I was reading a news article that said people that use windows could get a virus by going to a website. Now that is insecure.

Um ... what?

Windows can get a virus from going to a website.

I'm glad you laid it out so clearly for us. I especially liked the parenthetical references to your sources.

Um, we all know this. Haven't you used Windoze before? :D

Yes I have. I'm just giving another reason why windows is so insecure and why it is so terrible. And yes I know everyone already knows this.

Yes I have. I'm just giving another reason why windows is so insecure and why it is so terrible. And yes I know everyone already knows this.

Then please don't waist server space posting it:)

Sorry.;)

Yes. So called "drive-by adware" is quite insidious by nature.

The problem is directly applicable to Linux. After all, a security vulnerability could still be exploited before it is patched by the Ubuntu security team.

On the flip side, however, having non-elevated permissions for all but the most prioritized tasks limits almost all damage. :)

Yeah but in linux you can't get a virus by going to a website. I don't even know if you can get a virus. Especially that DirectX or whatever it is.

Yeah but in linux you can't get a virus by going to a website. I don't even know if you can get a virus.

Theoretically, yes, you can.

I mean it won't copy itself onto removable media or anything. You can get a trojan I think.

Linux Viruses exist, but they are exceedingly rare and almost always harmless. very few of them are effective and to do any real damage require sudo/root authorization.

I only wish linux had a cleanup utility to remove windows viruses that get stored onto the system. Unless they are put into a dump or temp location. I am not suer how the FHS in Linux works, and how it handles internet data accordingly.

I mean it won't copy itself onto removable media or anything. You can get a trojan I think.

Assuming Firefox had a vulnerability that allowed hard drive writes to locations other than /tmp...

and assuming that you had, say... a USB key that had 777 permissions.

Then theoretically, yes, the ubuntu computer can be a "carrier" of sorts.

Yeah but in linux you can't get a virus by going to a website. I don't even know if you can get a virus. Especially that DirectX or whatever it is.

DirectX is a platform for multimedia access to hardware :|

I've visited thousands upon thousands of websites using Windows and never got a virus. Seriously it depends on where people go and the same thing could happen to a Linux OS.

Just because it is possible to contract a virus from a website does not mean that Windows is insecure. What determines the insecurity of Windows is how the virus affects Windows, if at all.

I don't even think that Window is that bad, what really annoys me is alternative OS users bashing Windows/Microsoft. Besides, haven't you heard of anti-virus software?

Why does this make Windows so insecure? How does the OP know it can't happen to Linux?

I don't even think that Windows is that bad, what really annoys me is alternative OS users bashing Windows/Microsoft.

thank you, most Linux users still use Windows. the "zealots" that don't are living in a dream world when they start screaming how poorly designed Windows is. No OS is perfect! And if Linux was so good and Windows So poor then why doesn't market share show that...hmmmm, Marketing can only go so far.. the product has to work too!

Windows is and has been designed to work for normal everyday people. The issues that arise are caused by people who know little of how their systems work or the correct procedures in maintaining an Operating System.

Just look on this very forum of user who "break" their systems, and go back to Windows, because Linux cant run X or work with Y.

thank you, most Linux users still use Windows. the "zealots" that don't are living in a dream world when they start screaming how poorly designed Windows is. No OS is perfect! And if Linux was so good and Windows So poor then why doesn't market share show that...hmmmm, Marketing can only go so far.. the product has to work too!

Windows is and has been designed to work for normal everyday people. The issues that arise are caused by people who know little of how their systems work or the correct procedures in maintaining an Operating System.

Just look on this very forum of user who "break" their systems, and go back to Windows, because Linux cant run X or work with Y.

+1 I completely agree.

thank you, most Linux users still use Windows. the "zealots" that don't are living in a dream world when they start screaming how poorly designed Windows is. No OS is perfect! And if Linux was so good and Windows So poor then why doesn't market share show that...hmmmm, Marketing can only go so far.. the product has to work too!

Windows is and has been designed to work for normal everyday people. The issues that arise are caused by people who know little of how their systems work or the correct procedures in maintaining an Operating System.

Just look on this very forum of user who "break" their systems, and go back to Windows, because Linux cant run X or work with Y.

I would give you a thank for this post if the feature hadn't been removed :P

Windows ain't insecure just because the user doesn't know what he is doing. I've never had any harmful viruses yet I find myself 'repairing' machines that my friends and family own, which for some reason were infested.

If my car could be driven at 300mph, does it make it insecure?

And if Linux was so good and Windows So poor then why doesn't market share show that...hmmmm, Marketing can only go so far.. the product has to work too! Well "work" doesn't mean "work well." I know a lot of Windows users who hate Windows, and yet they stick with it because they feel they don't have any choice. They have all sorts of reasons for sticking with Windows that have nothing to do with liking it or feeling it works well.

Here are some examples: Macs are too expensive I'm used to Windows I use this Windows-only program that doesn't work in Wine I use certain websites that work in Internet Explorer only I don't like any of the Linux-preinstalled options (i.e., there aren't many). Linux is by no means perfect (I have a few bones to pick about the user interfaces in Gnome and KDE), but most of the problems it has are out of its control (hardware compatibility with closed spec'ed hardware, lack of certain commercial software).

For example, I know a ton of people who would otherwise be perfect for Linux (most of their computer activities are web browsing, email, photo organization, music listening, light word processing), but then they have the latest iPod or they have an iPhone. I am not honestly going to tell an iPhone user, "Oh, you'd be perfect for Linux, except there's no iTunes for Linux. Here, you can jailbreak your iPhone and hope it'll work after you follow these complicated instructions (https://help.ubuntu.com/community/PortableDevices/iPhone#Syncing%20with%20Firmware%202.x%20possible! )."

It doesn't mean Linux isn't user-friendly or "good." It just means Apple doesn't want to port iTunes to Linux, and they don't want people syncing iPhones with software other than iTunes.

So part of it is marketing... but most of it is really vendor lock-in.

If Apple used some open standard for their iPhone database or if web designers all used open standards (and no ActiveX) for their websites, you'd get a lot more Linux users.

Well "work" doesn't mean "work well." I know a lot of Windows users who hate Windows, and yet they stick with it because they feel they don't have any choice. They have all sorts of reasons for sticking with Windows that have nothing to do with liking it or feeling it works well.

Here are some examples: Macs are too expensive I'm used to Windows I use this Windows-only program that doesn't work in Wine I use certain websites that work in Internet Explorer only I don't like any of the Linux-preinstalled options (i.e., there aren't many). Linux is by no means perfect (I have a few bones to pick about the user interfaces in Gnome and KDE), but most of the problems it has are out of its control (hardware compatibility with closed spec'ed hardware, lack of certain commercial software).

For example, I know a ton of people who would otherwise be perfect for Linux (most of their computer activities are web browsing, email, photo organization, music listening, light word processing), but then they have the latest iPod or they have an iPhone. I am not honestly going to tell an iPhone user, "Oh, you'd be perfect for Linux, except there's no iTunes for Linux. Here, you can jailbreak your iPhone and hope it'll work after you follow these complicated instructions (https://help.ubuntu.com/community/PortableDevices/iPhone#Syncing%20with%20Firmware%202.x%20possible! )."

It doesn't mean Linux isn't user-friendly or "good." It just means Apple doesn't want to port iTunes to Linux, and they don't want people syncing iPhones with software other than iTunes.

So part of it is marketing... but most of it is really vendor lock-in.

If Apple used some open standard for their iPhone database or if web designers all used open standards (and no ActiveX) for their websites, you'd get a lot more Linux users.


Even so, the reality is that Linux is lacking in software and hardware support. It may not be our fault, but it really doesn't matter. Windows "works" where Linux doesn't.

Even so, the reality is that Linux is lacking in software and hardware support. It may not be our fault, but it really doesn't matter. Windows "works" where Linux doesn't.

I've found Linux VMs to work perfectly w... Oh.

//Sorry for the bad joke

Title is misleading but here is the things.

The number one cause for viruses is the user, yes, infact the user. Windows in not insecure against viruses(in most cases), it's the user who opens every program he downloads. Knowledge is the best defense against viruses.

I can see it now, Linux gains 20% market share and suddenly everyone is complaining about viruses and ad-aware. You say Linux is secure because programs require root to do damage, well how many programs in the future are going to require root. That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

It's gonna happen, knowledge is the best protection against viruses.

*Ends long boring topic. Discuss.

I am not very well versed on the whole virus/malicious-ware topics as some members here...but I would apply a theory I've seen happen in other areas of life: Eventually when there is enough to gain, or some is bored enough to put in the effort, time, and dedication, they'll be able to figure out a way to do x,y or z.

I wonder if...and hope...the linux community, being so vast and good in morals will serve as a means to tip the scale of the offensive/defensive battle that you see in the virus world (new virus, download new file for AV software...another new virus...repeat) such that its not an issue...but who knows, guess we get to wait!

Bring it on. The organic nature of FOSS is it's best defense.

Title is misleading but here is the things.

The number one cause for viruses is the user, yes, infact the user. Windows in not insecure against viruses(in most cases), it's the user who opens every program he downloads. Knowledge is the best defense against viruses.

I can see it now, Linux gains 20% market share and suddenly everyone is complaining about viruses and ad-aware. You say Linux is secure because programs require root to do damage, well how many programs in the future are going to require root. That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

noob
It's gonna happen, knowledge is the best protection against viruses.

