A week later he calls me back and tells me he's having more problems, and when I go back I find out he's put a virus'd exe attachment on the desktop from his e-mail and used the Run As to run it as the Admin.

            My point about all this is no amount of security or proper setup will prevent stupidity. Although this is a case where Linux/UNIX would suffer from the same problem. Social Engineering is still the greatest exploit out there, for any OS.
          • Re:Backup (Score:3, Insightful)

            by Coryoth (254751)
            What I continually fail to understand is why everyone I know logs in as an Administrator under Windows

            The same reason that Linux users don't have reasonably strict SELinux policies in place on their machines - a lot of applications are still stuck in the older model and don't play nice with Windows if you aren't the Adminstrator, or Linux if you try and confine their access to reasonable least privilege. What I find interesting is that both Linux and Windows have this issue but people keep ignoring the Linu
          • "What I continually fail to understand is why everyone I know logs in as an Administrator under Windows, even after falling victim to a virus, spyware, etc.

            I hear this a lot, but there's actually a pretty good reason. Windows feels restrictive as a normal user, because its filesystem and registry permissions are so haphazard. Many programs won't even run in a non-admin account at all. UNIX is designed to make the user feel quite unrestricted as a normal user, and conventions like sudoers take this princip

      • Re:Backup (Score:5, Funny)

        by MandoSKippy (708601) on Monday February 06, 2006 @01:39PM (#14651950)
        My grandmother would like to know what this "cron" you speak of is... it sounds like a old science fiction movie, but she can't figure out the connection between movies and backups....
      • Re:Backup (Score:3, Insightful)

        by ltwally (313043)

        "Chances are, if you're smart enough to run Linux, then you're probably smart enough to backup your important files."

        That's rather presumptuous, isn't it? Not everyone that installs linux on their pc is automatically a linux-nerd... In fact, these days, there are probably just as many people running linux that wouldn't be able to set up a cron script to backup their stuff. The vast majority of linux users that I've known were not professional admins, and would never have had the patience to install lin

      • by autopr0n (534291) on Monday February 06, 2006 @01:53PM (#14652114) Homepage Journal
        Windows does have a fairly intricate permission system, and you can setup non-administrative users just like you can in Linux. The only difference is, lots of old software expects to be run with administrative privileges, so if you want to run those things, you need to run as admin. The main reason people use windows is for backwards compatibility, but these days you can do most of your work in windows with a non-admin account if you want.
        • "The only difference is, lots of old software expects to be run with administrative privileges, so if you want to run those things, you need to run as admin"

          I would agree with your statement, just adding that software written to run only as admin is considered poor programming practice on Windows, even if it is often the norm.
      • Re:Backup (Score:3, Insightful)

        by ArsonSmith (13997)
        I don't think cron is the solution for this. Perhaps LVM and snapshots is what people should be looking into for this type of backups and locking away.
    • Re:Backup (Score:3, Insightful)

      Wow. This snippet of an article really misses the point. If nothing else, it's just mean. It finds this "flaw" which exists not as part of the OS's security systems, but in user behavior. It waves its arms in the air, trying to make it seem like a big deal, and offers no insight into any sollution. Responsible computing has responsible users as a requisite. You have to give users SOMETHING to call their own. If they don't respect this space, backing it up or storing off-site copies of important files
      • Re:Backup (Score:5, Informative)

        by arkanes (521690) <arkanesNO@SPAMgmail.com> on Monday February 06, 2006 @01:48PM (#14652040) Homepage
        The article, and most of the posters here, are missing an even more important point. There are very few viruses that just delete all your files anymore. The two major threats the PCs these days are spyware (a threat Linux has greater resistance to, because modifying plugins and such usually requires root permissions (with some exceptions, such as Firefox plugins - you're down to app level security there, on both platforms) and zombies to add your PC to a botnet, which Linux is more resistant to, again, because of not running as root. Yes, you have roughly the same level of resistance to "delete all your files" viruses, which are rare these days relative to the amount of "take over your machine as a botnet" viruses.

        All that, of course, is ignoring practical differences in the security history of the platforms and common applications, as well as the lower profile of Linux in terms of automated threats. Direct attacks (ie, someone is specifically attacking you) are just as much of a threat, and many distros are vulnerable to attacks in an unpatched state. Linux is *not* a panacea against threats (and only idiots portray it as such), but it is a very different threat profile than a Windows machine.

    • Re:Backup (Score:2, Interesting)

      by Chrismith (911614)
      So if an OS is to make a daily backup of user's home directory (or My Documents) automatically and locks it away (until emergency) from user access...

      Who determines what the emergency is? The system itself? If there really is an "emergency," will the system even be in a state to realize it? The last thing users need is to be lulled into a sense of security by automatic backups that can't be retrieved when you really need them.

    • Look at the risk of being labeled a fanboi, macs are easier to use than windows and when used in the manner that most home users will use it are arguably more secure than Linux. Sure it's possible to make a more secure linux, but not one that's usable to a home user.

      As for locking it away add something like the following to your cron jobs running as root:

      find / -depth | cpio -dpl /backup

      this makes a virtual backup of your files sufficient for most user's anti-viral backup needs. It does not protect you a
    • To be honest, this is an long-overdue idea. What an end user really wants is something like FreeNet (minus the creepy libertarian/spook overtones) where your data is transparently saved, unreconstructable except by you, to a whole raft of peers, with a full local copy that flushes out to the 'Net at the right times. It would be nice to have the whole OS whole OS hosted, but for the pressure that puts on having a reliable and fast internet connection.

      The core technical idea of FreeNet is an excellent one,
    • Re:Backup (Score:5, Interesting)

      by DrSkwid (118965) on Monday February 06, 2006 @01:54PM (#14652135) Homepage Journal
      plan9 does this

      and you get a day by day (or however much you fancy) snapshot so you can roll back your files to any snapshot in time you have recorded, on a process by process basis. I.E. you can have two different days open at the same time in different processes.

