
Rant Mode Equals One: Anti-Anti Virus Software == Open Source Software

[ The opinions expressed by authors on Linux Today are their
own. They speak only for themselves and not for Linux Today. -lt ed ]

By Linux Today writer Paul Ferris

Warning: Rant Mode Equals One is meant to be entertaining. If you are
easily offended by strong language, violence, ranting or unabridged
command line syntax, Paul suggests that you hit the “back” button
on your browser now, before it’s too late.

This is a rebuttal to Andy Donoghue & John Leyden’s Network News article.

The article quotes James Gosling of Sun Microsystems on Java, Unix and Linux.
He states that they have better security and an iron-clad history.
The article states that Gosling is being “slammed by the anti-virus
community as being inaccurate and biased”.

They quote a Paul Ducklin, who goes on to say that there is
nothing about Unix that made it less prone to virus attack. This is
totally wrong, for the following technical reasons:

Windows 9x is based upon DOS technology.

DOS is an operating system that has direct hardware access to
the kernel. DOS is also a single user operating system, and calling
it an O/S is actually quite a stretch. DOS is really simply a
convenient way for assembly language programs to access disk
storage devices. Old DOS programs even used to bypass it for
speed.

In a nutshell, there was practically no separation between
program and operating system, allowing any virus access to the
hardware, as needed.

Windows NT may have a different structure than this, but most
PCs today still ship with Windows 9x. Still, there is
anti-virus software for Windows NT computers. I wonder why that is?
Hmmmm.

For the rest of this article, I will be comparing Windows 9x,
not NT. This despite the fact that NT is more secure than DOS and
Windows 9x. A Chevette is also faster than someone on a pair of
roller skates. I still wouldn’t want to race someone using a
Chevette, and when it comes to Internet security I sure don’t want
to run Windows NT on my computer.

Bear in mind that when people point to Windows NT, and its
supposed C2 security rating, they are being misled. Windows NT is
rated as C2 secure – with all networking removed, and only on
certain hardware platforms. It’s a mistake to think that that
rating means anything in the real world, where an operating system
isn’t one unless it has some kind of networking enabled.

But Windows 9x is the most prevalent system in use today for
personal computing. And, oddly enough in this Internet age, one of
the most, if not the most, insecure as well.

Windows 9x is a single user operating system.

The idea of privilege itself is totally missing from the entire
paradigm.

Windows 98 and 95 are both still using DOS technology. In
effect, they still have no security whatsoever. Launch a program
and it had better be benevolent, because if it isn’t it’s going to
do whatever it wants with whatever is in reach. With something
like the explore.exe virus, that includes network drives.

While you can argue that programs under Unix could also be
hostile, they must be screened by an administrator to get loaded on
the system, which takes a good deal of the punch out of a virus
attack. Unix has a very good track record when it comes to virus
attacks. Unix grew up a multi-user system. It has the idea of
privilege built in from the ground up.

The moment that you say “Network” you must also, if you are sane
that is, say “Multi-user”. Somewhere the system should understand
that there are different users with different privileges. To use a
single-user system on a network to execute foreign code that has
access to the hardware is to invite destruction.

To throw the internet worm in as evidence of a virus attack
under Unix is extremely misleading. First of all, couldn’t you find
something more recent? We’re talking about an attack that happened
11 years ago. It wasn’t a “virus” in the strictest definition of
the word.

The internet worm actually used a hole in sendmail that was
known. However, to compare it to a virus outbreak today is
actually very accurate in some respects.

Most people that were hit by Melissa and Explore.exe used
Outlook Express in conjunction with Microsoft Word. It’s this common
code base, similar to the sendmail attack you mention earlier, that
allowed the internet worm to do the damage. However, sendmail had
few holes in it, and they were mostly known. Sendmail was being
used at a system level, typically on a multi-user system.

This worm was executed during a time when the Internet itself
was not a public item. Since then, it could be argued, security
should be a higher priority. I wish I could say that it is, but
it’s not.