*Ends long boring topic. Discuss.

It's much more than the root privilege that makes linux secure, go find out and then start a new thread ;)

Hello Flamebait!

Even if there would be more viruses for linux than for windows, linux will still be more secure :twisted: It will only mean M$ windows is reduced to insignificance and no one is writing viruses for it.

Linux, however, will remain more secure because of the way it's built. Linux it not more secure because windows is the OS for idiots.

Title is misleading but here is the things.

The number one cause for viruses is the user, yes, infact the user. Windows in not insecure against viruses(in most cases), it's the user who opens every program he downloads. Knowledge is the best defense against viruses.

I can see it now, Linux gains 20% market share and suddenly everyone is complaining about viruses and ad-aware. You say Linux is secure because programs require root to do damage, well how many programs in the future are going to require root. That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

It's gonna happen, knowledge is the best protection against viruses.

*Ends long boring topic. Discuss.

It usually ends up being the user...

But...


MOST Linux users know better than to run their system as root, or to install any package included in an email--or to install a package because a website told them too....and MOST users are smart enough that once something bad start going around, they'd serious up.

Most Linux users know better than to compile and install source code off the internet, without knowing what they are doing and why.

Virtually every malware/virus out there needs keys to root...and getting a linux user to hand those keys over would take a GREAT deal of social engineering.


Linux users tend to be fundamentally informed about what they are doing. Windows users for the most part are not.

It's much more than the root privilege that makes linux secure, go find out and then start a new thread ;)

So your telling me someone creates an exec that contains commands to delete your / drive that linux will stop it if the user gives it root privileges?

Please elaborate because I have not known this to happen.

Also, I'm not starting a flamewar, general discussion on the topic please.

Virtually every malware/virus out there needs keys to root...and getting a linux user to hand those keys over would take a GREAT deal of social engineering.

You mean the same social engineering that got me to send my life savings to help Umbaru, the Nigerian prince who needed my help?

You mean the same social engineering that got me to send my life savings to help Umbaru, the Nigerian prince who needed my help?
exactly

social engineering is nothing to do with computer security

Yes, you can be tricked into doing something destructive on your system

but it won't happen without user interaction / confirmation,
and it won't spread like wild-fire like it does with Windows

Virtually every malware/virus out there needs keys to root...and getting a linux user to hand those keys over would take a GREAT deal of social engineering.


Linux users tend to be fundamentally informed about what they are doing. Windows users for the most part are not.

I'm talking about the average joe desktop user who uses his computer to check his email and watch porn.

If he is really excited to play this game he saw on the internet that looks legit and says that it requires root priv to run, you think he is smart enough to research this program? Or replace it with a 80 year old grandma if you wish, not your techy one either. ;)

You mean the same social engineering that got me to send my life savings to help Umbaru, the Nigerian prince who needed my help?

The same social engineering that gets UNL to spend millions of dollars on a new football coach every few years ;)

I'm talking about the average joe desktop user who uses his computer to check his email and watch porn.

If he is really excited to play this game he saw on the internet that looks legit and says that it requires root priv to run, you think he is smart enough to research this program? Or replace it with a 80 year old grandma if you wish, not your techy one either. ;)

Sounds to me like you'd be in the same place as we currently are with windows users (as defined by your continuing generalizations and scenarios) but at least the user would be given the option to prevent things by refusing to enter their pw...

The same social engineering that gets UNL to spend millions of dollars on a new football coach every few years ;)

Do you live in nebraska? Its like your in my brain!

Sounds to me like you'd be in the same place as we currently are with windows users (as defined by your continuing generalizations and scenarios) but at least the user would be given the option to prevent things by refusing to enter their pw...

Yes, that is a plus, I'm just saying that when/if Linux gains market share to adopt average joes that they are probably going to be entering root passwords like crazy and downloading everything as they did on windows. Just saying that Linuxes way of handling viruses is not useful to misinformed users who aren't smart enough to think about things that look funny.

Linux is far more secure than windows. The simple fact is to get infected on a Windows machine requires nothing but a double click. It is not the same on Linux, It will require a stupid user whereas in Windows it just requires a user.

The reason Linux is more secure is because of the way the kernel is programmed, AND because Windows has the majority of the attacks towards them.

Do you live in nebraska? Its like your in my brain!

Color me a graduate student-who's measly criminally small program gets cuts year after year...whilst the craptastic football team has full access to the taxpayer purse.

Color me a graduate student-who's measly criminally small program gets cuts year after year...whilst the craptastic football team has full access to the taxpayer purse.

and call me a chem student at uno who just may become a graduate sudent at unl with soon to be cut funding if med-school says no

on a side note: gotta love football...nebraska has no real history of it before osborne...but now we all aparently bleed it....

Linux is far more secure than windows. The simple fact is to get infected on a Windows machine requires nothing but a double click. It is not the same on Linux, It will require a stupid user whereas in Windows it just requires a user.

The reason Linux is more secure is because of the way the kernel is programmed, AND because Windows has the majority of the attacks towards them.

Sounds to me like you'd be in the same place as we currently are with windows users (as defined by your continuing generalizations and scenarios) but at least the user would be given the option to prevent things by refusing to enter their pw...

exactly

social engineering is nothing to do with computer security

Yes, you can be tricked into doing something destructive on your system

but it won't happen without user interaction / confirmation,
and it won't spread like wild-fire like it does with Windows



It seems to me that everyone's argument for Linux's superior security hinges on permissions levels. Windows has had a permissions system as good as, or close to, Linux's for over two years now. Technically it has had a permissions system for much longer than that, but everyone ignored it because it wasn't default.

Anyway, drive-by, vulnerability based infections are possible on either OS.

I'm talking about the average joe desktop user who uses his computer to check his email and watch porn.

If he is really excited to play this game he saw on the internet that looks legit and says that it requires root priv to run, you think he is smart enough to research this program? Or replace it with a 80 year old grandma if you wish, not your techy one either. ;)

Just remove Joe from the sudoers list and he'll only spill beer over the mouse and keyboard.

It seems to me that everyone's argument for Linux's superior security hinges on permissions levels. Windows has had a permissions system as good as, or close to, Linux's for over two years now. Technically it has had a permissions system for much longer than that, but everyone ignored it because it wasn't default.

Yet, again Windows takes alot of blame because of yet the users fault of faulty settings and poor choices. Just irritates me that Windows is the target for security problems with more then the majority are the results of poor settings and faulty choices, these results are easily possible of Linux to achieve the same results.

It seems to me that everyone's argument for Linux's superior security hinges on permissions levels. Windows has had a permissions system as good as, or close to, Linux's for over two years now. Technically it has had a permissions system for much longer than that, but everyone ignored it because it wasn't default.

Windows was developed from a user perspective upwards (the user had all the power)

The Linux kernel was not and is structured around protecting the system from the user, even if malware is picked up by the user it's virtually impossible for it to spread to other parts of the system (unlike MS)
BtW i am not MS hater

Linux also has a huge amount of people working on the kernel/applications so any security hole is picked very quickly and the updates released straight away.

So your telling me someone creates an exec that contains commands to delete your / drive that linux will stop it if the user gives it root privileges?

Please elaborate because I have not known this to happen.

Also, I'm not starting a flamewar, general discussion on the topic please.

To make this clear: Root account is just another reason why Linux as an Operating System is secure. Before you are allowed to makes changes *on* system files, the OS force the user to input an elevated password before changes are integrated in the system. From what I see, this is not a feature which Windows has (XP down to 98, and down.... I can't talk about vista since I had not have a hands-on on it).

It seems to me that everyone's argument for Linux's superior security hinges on permissions levels. Windows has had a permissions system as good as, or close to, Linux's for over two years now. Technically it has had a permissions system for much longer than that, but everyone ignored it because it wasn't default.

Anyway, drive-by, vulnerability based infections are possible on either OS.

Sadly that permissions system is irrelevant because every home user runs windows as admin. All you get is a popup window that goes away in one click. It works better in a business where users don't work as admins.

There're a lot of things not very clear in this argument that make it a potential disaster. First, define "Windows" -- only Vista? Only Windows 7? Or are we counting Windows XP, since it's still on a good chunk of the computers in the world?

Second, define "Linux". The kernel? A desktop distro? Ubuntu? My router, phone, or Tivo? My web/samba servers at work?

Next, secure against what? Viruses? Script Kiddies? Professional Hackers? User Error? My kids?

Shall we limit the conversation to desktop Linux vs. desktop Windows on the issue of malware/viruses?

Permissions issues are NOT the clinching argument for Linux security. Windows has had that since NT first saw daylight. What Microsoft has yet to overcome (and what they've admitted Vista was intended to force to some extent) is the user/developer community's bad habits of ignoring these tools. Vista + UAC was a good wakeup call for ISVs to quit depending on administrative privs for normal application use, and it got users thinking security-wise also.

Unix systems were just designed this way from the beginning, so apps were always designed to not need root privs. I still wonder about having multiple administrator accounts, and the mysterious "system" account which seems to trump administrator; but we'll give Windows the benefit of the doubt on this one anyway and call it even.