      And, to add compliment to health, it doesn't use up extra space but uses Venti [bell-labs.com]

      Venti is also available for Unix-likes via plan9port [swtch.com]

      while I'm here, plan9 is secure BY DESIGN. No super user, networked authentication, networked file storage, diskless terminals etc. et bloody cetera.

    • Re:Backup (Score:3, Interesting)

      by rcpitt (711863)
      You stole my thunder :)

      I have a number of Unix/Linux users who use their systems as desktop workstations and don't use root (at all - I set them up and do all maintenance remotely)

      Their systems do daily backups of home directories to a protected area that is read-only by their IDs. Whether or not the overall systems are less virus/worm prone is not really the issue, the fact is that only an attack that can get root access can actually do (locally) irretrievable damage.

      The better thing IMHO about Linux/

  • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday February 06, 2006 @01:09PM (#14651589) Journal
    How much is that increased security really worth for an average home user, when you break it down? According to me, fairly little. Here's why.
    Yes, it is duly noted that you're the only person from which this information is originating.
    But what is more important to a home user? His or her own personal files, or a bunch of system files?
    If "Johnny's first day at school" is more important that system critical resources, perhaps you should have hard copies (CD, DVD, tape, etc.) of this media.
    Of course, they should make backups-- but wasn't Linux supposed to be secure? So why should they backup?
    You're right, you should make backups. You have a love-affair-dependency on your hard drive. Everyday you need it to retain the ones and zeros it holds that forms your data. One day, your personal hard drive isn't going to be there for you. That's why you should back up regardless of how secure you feel. Most "normal home users" don't have redundant RAID arrays running. Furthermore, it isn't "secure period," it's touted to be one of the most secure operating systems. Wait, weren't we talking about Unix?
    Isn't Linux immune to viruses and what not? Isn't that what the Linux world has been telling them?
    I don't think anyone but Mac users claim that. And anyone that claims that for any processing device is lying to you. There are Linux Viruses [viruslibrary.com] out there, just use your favorite search engine.
    UNIX might be more secure than Windows, but that only goes for the system itself.
    Oh good, we're back on Unix here (they're not exactly the same, you know). I disagree, both sides (user and system) are more secure in the case of Unix or Linux for that matter.
    In the end, the result of a devastating virus or other malware program can be just as devastating on a UNIX-like system as it can be on a Windows system
    While this might be true, I think you should take into account the frequency of said viruses [theregister.co.uk]. When's the last time a massive virus attack has taken down entire networks of Unix machines?
    To blatantly copy Oasis: don't believe the truth.
    So you talked about Unix security without quoting a single authoritative source on the issue. And to finish off this article, you rely on a one-hit wonder brit pop band to prove your thesis. May Slashdot have mercy on your soul, Thomas. Endure the onslaught.
    • The article immediately takes the position that any data loss due to malware attack means the system isn't secure. However, the fact that you do not have to rebuild the system because only one user got nailed by the attack is never mentioned. Nor that other users were not affected and could continue using the system without disturbance (most likely).

      So, in effect, the user who was attacked was quarantined, making things _more_ secure.

      • And one more thing:

        Mac users don't think their system is immune (at least not intelligent ones). They just know that because so much OSS software is included, the patches for vulnerabilities tend to come quickly.

        And there's no point in paying Symantec for virus software that quarantines the swapfiles anyway. :-)

    • While I agree with most of your arguments, I think that describing Oasis as a 'one-hit wonder' is a bit far from the truth [wikipedia.org]. Even I've heard of them, and it takes a lot for pop culture to penetrate my little reality-bubble.
    • by xappax (876447) on Monday February 06, 2006 @01:23PM (#14651754)
      redundant RAID arrays

      I don't know if it was intentional or not, but that's pretty funny.
      • I get called out on this a lot and I'm going to point out some key differences between two types of RAID arrays [wikipedia.org]. A RAID 0 (also known as a striped set) splits data evenly across two or more disks with no parity information for redundancy. Therefore, it is an example of a RAID array that is actually not redundant (despite the acronym). Even if a normal user was running RAID 0, a hard drive crash would be catastrophic.

        Still laughing?
      • He was just being redundant, in case you didn't get it the first time.
    • by hey! (33014) on Monday February 06, 2006 @01:29PM (#14651827) Homepage Journal

      >>the end, the result of a devastating virus or other malware program can be just as devastating on a UNIX-like system as it can be on a Windows system

      >While this might be true,


      I think it is tautologically true. Devastation is a noun, like "unique" that does lend itself to qualification. I think it's also true that Windows users meet with devestation and the hands of malefactors much more often than Unix users; in part this is due to the prevelance of Windows of course. But it hardly explains the mountain giving birth to a mouse response of Microsoft when it comes to improving the situation for their users.

      There probably isn't a single kind of vulnerability in Windows that has not been in Unix. The only difference is that in Unix is a choice and Windows is a fact of life. Providers of Unix compete with each other, whereas Microsoft, while it may labor mightily on various things, only works barely hard enough to make life bearable. Nor should we expact it to do "better"; as a business they do what the market tells them to, and if the customer bears much, then the vendor does little. I was fascinated during the MS anti-trust trial of the idea of splitting MS up into competing windows providers. If there were competing providers for Windows variants, Windows would be ust as good as Unix, possibly better.

      I expect as more customers desert Windows for Linux (there is no place to go but up), Windows security will improve greatly.

