POV-Ray : Newsgroups : povray.off-topic : I am convinced...
  I am convinced... (Message 14 to 23 of 43)  
From: scott
Subject: Re: I am convinced...
Date: 21 Dec 2010 04:36:18
Message: <4d107512@news.povray.org>
> (basically the only relatively successful worms
> in the unix world have exploited bugs in the systems to spread themselves,
> rather than relying on the users; fix the bug, and the worm stops;

Recently it's the same on Windows (Outlook has prevented you running 
executables for years now).

There are several other important differences between viruses on Unix 
type OSs and Windows.  Firstly, the average "computer knowledge" of unix 
users is probably way higher than windows users, this in itself prevents 
a load of viruses spreading.  Secondly, virus writers know this, so 
target Windows.  Do not underestimate a large amount of people with 
malicious intent.  I would be very surprised if similar exploitable bugs 
and loopholes don't exist in Unix, it's just people haven't searched 
that hard for them.

Also I wonder if having an open-source OS would make it more or less 
vulnerable to viruses compared to closed-source (if all other factors 
were equal)?  On the one hand virus writers can browse the source code 
looking for exploits (surely way easier than reverse engineering or 
random testing), but on the other hand people can do the same to close 
the exploits.



From: scott
Subject: Re: I am convinced...
Date: 21 Dec 2010 04:41:15
Message: <4d10763b$1@news.povray.org>
>> If it went far enough, people would send out "here's a zip file with the
>> password xyz. Unpack it with that password, rename hello.jpg to hello.exe,
>> and run it to get an important message from your bank" and someone would do it.
>
>    Didn't seem to be such a problem in the unix world.

Because there are a tiny number of unix users who would follow 
instructions such as "you must run this attachment as admin to regain 
access to your bank account" from a random email.  Yet there are 
probably thousands of windows users who would simply run the attachment 
and click "Yes" when asked exactly the same question by the OS.  If you 
were a virus writer wanting to make money, which platform would you target?



From: Warp
Subject: Re: I am convinced...
Date: 21 Dec 2010 05:17:08
Message: <4d107ea4@news.povray.org>
scott <sco### [at] scottcom> wrote:
> >> If it went far enough, people would send out "here's a zip file with the
> >> password xyz. Unpack it with that password, rename hello.jpg to hello.exe,
> >> and run it to get an important message from your bank" and someone would do it.
> >
> >    Didn't seem to be such a problem in the unix world.

> Because there are a tiny number of unix users who would follow 
> instructions such as "you must run this attachment as admin to regain 
> access to your bank account" from a random email.  Yet there are 
> probably thousands of windows users who would simply run the attachment 
> and click "Yes" when asked exactly the same question by the OS.  If you 
> were a virus writer wanting to make money, which platform would you target?

  Well, that's kind of my point: Microsoft made it easy for viruses and
other malware to spread. The fundamental problem is that Microsoft didn't
"teach" their users to be more conscious about security. Safety thinking
didn't become a second nature to their users because the OS wasn't hammering
it into them by its very behavior.

  And by this I don't mean eg. messages popping up warning the users.
With this I am talking about the very design of the OS. The design itself
should have been such that the users who learn to use it automatically
learn an instinct that protects them from most harm.

  It's a bit like the difference between a "safe" and an "unsafe" programming
language: If the programming language, by its very design, makes it very
hard to write unsafe code, programmers who learn the language will learn
to use it safely, in a natural way. When the safety is in the design, the
language doesn't need to remind the user of it eg. with warnings.

-- 
                                                          - Warp



From: Warp
Subject: Re: I am convinced...
Date: 21 Dec 2010 05:20:45
Message: <4d107f7d@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> Thinking on it, there are a whole bunch of "patches" made in the UNIX world 
> to account for bad security.

  I never said that unix was perfect from the start (nor even that it is
perfect now). That wasn't my point.

  My point was that the *approach* at OS design was different from the
start, and this caused it to naturally grow into a safer environment.
When the internet got immensely popular, unixes were already mostly safe
(give or take some exploitable bugs), while Windows was completely open
to all kinds of attacks. And this was not solely because unix has existed
longer. It's a question of fundamental design.

-- 
                                                          - Warp



From: Warp
Subject: Re: I am convinced...
Date: 21 Dec 2010 05:29:59
Message: <4d1081a7@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> >   If the very first version of DOS had had a similar account/password
> > system as unixes,

> ... then it wouldn't have run on an 8086, and MS would be broke.

