
Vista - Vista Internet Security/anti-virus?

Old 01-15-2007   #21 (permalink)
arachnid


 
 

Re: Vista Internet Security/anti-virus?

On Sun, 14 Jan 2007 19:13:27 -0500, Rick Rogers wrote:

> "arachnid" <none@goawayspammers.com> wrote in message
> newsan.2007.01.14.23.13.26.409693@goawayspammers.com...
>> On Sun, 14 Jan 2007 16:04:25 -0500, Rick Rogers wrote:
>>
>>> A question I've always had: How do you know you've never had a virus
>>> if you have nothing that can detect them?

>>
>> The biggest threat to a Linux machine is a direct attack by a hacker on
>> that specific box. Hackers are usually after valuable financial,
>> corporate, and government databases (and the desktop machines that are
>> often the gateway to the database). Linux sysadmins religiously use
>> various intrusion detectors and kernel capabilities which by their
>> nature would also catch file changes due to viruses, spyware, etc.
>> Being open source, those same tools are readily available at no cost to
>> home users paranoid enough to care.

>
> Well, my main point here was that it was being inferred that there is no
> need for protection if you are running linux, when in fact there is.


That was Alias' claim. I think by "Internet Security" he was referring to
reading email and visiting web pages.

> Open source is available to hackers as well as the sysadmins.


And Windows source isn't available to either, yet Windows systems overall
are still deeply inundated under a flood of worms, viruses, and spyware.

>>> Let's face it, many bugs can run hidden in the background, even in
>>> linux, and are not easily detected.

>>
>> Enough Linux desktop machines are tightly secured that it's simply not
>> credible that there are Linux viruses floating around out there that
>> haven't triggered someone's security system.

>
> It is credible, just because you don't see it doesn't mean it doesn't
> exist.


Just because you haven't seen any pink-and-blue polka-dotted dancing
elephants doesn't mean they don't exist...

> We're talking users, not sysadmins here. You only need one unguarded
> machine. There are plenty around that have no idea what is going on with
> their systems. Linux and Vista are both tightly secured, but there are
> already 'proof of concept' bugs for both.


A virus that isn't spreading isn't a threat to other machines, including
mine. A virus that is spreading will be quickly detected when it hits one
of the secured machines. So if I buy your claim that there are Linux
viruses out there, then they aren't able to spread which only shows how
secure Linux is as compared to Windows. )

>>> I don't disagree that a knowledgable user can run without any AV (I do
>>> it frequently), but to recommend that one run without it is
>>> irresponsible, regardless of the OS in use.

>>
>> "Prevention" is approached a little differently under Linux. Rather
>> than relying on A/V scanners to catch infections after the fact, the
>> developers issue immediate patches for any specific vulnerabilities
>> that the virus or worm needs to get a toehold. If the virus takes
>> advantage of an algorithmic weakness then the algorithms will also be
>> changed so the virus can't simply be tweaked a little and used again.

>
> The number one way these vulnerabilities come to light is immediately
> after a bug is written to exploit it. Like Windows developers, they are
> re_acting, not pro_active.


Quite the contrary. Open source code means that more programmers and
security researchers can apply their own code-analysis tools and methods
to the source code. The result is a constant flood of reported
"vulnerabilities" that are fixed long before anyone has a chance to create
worms or viruses that can exploit them. Go take a look at the fine print
on all those open-source vulnerability reports sometime. Most are problems
that can do only minor damage, or that can only be exploited under an
extremely unlikely set of circumstances, or that depend on technical
capabilities not yet developed. Yet, they were taken very seriously and
eliminated.

> One of the downsides of the many iterations of Linux is that there is
> not one central developer releasing updates to protect them all. You are
> beholden to the distributor of your version for assistance. While Linux
> proposes to be a collaborative effort, it is often very divisive
> instead.


Security patches usually do come from the applications developer, who is
about as close as you're going to get to "central". The distributions just
bundle up the resulting code and prepare it for their respective
installation systems. However, if the original developer is too slow to
fix the problem, the distro's all have the source code and can also fix it
themselves. And of course we users have the source code, too.

>> This system works a lot better for Linux users than it would under
>> Windows because a) open source means that a single updater can cover
>> all of a user's applications as well as the core system; and b) we're
>> more comfortable enabling automatic updates because, unlike Microsoft,
>> Linux distributors don't abuse updates to shut down our systems, force
>> "features" on us that we don't want, or infect our machines with nasty
>> things like DRM, WGA(N), etc.

>
> a) That's great provided the developer remains interested or involved
> and has enough time to work for free. The hobbyist nature of the home
> user distributions is one of the reasons Linux does not become more
> widely accepted.


But just think, this poorly-funded and (according to you) "hobbyist OS"
has 30% of the server market - a segment that it mostly took away from
highly respected mainframe UNIX and kept from the grip of a certain very
powerful OS monopoly that badly wanted it. About a third of IBM's
*mainframes* ship with Linux. It was used to design the Mars Rovers, it's
used to produce virtually all the high-end graphics you see in the movies,
and it runs about 40% of the Internet. Whole governments and some very
large international corporations have adopted it for their desktops and
more are considering it. It's forced Microsoft to drop their prices in
some countries. The OLPC project is critically dependent on it. And
despite the "hobbyist nature" of our OS, Linux users aren't the ones being
overrun by adware, spyware, viruses, trojans, and DRM.