      I am reminded of Lord Macaulay's speech on copyright, in which he explains that perpetual copyright is bad for books, "I believe, Sir, that I may with safety take it for granted that the effect of monopoly generally is to make articles scarce, to make them dear, and to make them bad. "
    • by Quadraginta (902985) on Monday February 06, 2006 @01:29PM (#14651828)
      The guy skips lightly over the fact that it's the system that mediates interactions between the Big Bad World (a/k/a the Internet) and the user and his precious files, so that if the system is well-designed and set up properly, it will do a great deal to protect the user even from his own actions.

      An analogy one might usefully make is to the highway: good system-level security is like a well-designed, well-lit highway. Sure, the user (driver) can still kill himself, but he has to behave unusually recklessly. On the other hand, poor system-level security is like a rutty, unexpectedly curving dark country road. Even reasonably careful drivers at moderate speeds can get in trouble.

      The guy is focussing on the fact that in both cases the driver can get himself killed. But that isn't the whole story. One "road" (system) makes it easier for a moderately careful "driver" (user) to survive. The other puts even careful "drivers" at risk. And, of course, there's the obvious fact that no "road" (system) can possibly protect the completely reckless "driver" (user).
    • by khasim (1285) <brandioch.conner@gmail.com> on Monday February 06, 2006 @02:25PM (#14652485)
      Isn't Linux immune to viruses and what not? Isn't that what the Linux world has been telling them?
      I don't think anyone but Mac users claim that. And anyone that claims that for any processing device is lying to you. There are Linux Viruses out there, just use your favorite search engine.
      Linux is not completely immune to viruses. It is only EFFECTIVELY immune.

      Viruses only spread when their infection rate EXCEEDS the removal/immunization rate.

      When the infection rate is lower than the removal/immunization rate, the virus dies.

      With most current versions of Linux, the default security configuration means that it is very difficult to infect a machine (not impossible) and very easy to remove the infection.

      Before this "InterWeb" thingie, I was cleaning boot sector viruses from DOS machines that required someone to have booted from an infected floppy.

      Linux boxes CAN be infected, but the odds of it happening are very, very slim.
  • Haha (Score:5, Funny)

    by BHearsum (325814) on Monday February 06, 2006 @01:09PM (#14651590) Homepage
    This story was ripped on for being lame on osnews earlier this week. Now the slashdotters get to make fun of it too.
  • Pointless (Score:3, Funny)

    by Dashing Leech (688077) on Monday February 06, 2006 @01:10PM (#14651593)
    Why is this necessary? How many people actually run UNIX at home and where's the push to get it at home? Linux is another story, but security is only one of many reasons there.
    • Re:Pointless (Score:3, Informative)

      by Dashing Leech (688077)
      And yes, I note that the article mentions Linux and OSX, but as I mention in the parent post, I would argue security isn't a big reason why people switch. It's just a bonus.
    • Lots of Mac folks now run Unix. Mind you, they may not know it (;-))

      --dave

    • but security is only one of the many reasons there

      I'm not a Super Linux Master(tm) and doubt I ever will be, but I can say that Linux is more fun. Recently I got a copy of DSL, and it's cool. It's quite nostalgic to boot up a computer with only one disk. Reminds me of my old 8086 I used in high school. Two floppy drives, no hard drive, and it even had a dot matrix printer. Computers like that are just more fun...ok, so I'm weird.

  • by American AC in Paris (230456) * on Monday February 06, 2006 @01:11PM (#14651611) Homepage
    That sucks, but: UNIX rocks, the system keeps on running, the server-oriented security has done its work, no system files were affected, uptime is not affected. Great, halleluja, triumph for UNIX.

    and a triumph for the home user. If you had to choose between having a virus that both destroys your personal files and compromises your system or a virus that only destroys your personal files, which would you pick? He's making light of a very significant thing for most home users--a full wipe and reinstall of the operating system and applications. That's a day's work for your typical user, more if you have a bunch of programs you need to go hunting for.

    But what is more important to a home user? His or her own personal files, or a bunch of system files? I can answer that question for you: the pictures of little Johnny's first day of school mean a whole lot more to a user than the system files that keep the system running.

    What's the value of Johnny's first day of school photos if you can't boot the damned computer? Again, the author makes light of the value of the system to the home user. Just because John Q. Public cares more about his cup holder than his engine block doesn't mean he won't care when the cylinder head cracks.

    Of course, they should make backups-- but wasn't Linux supposed to be secure? So why should they backup? Isn't Linux immune to viruses and what not? Isn't that what the Linux world has been telling them?

    Actually, no. I have yet to speak with a single techie who says that you don't need to back up important files under any circumstances. In fact, viruses are almost always a "secondary" reason for backing up files; the primary driving reason behind backing up your files has traditionally been that of hardware failure.

    The crux of his entire argument rests on the supposition that, to the home user, the system simply doesn't matter. In a most cosmetic sense, this is true; home users don't give a damn about kernels and drivers. The instant something goes wrong with that system, however, it's a nightmare for that archetypical home user (who, remember, doesn't know and doesn't care how the thing works). When everything works, they can open and print Johnny's files just fine, but what the heck are you supposed to do when the omgwtf32.dll pops up an error message when you try to open Johnny's picture?

    • When everything works, they can open and print Johnny's files just fine, but what the heck are you supposed to do when the omgwtf32.dll pops up an error message when you try to open Johnny's picture?

      I think you give that author way too much credit :D His article would hold a lot more water if I was the only user on my WindowsXP box. I'm not and share it with two other users. I certainly don't want them to trash my files as well as theirs when they click on some Spanky.mpg link.
    • He's making light of a very significant thing for most home users--a full wipe and reinstall of the operating system and applications. That's a day's work for your typical user, more if you have a bunch of programs you need to go hunting for.