The problems that make people nervous stem from the fact that
these new virus attacks are happening in user space, on network
clients. In comparison, the sendmail attack was not like these
attacks in a big way.

However, the biggest mistake of your article is in the area
where you state that common access to the Unix kernel code makes it
less secure. Security experts generally agree that open source code
makes for fewer security holes, and not more.

Is this a deliberate attempt to praise proprietary software
methods?

Please, do your readers a service and do some research in the
future. Open source software is making the Internet a more secure
place, not the reverse.

You quote, finally, Kevin Street, a manager at Symantec, as a final blow to your
credibility. Symantec, which does make quality software,
makes a pretty penny off of the insecurity and “viral-ity” of
Windows systems. It would arguably appear that they have it in
their best interests to see that this situation is perpetuated.

Just what is this “Unix kernel” source code, that is freely
available? If Kevin is referring to Unix, he should do some
research. SCO Unix is generally referred to as “Unix”, but
its kernel is not “freely available”. Linux’s kernel is freely
available, but it hasn’t been UNIX branded.

In short, the majority of the Unix systems out there use the
exact same development model as the proprietary systems that were
praised in the article as more secure. Those proprietary Unices are
less secure, in my opinion, because of this reason. To state, even
incorrectly, that all Unix is less secure because the Linux and
FreeBSD kernels are freely available is incredibly misleading.

Finally, you quote Kevin casting OLE as open and text based
applications as “proprietary”.

Let me get this straight: WINDOWS=OLE=GUI=OPEN.
UNIX=TEXT=PROPRIETARY? Is this some kind of misinformation
service you are providing your readership?

Are we supposed to forget that HTML (a text based format, dear
readers) is an open format? Are we supposed to forget that CORBA is
an open object specification that a lot of Unix systems have
available? Are we supposed to forget about X windows, CDE, GNOME
and KDE? Are we supposed to believe, even half-heartedly, that OLE,
Windows, and a lot of the things that are embraced today on the PC
desktop are in fact proprietary “standards”?

In short, you deliver a bad explanation with mismatched
examples. You speak vaguely about security in an age when Windows
viruses are arguably doing the most damage and pose the biggest
threat that they ever have. Please do some more research or
understand the topics you speak about before you publish misleading
garbage like this.

The amount of technical inaccuracy and half-truth in this
article is astounding. It’s hard to imagine that it’s not some kind
of propaganda for some company pushing proprietary software
solutions. Possibly, just a guess here, a company that recently had
trouble patching a huge security hole in less than two weeks. Had
that hole been exploited in similar fashion, it would have made the
Internet worm look like an earth worm by comparison.

The person you really damage here is James Gosling, of Sun
Microsystems. He was correct, on all counts. He was right about the
iron-clad history of Java, Unix and Linux. Other “standards”
being pushed instead of Java would have had really big security
problems. Imagine the insecurity of the web today, for example, if we
were all using ActiveX instead of Java. I cringe at the
thought.

Since its inception, Java has pushed the idea that security is
an important thing, at the cost of performance and of hardware- and
operating-system-specific optimizations. This was a very good thing for
Internet security, and one that no one, save possibly an anti-virus
company, would have a problem with.

No, it is not James Gosling who is “inaccurate and
biased”. It is the community that you quote so heavily
from. Maybe it is your publication itself as well.

Possibly the anti-virus community shouldn’t have been the one
you consulted when it came to this issue. At least you should have
checked their “facts” first, and this might not have happened. In
case you need to report on stories in the future, here are some
guidelines about who to be suspicious of, corresponding to the
issues being reported upon:
 

| Issue or Technology | Industry or group to be suspicious of |
|---------------------|---------------------------------------|
| Electric cars       | The petroleum industry                |
| Herbal remedies     | The drug industry                     |
| Lung cancer         | The tobacco industry                  |
| Alcoholism          | The liquor industry                   |
| Open source software | Microsoft Corporation                |

Maybe you should also ask your bartender if it’s time to stop
drinking. Let me tell you in advance though, he’s probably going to
laugh and pour you a stiff one.

Rant Mode Equals Zero.

And as usual, have a nice day.