Forgot your password?
typodupeerror
Technology

Journal NixLuver's Journal: Teknopolitically Correct 18

There's a certain disturbing tendency among techno-geeks everywhere that I tend to chalk up to a general tendency to be conservative in intellectual affairs. That being said, it infuriates me when this particular bit of intellectual kindness is adapted and regurgitated as though it were 'proven fact' among those 'in the know'.

The bit of FUD that I'm speaking of is the tendency to assume that Linux/BSD/OSX/BeOS/<insert operating system here> would be "just as bad" security-wise as the prevailing desktop and sometime server from Redmond.

The reasoning goes like this: Windows is the predominant desktop and as such has the most instances in cyberspace; thus virus/trojan/hack/toolkit writers target Windows specifically. In addition, nowadays it seems to be assumed that most 'hackers' (crackers and malware authors, not "real" hackers) use *nix (which may or may not be true - it seems counter intuitive if the malware is to run on Windows, no?).

These two concepts give rise to the assertion that if the attention of these 'black hats' were focussed on some other OS, the results would be similar to those experienced in our Windows-centric technoscape currently.

Well, I say POPPYCOCK and HORSESHIT. Before the flamethrowers kick into overdrive, let me disclaim a bit: I think that, were another OS in Window's market position, more of that platform's security/stability issues might be exposed than are now; my point is to address the 'just as bad' mindset.

This worldview is the result of certain assumptions that are based on faulty reasoning. The first failure is the assumption that all design philosophies are security-neutral. Now, almost any programmer and most techies of any sort will realize that this is not true; a little bit of thought should expose for you the fact that this is an underlying assumption of the "just as bad" school of thought.

Now, the second failure is the assumption that all programmers are equivalent. This one is not as obvious as the last, but it's equally incorrect and even more insidious, becaues it's not necessarily intuitively false. We tend to think of programmers/developers in a stochastic sense, and assume that we're comparing apples and apples, when in fact, I think there is little overlap between opensource development and the Redmond mentality - and here's the kicker - even if the developer/programmer in question works on both types of product... Yes, I'm saying what it sounds like I'm saying. I think a programmer that works on both commercial, closed source 'enterprise' development, on the whole, will write better code on his own opensource/FS project than on the project he is paid to develop. I believe that every individual will do better work when they're doing it because they love to do it than when they are doing it because they're being paid to do it - no matter what their work ethic.

Finally, one may certainly express an opinion (as I have done and am doing) about one's preferred platform, but assertions such as the "JAB" (just as bad) assertion are *just that*, opinions, not some enlightened view of the universe. JAB has not been tested or verified in any meaningful manner - it's an assumption made to assuage the consciences of those who choose Redmond because 'no one has ever been fired for doing so'. Until and unless <alternative OS X> becomes as ubiquitous as Windows, such assertions remain just that - unfounded assertions designed to mislead people who haven't considered the real issues and implications of JAB.

In addition, let me point out that anyone who runs a firewall and logs into #linux or #linuxhelp or #hackerz or "..." on IRC will see that his/her box comes under attack from script kiddies and crackers within seconds, usually probing for poor security decisions and software not kept up to date by the user/administrator. I think that many malware authors write their devious little trinkets for reasons of pride - or at least, used to; now it's pretty much because it's so easy and spammers need the help. Imagine what a coup for the Redmond crowd if someone were to come up with a really solid virus or trojan for *nix? Say, in perl, which is extremely cross-platform, increasing the possible target systems to include most of the *nix universe - along with devices like '~/' eliminating many of the path inconsistencies. People like to assert that the lack of such is because of the relative obscurity of *nix; I say it's not been done because it's fscking hard to do.

Regardless, here's my assertion, based on my opinion that the design philosophy of *nix is qualitatively and quantitatively better from a security and stability standpoint than the Redmond offerings, and my opinion that authors who write code because they love it write better code than those who do it because they get paid to (I think that applies to most endeavors, actually): Were *nix as ubiquitous as Windows is now, we would not face anything even approaching the global interference caused by trojans, virii, and crackers who attack Windows. In other words:

No, Virginia, it's not 'just as bad'

.

Steve

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." --Bertrand Russell

This discussion has been archived. No new comments can be posted.

Teknopolitically Correct

Comments Filter:
  • Somewhat agree (Score:3, Interesting)

    by Tassach ( 137772 ) on Monday February 02, 2004 @12:53PM (#8159597)
    I'll agree with you on the point of secure architectures: security has to be a fundamental part of the system and not an afterthought. However, I'd argue that the the NT family of windows products actually have a better security architecture than Unix. The NT kernel has a much more advanced security model than any classical Unix kernel (Linux being a textbook example). So, if NT's security is so much more advanced than Unix, why is the average NT installation so much less secure than the average Unix installation?

    The big problem lies outside of the Kernel. Microsoft does have architecture problems, but it's not the architecture of the OS kernel itself, but rather the architecture all the userland stuff that's needed to turn a bare kernel into a usable operating system. Microsoft applications use a design philosophy that emphesizes usability and interoperability over security. While NT might have a really incredible security model, the benefit of this is negated by having 3/4 of all the userland processes running with administrator rights, and by having 30 unneeded services turned on by default also running with administrator rights.

    Ultimately security comes down to the sysadmin. A windows system run by a competant and knowledgable sysadmin is as secure as a unix system run by a competant and knowledgable sysadmin. The problem is that there are a lot more incompetant windows administrators. The clueful/clueless ratio is a lot lower among Windows sysadmins than among Unix sysadmins, although this may change as Unix becomes more mainstream and moves into the desktop and SOHO markets. To a large extent, security is inversely proportionate to ease of use, and it is (perceived) ease of use that is one of Window's main selling points.