  Or maybe we would have much better PCs today because they would not be
based on (and mostly backwards-compatible with) a totally antiquated and
obsolete architecture designed by IBM and Intel.

  Think about how the game industry has boosted the development of graphics
cards. Imagine if the same boost would have been done to the PC architecture
by OS vendors.

> > would not complain because they would take it for granted, as something
> > obvious.

> It's hard to say. Most of the other systems of the day didn't have it either.

  Multi-user unix systems were certainly being used in many environments
(eg. at universities with thousands of students) back when Windows95 didn't
even exist. Back then things like logins, passwords and access rights were
a given in those systems. Yes, I have personal experience.

> Contrast with something like Singularity, where you explicitly list every 
> program you're going to run

  I never said that unix is the perfect system. I just said that it's
*better* (in terms of safety) because the fundamental design is different
(namely, it's intended to be a multi-user system).

  The point is that if operating systems had had the proper design from
the start, things like computer viruses wouldn't exist (except perhaps
ones exploiting bugs, but those would probably not get as widespread
because bugs are easier to fix than fundamental OS design).

-- 
                                                          - Warp



From: Warp
Subject: Re: I am convinced...
Date: 21 Dec 2010 05:36:23
Message: <4d108327@news.povray.org>
scott <sco### [at] scottcom> wrote:
> Also I wonder if having an open-source OS would make it more or less 
> vulnerable to viruses compared to closed-source (if all other factors 
> were equal)?

  At least some years ago Linux was the second OS with the most security
vulnerabilities found each year (probably no need to mention which OS the
one with the most was). I wouldn't be surprised if that was the case today as
well.

  It's not like systems like Linux don't have security bugs to be exploited
(either by hackers or by malware).

-- 
                                                          - Warp



From: Darren New
Subject: Re: I am convinced...
Date: 21 Dec 2010 13:01:26
Message: <4d10eb76@news.povray.org>
Warp wrote:
>   My point was that the *approach* at OS design was different from the
> start, and this caused it to naturally grow into a safer environment.

Sure, I'll grant that. It wasn't what I was talking about in the original 
post, but I'll grant that.

I don't think it applies any longer, tho. Indeed, in many ways I think 
Windows might have a more secure architecture than UNIX nowadays, even if in 
practice it's not quite up to snuff and in practice it gets attacked more.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."



From: Darren New
Subject: Re: I am convinced...
Date: 21 Dec 2010 13:04:10
Message: <4d10ec1a@news.povray.org>
scott wrote:
> Because there are a tiny number of unix users who would follow 
> instructions such as "you must run this attachment as admin to regain 
> access to your bank account" from a random email. 

http://en.wikipedia.org/wiki/Christmas_Tree_EXEC

Enough that it made international news at the time. Granted, this was IBM 
big iron, not unix, but the principle is the same.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."



From: Darren New
Subject: Re: I am convinced...
Date: 21 Dec 2010 13:38:31
Message: <4d10f427@news.povray.org>
Warp wrote:
> Darren New <dne### [at] sanrrcom> wrote:
>>>   If the very first version of DOS had had a similar account/password
>>> system as unixes,
> 
>> ... then it wouldn't have run on an 8086, and MS would be broke.
> 
>   Or maybe we would have much better PCs today because they would not be
> based on (and mostly backwards-compatible with) a totally antiquated and
> obsolete architecture designed by IBM and Intel.

Maybe. But the machines had to be cheap enough for individuals to buy. More 
importantly, they had to be cheap enough that they could go into the right 
spot on the budget.

The only thing that made PCs "cheap" at the time was the clone makers. It's 
hard to say whether things would have taken off or not, but it's not like 
there weren't powerful UNIX-based machines with well-designed CPUs in the 
mix at the time.

>   Think about how the game industry has boosted the development of graphics
> cards. Imagine if the same boost would have been done to the PC architecture
> by OS vendors.

They had things like that. The Dolphin running Smalltalk. The Amiga's 
specialized chips. LISP machines. IBM made an APL luggable computer I worked 
on for a while. Heck, even the Mac was in the competition. And at the low 
end you had dozens of Radio Shack, Apple ][, Vector Graphics, Tektronix, 
Kaypro, Commodore, and a dozen other brands of machines, many of which were 
mostly compatible with each other at the software level via CP/M.

And the 8086/8088 was designed to run Pascal, which also didn't take off.

So... what happened?

