Contributed by Eric S. Raymond
Melissa. Explore.zip. Back Orifice. If you think there has been
a bad rash of viruses and crack attacks lately, you’re right. And
security experts say it’s going to get worse, not better; the
frequency of crack attacks is rising exponentially. So are the
money losses from the problem. Computer Economics, a research firm
in Carlsbad NM, reports that American businesses lost $7.6 billion
due to software viruses during the first half of 1999 — more than
in all of 1998.
Curiously, the massive mainstream media coverage of these
incidents completely fails to mention the one thing they all have
in common: Microsoft Windows. Non-Microsoft operating systems such
as Linux are invulnerable to macro attacks, immune to viruses, and
can laugh at Back Orifice.
This simple fact explains why your Internet service provider
never suffers from viruses; essentially all ISPs run their services
off Unix boxes, and about 40% of them run Linux. Evidently
businesses are finding this an increasingly attractive option; a
recent Computer Associates survey reports that 49% of information
technology managers describe Linux as “important or essential” in
their enterprise plans.
One of the reasons for this trend is surely security. Anyone
running a Microsoft operating system on a machine visible from the
internet is just begging to be cracked. If you’re concerned with
computer security, you need to understand why — and why Microsoft
will not and cannot fix the problem.
Linux and other operating systems like it were designed from the
ground up to be used by several people on the same machine, and to
protect those people from each other. The user interface of Linux
is separated from the ‘kernel’, the privileged operating system
core. And the kernel is carefully protected from being modified by
ordinary programs. This is why Linux doesn’t get viruses.
Microsoft Windows, on the other hand, has a
one-person-per-machine assumption built deeply into it. There is no
internal security and the Windows kernel is not protected against
being modified by user programs. In fact, the user interface of
Windows is wired right into the kernel. This is why hostile
programs coming in over an Internet connection (such as Back
Orifice) can reach right through the user interface, deep into the
operating system core, and infect it.
If you value your data and your privacy, you need to understand
that Microsoft cannot fix this. Too many applications (including
Microsoft Office and the IIS web server) actually *depend* on the
lack of security in the system. Furthermore, the fact that the
source code of Windows is closed means that it never gets properly
audited for security problems.
How does Microsoft deal with this? Not well. Mainly, they tell
lies and try to confuse the issue.
Three days ago, on August 3 1999, Microsoft put a machine
running a beta of its new Windows 2000 operating system on the net
and challenged crackers the world over to break into it. A few
hours after the announcement, the machine crashed. Microsoft
spokespeople subsequently claimed that it had been brought down by
electrical storms.
But the machine’s own error logs showed there had been nine
crashes due to errors in Microsoft’s own software, not the weather.
Furthermore, crackers did indeed get in and alter a guestbook
application during the short time the machine was actually up — a
fact Microsoft tried to dismiss as irrelevant.
A few hours after Microsoft’s challenge was announced, a Linux
company in Wisconsin matched it. During the following three days,
their Linux machine withstood 6,755 attacks without crashing
once.
Which system would *you* rather trust your critical data to?