    • You certainly make some good points... I've always said that a system's security is never better than its sysadmin.

      However, I'm interested in what it is that makes you think that NT has a better security architecture than *nix (including linux, OpenBSD, MacOSX, and trad unix)? What defines this 'much more advanced security architecture'? Are we simply referring to the ACLs that NTFS supports? Or is there something specific to the NT kernel that makes it a 'more advanced security architecture'?

      • ACLs are a core part of the NT kernel, not just something slapped on by NTFS, every process has an ACL even if you're running NT from fat32. Also remember that NT is a microkernel whereas most *nix kernels are monolithic. A microkernel architecture has, at least in theory, significant security advantages over a monolithic architecture. NT inherits it's security model directly from VMS, which is still probably the most secure OS around. There's no reason why NT shouldn't be at least as secure as VMS from
        • Ah, I see what you're getting at. I'd have to say that my memory indicates that NT/2k/etc incorporate VMS's memory management rather than filesystem ACLs. Regardless, I'm not sure agree that it's intrinsically a stronger architecture than Linux, BSD, or OS X.

          If NT is a microkernel, it's a severely brain damaged one. I've never seen anything that specifically claimed that, but I'll take your word for it for the sake of discussion. Regardless, OS X is a microkernel (mach) architecture, and one that works. Ba

          • Personally, I'll use Unix over windows any day for a server, and maybe 50% of the time for a desktop. As much as I like Linux, it's still a PITA as a desktop for anyone other than a hard-core computer geek. When I use a desktop, I want to get actual work done, not fart around trying to get enviornment working.

            I haven't tried OS X yet, and probably won't anytime soon because of Apple's predatory pricing model. As sweet as they may be, Macs can't compete with commodity x86 hardware on a bang-for-the-buc

            • LOL - I'm completely in line with that - I have a three year old and I'm on the last phase of upgrades to my current system that I got through trading of the toys I had prior to Baby... I hear my dual Athlon board only has one more upgrade (2100 to 2800) but I don't have a clue where I might be able to afford to go after that.

              Have you tried RH9 with Ximian D2? I haven't seen that it was that much of a PITA, although I may have been using it (Linux) so long that the PITA parts have dropped below my radar.

              H

            • Well, in terms of new machines, Macs are indeed still more expensive, but the older machines hold up far better and for far longer then their x86 counterparts running Win.
              I'm on my day off so you'll have to drop by my site to get all the links (I'm done HREFing for the day) but you'll find that you can get a used G3 beige from, say, MacResQ for under two hundred bucks. Add a USB/firewire card (about forty bucks) and some RAM and you will be able to run OSX just fine.
              A while back I bought a Mac of the same
  • Hard to tell (Score:3, Interesting)

    by miu ( 626917 ) on Wednesday February 04, 2004 @01:23AM (#8177477) Homepage Journal
    I remember in the NT 3.51 and 4.0 days that the MS boosters loved to point out the insecure history of Unix and all the ways it could be hacked. Those folks never believed what sort of weaknesses would show up once NT servers were connected to the public networks. Since I was a Unix admin at the time I got to see several of these NT projects and see how unprepared the technology was.

    Pride comes before a fall. I'd hate to see the Linux community repeat the mistakes that the MS community made in moving to a new environment. Since Unix is new to the desktop we have the chance to make sure that the known weaknesses of Windows on the desktop are not transfered into Unix on the desktop.

  • Apache (Score:2, Insightful)

    by rgmoore ( 133276 ) *

    The obvious counterpoint to the JAB argument is Apache vs. IIS. It's one case where the Free Software solution is the dominant player in the market but it hasn't had the same kind of security problems that the biggest proprietary competitor has. It's fairly clear why, too; Apache has always concentrated on being secure and correct first and being fast and easy to use second. IIS has tended to focus on performance and ease of use, with consequent problems with its security.

  • I agree. One factor ignored amoungst those who would claim especially that open source architectures would suffer as badly is that as (eg. Linux) gets more exposure, so there are more pairs of eyes looking at the source. Thus current security is probably a good guide to future security, as both attacks and degree of review are likely to be proportional to the penetration of (eg. Linux).
    • The problem with most opinion articles like this one are the false assumptions for the foundation then running off on the slippery slope from there. I fully agree with the basis and the logical argument of the overall position of this one though.

      The security-neutral and worldwide view is very correct in this context. Some organizations, NSA, have the highest focus on security.

      What the hell, programmers have different skill levels? I would say that only a few, 1000 worldwide, maybe, have the raw talent and
  • One fatal weakness you are overlooking is the users.
    While you mention programmers and admins not being apples to apples, you forget users. I have run windows and linux boxes for a while and have never been owned or had real issues with either. I have had a windows server get owned but that was do more to my own stupidity, than anything else. (Running a popular gameserver without ANY type of firewall on 2k server and leaving some other stuff up was just dumb)
    But where a LOT of the biggest problems we have
    • I didn't overlook that at all... My thesis was that an operating system that makes better security and stability decisions won't be 'just as bad' as Windows in the wild. My opinion is that *nix does make better decisions in both of those arenas and as *nix based systems propagate it will become clear that they are not "Just As Bad".

      Users will always be a problem for administrators, but by default, on a *nix system, the users don't have the necessary privileges to do the kind of damage a user in Windows 9x

"Wish not to seem, but to be, the best." -- Aeschylus

Working...