Posted on 03/17/2009 7:16:55 AM PDT by N3WBI3
Nobody questions whether Mac OS X is ready for the desktop. Never mind that switching to it involves learning different assumptions and tools and a new desktop. It has a reputation for being user-friendly, and is backed by a proprietary company, just like Windows.
With GNU/Linux, however, the story is different. For over a decade, columnists and bloggers have been explaining how GNU/Linux isn't ready for the desktop -- and, despite all the progress in the operating system over the last ten years, the arguments haven't changed much. Moreover, increasingly, they're outdated when they're not based on complete ignorance. In fact, I often get the impression that those who pontificate on GNU/Linux's inadequacies have never tried it.
Often, of course, the criterion for desktop-readiness is subjective. What is a bug to one user is a feature to another: for example, having to log in as root to install software is an inconvenience to inexperienced users, but a security feature to those with more knowledge.
Often, too, complaints about GNU/Linux are actually complaints that it is not exactly like Windows. Never mind the fact that, unless it did things differently, there would be no reason to switch in the first place. Or that anyone who expects to use a new application or operating system without a learning period is arrogantly provincial. The fact that GNU/Linux is not completely familiar is more than enough to damn it in the eyes of some critics.
Then there are arguments that involve a rubber ruler. That's where someone claims that GNU/Linux will never be ready until it has a certain feature, then, when the feature is pointed out or developed, changes directions and insists that another feature is essential. You can never win against such arguments, because the criteria for judging them keeps changing.
However, in addition to all these arguments are the ones that invalidate themselves primarily because of error, incompleteness, or misrepresentation. These are nine of the most common factually incorrect ones:
1) Distros are too forked for easy compatibility for developers
This claim is popular among software vendors explaining why they don't make versions of their products for the operating system. It is based on the fact that all distributions do not follow efforts at consistency like the Linux Standards Base, and often put files in different locations. In addition, distributions use a variety of package systems, so that widespread support can mean building packages in several different formats.
These problems are real, but the claim exaggerates the difficulties they create. Universal installers like InstallBuilder and Install Anywhere offer vendors installers that are similar to those on Windows. As for building several different packages, if community projects have no trouble doing so, why should a software company?
But, really, the largest problem with this claim is that it attempts to impose the Windows way of doing things on an existing system. In GNU/Linux, the creators of an application don't support different distributions or packaging formats -- the distribution does.
This system works because, with free software, the distribution can make whatever changes it needs to make the software run. It is only a problem for proprietary vendors. If they aren't willing to work with the system and release their code as free software, that is their choice -- but then they shouldn't complain that the system isn't set up for them.
2) No migration tools exist
True, GNU/Linux might benefit from a wizard that would import e-mail, browser bookmarks, IRC channels and other personal information from Windows. But the same could be said of Windows. At least GNU/Linux co-exists with other operating systems and can read their formatted partitions so that you can manually migrate some of this information.
3) There's no hardware support
In the past, hardware support for GNU/Linux was spotty. More often than not, it existed because of efforts by the community, not the manufacturer, and its early stages were incomplete.
However, in the last three or four years, community drivers have matured, and more manufacturers are releasing GNU/Linux drivers along with Windows and Mac drivers. The manufacturers' drivers are not always free software, but they are free for the download.
Today, cases of incompatibility for basics such as hard drives, keyboards, and ethernet cards still occur, but are rare. The problem areas are likely to be peripheral areas like scanners, printers, modems, and wireless cards. However, you can hedge your bets by a few tactics such as choosing a postscript printer, which always works with the generic postscript driver, or buying from companies like Hewlett-Packard, which has a long history of supporting GNU/Linux printing.
Some people even maintain that, because GNU/Linux generally retains backwards compatibility, it actually supports more hardware than Windows. I wouldn't quite go that far, but, on the whole, driver problems on GNU/Linux seem only slightly more common than the ones I used to find on various versions of Windows.
Today, too, you can sidestep hardware compatibility entirely by buying GNU/Linux pre-installed from companies such as Acer or Dell.
Seriously? You seriously just said that? Please tell me you don't actually believe that.
So now the difference between a virus and a trojan are important ;) gotcha...
You were already given an answer to that in post 43, which you promptly ignored.
Fortunately, I like chutzpah. :)
Here, let me help you out a little.
Viruses self-replicate. Trojans don't. That's the only difference. But hey, don't take my word for it; see what Symantec and McAfee have to say on the matter.
There is nothing in that definition that has anything to do with route of entry. A virus is still a virus if it gains access to your system by tricking you into executing an infected payload.