      Actually, for "your typical user", it's a lot worse than that. It's dropping the computer off for a week or more, paying $100 or more, and getting it back not working the way you want it to, and struggling to get your settings and preferences and programs back the way y

    • The point (and this comes up in the opposite direction when pompous Linuxers slam Lindows and other distros that routinely run users as root) is this: the perception of the security advantages of Unix is based on professionally-maintained multi-user systems and is irrelevant to home Linux use.

      On a traditional university or engineering system, files are routinely backed up, and the design of Unix kept anyone but the admin from breaking anything system-wide or for other users.

      On a home system, files are almos

    • Actually, no. I have yet to speak with a single techie who says that you don't need to back up important files under any circumstances. In fact, viruses are almost always a "secondary" reason for backing up files; the primary driving reason behind backing up your files has traditionally been that of hardware failure.

      Amen brother... having personally experienced two catastrophic hard disk failures... I don't want to go down that road ever again... I save important stuff off to cdrw AND usb sticks and also u

    • by poot_rootbeer (188613) on Monday February 06, 2006 @01:39PM (#14651949)
      What's the value of Johnny's first day of school photos if you can't boot the damned computer?

      System files are fungible; user files are not.

      If my OS gets trashed but my photos are unscathed, I can still view them if I rebuild the OS using the install discs -- or I can even switch to a different OS entirely, and the photos will be viewable there. It may take some time to recover, but it's possible and even likely.

      If my photos get trashed, though, and I don't have a a good backup copy, they're gone forever. There's nothing that can be done.
    • If you had to choose between having a virus that both destroys your personal files and compromises your system or a virus that only destroys your personal files, which would you pick? He's making light of a very significant thing for most home users--a full wipe and reinstall of the operating system and applications. That's a day's work for your typical user, more if you have a bunch of programs you need to go hunting for.

      If you get hacked you need to reinstall your OS, no matter what. There's no way to kn
  • Open Source (Score:2, Insightful)

    by wesw02 (846056)
    Open source, maybe?

    The ability to change and fix problems within the code? I mean I'm not a top level programmer who is constantly editing his kernel source code, but I have changed quite a few applications to benefit my needs.
  • Bastille-Linux (Score:3, Insightful)

    by Ransak (548582) on Monday February 06, 2006 @01:13PM (#14651638) Homepage Journal
    Maybe more distros should come with an install routine for Bastille-Linux [bastille-linux.org]. The FTA never mentioned this product, although it's more geared toward servers, not desktops. My guess is it wouldn't take much to turn this into a product for all *nix desktop operating systems.
    • Maybe more distros should come with an install routine for Bastille-Linux. The FTA never mentioned this product, although it's more geared toward servers, not desktops. My guess is it wouldn't take much to turn this into a product for all *nix desktop operating systems.

      If you are willing to run Bastille-Linux (hardening script, really, and not only for Linux) why not install OpenBSD [openbsd.org]? Hardening scripts not supplied by the Linu distro has a tendency to make administration harder and break your installed

  • Wrong. (Score:5, Insightful)

    by matt me (850665) on Monday February 06, 2006 @01:13PM (#14651639)
    Even if you read the RTFA, which says that rather than computer exploding windows-style, nix hackage will just wreck your home, which is supposedly all that matters to a home user. Still wrong. Think multiple users for a start. But that's totally wrong when it amounts to time lost. If windows gets fucked as it often does i've seen many a user stick in their oem disk, reinstall completely, and then go through painfully reinstalling everything they had before. Say my /home was wrecked? All I'd need to do is fdisk the drive and create a new user? Besides, as in unix only exectuable files can be a source of infection, rather than screwed up images and office files, I can safely copy away anything I want. It's dumb. Sorry OSnews.
    • Re:Wrong. (Score:5, Insightful)

      by vidarlo (134906) <vidarloNO@SPAMbitsex.net> on Monday February 06, 2006 @01:22PM (#14651743) Homepage
      Besides, as in unix only exectuable files can be a source of infection, rather than screwed up images and office files, I can safely copy away anything I want.

      So a libpng buffer overflow, allowing a png image rendered in mozilla to execute code can't be harmfull? Sorry pal, but this is not a problem with the OS, but the applications and libraries.

  • Okay, I won't go on about stuff I am clueless about, *but* wasn't UNIX inspired by MULTICS, and wasn't MULTICS a pretty secure o/s, by design?

    How hard would it be to start fresh, apply the Linux method to MULTICS or something like it, to have a an networking-oriented o/s with comprehensive security?

    I know, I know: commitment of effort and resources is the main issue. I am just hoping someone is already doing it somewhere...
    • Okay, I won't go on about stuff I am clueless about, *but* wasn't UNIX inspired by MULTICS, and wasn't MULTICS a pretty secure o/s, by design?

      Yes Unix was inspired by Multics. I don't know about the security of Multics, Unix was written by Kernighan/Ritchie because they saw defiencies in Multics. I believe Multics didn't have a good scheduler, it slowed down with multiple users, and back then when computer time was alloted, that meant everything. I don't think security was a particular problem like it is

  • by martin (1336) <maxsec@gmai[ ]om ['l.c' in gap]> on Monday February 06, 2006 @01:15PM (#14651661) Journal
    I think the phrase "less risk of any holes being exploited" is better than "more secure".

    Unix can be hacked/cracked too, just there's less likelihood and there less risk associated with running a *nix based O/S.

  • by karmaflux (148909) on Monday February 06, 2006 @01:17PM (#14651679)
    This is the false sense of security I am talking about. UNIX might be more secure than Windows, but that only goes for the system itself. The actual content that matters to normal people is not a single bit safer on any UNIX-like system than it is on any Windows system.

    This idiot is stating that because some users don't understand the UNIX security model, the UNIX security model is flawed. Apparently, as far as he's concerned, if ~ gets destroyed, the whole system may as well be destroyed. He's blathering about a "false sense of security," but I have never, anywhere, ever, heard anyone say that you don't have to back up your data if you run UNIX.

