MyDoom (was: Test)

bscott at ntisys.com bscott at ntisys.com
Wed Feb 4 00:07:00 EST 2004 

On Wed, 4 Feb 2004, at 1:01pm, invalid at pizzashack.org wrote:
>> Yes, but this has nothing to do with the design or implementation of
>> either Linux/Unix or MS-Windows.  It's simply a matter of operator
>> mindset.
> 
> Er, I can't say I agree there either.  Until very recently, Microsoft
> provided no separation of privileges in their for-home OSes.

  Hmmmmm.  Well, you've got a point there.  I'm so used to dealing with the
"professional" space at this point that I tend to forget that people
actually think 9X qualifies as an operating system.  :-)  Yah, if you're
running the toy software, you're screwed no matter what.

  But, that being said, I note that most OEMs ship their *current* Windows
computers configured with an automatic logon to full "Administrator"
privileges and no password by default, and that most lusers never change
that configuration.  So, even though Windows XP can run "just like Unix",
"nobody" is doing that.

  Just to clarify my position: I firmly believe that a Linux system is
easier to secure, and can be made more secure, then a MS-Windows system.  
However, that is not my point.  My point is that virtually *all* of the
security exploits seen in the MS-Windows world do not attack those areas.  
They attack human problems.

> Do you forsee [mass shipments of Linux] as even a possibility in anything
> resembling the near-term?

  No.  But that's irrelevant to the points I am making.

> I think (out of necessity) computer users in general are becoming more
> savvy all the time hopefully by the time this is even a possibility, the
> typical computer user will know better than they do today.

  Which is great.  But, you'll note, that has nothing to do with any
particular software product or platform.  :-)

> But, Lindows is a special case, where in remarkably short-sighted fashion,
> it is trying to mimic Windows' poor security model for ease of use.  This
> really makes them no better than Windows itself ...

  *Exactly*.  Poorly configured, Linux is "no better than Windows itself".  
*You said it*!  :-)  If it depends on configuration, it is not inherent.

  LindowsOS put ease-of-use before security, just like Microsoft and so many
computer OEMs often do.  LindowsOS received significant mainstream press,
because it was being sold by Wal-Mart.  I even read a short review of it in
Consumer Reports.  That's more "mainstream"  then most Linux distributions
get.

  Do I expect LindowsOS in particular to succeed?  No.  Am I saying that
something like LindowsOS *will* be what ends up getting all the market
share?  No.  But *could* it?  Yes.  See point #2, below.

> But I suspect this company will not last long.

  *shrug*  Again, based on the quality of Microsoft's products, I would not
have expected *them* to last long.

> "Normal" Linux distributions do not go out of their way to defeat the
> wisdom of the normal Unix security model.  Only particularly ignorant
> users do this.

  Most computer users are particularly ignorant.  Right now, most Linux
computer users are not.  If Linux really starts to win, that will change.

> I only argued the point because you made statements earlier in the thread
> which I think are not really true.  Linux advocates make such arguments
> because they are, in fact, technically true.

  The context of the discussion that started this discussion was a claim
that Linux is inherently resistant to the current style of malware attacking
Microsoft Windows systems.  This is patently false, as I believe has been
demonstrated.  The attacks we see in the MS-Windows world are not
sophisticated.  They are horribly simple, in fact.  Yet they still succeed.  
Claiming that Linux can fix this problem is wrong.

  Perhaps a metaphor will help: Microsoft Windows is a cardboard box with a
padlock on it.  Linux is a bank vault.  The current crop of malware exploits
that fact that the people who own the cardboard box do not lock the padlock.  
If those people switch to a bank vault, but continue to leave it unlocked,
the problems with malware will continue.  And the people in question will
then be pissed that they spent all this money on a bank vault that others
told them was inherently more secure...

  So, what's the point of all this argument from me?  Two things:

  (1) If people are discussing trivial exploits like a "MyDoom" worm,
statements that Linux would solve the problem are misleading, because it
gives the false impression that Linux is resistant to malware that attacks
operator naivety.

  (2) We -- as the clueful Linux community -- will need to be constantly on
our guard, to prevent something like LindowsOS from gaining significant
market share.  In other words, we need to make sure that everybody --
distribution vendors, computer OEMs, third-party software vendors, IT
departments, and end users -- realizes that security is *everybody's*
problem.  Otherwise, Linux will end up just like MS-Windows.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |

More information about the gnhlug-discuss mailing list