In fact, that's how the vast majority of viruses work. Even things that Symantec and McAfee explicitly label a "virus", such as the infamous Melissa worm, work by having the user open a file and invoke a macro.
So if you're going to tell me that a virus isn't a virus unless it uses a remote exploit, I'm afraid I'll take the word of Peter Norton and the U.S. court system over yours.
(Let's recap, shall we? I pointed out that desktop Linux is just as vulnerable to viruses as Windows for all the same reasons. You declared that we should simply ignore the field's single most common infection vector because it doesn't match your personal definition of a virus; however, the industry leaders in virus protection disagree. Your argument is semantic; my argument is Symantec. Then, thinking you were on sure footing among the much smaller subset of infection vectors that do matter within your definition, you went on to express shocking naivete about the robustness of *nix systems against said vector, to which I easily provided a litany of counterexamples that you could've easily found yourself if you weren't blinded by unfounded faith. Is anyone keeping score?)
They sure as heck count to the user!
You and MichiganMan both cite the example of tricking a grandma out of her ATM PIN, and saying that doesn't make the bank no safer than a piggybank (or her purse). Well, actually, the bank is in fact no safer than a piggybank for the grandma.
How easy is it to get the grandma's money if it's in the piggybank? Very easy. How easy is it to get her money if it's in the bank? Likewise, very easy.
Neither money storage mechanism poses much of an impediment to a would-be thief to get the grandma's money, because the grandma herself remains the common point of greatest vulnerability. The probability of a thief getting her money does not noticeably decrease as a result of her moving her money to a bank.
The grandma would increase the security of her savings by making it more difficult for her herself to access them, thus reducing the extent to which a thief could leverage her to get her money. This would include refusing to have an ATM card, or storing her money with a trusted broker. However, it makes it much less convenient for her to access her funds, and it makes her less likely to even bother having a bank (or money, for that matter) in the first place. Most grandmas would not find this a suitable security solution, or even a "solution" at all.
She could also educate herself a little more about scams and other thievery techniques, and take proactive steps to keep her knowledge current and her assets protected. Once again, this is not a suitable solution for most grandmas. It takes away from time that she would rather spend with her grandchildren, and it intimidates her to be burdened with the full responsibility of overseeing the security of her assets.
So as long as the grandma expects convenience, and as long as she remains naive, her assets remain vulnerable.
And if you want her to use your bank instead of the competitor's, and you claim that she can retain both her convenience and her naivete, then you cannot in good conscience do so by claiming that your bank is more secure. It doesn't matter to her how thick your vault door is or how many security guards you have on staff. That's not how thieves will steal from her; your vault door and your guards are about as useful as installing airbags on all the teller windows. They'll steal from her by going through her, and your bank does nothing to impede such an attack.
And if you do manage to convince her that your bank is more secure, all you're doing is exploiting her naivete.
Fun Fact: Did you know you don't have to keep moving goalposts or redefining terms when thoroughly pwned online? It's true! You can accept defeat with honor. People believe untrue or incorrect things sometimes, and, hey, that's okay! When shown the error of your ways, nobody will think less of you for it. A simple, "Well played, sir!", or even quiet concession, is better than devolving the discussion into a game of gotchya's in a misguided and ineffectual attempt at saving face.
Of course, if you want, you can shoot for the moon and try to lose in the most spectacular and unintentionally self-effacing way possible. Typically this involves some kind of application of Godwin's Law. In this particular case, this might involve something like, "Oh yeah? Well, you know who else considered the best route of desktop datasystem intrusion to be through socially engineered exploitation of a largely naive but highly empowered userbase? Hitler, that's who!" I leave the specific implementation to your own imagination.
What exactly is it about Linux that you believe would make desktop Linux systems safer than Windows systems, assuming an equivalent user demographic and an equivalently rich (and richly-featured) application pool?
Why Linux is More Secure Than Windows
Why Windows is a security nightmare
The Structural Failures of Windows
Linux Security: A Big Edge Over Windows
I could post dozens more. THAT is why "Everybody knows" that Linux is more secure by design than Windows. Because it's been documented over and over and over again.
Wishing it wasn't so won't undo that.
"Why Windows is a security nightmare". This article claims that Windows' vulnerability comes from: 1. Application churn (installing and uninstalling apps or app components); which causes 2. Registry rot; which makes the user perform a 3. Clean but unpatched install (such as from disk), which leaves the user exposed to viruses until they can re-apply all their patches. A rather flakey premise, given that it basically means that Windows systems are only really vulnerable in the time period between system installation and patch application; Linux systems are vulnerable during this window as well. As for application churn and registry rot, a desktop Linux system will have the user installing and uninstalling stupid small applications and demos 'n stuff just as often as today's Windows users do. And if you think the Windows registry is prone to rot, take a look in your own /etc, /opt, and /var directories sometime, especially after apt-getting or yumming a few dozen useless packages.