But let's look at some other things that give Linux a security advantage:

- package managers: If you stick to using package managers and repositories, you've got a great safety net. What many people don't realize about package managers is that they don't just blindly install .deb files no matter what's in them. If I download really_cool_game.deb from some dodgy site and it's got a rootkit that overwrites ls, ssh, and other system tools, APT isn't going to install it. I'll get an error saying it's trying to overwrite "ls" which is in another package. Windows has "windows file protection", which protects a small set of system files from being tinkered with. But apart from that, your setup.exe run as administrator can have its way with the system.

- Repositories: on the same note, you've got the vast majority of software you'll ever need on Linux vetted and custom-compiled by your distro maker all ready to install. No worries about baddies trying to find a cool screen saver or chat client. Yes, you can't get quite everything from repos, and a lot of advanced users get .debs or .bins or sources from elsewhere. But by the time you're ready for that, you hopefully have the smarts to avoid the bad stuff.

- diversity: If I find a zero-day exploit for explorer.exe, I can pwn every Windows XP box on the planet. Because they all run explorer.exe. If I find a zero day exploit for GNOME, all the KDE/XFCE/Enlightenment/$YOUR_WM_HERE users are in the clear. Every major distro compiles all its packages from source, applying different patches, using different configuration flags, compiling against a different tool chain, using differnt library versions, etc. If you and I are both running Vista with all the same updates, our system folders are full of identical binaries. If I'm running Ubuntu and you're running Mandriva, even with the same software installed our binaries are going to be different. Probably not one the same.

Diversity makes it harder to target systems for exploit-based attacks, and to some extent social engineering (consider all those bogus "system warnings" made to look like real Windows error messages. Look obviously out of place on Linux. Same would be true of GNOME-looking error boxes on a KDE system).

There's a few more points that come to mind, but it's late and that's enough to start some discussion anyway. Go ahead, tear it apart.

Even so, the reality is that Linux is lacking in software and hardware support. It may not be our fault, but it really doesn't matter. Windows "works" where Linux doesn't.
But the point is that people aren't necessarily happy with Windows, and they do not necessarily feel Window "works." They are often stuck with Windows because of vendor lock-in.

Windows isn't winning on technological merit or programming superiority, which is what the post I was replying to seemed to imply.

If ever the Linux community were to wake up to their true potential, Apple might have cause to worry. As it is, while Linux might help to contribute to it, Microsoft's fall will serve to primarily benefit Apple.

When you say that linux is more secure, do you mean the OS, or it's users? Linux is by far not as easy as windows or mac. That means that more advanced users with common sense use linux, while people who are not quite as smart use windows. (usally) I bet that I could run windows for a few years without AV just by not installing every piece of crap I get. The same goes for linux.

Linux isn't any more secure than Windows. Windows gets attacked more because more people use it. If hackers really started attacking Linux then we'd be in exactly the same boat. There are probably tonnes of flaws just waiting to be exposed.

Here's how an application could cause problems on your Ubuntu without having root access:

1. Script on webpage tricks Firefox, allowing code to be exectuted. The code obviously wont have root because nobody in their right mind would run firefox as root.
2. The code downloads a program/script to your home folder and runs it. It doesn't need root to do that.
3. The program adds itself to your 'session' settings, making it start when you login. It doesn't need root to do this either.

The program will be able to do anything that you can do without sudo. That includes looking at your contact list, sending emails, downloading webpages, launching a DOS attack, Instant Messaging etc.

Basically you can be added to a botnet without the program even having root access. Sure you can fix it, but only if you notice it manually. There are no malware detectors for Linux.

Then the program could get smarter and wait for you to do something that requires root. Before the legit program has a chance to use gksudo the malware program throws up a fake gksudo. The password prompt came up when you were expecting to enter a password... It looks legit... but is it really?

The malware now has your root password and you are well and truly pwned.

Ps. this whole method isn't much different to the methods used in Windows.

I believe aysiu provides the perfect balance between the Windows bashers and the Linux bashers on this thread.

That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

Hah.

Title is misleading but here is the things.

The number one cause for viruses is the user, yes, infact the user. Windows in not insecure against viruses(in most cases), it's the user who opens every program he downloads. Knowledge is the best defense against viruses.

I can see it now, Linux gains 20% market share and suddenly everyone is complaining about viruses and ad-aware. You say Linux is secure because programs require root to do damage, well how many programs in the future are going to require root. That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

It's gonna happen, knowledge is the best protection against viruses.

*Ends long boring topic. Discuss.

You seem to be confusing a virus with a trojan.

You can create trojans for any OS, otherwise the OS wouldn't be usable for users.

-

But what you say is true, kind of.

The Linux kernel was not and is structured around protecting the system from the user, even if malware is picked up by the user it's virtually impossible for it to spread to other parts of the system (unlike MS)
BtW i am not MS hater

You can do anything with the right password.

Sadly that permissions system is irrelevant because every home user runs windows as admin. All you get is a popup window that goes away in one click. It works better in a business where users don't work as admins.

requiring one click is no different from requiring a password, it takes maybe one extra second to peck away at the keyboard than it does to click a button. When the OS clearly asks you for permissions elevation the point of failure is solely on the user.

To make this clear: Root account is just another reason why Linux as an Operating System is secure. Before you are allowed to makes changes *on* system files, the OS force the user to input an elevated password before changes are integrated in the system. From what I see, this is not a feature which Windows has (XP down to 98, and down.... I can't talk about vista since I had not have a hands-on on it).

If you ran XP as a limited user than it did require elevated permissions.


I bet that I could run windows for a few years without AV just by not installing every piece of crap I get.

I know I do :D

This thread is ridiculous. The person who started this thread did so without enough understanding on the subject.
This is basically flamebait even though it may not have been intended to be so.
Yes more people using Linux will result in more Malware being created for Linux but there is much more to it than that. Do more research before posting ridiculous topics.

Title is misleading but here is the things.

The number one cause for viruses is the user, yes, infact the user. Windows in not insecure against viruses(in most cases), it's the user who opens every program he downloads. Knowledge is the best defense against viruses.

I can see it now, Linux gains 20% market share and suddenly everyone is complaining about viruses and ad-aware. You say Linux is secure because programs require root to do damage, well how many programs in the future are going to require root. That video that you downloaded requires a special video player to watch, requires root, no problem, misinformed user enter password, bam, virus.

It's gonna happen, knowledge is the best protection against viruses.

*Ends long boring topic. Discuss.

That is completely true, but Windows IS more insecure than Linux because administrator is always logged in and most users have all power, so any run executable can install a virus. Not so in linux, it would need root privileges.

and call me a chem student at uno who just may become a graduate sudent at unl with soon to be cut funding if med-school says no

on a side note: gotta love football...nebraska has no real history of it before osborne...but now we all aparently bleed it....

UNL had a fantastic academic record, and was called the Harvard of the Midwest for a great deal of its history. Then the football team came along, and eventually started winning. Then the school got its priorities *&^%backwards. And here we are. The budget for my entire department/building (~400 undergrads and ~100 grads), minus staff salary is $65-70k for the entire academic year....the football team blows through that in a weekend.

Football is the reason my building is literally crumbling at its foundations and cannot be rebuilt...football is also the reason my building is locked down entirely on weekends so that no work can get done-football Boosters once trashed our building....and ever since on football weekends the building is entirely locked down except for paid state staff.

UNL would be far better off if the football team never happened.

That is completely true, but Windows IS more insecure than Linux because administrator is always logged in and most users have all power, so any run executable can install a virus. Not so in linux, it would need root privileges.

Windows doesn't force you to run as an admin. In Vista, even when you do run as an admin you are still required to elevate permissions to perform actions that require it.

I think we need a little balance in here.

I don't think Linux is invincible, but it is not as insecure as Windows.

A few things: Yes, you can use a limited user account in Windows, but there is no easy way to temporarily escalate privileges to perform system-level tasks, and that is the main reason (along with admin just being default) that Windows users run as admin instead of limited user. "Run as..." doesn't work for certain shortcuts, it's a lot of extra steps (not just typing your password), and it plain will not install Windows Updates. Social engineering relies on tricking the user, and this can happen on any OS. If someone tells me there is a .deb for some program and links to it, I am not a programmer and I will not look at (or make meaning of) all the source code for that .deb before installing it. So a certain amount of trust and "street smarts" comes into operating Ubuntu (or any Linux distro). And, no, you do not have to first make the .deb an executable. GDebi allows you to double-click-install a .deb file, so if it is malicious, it owns your whole computer, including root. Clicking a window is a lot less of a barrier than typing a password. If you don't believe me, look at how many threads there are of people wanting to log in as root because they're tired of typing in their password "all the time" (why they are constantly doing system-level tasks is beyond me). I never see a thread complaining about clicking a window. The intensity of annoyance some users feel for UAC in Vista would surely be compounded tenfold if Windows adopted a more sane security approach a la Mac and Ubuntu. Also, people get into the habit of clicking "Yes" or "OK" without really thinking about what they're doing. Typing a password forces you to think about what you're doing, because your brain needs to recall the password and because it's not something you're used to doing as often. While it is theoretically possible to compromise the user space and then eventually compromise the entire installation, it is nice to have that extra permission separation, because if (and this can't always happen, but at least it's a possibility) you happen to discover the infection, you can easily delete that account and then eliminate the threat. If you're running as admin all the time, then the only real solution is a total reinstallation of the operating system. Although social engineering ultimately relies on the user being tricked, Windows has all sorts of extra little things that make social engineering easier (hiding file extensions by default, executing autorun files in removable media, creating a software installation model that encourages users to get new software non-approved sources). If you buy into the Linux default way of doing things, you will go outside the repositories only if you can't find the program you're looking for. I don't understand why people insist on making such extreme statements, either implying Ubuntu or Linux is virtually impenetrable or asserting that there's no security difference at all between Linux and Windows.