Maybe those open-source developers aren't as amateur as you'd like to
think?

> b) No doubt that some updates are pushed out unnecessarily. I dislike
> DRM, WGA as much as you, but it is Microsoft's operating system to do
> with as they please.


Umm, no, once I hand over the money the software is mine to do with as I
please on my own computer. If the seller doesn't agree then I will be
happy to refund the product to them *after* they return my money.

> If they displease enough consumers, the market will shift.


In my case, the market *has* shifted. )

>>> Linux distros aren't any more secure than Windows, they are just
>>> targeted less frequently.

>>
>> They're targeted less frequently because the channels by which malware
>> automatically spreads under Windows are very effectively blocked under
>> Linux. Email attachments aren't executed, the browser is a userland
>> application instead of being foolishly woven into the kernel,
>> applications in the consumer-oriented distro's are only installed from
>> an approved repository, etc. This will remain so no matter how much of
>> the market Linux gains in the future.

>
> Study up on the changes made in Vista, much of which you just stated is
> implemented in the Vista user experience.


Microsoft has been promising proper OS security "Real Soon Now" ever since
Windows 95. I'll believe it when it happens.

> Also, it's funny how people complain about proprietary software for
> Windows, yet in Linux you must also get your applications from an
> approved repository.


There's absolutely no connection between proprietary closed-source
software and approved (or "Official", if you prefer) repositories
containing open-source software for which the source code is also
available on demand.

And BTW the repositories are an optional convenience. You can bypass them
if you want to but it takes more work.

> Substitute Linux for Mac, as it's the same effect. Linux is not
> targeted, so development of attacks and the search for exploits is not
> as far along as it is for Windows.


Secure design is independent of market share.

> If the market shifts to a predominantly Linux environment, you can be
> assured that the virus development will shift similarly and quickly
> advance. To think otherwise is to turn a blind eye.


What, precisely, is the vector by which these imaginary viruses of yours
are going to spread between Linux machines?



Old 01-15-2007   #22 (permalink)
Rick Rogers


 
 

Re: Vista Internet Security/anti-virus?

"arachnid" <none@goawayspammers.com> wrote in message
newsan.2007.01.15.06.24.48.901211@goawayspammers.com...
> On Sun, 14 Jan 2007 19:13:27 -0500, Rick Rogers wrote:
>
>> "arachnid" <none@goawayspammers.com> wrote in message
>> newsan.2007.01.14.23.13.26.409693@goawayspammers.com...
>>> On Sun, 14 Jan 2007 16:04:25 -0500, Rick Rogers wrote:
>>>
>>>> A question I've always had: How do you know you've never had a virus
>>>> if you have nothing that can detect them?
>>>
>>> The biggest threat to a Linux machine is a direct attack by a hacker on
>>> that specific box. Hackers are usually after valuable financial,
>>> corporate, and government databases (and the desktop machines that are
>>> often the gateway to the database). Linux sysadmins religiously use
>>> various intrusion detectors and kernel capabilities which by their
>>> nature would also catch file changes due to viruses, spyware, etc.
>>> Being open source, those same tools are readily available at no cost to
>>> home users paranoid enough to care.

>>
>> Well, my main point here was that it was being inferred that there is no
>> need for protection if you are running linux, when in fact there is.

>
> That was Alias' claim. I think by "Internet Security" he was referring to
> reading email and visiting web pages.


Well, I was, after all, responding to him. This diversion is of your making.

>> Open source is available to hackers as well as the sysadmins.

>
> And Windows source isn't available to either, yet Windows systems overall
> are still deeply inundated under a flood of worms, viruses, and spyware.


Absolutely, making implementation of protection imperative.

>>>> Let's face it, many bugs can run hidden in the background, even in
>>>> linux, and are not easily detected.
>>>
>>> Enough Linux desktop machines are tightly secured that it's simply not
>>> credible that there are Linux viruses floating around out there that
>>> haven't triggered someone's security system.

>>
>> It is credible, just because you don't see it doesn't mean it doesn't
>> exist.

>
> Just because you haven't seen any pink-and-blue polka-dotted dancing
> elephants doesn't mean they don't exist...


Now you're just being silly.

>> We're talking users, not sysadmins here. You only need one unguarded
>> machine. There are plenty around that have no idea what is going on with
>> their systems. Linux and Vista are both tightly secured, but there are
>> already 'proof of concept' bugs for both.

>
> A virus that isn't spreading isn't a threat to other machines, including
> mine. A virus that is spreading will be quickly detected when it hits one
> of the secured machines. So if I buy your claim that there are Linux
> viruses out there, then they aren't able to spread which only shows how
> secure Linux is as compared to Windows. )


If Linux doesn't need AV and there are no viruses that target it, then why
are there Linux-compatible AV programs?