"Why Linux Is More Secure Than Windows". This article enumerates several reasons why Linux is more robust against remote exploits than Windows. These reasons are generally legitimate (modularity, better consideration of third-party patch application, etc.). If the primary route of entry of most attacks today was remote exploitation, this article would be relevant. Unfortunately, the article ends with the reminder:
A knowledgeable user can use a Windows 98 safely, an ignorant user may even compromise OpenBSD based systems.And therein lies the rub. The spread of desktop Linux involves the spread of ever more increasingly powerful and "automatic" Linux applications to a largely naive user base. These users will be exploited just as badly as Windows users are today, and in the same ways; Linux's systemic security protections will do nothing to save them, because that's not how the attacks will come.
"Linux Vs. Windows Viruses". This article, dated 2003, argues that, while both Windows and Linux are of course vulnerable to social engineering attacks, Windows makes it much easier for social engineering attacks to be effective:
Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable.The reason that a Linux user has to go through so many more steps is precisely because Windows, as a desktop operating system, makes more behaviors automatic for the user. In the time since 2003, Windows has gotten less automatic (it no longer auto-launches executables), and Linux has gotten more so. The famous article, How To Write a Linux Virus In 5 Easy Steps", shows how to exploit an automatic program launcher in Gnome/KDE. Why does Gnome have launchers in the first place? To make their Linux system more palatable to the common user as a desktop environment!
"The Structural Failures of Windows". This article gives us a long, long history lesson about Windows. Ironically, it never tells us what exactly is structurally wrong with Windows. Instead, it tells us what has been wrong with Windows historically, and tells us what Microsoft has done in order to fix it. As far as an argument for desktop Linux goes, this article is about as relevant as a security-vs-usability comparison between Windows 3.1 and the Yggdrassil distro. It does, however, paint an overall picture of Microsoft as a company that continuously tries to create more secure and more feature-rich systems while simultaneously striving to retain compatibility with the vast third-party hardware and application base on which its users depend; overall, this article tries to be anti-Microsoft but the "supporting" evidence undermines its own thesis.
"Linux Security: A Big Edge Over Windows". This article, in short, says that it's easier to lock down a Linux system than to lock down a Windows one. This is probably true - if you want to lock it down. Of course, for most users this means no more filesharing apps or YouTube videos, which defeats the purpose of having a computer at all.
James Bottomley, Linux expert and chief technology officer of SteelEye Technology told LinuxInsider. "But just like in your own home, if you leave a door open, you are going to get robbed sooner or later. The way to keep the door closed in Linux is to set policies correctly." ... With most Linux distributions, this is often hard to get right if there is no IT support, cautioned Bottomley.The thesis of the article is that Linux makes it easier for the user to take security into their own hands. This is not what the desktop user wants.
You present a number of historical arguments about why Linux has been more secure than Windows, and present-day arguments about why Linux today is more secure than Windows. Both of these arguments include, in part, the fact that, compared to Windows, Linux, both historically and presently, has a base of users that are both more technically competent and more willing to take it upon themselves to ensure the security of their systems - part of which involves being willing to forego certain features and automatic behaviors.
Evolving Linux into a desktop system will belie this premise. In order to claim that desktop Linux will be more intrinsically secure than Windows, you effectively have to prove that it will protect users from running "bad" code while keeping them fully empowered to run all the "good" code they want, even when the users themselves can't tell the difference. None of these articles prove any such thing, because such a system cannot exist.
Hey, that’s pretty cool! :)
I don’t think this is particularly relevant to the question of whether or not desktop Linux would be more secure than Windows, though.
1. DoS doesn’t count. I’m not allowed (by policy, not by technical restrictions) to DOS the machine. There goes my strategy of writing a small program to dump /dev/random into all 1024 lowest ports. :)
2. Launchpads don’t count. I’m not allowed to launch attacks from this machine to other hosts.
3. Snooping doesn’t count. It’s a foregone conclusion that everybody on this machine under the root account can see each other’s data and watch each other’s activity.
This leaves the hacker with nothing to really play with. I mean, why on Earth do I want to break into your box in the first place? To spy on you, steal your data, and then use your box to go do the same thing to other people. Duhhhh. :P
No. Try again. Historically, Unix has been more secure than Windows because Windows design has emphasized ease-of-use and system performance over security. That Linux can be made even MORE secure due to the ability of technically savvy users has nothing to do with that basic concept. Windows privilege escalations remain ludicrously simple to this day. Microsoft shows no inclinations to rip out the rotten guts and replace it so it will continue to remain a security cesspit until they decide to do so.