There's a difference. There's a big difference. But you still need to use common sense.

And, regardless of what OS you use, I would encourage anyone paranoid about arbitrary code execution flaws to use the NoScript extension in Firefox.

I'm also hoping that AppArmor becomes easier to configure in the future (a few points and clicks) so that any vulnerability in one application cannot then take advantage of the entire user space.

I for one hope that widespread Linux adoption doesn't take off big time in terms of consumer computing.

I make quite a bit of money from cleaning up stupid Windows user's computers, and I don't wanna see that dry up. Controversial as it may be, I cash in on viruses / malware being so easy to attack Windows. I can't say I'd be as happy if that were the case on Linux. That would be a sad day.

I just don't gett it. How can people say that by not being able to execute as root in linux a virus can't do much dmage. I don't think so. If someone finds a way to execute "rm" for the user's home just by wisiting a webpage with a specific version of firefox that user would be doomed!
I mean.. from a desktop user's point of view what is more important? the OS's files(that come with the cd) or his work?
I could say that from a desktop user's point of view "not being able to execute as root in linux" does not help much.

Still i'm glat that for now noone found a way to execute those commands.

The problem is between the keyboard and chair. No matter how secure an OS is it will always fall to social engineering.

I just don't gett it. How can people say that by not being able to execute as root in linux a virus can't do much dmage. I don't think so. If someone finds a way to execute "rm" for the user's home just by wisiting a webpage with a specific version of firefox that user would be doomed!
I mean.. from a desktop user's point of view what is more important? the OS's files(that come with the cd) or his work?
I could say that from a desktop user's point of view "not being able to execute as root in linux" does not help much.

Still i'm glat that for now noone found a way to execute those commands.Exactly.. its enough if a virus implants itself in the users .xinit or some other startup-file. Doesnt need to be systemwide, especially on a single-user machine.

And to the original claim... malicious software on a website can only do its course automatically if the browser allows it. Has nothing to do with Windows, run Firefox or Opera instead of IE and you`re just as secure from evil stuff from websites.

Most viruses are the "Click to see my naked butt.exe" variety and the only reason they work is user stupidity.

Linux isn't any more secure than Windows. Windows gets attacked more because more people use it. If hackers really started attacking Linux then we'd be in exactly the same boat. There are probably tonnes of flaws just waiting to be exposed.

This is so old, and so wrong, it's not funny anymore.
Linux is used extensively on internet infrastructure servers such as Web and DNS, and by their nature, they are readily accessible (in contrast to, say, a company file server). Where's all the attacks and succesful exploits you promise ?



Here's how an application could cause problems on your Ubuntu without having root access:

1. Script on webpage tricks Firefox, allowing code to be exectuted. The code obviously wont have root because nobody in their right mind would run firefox as root.

AFAIK, Firefox runs scripts in a sandbox so they can not touch anything, so your scenario stops right here.
I'm willing to change my mind on this if you can provide concept code that works on a recent, reasonably up to date FF on a recent, reasonably up to date Linux system.

thank you, most Linux users still use Windows. the "zealots" that don't are living in a dream world when they start screaming how poorly designed Windows is.
I'm a systems and network administrator. I manage a mixed environment of Linux servers, Windows Servers, and Windows clients.
As I'm not a programmer, I can't comment on the actual design and implementation of either operating system. Even if I was a programmer, I wouldn't have access to Windows sources anyway.
However, I know from experience that Linux system administration is easier that Windows system administration, Apparently the design decisions in Linux contribute to making system administration easy, by providing mechanisms to automate tasks easily, to retrieve and manipulate configuration data easily, by providing simple but powerful mechanisms for remote execution of commands, by having on board excellent networking programs and network troubleshooting tools, and so on.
Far more so than Windows, where a lot of this work is a real pain, and some of it is downright impossible.

So I have excellent reasons to consider Windows poorly designed.

Proof me wrong before you try calling me a zealot again.

thank you, most Linux users still use Windows. the "zealots" that don't are living in a dream world when they start screaming how poorly designed Windows is. No OS is perfect! And if Linux was so good and Windows So poor then why doesn't market share show that...hmmmm, Marketing can only go so far.. the product has to work too!

Windows is and has been designed to work for normal everyday people. The issues that arise are caused by people who know little of how their systems work or the correct procedures in maintaining an Operating System.

Just look on this very forum of user who "break" their systems, and go back to Windows, because Linux cant run X or work with Y.

Are you a Microsoft zealot?

A few things: Yes, you can use a limited user account in Windows, but there is no easy way to temporarily escalate privileges to perform system-level tasks, and that is the main reason (along with admin just being default) that Windows users run as admin instead of limited user. "Run as..." doesn't work for certain shortcuts, it's a lot of extra steps (not just typing your password), and it plain will not install Windows Updates.

This is true in XP, not Vista. Even if you run as an admin in Vista you are still required to escalate privileges.

Clicking a window is a lot less of a barrier than typing a password. If you don't believe me, look at how many threads there are of people wanting to log in as root because they're tired of typing in their password "all the time" (why they are constantly doing system-level tasks is beyond me). I never see a thread complaining about clicking a window. The intensity of annoyance some users feel for UAC in Vista would surely be compounded tenfold if Windows adopted a more sane security approach a la Mac and Ubuntu. Also, people get into the habit of clicking "Yes" or "OK" without really thinking about what they're doing.

Every single time I encounter an "average user" with Vista, they complain about having to click allow. There was a "Get a Mac" commercial about Allow or Deny. Microsoft turned down UAC's frequency in Windows 7 because of complaints (they promptly turned it back up after the security community revolted). It doesn't take much to find someone complaining about "clicking a window."

Typing a password forces you to think about what you're doing, because your brain needs to recall the password and because it's not something you're used to doing as often.

This brings up another issue. First of all, I don't believe it's true that typing a password is inherently more secure than clicking a button. I have almost all of my passwords down to muscle memory, I don't even have to think about them to type them. However, I will say that Windows' UI is flawed here because of it's history: in Windows many programs require elevation because of legacy code that writes to system folders, leading to "UAC numbness" whether you're an admin or a limited user. Most Linux apps only require elevation to change system settings, as they write to a user's home folder.
None of this even matters, though, because a smart trojan writer will trick you into typing in your password or clicking allow.

While it is theoretically possible to compromise the user space and then eventually compromise the entire installation, it is nice to have that extra permission separation, because if (and this can't always happen, but at least it's a possibility) you happen to discover the infection, you can easily delete that account and then eliminate the threat. If you're running as admin all the time, then the only real solution is a total reinstallation of the operating system.

That's why no modern OS runs as true admin by default :)

Although social engineering ultimately relies on the user being tricked, Windows has all sorts of extra little things that make social engineering easier (hiding file extensions by default, executing autorun files in removable media, creating a software installation model that encourages users to get new software non-approved sources). If you buy into the Linux default way of doing things, you will go outside the repositories only if you can't find the program you're looking for.

That's very true (except for the software installation model part, if someone knows what app they want than they'll get it from a trusted source. All it takes to get someone to download from an unknown source is to say something like "Brand new app, download here" and boom, you're infected.)

Every single time I encounter an "average user" with Vista, they complain about having to click allow. There was a "Get a Mac" commercial about Allow or Deny. Microsoft turned down UAC's frequency in Windows 7 because of complaints (they promptly turned it back up after the security community revolted). It doesn't take much to find someone complaining about "clicking a window." Please re-read my post. I understand there are already people annoyed at having to click on a window. But it's a matter of relative annoyance. People are far more annoyed at having to type a password than click a window.

This brings up another issue. First of all, I don't believe it's true that typing a password is inherently more secure than clicking a button. I have almost all of my passwords down to muscle memory You aren't representative of the populace at large in this respect.

That's why no modern OS runs as true admin by default :) With respect to the system being compromised to the point where a reinstall is the only true cure, Windows XP does run as admin by default. I don't really care about "true" admin, whatever that means.

That's very true (except for the software installation model part, if someone knows what app they want than they'll get it from a trusted source. All it takes to get someone to download from an unknown source is to say something like "Brand new app, download here" and boom, you're infected.) Which is precisely why I don't side with the folks who make it sound as if Linux is invincible. I don't want people to say "Switch to Linux and you'll never get a virus!" to new users, especially since most people consider "virus" to be a generic umbrella term for "anything bad" and don't distinguish between self-replicating viruses (that take advantage of security holes) and trojans (that take advantage of easily fooled users).

As Linux's marketshare on the desktop/laptop/netbook increases, so will the malware breakouts, as long as people rely on "antivirus" to protect them instead of getting some common sense.

The user is the biggest security threat, and social engineering will win every time.

But I still don't buy this idea that Windows is just as secure as Ubuntu or other Linux distros (sans the Xandros on the Eee PC).

Extreme: Windows and Linux have the same security
Other Extreme: Linux is virtually invincible

Moderation: Linux has better security, but it isn't invincible, and users need to educate themselves on social engineering.

I'm trying to get people to have a little moderation.

