UNIX Security: Don't Believe the Truth? 520
OSNews has an interesting editorial about security on UNIX-like systems. "One of the biggest reasons for many people to switch to a UNIX desktop, away from Windows, is security. It is fairly common knowledge that UNIX-like systems are more secure than Windows. Whether this is true or not will not be up for debate in this short editorial; I will simply assume UNIX-like systems are more secure, for the sake of argument. However, how much is that increased security really worth for an average home user, when you break it down? According to me, fairly little"
Isn't that obvious? (Score:5, Interesting)
But why would a home user care about Unix-type security? I'll give you a few reasons of my own.
(a) Smaller target. Yes, that's right, I'm saying that the largest increase in security that home users get is because they're using something that 90% of the home user market isn't. This isn't a feature inherent to Unix, obviously--but I still think it's a reason to switch. "But if everyone switches, won't that get rid of the security increase?" Perhaps a little, but the only way it would completely vanish is if everyone switches to the same flavor of Unix. If we have a Unixy, more secure home computing environment, but slightly different flavors, then viruses and malware will have a more difficult time propagating in such a non-homogenous environment.
(b) Remote exploits. This, I think, is a lesser issue, but not a trivial one--there are a considerable number of remote exploits in Microsoft software, and there have been a non-trivial number of viruses and malware that spread through this vector. Unix-based systems are historically less vulnerable to such attacks, and often the remote processes that are vulnerable run under a different user than the desktop user anyway.
Dlugar
J2ME security (Score:3, Interesting)
Now, J2ME is a flawed platform in many ways, but in terms of security they're light-years ahead of where desktop computing is. There are many things we could learn from it.
Re:Backup (Score:2, Interesting)
Who determines what the emergency is? The system itself? If there really is an "emergency," will the system even be in a state to realize it? The last thing users need is to be lulled into a sense of security by automatic backups that can't be retrieved when you really need them.
Linux at home (Score:1, Interesting)
Not only does she have no difficulty using it, but my wife and 12-year-old son are on it all the time checking emails and websites. The wife's a hard-core Mac user and my son normally uses XP. So while all the tech industry reporters out there muse about "when Linux will be viable for the home desktop," those of us out here who have a clue will continue to quietly use it.
Unix Security: don't believe the FUD (Score:3, Interesting)
Windows situation, While trying to download hotmidgetdonkeypornheaven.exe, Little Johnny accidently picks up uber.worm. Uber.worm deletes Johnny's files, suzie's files, mom's files, dad's files, system files, makes the system useless, and you go from a windows computer to a nice paperweight until you reformat. *nix situation, While trying to download hotmidgedonkeypornheaven.sh, Little Johnny accidentally picks up the uber.deletion.script. Uber-del deletes johnny's entire home directory!
Of course, Mom, Dad, and Suzie are entirely unaffected because Johnny doesn't have permission to overwrite those files.
Wonder why the asshat, er, I mean, article writer didn't bring up that snippet?
Ok, who forgot to put the foot icon on this story? (Score:1, Interesting)
Re:I'll Field a Few Questions (Score:5, Interesting)
I think it is tautologically true. Devastation is a noun, like "unique" that does lend itself to qualification. I think it's also true that Windows users meet with devestation and the hands of malefactors much more often than Unix users; in part this is due to the prevelance of Windows of course. But it hardly explains the mountain giving birth to a mouse response of Microsoft when it comes to improving the situation for their users.
There probably isn't a single kind of vulnerability in Windows that has not been in Unix. The only difference is that in Unix is a choice and Windows is a fact of life. Providers of Unix compete with each other, whereas Microsoft, while it may labor mightily on various things, only works barely hard enough to make life bearable. Nor should we expact it to do "better"; as a business they do what the market tells them to, and if the customer bears much, then the vendor does little. I was fascinated during the MS anti-trust trial of the idea of splitting MS up into competing windows providers. If there were competing providers for Windows variants, Windows would be ust as good as Unix, possibly better.
I expect as more customers desert Windows for Linux (there is no place to go but up), Windows security will improve greatly.
I am reminded of Lord Macaulay's speech on copyright, in which he explains that perpetual copyright is bad for books, "I believe, Sir, that I may with safety take it for granted that the effect of monopoly generally is to make articles scarce, to make them dear, and to make them bad. "
Good article for 1982 (Score:5, Interesting)
Another thing he does not account for is time. Time is a valuable commodity to all users, and anything that can prevent a virus or spyware from reaching further into the computer reduces the amount of time and knowledge needed to remove probelms from the system. That is at the core the value that UNIX brings to the security equation. Not absolute protection but like a teflon pan, easier cleanup when you do create a mess.