Evolving Linux into a desktop system will belie this premise. In order to claim that desktop Linux will be more intrinsically secure than Windows, you effectively have to prove that it will protect users from running "bad" code while keeping them fully empowered to run all the "good" code they want, even when the users themselves can't tell the difference. None of these articles prove any such thing, because such a system cannot exist.
Too bad your entire premise is wrong. Linux needn't be "evolved" into a desktop operating system. Linux is already a desktop operating system. There is no functional difference between a Linux server serving up Apache requests and a Linux desktop used to browse the web. They run the same kernel, the same userland systems and the same libraries. The only difference is that a Linux desktop starts less software on bootup.
I also note that while your ramblings are long on wind, they are markedly short of something else. Data.
While your posts exude many claims, most of them are wrong. Let me describe a couple:
As for application churn and registry rot, a desktop Linux system will have the user installing and uninstalling stupid small applications and demos 'n stuff just as often as today's Windows users do.
Factually incorrect. Linux systems do not use a registry. Uninstalled software on a Linux system is GONE and leaves no mess behind. Whether using the command line or apt, both contain options to purge all files. There is no such thing (and there cannot be) in Windows.
Instead, it tells us what has been wrong with Windows historically, and tells us what Microsoft has done in order to fix it.
Except that time and again, Microsoft says that they've "fixed" it, yet get exploited again and again through the same design flaw.
The Shatter Attack is the most prominent of Windows design flaws. And while Microsoft patches vectors into the design, they have yet to patch the actual flaw. The Shatter Attack has been debated on almost every security site out there.
And it doesn't seem to be getting any better. For instance:
...shows that rampant structural problems continue to exist in Windows Vista and Microsoft continues to deny that the problem exists...until the next exploit. Which they patch and claim once again that all is well.
Recently a security expert (pay attention, this is what one looks like) wrote this paper outlining the flaws in the Win32 API and Microsoft's response.
Rather than actually fixing the problem...
"When Microsoft saw a copy of this paper, they sent me a response stating clearly that they are aware of these attacks, and they do not class them as vulnerabilities...
I agree completely that in both of these scenarios, 0wning the machine is pretty easy. However, they've missed the point. These are techniques that an attacker can use to escalate their privileges. If they can get guest-level access to a machine, these attacks allow you to get localsystem privileges from any user account."
So once again, rather than fix the actual problem, Microsoft just refuses to acknowledge that the problem exists. Nice.
In the interim we wait breathlessly for your published paper on Windows security.
Until then, readers can rely on dozens of security organizations and professional publications such as SANS, eWeek, Security Focus, The Inquirer, The Register, Linux Insider and CERT or they can rely on you.
The Shatter Attack is the most prominent of Windows design flaws. And while Microsoft patches vectors into the design, they blah blah blah blah blah blah
Okay, you're evidently having a little trouble wrapping your head around this, so I'll try to go slow.
The vast majority of malware on desktops today didn't get there through an errant message or a malformed packet or a buffer overflow. It got there because the user clicked on something they didn't know they weren't supposed to click on.
Because of this, I really, really don't care how quickly Microsoft or Red Hat issue patches, nor what those patches are. I'm happy to grant you the premise, for purposes of this discussion, that Linux systems are less buggy and less vulnerable to 0day remote exploits than Windows. It's irrelevant, because that's not how attacks come.
My Debian box at home is not vulnerable to attacks by the Downadup worm. It is also not vulnerable to attacks by velociraptors. But at the end of the day, when I go install some shareware game on my Debian box, I put myself at just as much risk as I would on Windows.
Historically, Unix has been more secure than Windows because Windows design has emphasized ease-of-use and system performance over security.
Yep, and as you improve the ease of use and UI richness in a Linux distro, you will render it vulnerable to many of the same security failings.
Linux needn't be "evolved" into a desktop operating system. Linux is already a desktop operating system.
Hell, why stop there? You can claim that Linux has been a desktop system ever since the development of the X11 GUI. You can go even further and say that Linux has been a desktop system ever since Linus Torvalds' first successful run on a desktop computer.
But we all know that's not the point. To be ready for primetime, a desktop operating system needs to be usable by people who know next to nothing about computers. And most importantly, it needs to enable those users to find, install, and use applications that aren't simply "by geeks for geeks". That means chat clients, filesharing apps, games, office software, and so on.