>>>> I don't disagree that a knowledgable user can run without any AV (I do
>>>> it frequently), but to recommend that one run without it is
>>>> irresponsible, regardless of the OS in use.
>>>
>>> "Prevention" is approached a little differently under Linux. Rather
>>> than relying on A/V scanners to catch infections after the fact, the
>>> developers issue immediate patches for any specific vulnerabilities
>>> that the virus or worm needs to get a toehold. If the virus takes
>>> advantage of an algorithmic weakness then the algorithms will also be
>>> changed so the virus can't simply be tweaked a little and used again.

>>
>> The number one way these vulnerabilities come to light is immediately
>> after a bug is written to exploit it. Like Windows developers, they are
>> re_acting, not pro_active.

>
> Quite the contrary. Open source code means that more programmers and
> security researchers can apply their own code-analysis tools and methods
> to the source code. The result is a constant flood of reported
> "vulnerabilities" that are fixed long before anyone has a chance to create
> worms or viruses that can exploit them. Go take a look at the fine print
> on all those open-source vulnerability reports sometime. Most are problems
> that can do only minor damage, or that can only be exploited under an
> extremely unlikely set of circumstances, or that depend on technical
> capabilities not yet developed. Yet, they were taken very seriously and
> eliminated.


The same can be said of Windows. Many vulnerabilities are detected,
reported, and eliminated long before an exploit hits. You only hear about
the ones that aren't.

>> One of the downsides of the many iterations of Linux is that there is
>> not one central developer releasing updates to protect them all. You are
>> beholden to the distributor of your version for assistance. While Linux
>> proposes to be a collaborative effort, it is often very divisive
>> instead.

>
> Security patches usually do come from the applications developer, who is
> about as close as you're going to get to "central". The distributions just
> bundle up the resulting code and prepare it for their respective
> installation systems. However, if the original developer is too slow to
> fix the problem, the distro's all have the source code and can also fix it
> themselves. And of course we users have the source code, too.


But honestly now, how many users - especially home users - are going to know
what to do with source code?

>>> This system works a lot better for Linux users than it would under
>>> Windows because a) open source means that a single updater can cover
>>> all of a user's applications as well as the core system; and b) we're
>>> more comfortable enabling automatic updates because, unlike Microsoft,
>>> Linux distributors don't abuse updates to shut down our systems, force
>>> "features" on us that we don't want, or infect our machines with nasty
>>> things like DRM, WGA(N), etc.

>>
>> a) That's great provided the developer remains interested or involved
>> and has enough time to work for free. The hobbyist nature of the home
>> user distributions is one of the reasons Linux does not become more
>> widely accepted.

>
> But just think, this poorly-funded and (according to you) "hobbyist OS"
> has 30% of the server market - a segment that it mostly took away from
> highly respected mainframe UNIX and kept from the grip of a certain very
> powerful OS monopoly that badly wanted it. About a third of IBM's
> *mainframes* ship with Linux. It was used to design the Mars Rovers, it's
> used to produce virtually all the high-end graphics you see in the movies,
> and it runs about 40% of the Internet. Whole governments and some very
> large international corporations have adopted it for their desktops and
> more are considering it. It's forced Microsoft to drop their prices in
> some countries. The OLPC project is critically dependent on it. And
> despite the "hobbyist nature" of our OS, Linux users aren't the ones being
> overrun by adware, spyware, viruses, trojans, and DRM.
>
> Maybe those open-source developers aren't as amateur as you'd like to
> think?


You're mixing up two different animals. Note that I used the phrase
"hobbyist nature of the home user distributions", and I did so
intentionally. Linux has a good share of the server market for the exact
reasons you stated. But this discussion is about home users, and Linux has
not gotten past the hobbyist phase for this part of the market. Don't get me
wrong, I like Linux and use it frequently. Were you to check the source of
my many posts over the years, you'd find knode as the agent quite often.

>> b) No doubt that some updates are pushed out unnecessarily. I dislike
>> DRM, WGA as much as you, but it is Microsoft's operating system to do
>> with as they please.

>
> Umm, no, once I hand over the money the software is mine to do with as I
> please on my own computer. If the seller doesn't agree then I will be
> happy to refund the product to them *after* they return my money.


This is often a point of contention, as with Windows what you purchase is a
license to use the software, not ownership of it. The agreement is that you
use it subject to their conditions for use, not yours. I don't necessarily
like this business model either, but it is what it is. One of the nice
things about Linux is the ability to modify it, but one must be knowledgable
enough to do so for this to be of benefit.

>> If they displease enough consumers, the market will shift.

>
> In my case, the market *has* shifted. )


You may not be the only one, and this is precisely what market demand is all
about. If Microsoft's business model continues to become cumbersome and
restrictive to the OEM system manufacturers, eventually one of them may move
away from the platform (and hopefully do better than Lindows).

>>>> Linux distros aren't any more secure than Windows, they are just
>>>> targeted less frequently.
>>>
>>> They're targeted less frequently because the channels by which malware
>>> automatically spreads under Windows are very effectively blocked under
>>> Linux. Email attachments aren't executed, the browser is a userland
>>> application instead of being foolishly woven into the kernel,
>>> applications in the consumer-oriented distro's are only installed from
>>> an approved repository, etc. This will remain so no matter how much of
>>> the market Linux gains in the future.

>>
>> Study up on the changes made in Vista, much of which you just stated is
>> implemented in the Vista user experience.

