Rant Mode Equals One: Anti-Anti Virus Software == Open Source SoftwareJul 02, 1999, 10:01 (31 Talkback[s])
(Other stories by Paul Ferris)
[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves and not for Linux Today. -lt ed ]
Warning: Rant Mode Equals One is meant to be entertaining. If you are easily offended by strong language, violence, ranting or unabridged command line syntax, Paul suggests that you hit the "back" button on your browser now, before it's too late.
This is a rebuttal to Andy Donoghue & John Leyden's Network News article.
The article quotes James Gosling of Sun Microsystems on Java, Unix and Linux. He states that they have better security and an iron-clad history. The article states that Gosling is being "slammed by the anti-virus community as being inaccurate and biased".
They quote a Paul Ducklin who goes on and says that there is nothing about Unix that made it less prone to virus attack. This is a totally wrong, for the following technical reasons:
Windows 9x is based upon DOS technology.
DOS is an operating system that has direct hardware access to the kernel. DOS is also a single user operating system, and calling it an O/S is actually quite a stretch. DOS is really simply a convenient way for assembly language programs to access disk storage devices. Old DOS programs even used to bypass it for speed.
In a nutshell, there was practically no separation between program and operating system, allowing any virus access to the hardware, as needed.
Windows NT may have a different structure than this, but most PC's today still ship with the Windows 9x. Still, there is anti-virus software for Windows NT computers. I wonder why that is? Hmmmm.
For the rest of this article, I will be comparing Windows 9x, not NT. This despite the fact that NT is more secure than DOS and Windows 9x. A Chevette is also faster than someone on a pair of roller skates. I still wouldn't want to race someone using a Chevette, and when it comes to Internet security I sure don't want to run Windows NT on my computer.
Bear in mind that when people point to Windows NT, and it's supposed C2 security rating, they are being mislead. Windows NT is rated as C2 secure - with all networking removed, and only on certain hardware platforms. It's a mistake to think that that rating means anything in the real world, where an operating system isn't one unless it has some kind of networking enabled.
But Windows 9x is the most prevalent system in use today for personal computing. And, oddly enough in this Internet age, one of the most, if not the most, insecure as well.
Windows 9x is a single user operating system.
The idea of privilege itself is totally missing from the entire paradigm.
Windows 98 and 95 are both still using DOS technology. In effect, they still have no security what so ever. Launch a program and it had better be benevolent, because if it isn't it's going to do whatever it wants with whatever is in reach. With the something like the explore.exe virus, that includes network drives.
While you can argue that programs under Unix could also be hostile, they must be screened by an administrator to get loaded on the system, which takes a good deal of the punch out of a virus attack. Unix has a very good track record when it comes to virus attacks. Unix grew up a multi-user system. It has the idea of privilege built in from the ground up.
The moment that you say "Network" you must also, if you are sane that is, say "Multi-user". Somewhere the system should understand that there are different users with different privileges. To use a single-user system on a network to execute foreign code that has access to the hardware is to invite destruction.
To throw the internet worm in as evidence of a virus attack under Unix is extremely misleading. First of all, couldn't you find something more recent? We're talking about an attack that happened 11 years ago. It wasn't a "virus" in the strictest definition of the word.
The internet worm actually used a hole in sendmail that was known. However, to compare it to a virus outbreak today is actually very accurate in some respects.
Most people that were hit by Melissa and Explore.exe used outlook express in conjunction with Microsoft Word. It's this common code base, similar to the sendmail attack you mention earlier, that allowed the internet worm to do the damage. However, sendmail had few holes in it, and they were mostly known. Sendmail was being used at a system level, typically on a multi-user system.
This worm was executed during a time when the Internet itself was not a public item. Since then, it could be argued, security should be a higher priority. I wish I could say that it is, but it's not.
The problems that make people nervous stem from the fact that these new virus attacks are happening in user space, on network clients. In comparison, the sendmail attack was not like these attacks in a big way.
However, the biggest mistake of your article is in the area where you state that common access to the Unix kernel code makes it less secure. Security experts generally agree that open source code makes for less security holes, and not more.
Is this a deliberate attempt to praise proprietary software methods?
Please, do your readers a service and do some research in the future. Open source software is making the Internet a more secure place, not the reverse.
You quote, finally, Kevin Street, a manager at Symantec, as a final blow to your credibility. Symantec, which does make quality software, makes a pretty penny off of the insecurity and "viral-ity" of Windows systems. It would arguably appear that they have it in their best interests to see that this situation is perpetuated.
Just what is this "Unix kernel" source code, that is freely available? If Kevin is referring to Unix, he should do some research. SCO Unix is generally referred to as "Unix", but it's kernel is not "freely available". Linux's kernel is freely available, but it hasn't been UNIX branded.
In short, the majority of the Unix systems out there use the exact same development model as the proprietary systems that were praised in the article as more secure. Those proprietary Unices are less secure, in my opinion, because of this reason. To state, even incorrectly, that all Unix is less secure because the Linux and FreeBSD kernels are freely available is incredibly misleading.
Finally, you quote Kevin casting OLE as open and text based applications as "proprietary".
Let me get this straight: WINDOWS=OLE=GUI=OPEN. UNIX=TEXT=PROPRIETARY ? Is this some kind of mis-information service you are providing your readership?
Are we supposed to forget that HTML (a text based format, dear readers) is an open format? Are we supposed to forget that CORBA is an open object specification that a lot of Unix systems have available? Are we supposed to forget about X windows, CDE, GNOME and KDE? Are we supposed to believe, even half-heartedly, that OLE, Windows, and a lot of the things that are embraced today on the PC desktop are in fact proprietary "standards"?
In short, you deliver a bad explanation with mismatched examples. You speak vaguely about security in an age when Windows viruses are arguably doing the most damage and pose the biggest threat that they ever have. Please do some more research or understand the topics you speak about before you publish misleading garbage like this.
The amount of technical in-accuracy and half truth in this article is astounding. It's hard to imagine that it's not some kind of propaganda for some company pushing proprietary software solutions. Possibly, just a guess here, a company that recently had trouble patching a huge security hole in less than two weeks. Had that hole been exploited in similar fashion, it would have made the Internet worm look like an earth worm by comparison.
The person you really damage here is James Gosling, of Sun microsystems. He was correct, on all counts. He was right about the iron-clad history of Java, Unix and Linux. Other "standards", being pushed instead of Java would have had really big security problems. Image the insecurity of the web today, for example, if we were all using ActiveX instead of Java. I cringe at the thought.
Since it's inception, Java has pushed the idea that security is an important thing, at the cost of performance, hardware and operating specific optimizations. This was a very good thing for Internet security, and one that no one, save possibly an anti-virus company, would have a problem with.
No, it is not James Gosling who is "innacurate and biased". It is the community that you quote so heavily from. Maybe it is your publication itself as well.
Possibly the anti-virus community shouldn't have been the one
you consulted when it came to this issue. At least you should have
checked their "facts" first, and this might not have happened. In
case you need to report on stories in the future, here are some
guide-lines about who to be suspicious of, corresponding to the
issues being reported upon:
Maybe you should also ask your bartender if it's time to stop drinking. Let me tell you in advance though, he's probably going to laugh and pour you a stiff one.
Rant Mode Equals Zero.
And as usual, have a nice day.