The myth that software popularity doesn't affect number of vulnerabilities is a myth

• #61
Originally posted by Agathon:
    Then we should be sceptical instead of blindly assuming things like you do.
There is a threshold where being skeptical of obvious things makes you insane, or at least holding an absurd position while encased in a reality distortion field of some sort.

    It's hard to get software to install itself on OS X in a way that would compromise a machine without root access (a password) or physical access to the machine (that's why the only bad stuff so far has been a trojan that must be manually installed).
Why do viruses need to install software? I don't get it.

Do you need to be root or Administrator to delete your own user files? Probably the most important data on the system, actually...

    Because "capable" is a vague term.
Only when you want it to be, and only when you're deliberately being obtuse.

Viruses rely on ignorant people; ignorant people are on every platform.

    If we followed your logic it would be the case that Windows is only a Swiss cheese operating system because of its popularity rather than its bad design or the lack of incentives to fix it properly.
1) Why is Windows a "Swiss cheese operating system" if there have been more security fixes released for MacOS X and standard Linux desktop configurations this year?
2) Why is the design bad (coming from your obviously informed perspective of an artsy philosopher)?
3) Why is there a lack of incentive to fix it properly?

    But in the end it doesn't matter. In practical terms OS X is still more secure than Windows - for whatever reason.
In practical terms, OS X is less capable than Windows. There is less good software, there is less bad software, and there are fewer users.

A user with any kind of half-decent intellect gets the same amount of viruses on either platform, so in practical terms, one still holds a huge advantage over the other.
"The issue is there are still many people out there that use religion as a crutch for bigotry and hate. Like Ben."
Ben Kenobi: "That means I'm doing something right."


• #62
In other words, you are still relying on the same argument without any further evidence.

Wake me up when you have some real evidence.
Only feebs vote.


• #63
I have no evidence, I have nothing!!


• #64
I like your sig, Agathon.
"I work in IT so I'd be buggered without a computer" - Words of wisdom from Provost Harrison
"You can be wrong AND jewish" - Wiglaf :love:


• #65
More industry experts agreeing with Asher:

Gartner: Beware of Mac OS spyware
By Munir Kotadia, ZDNet Australia
Published on ZDNet News: March 29, 2005, 4:53 AM PT

Just a week after Symantec caused uproar in the Mac community by warning that the OS X operating system was quickly becoming a target for hackers and viruses, Gartner has warned businesses reliant on the Mac to guard against "spyware infestations."

Martin Reynolds, vice president of Gartner's Dataquest organization, said last week that although the overall Mac user base is relatively small, just one vulnerability exploit could cause trouble.

"The Macintosh installed base is relatively small, with only about three percent of systems in use today running the Mac OS… The Mac OS is also a harder target… However, it only takes one exploited weakness to cause trouble," said Reynolds in a research note.

He added that a Mac-only worm would be unlikely to spread very quickly but it might be possible to create a hybrid worm that attacks both the Mac and Microsoft Windows operating systems.

"If an infected Macintosh attempts to spread a worm, it will reach a system resistant to that infection 97 percent of the time. A hybrid worm targeting both the Mac OS and Microsoft Windows could be developed, but such an attack would be difficult to orchestrate," said Reynolds.

He was also concerned that spyware targeting the Mac OS could establish itself before its existence was widely documented.

"Although it is almost nonexistent on the Mac platform today, problem spyware could emerge. Spyware that exploits vulnerabilities can establish itself more deeply in the system, becoming both harder to detect and harder to remove. Don't assume that your Macintosh systems are immune from viruses and other malicious-code attacks," said Reynolds.
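Reynolds' "three percent / 97 percent" reasoning, worked through as an added example that is not part of the thread or of Gartner's note: a deterministic expected-value spread model that contrasts a Mac-only worm with a hybrid worm in a population where 3 percent of hosts run Mac OS. The population size, contacts per round, round count and the choice of a Mac as patient zero are assumptions chosen for illustration.

```python
# Mean-field (expected-value) model of the worm-spread scenario in the Gartner
# research note quoted above. This is an added illustration, not code from the
# thread or from Gartner; population size, contact rate and round count are
# constructed assumptions.
from typing import Dict, Iterable

# Constructed platform shares: the note puts the Mac OS at "about three percent".
SHARES = {"mac": 0.03, "windows": 0.97}


def resistant_contact_probability(shares: Dict[str, float], worm_targets: Iterable[str]) -> float:
    """Probability that one random contact from an infected host lands on a
    platform the worm cannot infect (the note's "97 percent" for a Mac-only worm)."""
    return 1.0 - sum(shares[p] for p in worm_targets)


def simulate(total_hosts: int, shares: Dict[str, float], worm_targets: Iterable[str],
             contacts_per_round: int, rounds: int, seed_platform: str = "mac") -> Dict[str, float]:
    """Deterministic spread: every infected host makes contacts_per_round uniformly
    random contacts per round; a contact infects its target only if the target is
    still susceptible and runs a platform the worm targets.
    Returns the expected number of infected hosts per platform after `rounds`."""
    targets = set(worm_targets)
    susceptible = {p: total_hosts * s for p, s in shares.items()}
    infected = {p: 0.0 for p in shares}
    # Patient zero starts on seed_platform (the note's "infected Macintosh").
    susceptible[seed_platform] -= 1
    infected[seed_platform] += 1
    for _ in range(rounds):
        attempts = sum(infected.values()) * contacts_per_round
        for platform in targets:
            # Share of attempts that reach a still-susceptible host of this platform,
            # capped so a platform can never be infected beyond its population.
            reached = attempts * susceptible[platform] / total_hosts
            new = min(susceptible[platform], reached)
            susceptible[platform] -= new
            infected[platform] += new
    return infected


def compare_worms(total_hosts: int = 10_000, contacts_per_round: int = 10,
                  rounds: int = 20) -> Dict[str, Dict[str, float]]:
    """Run the Mac-only worm and the hybrid worm under identical assumptions."""
    mac_only = simulate(total_hosts, SHARES, {"mac"}, contacts_per_round, rounds)
    hybrid = simulate(total_hosts, SHARES, {"mac", "windows"}, contacts_per_round, rounds)
    return {"mac_only": mac_only, "hybrid": hybrid}


if __name__ == "__main__":
    print("P(resistant target | Mac-only worm) =",
          resistant_contact_probability(SHARES, {"mac"}))
    for name, result in compare_worms().items():
        counts = {p: round(n) for p, n in result.items()}
        print(f"{name:9s} expected infected after 20 rounds: {counts}")
```

The Mac-only worm is throttled by its own targeting (97 percent of its contacts are wasted) and never leaves the 300-host Mac population, while the hybrid worm saturates the whole population within a handful of rounds, which is the asymmetry the note describes.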


• #66
Have you stopped beating your wife yet?

Myth:
    It's a psychological question more than anything else. People who write viruses are out for fame or have an appetite for destruction, neither of which lend themselves to tiny marketshares...
The FBI and numerous security groups have noticed that increasing (I did not say ALL) amounts of malware being written out there are for organized crime, with some spam thrown in for giggles (since that seems to be the thread du jour word here). That has nothing to do with fame or destruction. It is a hard cost-benefit analysis. How many machines are deployed with that code, how easy is it to exploit the aforementioned code, and what are the benefits incurred for exploiting it?

At this point those factors favor Microsoft products (as in from the cybercriminals' viewpoint), so when it comes to cybercrime, running a Microsoft product makes you more likely to be a victim. It's like driving a Hyundai sedan versus a Taurus. The Hyundai is not going to have that much value in the chop shop relative to other high-end sedans worth substantially more, nor is it going to have the ease of selling the parts that the owner of a Ford Taurus sedan would have.

I expect to see Linux hacked more due to Apache Server and the various similar applications out there. However, Linux products have an intrinsic advantage that Asher does not address, namely that they are less user friendly than MS products. Huh?

Because they are less user friendly, you need to have a relatively more skilled (read geeky) IT staff for Linux deployment versus Windows et al. Thus you are more likely to get patches done properly, systems secured, etc. Add in the fact that cybercriminals (I don't give a f**k about cybervandals, they are just obnoxious), especially the pros, are quite familiar with this. Again, you end up with MS products being de facto less secure.

Plus MS products have a tendency to share code, and if I can get in and convince an everyday user on the network using Windows XP to open that wrong piece of email, or to surf to my website with Java/ActiveX permissions enabled, then I am more likely to successfully penetrate an all-MS environment.

So while the popularity (and where it is used) of an OS does not at all affect the security of its code, it has a massive practical effect on the OS's overall security. It all depends on how you ask the question.
The worst form of insubordination is being right - Keith D., marine veteran. A dictator will starve to the last civilian - self-quoted
And on the eighth day, God realized it was Monday, and created caffeine. And behold, it was very good. - self-quoted
Klaatu: I'm impatient with stupidity. My people have learned to live without it.
Mr. Harley: I'm afraid my people haven't. I'm very sorry… I wish it were otherwise.


• #67
    Plus MS products have a tendency to share code, and if I can get in and convince an everyday user on the network using Windows XP to open that wrong piece of email, or to surf to my website with Java/ActiveX permissions enabled, then I am more likely to successfully penetrate an all-MS environment.
1) This is considered good design and software practice.
2) It's something Linux does, and should do a lot more, and is precisely why it's dependency hell.

I have major problems with declaring one product "less secure" than the others due to intangible things such as popularity and targetability for cybercriminals.

I consider the security of the product to be something more tangible, such as the number of exploits for a standard desktop suite.

I consider the frequency of attacks to be something related, but different. A Hyundai without a "Club" is less secure than a Civic with one, but the Hyundai is still less likely to be stolen.


• #68
Asher, we are talking apples and oranges here. You are talking essentially code security. My programming experience was on mainframes or on microcomputers prior to the internet (I do not consider doing database or spreadsheet work "programming" per se).

I am talking about systemic issues. They are extremely tangible, but less straightforward. The military deals with those issues all the time, and because they are less straightforward also gets them wrong more often. That does not make the less straightforward (note I am not using the term tangible; these issues are just as real) issues less important; in fact once you deal with the straightforward issues, ALL improvements come from the systemic ones.

One of the first issues in dealing with those less straightforward issues is exactly that - how do you develop metrics, i.e. how do you measure it. One of the best examples from the military is measuring the results of asymmetric warfare (i.e. insurgencies) with body counts. That metric does not work.

I will stand by my statement made before - systemic issues make a Microsoft product environment more susceptible to the attention of cybercriminals. I did not say better, nor did I say worse. If you deployed that many Linux desktops and servers would they be more susceptible? Gibberish question; this kind of answer is based on the current environment.

Your comment about the Hyundai without the Club is exactly on point. To take the analogy further, the BMW sedan with delayed ignition cut-out, keyless encrypted entry, GPS monitoring, and alarms in a gated parking garage is tremendously less likely to be stolen, and also more secure.

However, park it in the wrong area, and thieves may tow it away using a flatbed truck, while yanking the battery to disable the GPS tracker. Or they may have an inside man at the dealership with some of the override codes. This is analogous to some of the banking systems - tremendously more secure, but worth the while of real pros to get at. And the fact that an insider can undo however much hardening you have done to the system.

So now in addition to code you have background checks for both criminal and credit ratings. The latter is a new systemic check, and sadly works because a person without credit problems is less likely to get into the kind of problems that tempt them to help penetrate the network. That is very unfair to the person who has bad credit due to their child's leukemia, but the metric is provable: bad credit = increased risk. That is why laws are passed preventing that kind of use/abuse of data like that.


• #69
Yes, I am talking code security. That was the point of this thread.

If you don't know what you're doing, you're far less likely to get a virus on the Mac today than you are on Windows.

If you know what you're doing, you're just as likely to get a virus on either Mac or Windows -- pretty much nil.

If you don't know what you're doing and don't take any precautions (like most Mac users), you are at more risk for a virus than users who don't know what they're doing and take precautions on Windows.

If MacOS gets more popular, it will increasingly become a target for attacks and viruses -- whether by geeks who want fame, spammers/malware authors who want money, or cybercriminals. This is my point.

All platforms have security vulnerabilities; the Mac ones just aren't being exploited en masse.


• #70
Only partially correct - because what you call good programming, i.e. code reuse, is only good if you can guarantee the code you are reusing has no vulnerabilities, i.e. is fully debugged. I will submit that the second qualification (and I do include security vulnerabilities in "fully debugged") is more often ignored as long as the reused code, i.e. module, does the job.

The problem with security is similar to that for pharma. A true cure produces less money than an ongoing treatment. Plus reengineering flawed products on the market, at increased expense, has no constituency per se. You made a comment, I guess about a year ago, sarcastically commenting about security on the old mainframe systems (something I am familiar with, though by no means an expert). You made comments about privileges, etc. and said who would want that?

Exactly. From a pure security standpoint, many of the web interactions we have today would not exist, plus desktops would be a much more obnoxious environment for the casual user. Until this reengineering is done (Linux is an OS for geeks, who are not going to abandon their "project" to rewrite it properly from the security standpoint) even smart users will get nailed with malware.

Mac OS X, being based off a UNIX, is probably more secure than Windows due to a variety of reasons, including a series of very bad policy decisions reference security that were made by Microsoft, decisions which were excellent business decisions. Trying to fix an inherently insecure system, especially with the tight integration of many components (i.e. Outlook, IE, and VB for just a few examples) that increases vulnerability, is going to be a Sisyphean task.

Also, Mac OS X will never get the penetration of the server and back-end market, and thus will never provide the tempting target for cybercriminals. Thus, I suspect I can safely say, unless there is a massive change in the market, i.e. the EU breaks up Microsoft or some such silly scenario, any Windows box will be more, probably substantially more, likely to be hacked than a Mac OS X box.

Your simply talking code security is like the Marine Corps still talking body counts, even today in Iraq. You are repeating a fact, and it is one that you believe. It however is moot. Body counts mean very little in defeating an insurgency. Code security, unless you are talking total security, which most end users have negative interest in due to the inconvenience, is only a very small picture of the actual security situation faced in the real world. Using an MS product is the most likely way to get your machine compromised, all other things being equal. That fact is inescapable, just like talking about code security will do virtually nothing to change the current state of affairs.


• #71
Originally posted by shawnmmcc:
    Only partially correct - because what you call good programming, i.e. code reuse, is only good if you can guarantee the code you are reusing has no vulnerabilities, i.e. is fully debugged.
But there's another aspect to that -- all programs will have vulnerabilities. The more times code is reused, the more likely it will go through some kind of code review, and the more often it will be tested for vulnerabilities. By reusing code you are restricting the amount of new, unique code that could have vulnerabilities.

    Mac OS X, being based off a UNIX, is probably more secure than Windows due to a variety of reasons, including a series of very bad policy decisions reference security that were made by Microsoft, decisions which were excellent business decisions.
I'm going to disagree with your UNIX rationalization -- what does this have to do with using the Mach microkernel? The Windows NT kernel hasn't had a vulnerability in many years either.

    Trying to fix an inherently insecure system, especially with the tight integration of many components (i.e. Outlook, IE, and VB for just a few examples) that increases vulnerability, is going to be a Sisyphean task.

    Also, Mac OS X will never get the penetration of the server and back-end market, and thus will never provide the tempting target for cybercriminals. Thus, I suspect I can safely say, unless there is a massive change in the market, i.e. the EU breaks up Microsoft or some such silly scenario, any Windows box will be more, probably substantially more, likely to be hacked than a Mac OS X box.
Windows isn't inherently insecure; it's just that much of what's used today was designed well before the internet proliferated. Apple got lucky in that they had a major overhaul of their OS at the same time as the dot-com boom, while MS' major overhaul is still in the future. They could make a lot of smart changes that would force users to learn new habits, etc., such as running in a restricted user level by default. These changes for MS are coming in Longhorn, MS' major overhaul.

    Using an MS product is the most likely way to get your machine compromised, all other things being equal. That fact is inescapable, just like talking about code security will do virtually nothing to change the current state of affairs.
I'm not arguing that at all -- my point was MS is the main target because of its market penetration.

A secondary point is if you properly configure your Windows box, you don't run into these problems either.

Neither my boxes nor my family's boxes that I've set up have had viruses. Even with my know-nothing mother.

Windows XP is just as secure by design as MacOS X is, if you make it that way. It's not that way by default (it's getting there, with the firewall) because it'll annoy many users who will instantly just revert back...


• #72
Surprise, surprise.

Another research report that finds Windows to be more secure than Linux turns out to be funded by Microsoft.

Two researchers surprised the audience at a computer-security convention last month with their finding that a version of Microsoft Windows was more secure than a competing Linux operating system.

This week, the researchers released their finished report, and it included another surprise: Microsoft was funding the project all along.

The researchers, from the Florida Institute of Technology and Boston-based Security Innovation Inc., defend their process and conclusions as valid. They say they had "complete editorial control over all research and analysis" involved in the project. Their report details their methods, and they invite other experts to examine and duplicate their work.

But their disclosure of the project's funding source this week is stirring new debate over what had otherwise been viewed as encouraging news for Microsoft in an area in which it has struggled. The researchers had made the presentation at last month's RSA Conference, which attracts some of the biggest names in the computer-security business.

"It was evidence that Microsoft was doing better, and now the evidence is tainted," said Counterpane Internet Security founder Bruce Schneier, a longtime RSA Conference speaker. "The results might be accurate, but now nobody's going to care, because all they'll see is a bias that was undisclosed."
link

It's like all those "independent" studies that were found to be funded by Microsoft later.
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."


• #73
Originally posted by Asher:
    The Windows NT kernel hasn't had a vulnerability in many years either.
The problem is nobody knows exactly what the Windows kernel is, outside of Redmond.

Originally posted by Asher:
    Windows isn't inherently insecure, it's just that much of what's used today was designed well before the internet proliferated.
Not so. Bruce Schneier said something about why Windows is inherently insecure.

Originally posted by Asher:
    I'm not arguing that at all -- my point was MS is the main target because of its market penetration.
Um, making it easy for unknown executables to run and have access to system services is a big reason for it.

Originally posted by Asher:
    A secondary point is if you properly configure your Windows box, you don't run into these problems either.
Joe User doesn't even know he needs to configure a Wintel box that he just got from Dell.


• #74
This is hilarious. Asher still believes this, even though he has not one shred of evidence for it.


• #75
Originally posted by Urban Ranger:
    The problem is nobody knows exactly what the Windows kernel is, outside of Redmond.
Are you kidding?

The architecture is both public and well-documented, as well as being in many OS design textbooks in this day and age. It's a shame you're too old to know what you're talking about here.

    Not so. Bruce Schneier said something about why Windows is inherently insecure.
You mean that article you linked to earlier that was shot down because it didn't mention anything about Windows being "fundamentally" or "inherently" insecure?

    This is hilarious. Asher still believes this, even though he has not one shred of evidence for it.
1. You sound like Fez.
2. I'm pretty sure these security analysts, academics, and even someone such as myself understand computer security far more than you ever will. Whether you don't believe it is kinda moot; it's like me saying Plato was a black man and unless you show me a color photograph of him I'm not going to believe you.