>
> Microsoft has been promising proper OS security "Real Soon Now" ever since
> Windows 95. I'll believe it when it happens.


Reread what I stated already, study up on the changes in Vista. They really
are quite substantive.

>> Also, it's funny how people complain about proprietary software for
>> Windows, yet in Linux you must also get your applications from an
>> approved repository.

>
> There's absolutely no connection between proprietary closed-source
> software and approved (or "Official", if you prefer) repositories
> containing open-source software for which the source code is also
> available on demand.
>
> And BTW the repositories are an optional convenience. You can bypass them
> if you want to but it takes more work.


Right, and inconvenience if you will, that makes using official channels
easier. Not unlike Windows in many respects, except for the implementation
of WGA.

>> Substitute Linux for Mac, as it's the same effect. Linux is not
>> targeted, so development of attacks and the search for exploits is not
>> as far along as it is for Windows.

>
> Secure design is independent of market share.


You missed the point. It may seem secure precisely because it's not
targeted. Should that condition change, you may find it's not as secure as
is thought.

>> If the market shifts to a predominantly Linux environment, you can be
>> assured that the virus development will shift similarly and quickly
>> advance. To think otherwise is to turn a blind eye.

>
> What, precisely, is the vector by which these imaginary viruses of yours
> are going to spread between Linux machines?


If a majority of regular old home users (grandma, old aunt sally, your 8
year old niece) become the base of linux home users, then the answer should
be obvious. Currently, the majority of Linux users are fairly computer
literate users, just as early Win3.x users were. With the expansion into
everyday lives of millions of non-technical users, it's easy to get things
to spread. Remember, "I love you...."

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Windows help - www.rickrogers.org

Old 01-15-2007   #23 (permalink)
Alias


 
 

Re: Vista Internet Security/anti-virus?

Rick Rogers wrote:

> If the market shifts to a
> predominantly Linux environment, you can be assured that the virus
> development will shift similarly and quickly advance. To think otherwise
> is to turn a blind eye.
>


Well, I noticed that Automatix has a firewall and an anti virus so I
installed them. Unlike Windows, however, it did not slow down the boot
up or reboot and doesn't slow down the computer, at least noticeably.

Alias
Old 01-15-2007   #24 (permalink)
Rick Rogers


 
 

Re: Vista Internet Security/anti-virus?

The AV programs for Windows vary greatly. The more widely used ones, Norton
and McAfee, are notorious for the way they bog down the system by aggressive
scanning and insidious integration into everything. Get away from those, and
you will find ones with a much lighter footprint that is barely perceptible,
if at all. AVG, NOD32, and Antivir are just some examples. Kaspersky and
Avast are a bit heavier, but still better than the big boys. I have amazed
many complaining of miserable performance by simply removing those
aforementioned overbearing programs, they can't believe how much more
efficient their systems are. Many had no idea that there were other options.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Windows help - www.rickrogers.org

"Alias" <Alias@masked&anonymous.es> wrote in message
news:uBp0V0KOHHA.2232@TK2MSFTNGP02.phx.gbl...
> Rick Rogers wrote:
>
> > If the market shifts to a
>> predominantly Linux environment, you can be assured that the virus
>> development will shift similarly and quickly advance. To think otherwise
>> is to turn a blind eye.
>>

>
> Well, I noticed that Automatix has a firewall and an anti virus so I
> installed them. Unlike Windows, however, it did not slow down the boot up
> or reboot and doesn't slow down the computer, at least noticeably.
>
> Alias


Old 01-15-2007   #25 (permalink)
MICHAEL


 
 

Re: Vista Internet Security/anti-virus?

I highly recommend NOD32. It's not free, but with the level of
protection it provides *without* being a drag on your system-
people should be more than happy to pay for. The folks at Eset
have made a superior AV and should/deserve to be paid/rewarded for
their efforts.


-Michael

"Rick Rogers" <rick@mvps.org> wrote in message news:%23JaK2GLOHHA.1240@TK2MSFTNGP03.phx.gbl...
> The AV programs for Windows vary greatly. The more widely used ones, Norton
> and McAfee, are notorious for the way they bog down the system by aggressive
> scanning and insidious integration into everything. Get away from those, and
> you will find ones with a much lighter footprint that is barely perceptible,
> if at all. AVG, NOD32, and Antivir are just some examples. Kaspersky and
> Avast are a bit heavier, but still better than the big boys. I have amazed
> many complaining of miserable performance by simply removing those
> aforementioned overbearing programs, they can't believe how much more
> efficient their systems are. Many had no idea that there were other options.
>
> --
> Best of Luck,
>
> Rick Rogers, aka "Nutcase" - Microsoft MVP
> http://mvp.support.microsoft.com/
> Windows help - www.rickrogers.org
>
> "Alias" <Alias@masked&anonymous.es> wrote in message
> news:uBp0V0KOHHA.2232@TK2MSFTNGP02.phx.gbl...
>> Rick Rogers wrote:
>>
>> > If the market shifts to a
>>> predominantly Linux environment, you can be assured that the virus
>>> development will shift similarly and quickly advance. To think otherwise
>>> is to turn a blind eye.
>>>

>>
>> Well, I noticed that Automatix has a firewall and an anti virus so I
>> installed them. Unlike Windows, however, it did not slow down the boot up
>> or reboot and doesn't slow down the computer, at least noticeably.
>>
>> Alias

>

Old 01-15-2007   #26 (permalink)
Alias


 
 

Re: Vista Internet Security/anti-virus?