And last of all by not explicitly mentioning how much more inherantly secure UNIX systems are that start off with a base of no open ports are. Sure spyware and viruses can get in through the browser, but it's a much harder attack route than just scanning and finding a hole wide open that requires no effort on the part of the computer user to install.
In the end his rant boils down to noting that users should really back up files often - but even this message is dated, as a few years of sketchy consumer hard drives with short warranties has started to drive home this lesson in spades through failed hard drives. Forget hackers; little johhny's pictures today are in far greater peril from a simple lack of using the CD-burner.
Re:He's just a kid (Score:2, Interesting)
Re:Backup (Score:5, Interesting)
and you get a day by day (or however much you fancy) snapshot so you can roll back your files to any snapshot in time you have recorded, on a process by process basis. I.E. you can have two different days open at the same time in different processes.
And, to add compliment to health, it doesn't use up extra space but uses Venti [bell-labs.com]
Venti is also available for Unix-likes via plan9port [swtch.com]
while I'm here, plan9 is secure BY DESIGN. No super user, networked authentication, networked file storage, diskless terminals etc. et bloody cetera.
Four points. (Score:3, Interesting)
Secondly, as someone who has seen trojaned PC's I can tell you that being used to spam viagra ads to the western world does have a practical cost for non-techs. While some trojans may leave the files alone the fact that a) all security is compromised, and b) your hardware is being used by others without your consent or knowledge; is meaningful to everyone. In this arena *NIX systems do have a significant leg up over windows. It is much harder for an errant e-mail to lead to a full system compromise on *NIX than on Windows. That having been said I can see how a user-specific trojan may do as much damage.
Thirdly, the author seems to be ignoring the truest source of vulnerabilities: applications. While the base OS is an issue the primary source of holes are applications (Outlook) or application-components (WMF). A *NIX system can be as insecure as Windows with respect to these. However a) There is a greater offering of secure forms, and b) *NIX's more modular form and coding traditions (sacrifice features for security) make it (in general) less suceptible to these kinds of problems.
Fourthly, Windows is developed on a different model from *NIX. Microsoft has always put new features first and foremost. This has led to the situation specified above.
That being the case, much of this is tradition. The traditions of Unix Development (Security over Features) versus Windows (Features over Everything) is what has led to the current state of affairs. Microsoft is in the process of learning the long hard lessons of their history and has been attempting to ape the *NIX model more closely. Meanwhile some in the Linux community have begun arguing that they should move to more "Feature Laden" distros like windows. If Microsoft succeeds in its painful changes and Linux distros begin chasing the "I want features now" crowd then the equations may reverse themselves.
The solution is snapshots (Score:4, Interesting)
Now, obviously, we would need a way to prevent a malicious program for also corrupting the backup snapshot - maybe some password that is specifically for the modifying and changing of the system snapshot.
I doubt that MS will ever be able to make an OS as secure as Unix as long as they have to provide the level of backward compatibility they do. What they could do, however, is mitigate the risk by giving us a way to get our PC back to it's pristine state without all of the trouble of app reinstalls and haphazard backups/restores. The limitation always was the hard disk space this would entail and that limitation has been blown away by modern HDs...
Re:Backup (Score:3, Interesting)
I have a number of Unix/Linux users who use their systems as desktop workstations and don't use root (at all - I set them up and do all maintenance remotely)
Their systems do daily backups of home directories to a protected area that is read-only by their IDs. Whether or not the overall systems are less virus/worm prone is not really the issue, the fact is that only an attack that can get root access can actually do (locally) irretrievable damage.
The better thing IMHO about Linux/Unix is that there is transparency about what actually needs to be backed up in most cases (some require a bit of sleuthing but even they can be made transparent) - the home directory and maybe a major application data directory (MySQL for example)
Only these need to be dealt with - the rest of the machine's resources can be replicated/restored/reinstalled and add the data and go on your happy way.
Because it makes things work. (Score:4, Interesting)
This isn't necessarily the fault of Windows
And that is only because the FIRST step is learning enough about the system to know that there is a problem. It's easy for most of us who spend time and read
Linux is only EFFECTIVELY immune. (Score:5, Interesting)
Viruses only spread when their infection rate EXCEEDS the removal/immunization rate.
When the infection rate is lower than the removal/immunization rate, the virus dies.
With most current versions of Linux, the default security configuration means that it is very difficult to infect a machine (not impossible) and very easy to remove the infection.
Before this "InterWeb" thingie, I was cleaning boot sector viruses from DOS machines that required someone to have booted from an infected floppy.
Linux boxes CAN be infected, but the odds of it happening are very, very slim.
Re:Linux at home (Score:3, Interesting)
There is a good wikipedia article on this topic actually. [wikipedia.org]
In my own personal opinion, the generically asked question - "What is Unix?"