Derek Atkins <warl...@mit.edu> writes:
>
> Benjamin Scott <dragonh...@gmail.com> writes:
> 
> > On Wed, Mar 24, 2010 at 3:02 PM, G Rundlett <greg.rundl...@gmail.com> wrote:
> > > So, it seems that you're saying: "Don't switch to Linux because
> > > even though it will prevent you from getting 99% of the malware
> > > out there today, someday it could be targeted and vulnerable".
> >
> >   No.  What I'm saying is: A false sense of security is a bad thing.

Up front: I absolutely agree with that.

> > Don't misrepresent what's really happening.  When it comes to
> > security, it is critical to understand what's actually happening.

... and that, which *therefore* (not `but') leads me to:

> >   I'm also looking ahead.  Let's say everybody on Earth says, "Wow,
> > Greg Rundlett says to switch to Linux because it's more secure.  Let's
> > do that!"  So next week, everyone is running Linux.  Now all these
> > problems that happen on MS Windows will happen on Linux instead.
> 
> That of course assumes that the target platform is as vulnerable.

It's also neglecting that there are different classes of vulnerabilities:
everyone's harping on the `users downloading and running stuff' class,
but there's another class of *problems that don't even involve the user
at all*--like (for example) e-mail clients and web browsers automatically
running whatever is sent to them, buffer-overflows in the network stack
that the vendor refuses to even acknowledge, etc., etc., etc.

And, even for the `users downloading and running stuff' that we've covered:
while Ben has well-described the problem as a syndrome, there's no analysis
of the actual causes or whether the *premise* actually does port cleanly:

On my Debian and Ubuntu systems, I get *all of my software*
from a trusted source--with no exceptions. And I can run like that,
on these systems. As I understand it, *you can't do that with Windows*:
the system *doesn't come with anything useful*, so everything needs to be
procured as auxiliaries--and there's no such thing as `a trustworthy source
for everything that you need' there, so the users are *necessarily*
accustomed to `downloading and running random crap'. How else would they work?

So it seems to me like there *is* some hope, if one can explain to converts
that they really (really!) don't *ever* need to download something
from the Internet. Something akin to the old "any sweepstakes that
asks for a fee is a scam" and "any cold call that asks for your SSN
is a scammer". If we can move people away from the `download culture'
that Ben has aptly described as being at the heart of Windows security-
issues, then the whole question of `*what* people download' becomes moot.

There *is* a difference between:

    * A burglar forcibly breaking-in from outside.
vs.:
    * A scammer tricking someone into letting them in.

My recollection is that we *do* have a better track record with regard
to the first, and it looks like we have reason to believe that we
*can* also do better on the second. But we have to acknowledge that,
when we convert someone, there's a different `acquisition culture'
into which our converts need to be acclimated. If we tell people,
"Here, this is Linux, it's more secure--just keep working just
like you did on Windows, you can even download and run BONZI BUDDY
with WINE!", well....

> I think Linux is much less vulnerable to escalation-requiring
> attacks than Windows, mostly because in general on Linux users do
> not run with admin privs, whereas on Windows most people do.

This is another specific example of exactly the same cultural issue
that I'm describing, above: you're right, but we have to be sure
to *indoctrinate the converts* on that point--otherwise they'll go
`I'll just run as an administrator, like I did on Windows',
and the trend will go in the other direction.

And that's not even getting into the more subtle aspects like
how it doesn't necessarily matter which UID owns the malware that's
erasing, corrupting, or stealing your files... :)

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/