    Sound and fury, understanding nothing. Typical of OSNews, but sad that Slashdot's carrying this crap.
  • Isn't that obvious? (Score:5, Interesting)

    by Dlugar (124619) on Monday February 06, 2006 @01:17PM (#14651680) Homepage
    I think the author of the editorial makes a rather trivial point. (They could have made the point a lot stronger, pointing out that malware, spyware, adware, trojans, etc., are all able to be run from within unprivileged user-space.)

    But why would a home user care about Unix-type security? I'll give you a few reasons of my own.

    (a) Smaller target. Yes, that's right, I'm saying that the largest increase in security that home users get is because they're using something that 90% of the home user market isn't. This isn't a feature inherent to Unix, obviously--but I still think it's a reason to switch. "But if everyone switches, won't that get rid of the security increase?" Perhaps a little, but the only way it would completely vanish is if everyone switches to the same flavor of Unix. If we have a Unixy, more secure home computing environment, but slightly different flavors, then viruses and malware will have a more difficult time propagating in such a non-homogenous environment.

    (b) Remote exploits. This, I think, is a lesser issue, but not a trivial one--there are a considerable number of remote exploits in Microsoft software, and there have been a non-trivial number of viruses and malware that spread through this vector. Unix-based systems are historically less vulnerable to such attacks, and often the remote processes that are vulnerable run under a different user than the desktop user anyway.

    Dlugar
    • If any user honestly uses linux/unix only for increased security they should simply use a mac. Its a whole lot easier, has user friendly software, and fits your argument for case (a).

      From a home user standpoint there is only one reason to use linux/unix when mac is available, if you want a free OS, but if you're coming from windows, you should be used to paying for your os.

      (yes i know mac runs linux whatever underneath, but from a home user standpoint, this is irrelevant)
  • Come on guys (Score:4, Insightful)

    by AutopsyReport (856852) on Monday February 06, 2006 @01:18PM (#14651686)
    Don't waste your time. Read a more interesting article: How Do Computers Work? [factmonster.com]. At least this one has pictures.

    Are the editors even paying attention here? How can a 500-word, Grade 6 public speech-quality editorial makes it to the frontpage? Where is the quality here, folks?

  • J2ME security (Score:3, Interesting)

    by IamTheRealMike (537420) <mike@plan99.net> on Monday February 06, 2006 @01:18PM (#14651691) Homepage
    When this story appeared on OSNews I had a discussion with a friend about it. One security model that provides an interesting contrast to the UNIX/Windows DAC security system is J2ME security [plan99.net], which I wrote an article about.

    Now, J2ME is a flawed platform in many ways, but in terms of security they're light-years ahead of where desktop computing is. There are many things we could learn from it.

  • in *nix, user-level apps don't have write-access to system directories beats the hell out of the Microsoft model.

    Don't even get me started on the stupidity of how installing an app in windows allows it to extend the whole OS.
  • by bahwi (43111)
    Yeah, but who cares about the security of a home user? Get a NAT firewall and a good backup and if your computer crashes, burns, and blow up simultaneously, who cares?

    Now, workstations, with actual valuables on it and that are needed for day to day operations of the company, need to have better security than just a NAT box and Norton.

    And servers, where Unix really excels, let's just say Bank of America ATM's down because of a SQL Server Worm and leave it at that.

    Home users? Who cares? I work from home and h
  • by Billly Gates (198444) on Monday February 06, 2006 @01:21PM (#14651721) Journal
    When NT 4.0 was coming out the arguments were that it was more secure than the joke that was Unix. I remember top security guys telling me to get my mcse for that reason. This was in 1996.

    Its laughable today because it was before the holes in Windows2k were discovered but there is some truth. VMS and MVS were standard and rock solid with security. Unix like Windows was written in C with parts of c++ scattered here and there with userspace apps. Buffer overflows galore are everywhere.

      Even MacOS (not Macosx) was more secure for the reason that it did bounds checking on types. Add to that the fact that x86 can not tell the difference between cache stored for ram and cache stored for applications where you can just point to where a program is stored for execution and you have a nightmare on yoru hands.

    Keep in mind I am no expert and I dont even have my 2 year degree yet. Perhaps someone more knowledgable can clarify how the compilers work?

    Unix is surely better than Windows but VMS is about gone and who uses mainframes anymore besides a selected few users who need them?

    Standards are good but there is no diversity left in platforms. Its too bad VMS just died and stayed closed. It would be nice to have something besides just unix and Windows
    • There's more to security than buffer overflows, and as for compilers, they can only do so much as buffers can be dynamically sized.
    • Windows NT borrows and builds upon a lot of things that were in VMS. Microsoft hired the lead VMS engineer from DEC to head up Windows NT development. It seems kind of weird to allege that VMS is technically superior to Windows NT, when Windows NT was largely based on VMS and improvements that could be made upon VMS.
  • by sarastro_us (745933) on Monday February 06, 2006 @01:21PM (#14651736)
    Security equals security for *your* files, and Unix can't do that, so Unix must be just as insecure as Windows. Only when you define "security" in your own, narrow way, and then never implicitly say what that definition is in your 'article'.
  • by JTorres176 (842422) on Monday February 06, 2006 @01:22PM (#14651744) Homepage
    I wonder why he didn't bring up that Dad has pictures of Little Johnny on his first day of school Mom has all of her and dad's wedding photos. Litte Suzy has all of her papers for school on the hard drive. Little Johnny likes to look up pr0n.