Please re-read my post. I understand there are already people annoyed at having to click on a window. But it's a matter of relative annoyance. People are far more annoyed at having to type a password than click a window.

In your post, you said "I never see a thread complaining about clicking a window."
I'm simply disagreeing with you.

You aren't representative of the populace at large in this respect.

Perhaps, but even my 10 year old sister has her password down pat, and she changes it occasionally. Additionally, with the general public's passwords consisting of "123" password" "[my account name]" etc.... it's not a big deal to have to type it in.

With respect to the system being compromised to the point where a reinstall is the only true cure, Windows XP does run as admin by default. I don't really care about "true" admin, whatever that means.

Windows XP is not a modern operating system, it is seven years old and has been superseded by Vista. XP is still supported, and even sold in some cases, but it is not current.
By "true admin" I mean to distinguish between root, and what Vista and OS X run you at, where you are technically an admin, but do not have escalated privileges by default.


Which is precisely why I don't side with the folks who make it sound as if Linux is invincible. I don't want people to say "Switch to Linux and you'll never get a virus!" to new users, especially since most people consider "virus" to be a generic umbrella term for "anything bad" and don't distinguish between self-replicating viruses (that take advantage of security holes) and trojans (that take advantage of easily fooled users).

As Linux's marketshare on the desktop/laptop/netbook increases, so will the malware breakouts, as long as people rely on "antivirus" to protect them instead of getting some common sense.

The user is the biggest security threat, and social engineering will win every time.

Exactly.

But I still don't buy this idea that Windows is just as secure as Ubuntu or other Linux distros (sans the Xandros on the Eee PC).

I don't mean to say that Windows is just as secure as Linux, but that Linux is just as insecure; both Linux and Windows have the same, most significant, point of failure. When there are weak links in the chain it doesn't matter how many or where they are, the chain will still break.

In your post, you said "I never see a thread complaining about clicking a window."
I'm simply disagreeing with you. Well, I don't think you are disagreeing with me, then. I was talking about forum threads here. I've seen the Mac v. PC commercials. I know there exist complaints about clicking windows. I'm just saying that on these forums, I have seen many complaints about having to type a password but see no complaints about having to click a window.


Windows XP is not a modern operating system, it is seven years old and has been superseded by Vista. XP is still supported, and even sold in some cases, but it is not current. It is still widely used, though, so its security defects affect tens of millions if not hundreds of millions of users. And Microsoft has released at least three service packs. Surely one of those could have patched such obvious flaws as making it difficult to run as limited user.

I don't mean to say that Windows is just as secure as Linux, but that Linux is just as insecure; both Linux and Windows have the same, most significant, point of failure. When there are weak links in the chain it doesn't matter how many or where they are, the chain will still break. If by "point of failure," you mean they're both used by humans who can be tricked, then I agree with 100%, but the phrase "Linux is just as insecure" is misleading.

Windows XP is not a modern operating system, it is seven years old and has been superseded by Vista.

I think it's a little disingenuous to call XP a seven year old operating system in the context of not holding it to modern security standards. It may have been released 7.5 years ago, but there have been 3 service packs and 7.5 years of patch Tuesday between then and now. The bits on any up-to-date XP install and the one released in 2001 are not the same bits.

Granted, there are limits to what you can change in a service pack, but when you look at the sweeping changes made in SP2, it seems reasonable to hold XP to higher standards than what was required in 2001.

I have an XP SP3 install disc at work, and it still installs you as admin with no password by default. Could this not have been fixed?

And if you believe HitLinks on operating system marketshare, Windows XP has 64% and Vista has only 23%. So XP is hardly obsolete. Not only is Microsoft giving it support until 2014, but most Windows users are still using it.

XP may be widely used, but that doesn't change the fact that it's an outdated operating system.

We don't ask users to evaluate Ubuntu based on the one four versions back, so lets evaluate Windows based on the current version.

I have an XP SP3 install disc at work, and it still installs you as admin with no password by default. Could this not have been fixed?

Using a blank password is actually more secure in XP because users without passwords can't be logged in remotely.

XP may be widely used, but that doesn't change the fact that it's an outdated operating system. Well, actually it does, as it has received numerous service packs in the meantime and is still supported by Microsoft for the next five years.

We don't ask users to evaluate Ubuntu based on the one four versions back, so lets evaluate Windows based on the current version. I wouldn't mind users evaluating the security of any Ubuntu release that's still supported (6.06 for the next three months, 7.10 until next month, 8.04, and 8.10).

We're not talking about Wow-Zap-Bam! features here. We're talking basic security principles like not running as admin.

Using a blank password is actually more secure in XP because users without passwords can't be logged in remotely. Turning off remote logins by default is even more secure. And most malware doesn't come in through remote logins anyway.

- How do I install an Anti-Virus and a Firewall in Ubuntu?
- Why do you need one?
- To make my OS secure.
- You practically, don't need an anti virus, until ...
- OK, then how do I install a Firewall?
- Why do you need a firewall?
- To make my OS secure.
- Do you know what is a firewall?
- Yes, it makes my OS more secure :confused:.
:confused:
http://www.msn-names.co.uk/emoticons/wall.gif

Security is an ongoing process and, like an onion, it has layers and stinks. The best defense you have is to read and learn how to secure your OS.

Linux(maybe) stinks, but(by design) has much more layers.
/offtopic?

A new variant of the Conficker or sometimes referred to as Downadup, worm is about to start spreading like wildfire on April 1st. Win32/Conficker.C is a worm capable of blocking security related websites, terminating system security services and downloading component files using time-based generated URLs. When the worm is executed, it drops a copy of itself using a random filename in the System directory on your system. It can also sometimes drop a copy in other locations under Program Files. It also automatically runs at startup, blocks access to any security related web sites, registers itself as a service, disables any antivirus/security services, and more.


I think this settles this debate quite nicely. ;)

requiring one click is no different from requiring a password, it takes maybe one extra second to peck away at the keyboard than it does to click a button. When the OS clearly asks you for permissions elevation the point of failure is solely on the user.

Requiring one click is vastly different from requiring a password, it takes a lot more to enter a password than it does to mindlessly click a OK button. When the OS repetitively asks you to OK actions that might - or might not - compromise the OS, the point of failure is mostly in the OS.

You know there are these machines that have 2 buttons you need to press with each of your hands for the machine to operate? Now, if you operate the machine and hold your hand in it, you will loose your hand. So, who in his right mind needs 2 buttons to prevent him to put hand in the machine?

Sometimes you just need to make people to think for a second. And the sudo password prompt does that, somewhere while typing the password you will ask yourself why you are typing your password (unless you were expecting it). People are also less eager to give a password than to OK something. In fact people often OK something to only think about the consequences after they let go so the mouse button. Any OS security that ignores this fact will be inferior - by design :twisted:

Not running linux as administrator by default is only one of the many ways which make linux more secure. It's an good example though, because it shows how the linux approach it more taught through and the microsoft solution as plain mindless patchwork.

a password is not nescessarily safer than hitting ok if you are used to a password prompt coming up then it will be second nature just like clicking ok. but since ubuntu has alot of preapproved packages that are guaranteed virus free you are not likely to go dling random stuff off the internet. and since linux has like 1 percent market share glory hunters dont go programing linux viruses

If you ran XP as a limited user than it did require elevated permissions.


Limited user? As in domain authenticated? No.no.. My message was implied only on Linux and Windows running as a standalone unit.

a password is not nescessarily safer than hitting ok if you are used to a password prompt coming up then it will be second nature just like clicking ok. The two can never be the same, no matter how "second nature" you think typing a password is.

The password you enter only to log in and to temporarily escalate to root privilege.

Clicking OK happens for a huge variety of tasks and can involve root privileges or user privileges.

Whether you type quickly or not, your brain is likely to make an association between passwords meaning something special and make no such association with clicking OK.

...Not running linux as administrator by default is only one of the many ways which make linux more secure. ....

How do you not run Linux as administrator if you have only one user?

How do you not run Linux as administrator if you have only one user?
So-called "administrator" users in Ubuntu run as limited users almost all the time and have to password-authenticate to temporarily gain true administrator rights for certain tasks.

On non-Ubuntu Linux distros, the user is just a user, and temporarily switches to log in as the root user to get root privileges.

There is never actually only one user in Linux anyway. Even in Ubuntu (where you can't log in as root by default) the root user exists.

^^^I thought there was some way to do it in Linux as well. Although, I see what you mean......entering the password is the Linux way of doing it.

No offense, but the first few posts in this thread made me laugh my a** off!

^^^I thought there was some way to do it in Linux as well. Although, I see what you mean......entering the password is the Linux way of doing it.
There is a way and if you google it you'll find it's pretty simple, but I advise against, it's against the rules to explain how to on here, and for good reason, the sudo method is a lot more secure....

if you log in as root, you are running root power for everything, with sudo you selectively apply root power to only the task that needs it, nothing else can just take advantage of you being root, you can't just forget to logout either since you need to sudo for each administrative action...

if you need extended root acces just type sudo su, and you'll basically login as root in the terminal, I however also advise against this unless you have a lot of sudo stuff need doing because this also has nearly all the downfalls of just enabling the root account

Ironically, while you're all trying to discredit the OP, he's absolutely correct. You can get a virus by visiting a website, such as Winfixer (although justice has hit the scum at last!) or Antivirus 2009.