Rick Rogers wrote:
> The AV programs for Windows vary greatly. The more widely used ones,
> Norton and McAfee, are notorious for the way they bog down the system by
> aggressive scanning and insidious integration into everything. Get away
> from those, and you will find ones with a much lighter footprint that is
> barely perceptible, if at all. AVG, NOD32, and Antivir are just some
> examples. Kaspersky and Avast are a bit heavier, but still better than
> the big boys. I have amazed many complaining of miserable performance by
> simply removing those aforementioned overbearing programs, they can't
> believe how much more efficient their systems are. Many had no idea that
> there were other options.
>


The one that comes with Automatix is called ClamAV. The firewall is
called Firestarter.

Alias
Old 01-15-2007   #27 (permalink)
MICHAEL


 
 

Re: Vista Internet Security/anti-virus?


"Alias" <aka@maskedandanonymous.eu> wrote in message news:eog5bl$f10$1@aioe.org...
> Rick Rogers wrote:
>> The AV programs for Windows vary greatly. The more widely used ones,
>> Norton and McAfee, are notorious for the way they bog down the system by
>> aggressive scanning and insidious integration into everything. Get away
>> from those, and you will find ones with a much lighter footprint that is
>> barely perceptible, if at all. AVG, NOD32, and Antivir are just some
>> examples. Kaspersky and Avast are a bit heavier, but still better than
>> the big boys. I have amazed many complaining of miserable performance by
>> simply removing those aforementioned overbearing programs, they can't
>> believe how much more efficient their systems are. Many had no idea that
>> there were other options.
>>

>
> The one that comes with Automatix is called ClamAV. The firewall is
> called Firestarter.


ClamAV isn't resident/real-time protection, at least the Windows version
isn't. Of course, I know a few people who have never used an AV in
real-time protection mode, and have never been infected.... Windows
users, too.


-Michael
Old 01-15-2007   #28 (permalink)
Robert Moir


 
 

Re: Vista Internet Security/anti-virus?

On 2007-01-14 18:35:39 +0000, Alias <aka@maskedandanonymous.eu> said:

>
> Yawn. I see you know nothing about the latest Linux distros.
>
> Alias


Yawn indeed. I don't claim to be an expert on Linux security but I
probably know far more than you think. Your assertion was that
running Linux meant never having to worry about "Internet Security". I
posted a hard example of Linux not being immune to such considerations.

Yes I know that is 'old news', obviously it is hard to know about
things before they happen and if I happened to have that particular
magical superpower I'd be far too busy buying winning lottery tickets
and making sure-fire stock market investments to talk here.

If I had posted a vague note about possible threats in the future I'm
sure you'd be equally scathing of me for not providing hard examples.
You can't have it both ways.

--
Robert Moir

www.rhymeswithgeek.com

Old 01-16-2007   #29 (permalink)
arachnid


 
 

Re: Vista Internet Security/anti-virus?

On Mon, 15 Jan 2007 07:37:26 -0500, Rick Rogers wrote:

> "arachnid" <none@goawayspammers.com> wrote in message
> newsan.2007.01.15.06.24.48.901211@goawayspammers.com...
>> On Sun, 14 Jan 2007 19:13:27 -0500, Rick Rogers wrote:
>>
>>> "arachnid" <none@goawayspammers.com> wrote in message
>>> newsan.2007.01.14.23.13.26.409693@goawayspammers.com...
>>>> On Sun, 14 Jan 2007 16:04:25 -0500, Rick Rogers wrote:
>>>>
>>>>> A question I've always had: How do you know you've never had a virus
>>>>> if you have nothing that can detect them?
>>>>
>>>> The biggest threat to a Linux machine is a direct attack by a hacker
>>>> on that specific box. Hackers are usually after valuable financial,
>>>> corporate, and government databases (and the desktop machines that
>>>> are often the gateway to the database). Linux sysadmins religiously
>>>> use various intrusion detectors and kernel capabilities which by
>>>> their nature would also catch file changes due to viruses, spyware,
>>>> etc. Being open source, those same tools are readily available at no
>>>> cost to home users paranoid enough to care.
>>>
>>> Well, my main point here was that it was being inferred that there is
>>> no need for protection if you are running linux, when in fact there
>>> is.

>>
>> That was Alias' claim. I think by "Internet Security" he was referring
>> to reading email and visiting web pages.

>
> Well, I was, after all, responding to him. This diversion is of your
> making.


This "diversion" started as a response to a question you posed in a public
forum.

>>> Open source is available to hackers as well as the sysadmins.

>>
>> And Windows source isn't available to either, yet Windows systems
>> overall are still deeply inundated under a flood of worms, viruses, and
>> spyware.

>
> Absolutely, making implementation of protection imperative.


Yes, Microsoft really needs to do something. For the sake of my friends
who use Windows, I hope they finally get it right with Vista. But based on
past history I seriously doubt that they will.