    Windows situation, While trying to download hotmidgetdonkeypornheaven.exe, Little Johnny accidently picks up uber.worm. Uber.worm deletes Johnny's files, suzie's files, mom's files, dad's files, system files, makes the system useless, and you go from a windows computer to a nice paperweight until you reformat. *nix situation, While trying to download hotmidgedonkeypornheaven.sh, Little Johnny accidentally picks up the uber.deletion.script. Uber-del deletes johnny's entire home directory!

    Of course, Mom, Dad, and Suzie are entirely unaffected because Johnny doesn't have permission to overwrite those files.

    Wonder why the asshat, er, I mean, article writer didn't bring up that snippet?
  • What is wrong with you? Security doesn't matter to home users? I've spent a tremendous amount of time doing 'volunteer tech support' for my friends, family, coworkers, etc fixing windows machines that got hosed by XYZ windows worm. None of them are, I would say, pleased to lose their data on a regular basis. I always tell them that next time they buy a computer, they should consider an apple, because it is the easiest system out there that also has an _acceptible for home use_ level of security i.e. they wo
  • He's just a kid (Score:4, Informative)

    by BlueQuark (104215) on Monday February 06, 2006 @01:26PM (#14651785)
    Thomas Halwedra is a young'in with very little real world experience and any practical experience. They kid is in college and has a bunch of machines at home. I think he takes an extremely simplistic view of windows and unix security.

    His 'OSNEWS' bio: http://www.osnews.com/editor.php?editors_id=11 [osnews.com]

    I was doing systems programming on UNIX BSD 4.2 Tahoe when he was born. :-)

    I am surprised that his article was even published/posted, I can't really even see his argument or what point is he trying to make. Oh that's right he's a 'managing editor' WTF?

    Back to work.

    • Re:He's just a kid (Score:2, Interesting)

      by Ekarderif (941116)
      Saying people are "just kids" are ignoring the fact that they are not. They're college students. After all, a kid eschewed the giant corporation funded operating system and slapped one together (with a fellow kid) to play Space Wars and revolutionize operating system design. A kid wrote the free implementation of Minix. A kid founded both the most portable operating system and the most secure one. A kid cloned an implementation of the Windows network file system onto the *nix platform. It may be surprising,
  • There's a reason most malware doesn't delete files and such. It keeps them from spreading. To spread you need infected hosts out there infecting others. If you clobber a users files you alert them to the problem and they take steps to clean out the problem even if the malware is still running after deleting everything.

    See, for example, this thread [google.com].

    Successful malware tries to hide itself and keep the user from noticing anything's amiss. This is much much harder if you can't subvert the OS.

  • The issue in this piece is that the Unix security model allows viruses and crackers who break into a user account access to that user's personal files, which the editorial presumes are what the user really cares about.

    This is a very good point. Due to the cracker/virus having the same exact privileges as the user who was infected, it/they get access to that user's files via UID. Other than setting up a special account to browse the net with, there is no solution to this problem on a Unix system.

    Or is ther
  • Not true at all (Score:4, Insightful)

    by blakestah (91866) <blakestah@gmail.com> on Monday February 06, 2006 @01:29PM (#14651824) Homepage
    There is nothing special about UNIX or linux that makes it immune from viruses.

    However, in UNIX culture, there is something. The first rules of security.
    First, the default installation should not act as a server operating system. The system should not respond to ANY outside requests for anything unless enabled to by the system admin.

    Second, no action on the system should be performed with any more than the minimum set of privileges necessary. Everything should be done with user privileges, not system privileges, unless absolutely necessary.

    The use of these basic security rules applied more or less throughout the UNIX world, and for MAC OS X as well. Windows INTENTIONALLY ignores these rules in order to "maximize the user experience", and in doing so spawned a multi-billion dollar anti-virus industry.
  • by trauma (62841)
    I've been saying somehing similar for years about various desktop operating systems, but IMHO the author completely misinterpreted the significance. It has nothing to do with the particular OS used in the example; it has everything to do with the difference between machines used in a mission-critical environment and machines used by an individual on his or her desktop at home. For production machines, the integrity of the OS and the uptime that comes with that integrity is of paramount importance. Unfort
  • "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security."

    Huh? Maybe that's the talk among the amateur kiddies on IRC and Slashdot.

    However, of all the professionals (Software Engineers) and academics (Linguists, Sociologists, etc) I know that use UNIX desktops, not one of them has told me they use it for the security -- they use it for the applications. Security is an afterthought for most people. Instead, they use it because it offers an environment in whic
  • Security?! (Score:3, Insightful)

    by Jezza (39441) on Monday February 06, 2006 @01:42PM (#14651982)
    Err, this isn't security we're talking about here. Security isn't me not losing "my stuff" (a disk crash can do that), secuirty is YOU not stealing "my stuff".

    For most home users THAT'S important (bank details, order details, hell even my address and phone number). You imagine how well a phishing attack would work on most users if they knew about open orders (from say Amazon) by reading your files. I think that's much more important to most users!

    Of course we all backup our files! Jeesh this is /. we're not a bunch of egotictical morons ;-)
  • by petard (117521) * on Monday February 06, 2006 @01:43PM (#14651989) Homepage
    But what is more important to a home user? His or her own personal files, or a bunch of system files? I can answer that question for you: the pictures of little Johnny's first day of school mean a whole lot more to a user than the system files that keep the system running.

    Sure poor computing practice by the user that owns the files could result in their destruction. Nothing gained versus Windows there. But in a family computer scenario, more is gained than the author admits. On Windows systems, many programs are (mis-)designed to require administrator rights even just to run them. This is not generally the case on UNIX-derived systems. As a result, accounts for family members will often be in the local admin group. So on a family computer if you give Little Johnny an account to run his software and play games, and he goes and downloads the latest malware and runs it, it can nuke your data as well as his.

    Under a typical scenario under a UNIX-like system he can only destroy his homework and saved games, not your pictures of his first day of school along with them.

