On 3/30/06, Linda Walsh
> Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries.
But Linux doesn't have those flaws, while Windows does. You cannot install a Windows system without it. So, even though the components that make it insecure are not the kernel, the system as a whole is still insecure as those are core parts of the system. Besides, if you want to make Linux just as vulnerable to viruses as Windows by porting ActiveX to it, you will firstly have to do the porting in a very stupid way. You will have to tie the ActiveX into the kernel's security level (like Windows has), so you will be actively MAKING an insecure Linux. But that would be stupid, would it not? What would the point be? Who would be stupid enough to use such a system? (Hmmm... Maybe if you get Microsoft's marketing department to sell it, you will be able to sell it to people.) But then it is definitely not Gnu/Linux anymore and the Gnu/Linux community will never accept or allow such a beast.
> Where do you think Windows (as separate application on top of WinNT) got its "ActiveX" technology from? Before that it was called DCOM, and before that "COM" and before that...I think "CORBA"?, but Windows' "COM" technology came from Unix (Sun).
I don't know if COM and DCOM come from CORBA, but if they do then MS did a pretty crappy job of copying CORBA functionality. CORBA is a stand-alone bus that allows clients to talk to each other. The clients interface with the CORBA bus via an API, but do not share memory space with the bus itself. With COM and ActiveX the API gives your app access to the memory space of the ActiveX component, which again uses a shared system bus. If you plug into the Windows system bus, you can see all messages going around. You can intercept messages meant for other applications, change them and send them off again. With the message busses used on *nix systems you cannot do that, because there are different busses and you can only access what the bus allows you to see.
> Look at technology common to Windows & *nix, say Java: how much less secure is Java on Windows than Gnunix?
Very much. Due to the common message bus that Windows uses, the Java application potentially has access to any other application, while on a *nix system, the Java engine is run as a normal user and there is no common message bus. In fact, Java normally does not have access even to the KDE or GNOME message busses. If a Java app gets compromised, it will only affect the user.
> What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows.
I think you are still not getting the point. You perceive Linux as being primitive because it does not feature a useless application that can only give you a false sense of security. You are still measuring Linux security according to Windows security features and issues. The point is that you should first look at where the real threats are on a Linux system and then think from that angle. On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised. If you say that Linux is primitive because it does not have a fancy GUI that can tell me that I am already compromised, then I say that I prefer the primitive system that rather prevents me from being compromised in the first place.
> If I install FF on Linux, on startup, *by default*, it will go out and download the Firefox home page after you first install it. Unless you are on a separate subnet and block the use of outgoing port 80, it will succeed. When I install the same program on my Windows box, Firefox is blocked and I receive a popup on my desktop telling me that application "Firefox" is trying to contact host "xxyz" on port 80. Do I wish to allow this?
OK, so help me understand the usefulness of this... I start up a browser with the intent of accessing web pages on a web server, that is normally via port 80. Now I have an application that tells me that the browser is trying to access port 80. Well, I kind of expect it to access port 80; that is why I started it up. Why would I want an application to tell me this? Or do you start up Firefox and use it as a local file browser? Then Firefox should NOT access port 80, that would be wrong....
> That ability isn't readily available on Linux. That's not to say it _couldn't_ be done, it's just saying that it doesn't currently have the interactive GUI to control an all encompassing Firewall of the type that has been available on Windows for over 6 years (or more).
That is because that functionality is moot on Linux. You don't need it as the security issues are different.
> The behavior I see on Linux is "silent failure" -- a log file entry is generated, and it doesn't tell me what application made the request.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where; its main purpose is to prevent things from going through it. If you want to see what traffic is going where, use something like Ethereal. [...]
> The reason MS has been successful in the marketplace is that rather than spending all this energy telling me why I shouldn't want what I want, they have traditionally just bent over backwards to enable it (too much so, allowing harm from the opposite direction). Neither direction is 100% right. They need sensible blending -- something you won't have as long as you color everything "MS", "wrong".
The reason MS is successful does not have much to do with giving users what they want. It has to do with very clever marketing and social engineering. They have managed to form the market to their view of it. MS (and cronies) basically tell you that you need a tool to tell you that an application wants to access the net. They fabricate the need by perception. You have been brainwashed into believing that the best way to protect your system is to be notified that you have been compromised. Does that make sense? To me that is not logical. The MS-dominated IT sector has also very successfully brainwashed people into believing that a computer system is virus prone, that it has to be rebooted often and that instability is normal. These are all things that should not make sense, but somehow people believe it. It is like getting people to believe that it is normal for a car's brakes to fail every now and again. Ford will have difficulty in making people believe and accept this, because there are a lot of other car manufacturers that will not play along with this. Unfortunately the IT world has been dominated for so long by MS that they managed to establish certain perceptions about how a computer should function. People started to accept that a PC crashes every now and again. People lose files and just carry on because that is the nature of a PC.

-- 
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~