>>>>> Let's face it, many bugs can run hidden in the background, even in
>>>>> linux, and are not easily detected.
>>>>
>>>> Enough Linux desktop machines are tightly secured that it's simply
>>>> not credible that there are Linux viruses floating around out there
>>>> that haven't triggered someone's security system.
>>>
>>> It is credible, just because you don't see it doesn't mean it doesn't
>>> exist.

>>
>> Just because you haven't seen any pink-and-blue polka-dotted dancing
>> elephants doesn't mean they don't exist...

>
> Now you're just being silly.


"Just because you don't see them doesn't mean they don't exist"

>>> We're talking users, not sysadmins here. You only need one unguarded
>>> machine. There are plenty around that have no idea what is going on
>>> with their systems. Linux and Vista are both tightly secured, but
>>> there are already 'proof of concept' bugs for both.

>>
>> A virus that isn't spreading isn't a threat to other machines,
>> including mine. A virus that is spreading will be quickly detected when
>> it hits one of the secured machines. So if I buy your claim that there
>> are Linux viruses out there, then they aren't able to spread which only
>> shows how secure Linux is as compared to Windows. )

>
> If Linux doesn't need AV and there are no viruses that target it, then
> why are there Linux-compatible AV programs?


Because Windows needs them. Linux is widely used for email and web servers
so it needs to be able to check for infected traffic destined for Windows
machines. On desktop machines, there's the danger of a Linux user
downloading a document or program and then passing it on to a Windows user.

Now there _are_ a few recent commercial A/V programs for home users that
purport to protect Linux itself against viruses. However, their
rather alarming sales pitches are lacking in solid details and in contrast
to their Windows-virus brags they seem exceedingly reluctant to list all
of those nasty Linux viruses they're supposed to protect me against. In
other words, the a/v half of the package is nothing but snake oil. The
other half is usually an intrusion detector, but Linux already has plenty
of excellent intrusion detectors for free.

>>>>> I don't disagree that a knowledgeable user can run without any AV (I
>>>>> do it frequently), but to recommend that one run without it is
>>>>> irresponsible, regardless of the OS in use.
>>>>
>>>> "Prevention" is approached a little differently under Linux. Rather
>>>> than relying on A/V scanners to catch infections after the fact, the
>>>> developers issue immediate patches for any specific vulnerabilities
>>>> that the virus or worm needs to get a toehold. If the virus takes
>>>> advantage of an algorithmic weakness then the algorithms will also be
>>>> changed so the virus can't simply be tweaked a little and used again.
>>>
>>> The number one way these vulnerabilities come to light is immediately
>>> after a bug is written to exploit it. Like Windows developers, they are
>>> re_acting, not pro_active.
>>
>> Quite the contrary. Open source code means that more programmers and
>> security researchers can apply their own code-analysis tools and
>> methods to the source code. The result is a constant flood of reported
>> "vulnerabilities" that are fixed long before anyone has a chance to
>> create worms or viruses that can exploit them. Go take a look at the
>> fine print on all those open-source vulnerability reports sometime.
>> Most are problems that can do only minor damage, or that can only be
>> exploited under an extremely unlikely set of circumstances, or that
>> depend on technical capabilities not yet developed. Yet, they were
>> taken very seriously and eliminated.
>
> The same can be said of Windows. Many vulnerabilities are detected,
> reported, and eliminated long before an exploit hits. You only hear
> about the ones that aren't.


Now you're contradicting yourself. You just admitted earlier that Windows
developers are "...re_acting, not pro_active". (see above)

>>> One of the downsides of the many iterations of Linux is that there is
>>> not one central developer releasing updates to protect them all. You
>>> are beholden to the distributor of your version for assistance. While
>>> Linux proposes to be a collaborative effort, it is often very divisive
>>> instead.
>>
>> Security patches usually do come from the applications developer, who
>> is about as close as you're going to get to "central". The
>> distributions just bundle up the resulting code and prepare it for
>> their respective installation systems. However, if the original
>> developer is too slow to fix the problem, the distro's all have the
>> source code and can also fix it themselves. And of course we users have
>> the source code, too.
>
> But honestly now, how many users - especially home users - are going to
> know what to do with source code?


When everyone has the source code, there are bound to be a few people in
any large pool of users who know how to work with it. That's already been
proven to work for adding features and bugfixes.