Naturally, these things do in fact exist for Linux, but they're harder to use than their Windows counterparts. When the Linux community reduces the usage complexity to make these things just as easy and automatic as they are on Windows, they will also open the door to the same kind of exploitation.
Recently a security expert (pay attention, this is what one looks like)
Heh. You think you can condescend me regarding my familiarity with the computer security community. That's funny.
You're seriously trying to post this as fact? FYI that is THE VERY DEFINITION of a "virus". Talk about clueless, don't even waste anyone's time trying to argue either.
http://dictionary.reference.com/browse/virus
"a true virus cannot spread to another computer without human assistance"
Meanwhile, back in reality the world’s defacement archive Zone-H (which runs on Linux and has been hacked itself) shows more Linux being hacked every single day than any other webserver O/S.
http://www.zone-h.com/archive/special=1
Impossible! Don’t you know that no virus has ever existed for a *nix system of any kind!?
:)
(Watch him say that BSD isn’t “really” a *nix system...)
Yes, sigh. Because your opinion, no matter how dearly held, is not the same as facts.
Hell, why stop there? You can claim that Linux has been a desktop system ever since the development of the X11 GUI.
X11 predates Linux by many years. You need to understand the subject matter at hand before you make pronouncments from the depths of your experience.
Naturally, these things do in fact exist for Linux, but they're harder to use than their Windows counterparts.
In your opinion. Factually, numerous studies have indicated that Linux usability is actually better than Windows. You seem to not be able to understand that just because something is different doesn't make it harder. It's just different. Users that have never used a computer tend to find distros like Ubuntu and Mandriva easier than Windows.
When the Linux community reduces the usage complexity to make these things just as easy and automatic as they are on Windows, they will also open the door to the same kind of exploitation.
You keep coming back to this point but have yet to introduce any factual data other than your opinion as to why this may be true. On the other hand, I've posted links to several articles and white papers that show the differences in Windows and Linux architecture that indicate that it's not true.
Heh. You think you can condescend me regarding my familiarity with the computer security community. That's funny.
Yes, I can. Because I've been working professionally in the security community for over ten years and professionally as a system administrator for even longer. I've managed Unix and Windows networks, Cisco gear, Checkpoint firewalls, SANs, and just about anything else you can plug a network cable into. And in all those years, and all of the dollars that Microsoft has said that it's poured into securing Windows, Windows is just as full of holes today as it was then. Every new version is supposed to finally eliminate privilege escalation and remote exploits, but it doesn't.
In that same time I've seen the apologists keep saying that Unix will eventually become as malware-infested as Windows and it just hasn't happened.
And that's because Windows architecturally is a security problem and nothing short of a complete rewrite and abandonment of backwards compatibility will ever make it secure. And Unix has solid security underpinnings and while there are minor problems from time to time, it will never have the same kinds of problems Windows has.
Are you back to touting the debunked Zone-H joke?
What's the matter, didn't your new set of talking points from Redmond show up?
I've already answered this but you gloss over it like a FNORD. Therefore, this post is for the benefit of folks reading this thread, lest they fall for your continuous attempts to side-track the discussion by missing or ignoring my primary point.
So, I'm going to have to perform the objectively silly act of quoting myself, from my own post #132. Knitebane, you probably aren't going to see anything below this paragraph, but the rest of readers will see a very simple explanation of why your fetishization of Linux security characteristics doesn't actually help in the context of a naive desktop user.
The vast majority of malware on desktops today didn't get there through an errant message or a malformed packet or a buffer overflow. It got there because the user clicked on something they didn't know they weren't supposed to click on.
Because of this, I really, really don't care how quickly Microsoft or Red Hat issue patches, nor what those patches are. I'm happy to grant you the premise, for purposes of this discussion, that Linux systems are less buggy and less vulnerable to 0day remote exploits than Windows. It's irrelevant, because that's not how attacks come.
My Debian box at home is not vulnerable to attacks by the Downadup worm. It is also not vulnerable to attacks by velociraptors. But at the end of the day, when I go install some shareware game on my Debian box, I put myself at just as much risk as I would on Windows.
Hey, check this out! Hot off the presses: the latest Internet worm targets... wait for it... Linux-based DSL routers!
And how does it get in? Through some flaw in Linux’s architecture? No! By exploiting the fact that most home network users have weak administrator passwords! Ohhhhh, say it ain’t so!
The advantage Mint has over Ubuntu is that all of the media stuff works on the first run. Ubuntu wasn't hard to set up for me because I've been messing around with Linux since Red Hat 5 but Mint does just about everything I want with no work. Adding ManDVD is about all I had to do.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.