Ironically, while you're all trying to discredit the OP, he's absolutely correct. That's not really irony, and we're not all trying to discredit the OP.

Ironically, while you're all trying to discredit the OP, he's absolutely correct. You can get a virus by visiting a website, such as Winfixer (although justice has hit the scum at last!) or Antivirus 2009.really? I just googled up Antivirus 2009 and it asks you to install a Video-Codec. I dont see how this a OS vurnerability if a user decides to install a virus himself.

really? I just googled up Antivirus 2009 and it asks you to install a Video-Codec. I dont see how this a OS vurnerability if a user decides to install a virus himself.

But it is embedded in some webpages, believe me, I've seen it firsthand.

But it is embedded in some webpages, believe me, I've seen it firsthand.Point is, if the browser downloads and installs anything by itself its a weakness in the browser (or some browser-plugins). Linux is in no way more secure than Windows in that matter - atleast technically, theres apparently more interest in exploiting those holes and writing viruses for windows.

So either you have a browserhole which allows automatic installation of Viruses, or the user has to manually install the virus. Either way its not related to the OS.

But you can go on and rant all day about how insecure IE is... that would be more than justified. :D

I'm thinking of using an ubuntu live CD on my old computer. I am new to Linux & I have to get the WiFi sorted first, but I was under the impression that ubuntu (or any Linux) was far safer than Windows. I was looking forward to not having to run so many anti-malware apps that sometimes have false positives & try to remove half of your hard drive!

Please tell me ubuntu is safer...

If people ran as Restricted Users and not as Administrators on their Windows machines the lack of security would be far less of an issue.

If people ran as Restricted Users and not as Administrators on their Windows machines the lack of security would be far less of an issue.

Yes. THIS.

Is that a yes or a no then?

Please tell me ubuntu is safer...

It is safer, Daveski.

Look, people can debate til the end of time what MIGHT happen if Linux attains a bigger market share, or what COULD be done; it doesn't change the fact that there is currently no realistic threat to Linux from malware or viruses.

Look at it this way: a gunshot wound can kill you no matter where you live, but suburban Nebraska is still safer than Afghanistan or Sudan.

What people are debating here is whether Linux is inherently safer or just safer because it is more obscure. In either case, it's still safer.

So either you have a browserhole which allows automatic installation of Viruses, or the user has to manually install the virus. Either way its not related to the OS.

Not really. A lot of it has to do with how Windows was designed, and implemented. SO it is related to the OS.

IE's support for technologies such as ActiveX, Hypertext Apllications, and possibly Visual Basic Script, has always made it one of the most vulnerable browsers, by design. There have always been several flaws in its security model as well, one of the ones I remember had to to do with the fact that IE could be tricked to let unsafe websites be moved into the 'trusted websites' zone without the user knowing. So the implementation was/is flawed as well.

On top of that, IE is so much a part of the OS that its practically impossible to remove it and still have a functioning system. That is the result of a design decision to have the GUI tightly integrate with the OS, and use a web browser as a quasi indispensible part of the GUI.


So drive-by infections are a threat, but a lot more so to Windows, and not because of Windows' market share, but because of the way it's designed.

Not really. A lot of it has to do with how Windows was designed, and implemented. SO it is related to the OS.

IE's support for technologies such as ActiveX, Hypertext Apllications, and possibly Visual Basic Script, has always made it one of the most vulnerable browsers, by design. There have always been several flaws in its security model as well, one of the ones I remember had to to do with the fact that IE could be tricked to let unsafe websites be moved into the 'trusted websites' zone without the user knowing. So the implementation was/is flawed as well.You can disable ActiveX and VBA easily. Thats like saying FF is inheritly insecure because you could use exploits in one of its plugins (which has already been done).. you dont have to use plugins at all. I agree that IE is insecure and coming with bad default setting, but still these are all faults of the Browser.
On top of that, IE is so much a part of the OS that its practically impossible to remove it and still have a functioning system. That is the result of a design decision to have the GUI tightly integrate with the OS, and use a web browser as a quasi indispensible part of the GUI.You cant remove it, no. You dont have to use it tough (its no part of the gui but a standalone Component). I think you refer to Win9x where Exporer and IE are practically the same thing - they arent on newer Windows OSes
(Funny enough, you cant remove XULRunner on Ubuntu either, which is the most significant part of Firefox.)
So drive-by infections are a threat, but a lot more so to Windows, and not because of Windows' market share, but because of the way it's designed.And you base that on what?

You can disable ActiveX and VBA easily. Thats like saying FF is inheritly insecure because you could use exploits in one of its plugins (which has already been done).. you dont have to use plugins at all. Plugins are things you add to your browser yourself, and are usually 3th party work. ActiveX, vbs and hta are Microsofts own products, support for it comes as part of your operating system, and your browser has them enabled by default. There is a difference.

I agree that IE is insecure and coming with bad default setting, but still these are all faults of the Browse
Yes, mostly, but the distinction between brower and operating system in Windows is rather vague. We'll come back to that.


You cant remove it, no. You dont have to use it tough (its no part of the gui but a standalone Component).
If you can't remove it, it's & part of the system, isn't it ?


You cant remove it, no. You dont have to use it tough (its no part of the gui but a standalone Component). I think you refer to Win9x where Exporer and IE are practically the same thing - they arent on newer Windows OSes

I've read that Microsoft itself has held that in Windows 98 and newer versions, "Internet Explorer" is not a separate piece of software but simply a brand name for the Web-browsing and HTML-displaying capacities of the Windows operating system. In this view, the result of removing IE is simply a damaged Windows system; to have a working system without IE one must replace Windows entirely. I believe it was part of their defense in a monopoly court case about "bundling" IE with Windows.


And OK, you don't have to use it. But people do use it, and most likely because its readily available on every Windows system. Some people don't even distinguish between the internet and the IE icon on their desktop.


And you base that on what?
Apparently you were unable to follow the reasoning in my post, but I can't explain it any clearer than that.

Funny enough, you cant remove XULRunner on Ubuntu either, which is the most significant part of Firefox.
Funny enough, I gave that a try, and found you can uninstall it just fine and still have an apparently fully functioning ubuntu-system, minus a web browser.

So what makes you think this was impossible ?

OK Thanks.

I was reading a news article that said people that use windows could get a virus by going to a website. Now that is insecure.

The few I've encountered usually required me to approve a download and then open it or some such activity. At the end of the day, paying attention to what you're doing, combined with a modicum of good sense, go a long way to preventing problems, e.g. be wary of clicking on links in emails from people you don't know and lookig at where the link actually takes you before wildly clicking.

(Funny enough, you cant remove XULRunner on Ubuntu either, which is the most significant part of Firefox.)

I didn't know XULRunner was the Ubuntu equivalent of Windows Explorer.

Plugins are things you add to your browser yourself, and are usually 3th party work. ActiveX, vbs and hta are Microsofts own products, support for it comes as part of your operating system, and your browser has them enabled by default. There is a difference.

Yes, mostly, but the distinction between brower and operating system in Windows is rather vague. We'll come back to that.

If you can't remove it, it's & part of the system, isn't it ?Its part of the whole package, that doesnt mean its part of the base most Apps run on.

I've read that Microsoft itself has held that in Windows 98 and newer versions, "Internet Explorer" is not a separate piece of software but simply a brand name for the Web-browsing and HTML-displaying capacities of the Windows operating system. In this view, the result of removing IE is simply a damaged Windows system; to have a working system without IE one must replace Windows entirely. I believe it was part of their defense in a monopoly court case about "bundling" IE with Windows.Valid for old Windows, not for newer ones (certainly not XP). You can "uninstall" IE, but it does only remove the UI, the components for eg. rendering HTML are still there for Applications to use. (And no, Explorer doesnt use them).

And OK, you don't have to use it. But people do use it, and most likely because its readily available on every Windows system. Some people don't even distinguish between the internet and the IE icon on their desktop.

Apparently you were unable to follow the reasoning in my post, but I can't explain it any clearer than that.Its the users fault for the most part... not a problem of Windows as an Operating System. And you somehow claim to know as fact that the major reason most Viruses target Windows is because its less secure.

Funny enough, I gave that a try, and found you can uninstall it just fine and still have an apparently fully functioning ubuntu-system, minus a web browser.

So what makes you think this was impossible ?ubuntu-desktop and I think a few gnome-packages depend on xulrunner-1.9 (using Intrepid). Sure I could manually delete it, same as I could simply delete IE... Windows still would work, minus IE and Outlook (and third-party Apps depending on IEs components)

I didn't know XULRunner was the Ubuntu equivalent of Windows ExploreI dont know where you got Explorer from, its firefox main component for rendering HTML. You can uninstall Firefox, and you can unistall IE (The App with Menus and so on).. but not (easily) some components of them.

Its part of the whole package, that doesnt mean its part of the base most Apps run on.
It's required for at least the Help system and for the Automatic Updates mechanism (at least for systems prior to Vista, i.e. the bulk of Windows' install base). You may argue that a mechanism to apply bug fixes and security patches is not an essential part of the system, but in a discussion about the security of an OS, that's kinda weak.


Valid for old Windows, not for newer ones (certainly not XP).

I can take your word for it, or the word of Microsoft. For now, I'll assume that the company who made the product, knows how it works.