>>>> This system works a lot better for Linux users than it would under
>>>> Windows because a) open source means that a single updater can cover
>>>> all of a user's applications as well as the core system; and b) we're
>>>> more comfortable enabling automatic updates because, unlike
>>>> Microsoft, Linux distributors don't abuse updates to shut down our
>>>> systems, force "features" on us that we don't want, or infect our
>>>> machines with nasty things like DRM, WGA(N), etc.
>>>
>>> a) That's great provided the developer remains interested or involved
>>> and has enough time to work for free. The hobbyist nature of the home
>>> user distributions is one of the reasons Linux does not become more
>>> widely accepted.
>>
>> But just think, this poorly-funded and (according to you) "hobbyist OS"
>> has 30% of the server market - a segment that it mostly took away from
>> highly respected mainframe UNIX and kept from the grip of a certain
>> very powerful OS monopoly that badly wanted it. About a third of IBM's
>> *mainframes* ship with Linux. It was used to design the Mars Rovers,
>> it's used to produce virtually all the high-end graphics you see in the
>> movies, and it runs about 40% of the Internet. Whole governments and
>> some very large international corporations have adopted it for their
>> desktops and more are considering it. It's forced Microsoft to drop
>> their prices in some countries. The OLPC project is critically
>> dependent on it. And despite the "hobbyist nature" of our OS, Linux
>> users aren't the ones being overrun by adware, spyware, viruses,
>> trojans, and DRM.
>>
>> Maybe those open-source developers aren't as amateur as you'd like to
>> think?
>
> You're mixing up two different animals. Note that I used the phrase
> "hobbyist nature of the home user distributions", and I did so
> intentionally. Linux has a good share of the server market for the exact
> reasons you stated. But this discussion is about home users, and Linux
> has not gotten past the hobbyist phase for this part of the market.


The same Linux kernel used for servers, mainframes, and corporate desktops
is used on home machines. Many of the same GUI and desktop applications
used on government/corporate desktops are also used on home machines. The
primary software difference between a corporate system and a home system
is the installers designed to help a nontechnical home user install and
configure the OS by himself. Given that we're asking for Linux to be
installed aftermarket on frequently-undocumented hardware designed for
another OS by a user with no technical skill and no previous Linux
experience, I think the open-source developers have done a fantastic job
here.

> Don't get me wrong, I like Linux and use it frequently. Were you to
> check the source of my many posts over the years, you'd find knode as
> the agent quite often.


It was clear right from the beginning that you're trolling, though I
didn't figure you for a reverse troll.

>>> b) No doubt that some updates are pushed out unnecessarily. I dislike
>>> DRM, WGA as much as you, but it is Microsoft's operating system to do
>>> with as they please.
>>
>> Umm, no, once I hand over the money the software is mine to do with as
>> I please on my own computer. If the seller doesn't agree then I will be
>> happy to refund the product to them *after* they return my money.
>
> This is often a point of contention, as with Windows what you purchase
> is a license to use the software, not ownership of it. The agreement is
> that you use it subject to their conditions for use, not yours.


I wouldn't be so sure:

: http://en.wikipedia.org/wiki/First_Sale_Doctrine
:
: The first-sale doctrine as it relates to computer software is an area
: of legal confusion. Software publishers claim the first-sale doctrine
: does not apply because software is licensed, not sold, under the terms
: of an End User License Agreement (EULA). The courts have issued
: contrary decisions regarding the first-sale rights of consumers. Bauer
: & Cie. v. O'Donnell and Bobbs-Merrill Co. v. Straus are two US Supreme
: Court cases that deal with copyright holders trying to enforce terms
: beyond the scope of copyright and patent, by calling it a license. Many
: state courts have also ruled that a sale of software is indeed a sale
: of goods under the Uniform Commercial Code (UCC) at the point where
: funds are exchanged for the physical copy of the software. The licensed
: and not sold argument is held mostly in the 8th and 7th Circuits while
: other circuits tend to support the opposite, thus leading to
: conflicting court opinions such as seen in the 3rd Circuit Step-Saver
: Data Systems, Inc. v. Wyse Technology and fifth circuit Vault Corp. v.
: Quaid Software as opposed to the 8th Circuit Blizzard v. BNETD
: (Davidson & Associates v. Internet Gateway Inc (2004)), which have not
: been resolved by the Supreme Court.
:
: Federal district courts in California and Texas have issued decisions
: applying the doctrine of first sale for bundled computer software in
: Softman v. Adobe (2001) and Novell, Inc. v. CPU Distrib., Inc. (2000)
: even if the software contains an EULA prohibiting resale. In the
: Softman case, after purchasing bundled software (A box containing many
: programs that are also available individually) from Adobe Systems,
: Softman unbundled it and then resold the component programs. The court
: ruled that Softman could resell the bundled software, no matter what
: the EULA stipulates, because Softman had never assented to the EULA.
: Specifically, the ruling decreed that software purchases be treated as
: sales transactions, rather than explicit license agreements. In other
: words, the court ruling argued that California consumers should have
: the same rights they would enjoy under existing copyright legislation
: when buying a CD or a book.

Personally I found it easier to switch to open source than take on a
multinational company and its horde of lawyers. Software-wise it turned
out to be a move for the better, anyway.

> I don't necessarily like this business model either, but it is what it
> is. One of the nice things about Linux is the ability to modify it, but
> one must be knowledgeable enough to do so for this to be of benefit.


The benefits are greater and more direct for the user who can modify the
code himself. However, individuals also benefit from the ability of
other users to add features and bugfixes.

>>> If they displease enough consumers, the market will shift.
>>
>> In my case, the market *has* shifted. :)
>
> You may not be the only one, and this is precisely what market demand is
> all about. If Microsoft's business model continues to become cumbersome
> and restrictive to the OEM system manufacturers, eventually one of them
> may move away from the platform (and hopefully do better than Lindows).


While their software sucks (IMHO), Microsoft isn't stupid when it comes
to business. Yet, everything they're doing lately appears unbelievably
dumb. I am truly mystified as to what they're really up to.