    That's got to be a non-negligible benefit to the family user that the author completely discards.
  • by Cytlid (95255) *
    Author, you took one facet of security and tore it apart. Good for you. Yes, Windows can be highly secure, let's say, given the correct group policies.

    Ooooh but wait a minute. A typical home user wouldn't be concerned with group policy. Let's please compare apples to apples, or at least try.

    I think we should replace the word "security" with "awareness". I am aware of certain things, so I run my Windows XP pro laptop a certain way. I choose Linux for my home workstation. A typical home user isn't awar
  • by SuperKendall (25149) * on Monday February 06, 2006 @01:45PM (#14652015)
    Security issues have moved on a little since the 80's, where his point of view is from - very few security breaches today result in loss of data, because computers are really more valuable as zombies and so not many viruses really attempt to mess with much (even the most recent public example of a destructive virus on WIndows was pretty much a dud).

    Another thing he does not account for is time. Time is a valuable commodity to all users, and anything that can prevent a virus or spyware from reaching further into the computer reduces the amount of time and knowledge needed to remove probelms from the system. That is at the core the value that UNIX brings to the security equation. Not absolute protection but like a teflon pan, easier cleanup when you do create a mess.

    And last of all by not explicitly mentioning how much more inherantly secure UNIX systems are that start off with a base of no open ports are. Sure spyware and viruses can get in through the browser, but it's a much harder attack route than just scanning and finding a hole wide open that requires no effort on the part of the computer user to install.

    In the end his rant boils down to noting that users should really back up files often - but even this message is dated, as a few years of sketchy consumer hard drives with short warranties has started to drive home this lesson in spades through failed hard drives. Forget hackers; little johhny's pictures today are in far greater peril from a simple lack of using the CD-burner.
  • If someone runs Windows like almost everyone runs Linux (not as system user) and also run Anti-Virus and Anti-Spyware products they might even be up to par on security holes and how long until they are fixed. How important the bugs/holes are and how fast they are fixed in Linux vs Windows is hotly debated. There are various reasons why IMHO Linux is ahead there (OSS, secure by design, ...). But because Microsoft is spreading a lot of "information" on that I can see many people believing and writing that Win
  • by dangermen (248354) on Monday February 06, 2006 @01:48PM (#14652047) Homepage
    Yes, it is a pompous headline but it's friggn true. I just spent two days on vacation at a relatives house cleaning spyware. 3 AV scanners, 4 spyware cleaners and there is still crap happening. Unix doesn't let you hide crap like that. Worst case I could boot a CD and do a scan as to eliminate kernel-based root kits. That same kind of effort is friggin prohibitive. There is something to be said for YUM and apt-get. I can very quickly assess the basic patch level of a box and ALL of its applications. Windows = Good Luck
  • by Kjella (173770) on Monday February 06, 2006 @01:56PM (#14652159) Homepage
    ...and want their argument back. The trojans that "just" wipe out your disk are actually quite rare these days. People want your machine to spam, show you ads, use your computer as a platform for new attacks, proxy, dumpsite or any one of a dozen other uses. A machine where you can only trash someone's personal files isn't valuable except to scriptkiddies who are nothing more than online vandals.

    As far as the rest goes, the data are very important but people don't protect them well in any case. However, downtime is important - or not really downtime, since they can spend a week to have it fixed - but every time they have to get someone to fix it, that is a big annoyance. If you can keep the system clean (and if you're good, have the Admin/root account take backups to somewhere the user doesn't have access) you're saving yourself a bundle of time and problems.
  • Four points. (Score:3, Interesting)

    by Irvu (248207) on Monday February 06, 2006 @01:58PM (#14652183)
    Firstly he ignores the important distinction between file corruption and system corruption. Let us assume that personal files are equally insecure on both systems, they aren't but will deal with that below. In that event the likelyhood of a personal-file-loss is equally likely. Okay but, as the author noted the likelyhood of a system loss is less likely on Unix. While I do place a higher value on the retention of my personal files I find that:
    1. The cost of repairing a totally-destroyed system is nonnegligeable.
    2. It is easier to securely backup and recover said files on a working system.


    Secondly, as someone who has seen trojaned PC's I can tell you that being used to spam viagra ads to the western world does have a practical cost for non-techs. While some trojans may leave the files alone the fact that a) all security is compromised, and b) your hardware is being used by others without your consent or knowledge; is meaningful to everyone. In this arena *NIX systems do have a significant leg up over windows. It is much harder for an errant e-mail to lead to a full system compromise on *NIX than on Windows. That having been said I can see how a user-specific trojan may do as much damage.

    Thirdly, the author seems to be ignoring the truest source of vulnerabilities: applications. While the base OS is an issue the primary source of holes are applications (Outlook) or application-components (WMF). A *NIX system can be as insecure as Windows with respect to these. However a) There is a greater offering of secure forms, and b) *NIX's more modular form and coding traditions (sacrifice features for security) make it (in general) less suceptible to these kinds of problems.

    Fourthly, Windows is developed on a different model from *NIX. Microsoft has always put new features first and foremost. This has led to the situation specified above.

    That being the case, much of this is tradition. The traditions of Unix Development (Security over Features) versus Windows (Features over Everything) is what has led to the current state of affairs. Microsoft is in the process of learning the long hard lessons of their history and has been attempting to ape the *NIX model more closely. Meanwhile some in the Linux community have begun arguing that they should move to more "Feature Laden" distros like windows. If Microsoft succeeds in its painful changes and Linux distros begin chasing the "I want features now" crowd then the equations may reverse themselves.
  • by KidSock (150684) on Monday February 06, 2006 @01:58PM (#14652191)
    The advantage of UNIX is it's simplicity. The common APIs found on UNIX systems haven't changed in many many years. This sounds like a weakness but from a security prespective it is a great strength. This is because the vast majority of bugs are in relatively new code. If you recall the end of NT4's life it was pretty stable (relatively speaking). That's because all new development work was on other products. Now with the introduction of XP and Sharepoint and .NET and all the other new stuff, there's a mountain of new code to find exploits in. Windows is much more sophisticated than UNIX but whether or not that's a good thing depends on what you're using it for.