>> It's hard to say. Most of the other systems of the day didn't have it either.
> 
>   Multi-user unix systems were certainly being used in many environments
> (eg. at universities with thousands of students) back when Windows95 didn't
> even exist. Back then things like logins, passwords and access rights were
> a given in those systems. Yes, I have personal experience.

Sure. But the other computers you'd buy yourself, for one user, didn't have 
any password stuff. I'm talking mostly the 8-bit computers that the IBM PC 
wound up replacing.  Sure, I used Solaris machines and even z8000-based UNIX 
machines. They weren't something you'd buy for a secretary, tho.

And when you have a computer with thousands of users, you have someone 
knowledgeable taking care of it, and everyone with access has a basic 
understanding of computers or they wouldn't have access. It wasn't a general 
purpose tool - it was a computing tool, and to use it, you needed a 
fundamental understanding of how the computer worked.

>> Contrast with something like Singularity, where you explicitly list every 
>> program you're going to run
> 
>   I never said that unix is the perfect system. I just said that it's
> *better* (in terms of safety) because the fundamental design is different
> (namely, it's intended to be a multi-user system).

Well, Windows is too, *now*. You can blame Windows users for the problems, 
and blame Microsoft for Windows users. But having actually dealt with people 
who don't know what they're doing, I have come to the conclusion that if you 
put a general purpose tool in the hands of someone who has *no* idea how it 
works, you're going to get scripted behaviors (i.e., people who take notes 
on the steps they have to go thru to send a picture to their grandchild) 
with no understanding or desire for understanding of the implications for 
anything except "did it work?"

In other words, I don't think that having had logins from the beginning 
would have taught people that mail can be forged. I mean, heck, do you think 
having logins on the computer would teach people not to fall for Nigerian 
scams? Do you think it would teach people not to fall for phishing scams? 
Why would you think it would teach people not to fall for any other sort of 
forged mail?

>   The point is that if operating systems had had the proper design from
> the start, things like computer viruses wouldn't exist 

I disagree. That's exactly why I listed all the security flaws that UNIX 
fixed over time. Such OSes *would* have bugs, *did* have bugs, and they'd 
continue to have bugs as new capabilities were introduced. Nobody had a 
Morris worm before SMTP. Nobody had UUCP appending mail to /etc/passwd 
before UUCP was around. Nobody stole passwords by connecting to a coworker's 
X terminal before X was invented. Every operating system has had viruses 
and worms and such, including those who had multi-user access controls built 
in to start with. Granted, it's hard to know exactly how many, especially 
given the explosive growth in the number of machines in use and the 
explosive growth in the number of computer-naive users. But, too, when a bug 
was found in UNIX, it wasn't valuable to avoid reporting it, so they got 
fixed instead of exploited, usually. Except Kevin Mitnick, who also made 
international news by stealing stuff not from Windows machines, but from 
UNIX machines.

Now we're in a different world, where it's actually valuable to find and 
exploit flaws, rather than reporting them when you come across them in 
normal usage. (Sort of like now suddenly we need to protect airplanes from 
terrorists, and not just the passengers. :-)

Basically, history does not bear out your statement, and the disproof is why 
I listed all the UNIX flaws that had been fixed over time.

Heck, by all estimates, Mac OSX has more security holes in it than Windows 
does (per installed unit, obviously), and it's based on an OS that has 
always had logins.

That said, yes, certainly a system that has always had multi-user 
authentication (and, more importantly, a separation of administrative duties 
from daily operations) is superior to one that doesn't. But when every 
system now has multi-user controls, and people try to deliver applications 
over the internet yadda yadda, you wind up with viruses that don't need 
administrative privs to propagate. I suspect that's the vast majority of 
active viruses now - those that steal personal information or add you to a 
bot-net, neither of which need (or even want) admin privileges.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."



From: Darren New
Subject: Re: I am convinced...
Date: 21 Dec 2010 13:41:21
Message: <4d10f4d1@news.povray.org>
Warp wrote:
> I wouldn't be surprised if that was the case today as well.

I saw an interesting article a couple weeks ago (on LWM?) where the author 
looked at the security bugs fixed, and tracked back thru the archives to 
figure out where they'd been introduced, to see if the number of security 
holes in Linux is going up or down. Apparently, the number is down, very 
slowly, but it's close to the measurement noise.  (It's hard to tell where a 
bug was introduced in a system where it's a number of interacting systems 
that cause the bug, for example.)

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.