>>>>> Linux distros aren't any more secure than Windows, they are just
>>>>> targeted less frequently.
>>>>
>>>> They're targeted less frequently because the channels by which
>>>> malware automatically spreads under Windows are very effectively
>>>> blocked under Linux. Email attachments aren't executed, the browser
>>>> is a userland application instead of being foolishly woven into the
>>>> kernel, applications in the consumer-oriented distro's are only
>>>> installed from an approved repository, etc. This will remain so no
>>>> matter how much of the market Linux gains in the future.
>>>
>>> Study up on the changes made in Vista, much of which you just stated
>>> is implemented in the Vista user experience.
>>
>> Microsoft has been promising proper OS security "Real Soon Now" ever
>> since Windows 95. I'll believe it when it happens.
>
> Reread what I stated already, study up on the changes in Vista. They
> really are quite substantive.


Where have we heard this before?

>>> Also, it's funny how people complain about proprietary software for
>>> Windows, yet in Linux you must also get your applications from an
>>> approved repository.
>>
>> There's absolutely no connection between proprietary closed-source
>> software and approved (or "Official", if you prefer) repositories
>> containing open-source software for which the source code is also
>> available on demand.
>>
>> And BTW the repositories are an optional convenience. You can bypass
>> them if you want to but it takes more work.
>
> Right, and inconvenience if you will, that makes using official channels
> easier.


One would hope so, since one of the goals of a consumer-friendly
distribution is to hide technical complexity.

> Not unlike Windows in many respects, except for the implementation of
> WGA.


Windows doesn't have any real equivalent of Linux repositories. Sure, you
can download and update stuff directly from MS but you can't download or
update all of your other installed applications unless you only use MS
apps. You also can't select and install new applications from a field
of 15,000 using a simple point-and-click installer.

>
>>> Substitute Linux for Mac, as it's the same effect. Linux is not
>>> targeted, so development of attacks and the search for exploits is not
>>> as far along as it is for Windows.
>>
>> Secure design is independent of market share.
>
> You missed the point. It may seem secure precisely because it's not
> targeted.


But it -is- targeted. Linux was a multi-user networking OS when Windows
was still single-user, and its design is based on UNIX, a mature and
highly-respected multi-user networking OS even back then. In a large
corporate multi-user system there are bound to be hackers, corporate
spies, and employees with grudges who have already been assigned user
accounts on the machine. So, Linux developers are hardly babes in the
woods when it comes to OS security and networks. In addition to that
expertise, top security experts worldwide are able to freely examine the
source code in search of design weaknesses - an advantage that Windows
doesn't enjoy. (Not that it matters, since Microsoft ignores the security
community's advice anyway)

> Should that condition change, you may find it's not as secure
> as is thought.


No, -you- missed the point. Secure design is independent of market share.
Safes made of 12" armor plate are more secure than safes made of cheap
sheetmetal whether they have 0.0001% of the market or 100%. PGP encryption
is just as secure no matter how many people use PGP. Linux email clients
won't automatically execute worm-infected email attachments no matter how
many people send them.

Oh, and your Mac story is getting dangerously close to the tired old
excuse that any OS that enjoys Windows' market share will inevitably be
penetrated just as often as Windows because it will be targeted just as
much. In other words, that the maximum security any consumer OS can
achieve is determined by market share rather than software design, and
that Windows has already achieved that maximum. That leads to some bizarre
conclusions:

- No matter how much better it's designed, no consumer OS that achieves
Windows' market share can ever be any more secure than Windows is.

- The only way for any other consumer OS to achieve greater OS security
than Windows offers, is to have less market share than Windows has.

- Windows can't be made any more secure through software fixes because
it's already reached the maximum OS security allowed by its market
share.

- If Microsoft increases its market share, Windows will become less
secure. If another OS takes away some of Windows' market share, Windows
will become more secure.

>>> If the market shifts to a predominantly Linux environment, you can be
>>> assured that the virus development will shift similarly and quickly
>>> advance. To think otherwise is to turn a blind eye.
>>
>> What, precisely, is the vector by which these imaginary viruses of
>> yours are going to spread between Linux machines?
>
> If a majority of regular old home users (grandma, old aunt sally, your 8
> year old niece) become the base of linux home users, then the answer
> should be obvious. Currently, the majority of Linux users are fairly
> computer literate users, just as early Win3.x users were. With the
> expansion into everyday lives of millions of non-technical users, it's
> easy to get things to spread. Remember, "I love you...."


No matter how many email worms people send to Grannie, her Linux email
client still isn't going to execute them. She'll also have a new security
measure soon that Windows-using grannies won't: virtual machine
technology. Whereas Microsoft strongly discourages home users from running
Vista Home in a VM by requiring that they first buy a $300 version of
Vista, open-source developers are just about finished making VM software
part of the core OS. Once that's complete, setting up a VM is totally free
and just a matter of a few mouse-clicks. I can easily see consumer
friendly distro's automatically installing a small Internet-browsing VM as
part of the normal OS installation. Grannie would benefit from the
improved security of a VM without even knowing what a virtual machine is
or that her web-browser and email client were running in one.