    In fact, you could debate this for any OS. Here's how I see the best use of each OS:

    Linux - Great development platform. You can easily install it on a laptop and get most things to work like they would even though it was "designed for XP" (e.g. power management). Linux is also a great virtual private server. A VPS is a Linux instance running in a VM like User Mode Linux. You can serve Webmail, SMTP, php apps, mysql, imap, etc for your personal use for $20/mo. As car analogies go, Linux is a Ford F150 pickup.

    Windows XP - Required corporate desktop. XP provides integrated security with ACLs on a wide variety of resources with all groups managed by a central authority with UIs to manage accounts. As a car XP is a like a fully loaded Mercury Montego sedan (it has all the amenities but don't expect it to be running in 5 years).

    Windows Server - Good corporate application, file and print server. It has a rich highly integrated set of libraries. Required for running server side applications for XP clients such as Exchange and AD. Windows Server is also like a Mercury Montego sedan except it costs a lot more.

    Solaris - Rock solid server application platform with world class support. If you don't need the sophisticated APIs provided by Windows Server then Solaris is a very good choice. Solaris is like a large Frietliner flatbed truck with GPS tracking and 24 hour roadside assistance.

    Mac OS X - Home PC desktop. OSX is ideal for the casual home user who wants to create a web page from the photos on their digital camera or play their guitar with sound loops in Garage Band. Mac OS X is like a Lexus RX 330. Every respectable yuppy has one.

    FreeBSD - Good HTTP server for the Internet. It's also a good alternative to Solaris as an application server platform if you're trying to save money and don't need it to scale to 16 processors. FreeBSD is like a Toyota pickup.
  • by Deviant (1501) on Monday February 06, 2006 @01:59PM (#14652197)
    I have found the ultimate solution to such issues in my VMWare testing environment - snapshots. We really beat on and hose our testing machines and, to make sure we were getting an acurate test, we would always have to reimage them from a Ghost image every time we went in there. We replaced that solution with running our testing in VMWare where reverting to a previous snapshot just takes a few seconds. Not to mention that you can branch off them in a tree fashion to track and test under various changes and conditions. I really don't understand why MS can't develop a simpler version of something similar for the OS. HD space on the vast majority of user's machines is plentiful and the ability to be able to make a snapshot of your system when it is exactly the way you want it that you can go back to later quickly and easily would solve myraid problems. If you could back up that snapshot to a DVD or external HD in such a way as the hypothetical snapshot manager could restore your PC config from it in the event of a physical HD failure all the better.

    Now, obviously, we would need a way to prevent a malicious program for also corrupting the backup snapshot - maybe some password that is specifically for the modifying and changing of the system snapshot.

    I doubt that MS will ever be able to make an OS as secure as Unix as long as they have to provide the level of backward compatibility they do. What they could do, however, is mitigate the risk by giving us a way to get our PC back to it's pristine state without all of the trouble of app reinstalls and haphazard backups/restores. The limitation always was the hard disk space this would entail and that limitation has been blown away by modern HDs...
  • by Greyfox (87712) on Monday February 06, 2006 @02:23PM (#14652461) Homepage Journal
    He does have a point, but it's an easy problem to address. Currently it's pretty easy to run potentially untrusted programs (Web browser, email clients, etc) as another user. Sure you still need to give them access to X, but they won't have direct access to your home files. I'd like to see this process made easy enough for a newbie user to be able to do it, and possibly even the default method of invocation of untrusted applications for the desktop distributions of Linux. If a distribution was doing it, the users who need it the most would never even know it was happening.
  • by aristotle-dude (626586) on Monday February 06, 2006 @03:05PM (#14652916)
    Why is marketshare mentioned in these cases and used as a crutich to defend windows? The exploits in windows or any other OS exist due to programmer error regardless of the size of the marketshare. Some could argue that a greater marketshare makes an OS a more visible target but that alone does not explain why the viruses exist. There has to be an other reason why people are motivated to write viruses for windows. Could it be that they do it because they hate how MSFT gained their monopoly?

    But this does not explain why the exploits which provide vectors for attack exist. Perhaps marketshare plays into this as well where developers at MSFT have become lazy and complacent with their commanding market position.

    Let's stop blaming users for security problems and lay blame squarely on the developers themselves. If any company deserves a class action lawsuit, I would say MSFT does when you consider the amount of money spent compensating for their incompetence.

  • by HermanAB (661181) on Monday February 06, 2006 @03:17PM (#14653031)
    if your time is worth nothing...

    I repair many of desktop and notebook machines. Three last week - this is Monday and I already have two machines waiting for this week. This is not my main business - people only bring me machines after other people already tried and failed to fix them.

    To fix a borked notebook PC and remove all spyware crap, takes 3 to 10 hours. Repairing a desktop takes 2 to 3 hours. The problem being that notebook PCs are slooooowwww, so the repeated scans take forever and Spyaxe and similar crapware requires multiple passes and multiple reboots with multiple scanners to remove. Consequently, I spend 10 to 20 hours per week removing crapware from Windows PCs.

    In contrast, I never have to remove crapware from Linux PCs and notebooks - they just keep working - chalk up zero hours to Linux repairs. This means that in practice, Linux is infinitely more secure than Windows.

    Nuff sed.

If money can't buy happiness, I guess you'll just have to rent it.

Working...