Its the users fault for the most part... not a problem of Windows as an Operating System. And you somehow claim to know as fact that the major reason most Viruses target Windows is because its less secure.

When an operating system has a built-in browser that can run with system privileges an has the capability to run applications and modify system files, and that browser has exploitable flaws, I'd say that's rather less secure, yes. And I think one of the major reason most viruses target Windows is because it's an easier target.


ubuntu-desktop and I think a few gnome-packages depend on xulrunner-1.9 (using Intrepid). Sure I could manually delete it, same as I could simply delete IE... Windows still would work, minus IE and Outlook (and third-party Apps depending on IEs components)

You can uninstall Firefox, and you can unistall IE ... but not (easily) some components of them.

"apt-get --purge remove xulrunner*", that's all it takes. If that's not easy enough, use synaptic.

Ubuntu-desktop is a meta-package, it's save to remove it. It's only used to trigger the installation of a set of other packages, i.e. to easily manage installation and maintenance. The other packages you mention provide look-and-feel integration between FF and Gnome. All in all, it's only about configuring the desktop environment, not the operating system as such. On Linux, the desktop environment is just another application, so one can make that distinction. Not so much on Windows.

If you use Firefox,, that should not happen. If you use Internet Explorer, that happens

Well, actually it does, as it has received numerous service packs in the meantime and is still supported by Microsoft for the next five years.

Support doesn't equate to modernity. Windows XP has been superseded by Windows Vista.

I wouldn't mind users evaluating the security of any Ubuntu release that's still supported (6.06 for the next three months, 7.10 until next month, 8.04, and 8.10).

We're not talking about Wow-Zap-Bam! features here. We're talking basic security principles like not running as admin.

We kind of are talking about Wow-Zap-Bam! features because it's more than possible to run as a limited user in Windows XP, UAC just makes it easier.


I think this settles this debate quite nicely. ;)

:roll: The flaw in the Windows Server service that allows Conficker to infect your system was fixed ages ago.



Requiring one click is vastly different from requiring a password, it takes a lot more to enter a password than it does to mindlessly click a OK button. When the OS repetitively asks you to OK actions that might - or might not - compromise the OS, the point of failure is mostly in the OS.

You know there are these machines that have 2 buttons you need to press with each of your hands for the machine to operate? Now, if you operate the machine and hold your hand in it, you will loose your hand. So, who in his right mind needs 2 buttons to prevent him to put hand in the machine?

Sometimes you just need to make people to think for a second. And the sudo password prompt does that, somewhere while typing the password you will ask yourself why you are typing your password (unless you were expecting it). People are also less eager to give a password than to OK something. In fact people often OK something to only think about the consequences after they let go so the mouse button. Any OS security that ignores this fact will be inferior - by design :twisted:

Not running linux as administrator by default is only one of the many ways which make linux more secure. It's an good example though, because it shows how the linux approach it more taught through and the microsoft solution as plain mindless patchwork.

You're still overlooking the purpose of permission escalation. If the OS "repetitively asks you to OK actions that might - or might not - compromise the OS" it doesn't matter if you're typing a password or clicking a button, you've already been numbed to the risks of authenticating. Anyway, The VAST majority of UAC/password prompts related to security compromises will be authenticated because the user thought that they were installing a valid program when they were really installing a trojan, not because they had to type on the keyboard instead of click the mouse.

The two can never be the same, no matter how "second nature" you think typing a password is.

The password you enter only to log in and to temporarily escalate to root privilege.

Clicking OK happens for a huge variety of tasks and can involve root privileges or user privileges.

Whether you type quickly or not, your brain is likely to make an association between passwords meaning something special and make no such association with clicking OK.


Good thing the UAC prompt looks pretty different from a standard "OK, Cancel" dialog box. Come to think of it, it doesn't even say "Ok" or "Cancel," it even dims your screen and prevents you from clicking on other programs!

Limited user? As in domain authenticated? No.no.. My message was implied only on Linux and Windows running as a standalone unit.

Limited user as in going into the control panel, opening the user settings, and changing your account from Administrator to Limited - whether you're on a network domain or not.

But it is embedded in some webpages, believe me, I've seen it firsthand.

What you've seen is a pop-up window that looks like AV2009, following it's instructions will give you AV2009, but AV2009 cannot be "embedded" into a webpage.

Not really. A lot of it has to do with how Windows was designed, and implemented. SO it is related to the OS.

What you forget is that "the bad guys" write viruses so that they can add your system to their bot net. There's big money in it. Why write a virus that 1 or 2% of the entire consumer computer market, at most, will get, when you could write for about 90% of the market?

On top of that, IE is so much a part of the OS that its practically impossible to remove it and still have a functioning system. That is the result of a design decision to have the GUI tightly integrate with the OS, and use a web browser as a quasi indispensible part of the GUI.

Actually you can remove IE, I've done it. In Windows 7 you can even do it easily.

Actually you can remove IE, I've done it. In Windows 7 you can even do it easily.

If windows help and (automatic) updates still work then IE is still there.

It's a bullying tactic to get you to use their products. They've been in trouble from the EU repeatedly for it.

Yeah but in linux you can't get a virus by going to a website. I don't even know if you can get a virus. Especially that DirectX or whatever it is.

I think you mean ActiveX :)
http://en.wikipedia.org/wiki/ActiveX

Actually you can remove IE, I've done it. In Windows 7 you can even do it easily.

Plus Windows 7 isn't even released yet so your point is kinda moot, byt it's interesting to see that MS, for the first time since '95, manages to separate the browser from the operating system.

If windows help and (automatic) updates still work then IE is still there.

Like I said, you can remove IE, I've done it.

Plus Windows 7 isn't even released yet so your point is kinda moot, byt it's interesting to see that MS, for the first time since '95, manages to separate the browser from the operating system.

The point I was trying to make isn't that it's easy to remove IE from the current version of Windows, but that it is possible, and will be even easier in the future.
And it is rather interesting, I don't think that they've "managed" to do it though, they always could have removed it if they wanted to, they just didn't have the incentive that they have now (pressure from the EU).

What you forget is that "the bad guys" write viruses so that they can add your system to their bot net. There's big money in it. Why write a virus that 1 or 2% of the entire consumer computer market, at most, will get, when you could write for about 90% of the market?

No, i didn't forget. I wrote "a lot of it ...", not "all of it", right ?

Your reasining only covers halve of the issue. The reason Windows is the main target is twofold :
1- lots of machines out there, and
2- they're vulnerable to exploits - almost all of them.

Imagine Windows being so secure that, while comprising 90% of the PC market, attempts to zombify them would only have an effect on 1% of all PC's out there. Why write a virus that 1% of the entire consumer computer market, at most, would get ?

The point I was trying to make isn't that it's easy to remove IE from the current version of Windows, but that it is possible, and will be even easier in the future.

I know it can be done. There are some Windows releases where you can opt to not have IE. There are also a lot of howto's out their that have instructions to remove IE, going from simply disabling the browser, over uninstalling the browser, all the way to removing all IE code from the system. there's even at least 1 company that produces tools to help with this and somewhat fix the scars that result from this operation.

The fact that you have to jump through such hoops to uninstall a web browser is an indication of the tight integration between IE and the operating system as such. In light of IE's vulnerability to exploits, and the far-stretching effects they could have given IE's capabilities to interact with the system, that's a design flaw in terms of security, if nothing else.

And that was actually the topic of this thread, and the point I'm making.


---
This recurring discussion is repeating itself.

No, i didn't forget. I wrote "a lot of it ...", not "all of it", right ?

Your reasining only covers halve of the issue. The reason Windows is the main target is twofold :
1- lots of machines out there, and
2- they're vulnerable to exploits - almost all of them.

Imagine Windows being so secure that, while comprising 90% of the PC market, attempts to zombify them would only have an effect on 1% of all PC's out there. Why write a virus that 1% of the entire consumer computer market, at most, would get ?

I know it can be done. There are some Windows releases where you can opt to not have IE. There are also a lot of howto's out their that have instructions to remove IE, going from simply disabling the browser, over uninstalling the browser, all the way to removing all IE code from the system. there's even at least 1 company that produces tools to help with this and somewhat fix the scars that result from this operation.

The fact that you have to jump through such hoops to uninstall a web browser is an indication of the tight integration between IE and the operating system as such. In light of IE's vulnerability to exploits, and the far-stretching effects they could have given IE's capabilities to interact with the system, that's a design flaw in terms of security, if nothing else.

And that was actually the topic of this thread, and the point I'm making.


---
This recurring discussion is repeating itself.

The vulnerability that the majority of computers, Windows or Linux, will be compromised by is an unknowledgeable/careless user.
Ubuntu is vulnerable to exploits too, that's why we get so many security patches.

The vulnerability that the majority of computers, Windows or Linux, will be compromised by is an unknowledgeable/careless user.
Ubuntu is vulnerable to exploits too, that's why we get so many security patches.

As aysiu pointed out ~40 posts ago (this recurring discussion is really repeating itself), it's not a black and white thing, it's a gradational matter.
Users are indeed a part of the problem, but Windows usually tends to encourage unsafe behaviour on the part of the user, while Linux tends to impose safe behaviour.

This, again, is related to the design of the OS itself. Microsoft seems to work with a design philosophy of "easy of use first, well add some fixes for possible security issues afterwards", while Linux is designed more along the lines of "it hast to be robust and secure, and if necessary, we'll add a layer of userfriendliness on top of that". Guess which one works best, security-wise.

If windows help and (automatic) updates still work then IE is still there.

Like I said, you can remove IE, I've done it.

](*,)

Alot of people on here seem to think that malware can't do anything significant without root access. That is a common misconception.

In Ubuntu a non-root user still has a hell of a lot of permissions. Software can be installed in the home folder, programs can be added to the users startup (session), the non-root user has access to network/internet. Sure a non-root user cannot write to some folders, but if you think about it there are still plenty of things a malware could do without being root.

The idea that firefox on Ubuntu cannot be targetted by malicious code is also a misconception. There are plenty of examples of Firefox on Linux being compromised:

http://www.vupen.com/english/advisories/2009/0600
http://www.xatrix.org/advisory.php?s=8418
http://www.linuxsecurity.com/content/view/145955
http://www.securityfocus.com/archive/1/500849

Those issues may have been dealt with in security patches by new ones come up quite regularly.


There is a detailed list of Ubuntu security notices at http://www.ubuntu.com/usn

Ubuntu is not as bullet proof as some people here would like you to believe. It has vulnerabilities and security holes just like any other opertating system. Maybe root/non-root makes a bit of difference but it should never be seen as the be all and end all of computing security.

http://www.happyassassin.net/2009/01/20/on-linux-security/

http://www.happyassassin.net/2009/01/20/on-linux-security/

:biggiantsmile:

I enjoyed that article. I think some people only say Linux is more secure because they want it to be, and then they seem to have no understanding of the various flaws that Linux does have.

One commentator actually suggested that Windows is more secure because there are Aniti-virus and Anti-spyware programs to help find and get rid of malware. Linux doesn't have alot to offer in that respect. If you had malware running in your user account you might not know how to find or remove it manually.

One commentator actually suggested that Windows is more secure because there are Aniti-virus and Anti-spyware programs to help find and get rid of malware. Linux doesn't have alot to offer in that respect. If you had malware running in your user account you might not know how to find or remove it manually. I wouldn't trust antivirus and antispyware programs to remove malware. If Windows is compromised, the only sure way to remove the malware is a clean reinstall of Windows. If my user account is compromised, I would delete that user account and create a new one. If Ubuntu were compromised completely, I'd reinstall Ubuntu.

If the ability to clean up malware is considered better security, then Ubuntu wins hands-down with proper privilege level separation that's convenient (unlike the limited user account in Windows) and a much quicker reinstall (20 minutes as opposed to 2-3 hours).

One commentator actually suggested that Windows is more secure because there are Aniti-virus and Anti-spyware programs to help find and get rid of malware. Linux doesn't have alot to offer in that respect. If you had malware running in your user account you might not know how to find or remove it manually.

It doesn't have a lot to offer, because there isn't a lot to deal with. Why would you expect to have 25 programs to deal with a problem that doesn't currently exist?

It doesn't wash that Windows is more secure because it has AV software. That's like saying I'm healthier than you because I take cholesterol medicine and you don't (because you don't have high cholesterol).

I wouldn't trust antivirus and antispyware programs to remove malware. If Windows is compromised, the only sure way to remove the malware is a clean reinstall of Windows. If my user account is compromised, I would delete that user account and create a new one. If Ubuntu were compromised completely, I'd reinstall Ubuntu.


+1

A regular part of my job is cleaning up malware problems on Windows. By far the most important tools in my arsenal are not scanners and automated removal tools. They are tools like "Autoruns" and "Process Explorer" which make the operations of the OS more transparent, so that I can identify things that shouldn't be there and remove them. But even with all kinds of fancy tools, we have to reinstall about 50% of the time.

http://www.happyassassin.net/2009/01/20/on-linux-security/

Good read. What AdamW writes, is true, he makes a couple of good points and makes them well.
However, by posting this link in a Is Linux really more secure than Windows? discussion, you seem to imply that this article makes a case against Linux.
It doesn't. It makes a case against any operating system that
- gives the user unrestricted access to his home directory
- allows the user to run (downloaded) programs.

OK, Linux does that. So does Windows. So does any operating system I know of. So this isn't going to settle any debate.

On the other hand, the behaviour AdamW describes is the typical behaviour of a Windows user : they've been trained to hunt for software all over the internet and install anything they can get their hands on as long as it's free. When they start using Linux, there's nothing to actively stop them from doing the same, although Linux does offer a safe alternative, the distro's software repos.
So I think the point that Windows encourages unsafe behaviour while linux promotes safe behaviour, still stands, although this is not going to safe all of the people all of the time. It would be unrealistic to think that it could.

Good read. What AdamW writes, is true, he makes a couple of good points and makes them well.
However, by posting this link in a Is Linux really more secure than Windows? discussion, you seem to imply that this article makes a case against Linux.
It doesn't. It makes a case against any operating system that
- gives the user unrestricted access to his home directory
- allows the user to run (downloaded) programs.

OK, Linux does that. So does Windows. So does any operating system I know of. So this isn't going to settle any debate.

On the other hand, the behaviour AdamW describes is the typical behaviour of a Windows user : they've been trained to hunt for software all over the internet and install anything they can get their hands on as long as it's free. When they start using Linux, there's nothing to actively stop them from doing the same, although Linux does offer a safe alternative, the distro's software repos.
So I think the point that Windows encourages unsafe behaviour while linux promotes safe behaviour, still stands, although this is not going to safe all of the people all of the time. It would be unrealistic to think that it could.
My point was that an operating system can't be expected to provide security. That's up to the user. I certainly won't deny that most Linux system provide both better defaults and more transparency than Windows. I do consider my NetBSD system more secure than my XP setup - it is open source, transparent, and was much easier for me to effectively customize. However, I think that far too many people expect the better defaults in Linux to be a magic bullet of some kind. Many people on this forum take security too lightly. Responsibility is so important and so underappreciated.

However, I think that far too many people expect the better defaults in Linux to be a magic bullet of some kind. It's really a matter of extremes. I see too much of this attitude

It's scary out there. I need antivirus. I need antispyware. I need a security suite. What's a tracking cookie? Help!

and this attitude

I run Linux. I don't have to worry about malware

I don't see enough of this attitude

I know I'm not exposed to as many threats as Windows users are, but I take care to secure my installation by not enabling unnecessary network services or using weak passwords, and I know how to avoid social engineering threats

Basically, it's not a matter of totally safe or totally unsafe. There are degrees of security, and Linux has better security. Better security does not mean invincibility or complacency.

It's really a matter of extremes. I see too much of this attitude

It's scary out there. I need antivirus. I need antispyware. I need a security suite. What's a tracking cookie? Help!
This attitude isn't really a focus on security. It is a search for a magic bullet, following the trends (I might say brainwashing) in society. It's one thing to encrypt everything, use a 36 character password, and lock your computer in a six-inch-thick safe at night. While I think such paranoia is unnecessary, it stems from an actual concern about good security practices taken to an extreme rather than misinformation or lack of knowledge.

I've also noticed that when a lot of Linux users refer to Windows, they make it sound like viruses, spyware, and other malware are already on the operating system when you install it. It's like comparing Windows to a piece of raw chicken and every time you turn it on, you rub the raw chicken all over your face and then cook it.

I've also noticed that when a lot of Linux users refer to Windows, they make it sound like viruses, spyware, and other malware are already on the operating system when you install it. It's like comparing Windows to a piece of raw chicken and every time you turn it on, you rub the raw chicken all over your face and then cook it.

I like that! It's kinda half true... lol

I like that! It's kinda half true... lol

If you don't know how to secure Windows correctly, then sure, using Windows is like taking that raw drumstick and and giving yourself a facial with it.

If you do know how to secure Windows correctly, then using Windows is like cooking the drumstick to at least the minimum safe temperature. However, if your idea of securing Windows means relying solely on expecting an antivirus or firewall program to do the work for you, then it's like only cooking the chicken halfway and eating it.

If you don't know how to secure Windows correctly, then sure, using Windows is like taking that raw drumstick and and giving yourself a facial with it.

If you do know how to secure Windows correctly, then using Windows is like cooking the drumstick to at least the minimum safe temperature. However, if your idea of securing Windows means relying solely on expecting an antivirus or firewall program to do the work for you, then it's like only cooking the chicken halfway and eating it.

:lolflag: These quotes get better and better! :p

If you don't know how to secure Windows correctly, then sure, using Windows is like taking that raw drumstick and and giving yourself a facial with it.

If you do know how to secure Windows correctly, then using Windows is like cooking the drumstick to at least the minimum safe temperature. However, if your idea of securing Windows means relying solely on expecting an antivirus or firewall program to do the work for you, then it's like only cooking the chicken halfway and eating it.

That is a beautiful BEAUTIFUL analogy :P

Sir, I applaud you :D

If you don't know how to secure Windows correctly, then sure, using Windows is like taking that raw drumstick and and giving yourself a facial with it.

If you do know how to secure Windows correctly, then using Windows is like cooking the drumstick to at least the minimum safe temperature. However, if your idea of securing Windows means relying solely on expecting an antivirus or firewall program to do the work for you, then it's like pouring soy sauce (which cost you money) on it and expecting that to make it safe.
Corrected version above.

Corrected version above.

This is why I like you, CF.

now, that's the kind of information i was looking for. thanks!

i was referring to post #51