Linked by Thom Holwerda on Tue 10th Nov 2009 09:31 UTC
Last week, security vendor Sophos published a blog post in which it said that Windows 7 was vulnerable to 8 out of 10 of the most common viruses. Microsoft has responded to these test results, which are a classic case of "scare 'm and they'll fall in line".
RE[2]: Comment by satan666
by lemur2 on Tue 10th Nov 2009 22:48 UTC in reply to "RE: Comment by satan666"
lemur2
Member since:
2007-02-17

"That's simply not true. I've been using Linux exclusively both at work and at home (at least 10 hours a day in total). I've never installed an antivirus and I haven't had any virus at all.
As much as I would like to agree, having a false sense of security because we run Linux is dangerous. Yes, there might not be any (real) virus for Linux out there, but I still don't want to be a vector of transmission by giving infected files to other computers. Of course we won't have any threat if we use something nobody else uses, because, well, nobody cares! Now that allows me to surf the web and laugh at attempts to hijack my IE or even Safari, but that does not mean that my 3 years old unpatched firefox is more secure than the sandboxed, firewalled, antivirused IE 8... Often, when advocating Linux, I hear people saying that it is more secure and does not need antivirus. This is a dangerous idea of false security. "

Firstly, antivirus isn't security. Antivirus is trying to detect and remove a security breach after it has already compromised your system.

Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.

Finally, one should examine the record. The record is AFAIK impeccable. AFAIK (and no-one has yet been able to contradict this) ... there has never been an end-user's system compromised with malware via installing open source software from package managers.

PS: On Linux, all programs by default run as a normal user. Running firefox on Linux means running it as a normal user, and hence it has no ability at all to modify or create system files or directories. All programs run as a normal user on Linux are effectively sandboxed.

Edited 2009-11-10 23:07 UTC

Score: 2

RE[3]: Comment by satan666
by tomcat on Wed 11th Nov 2009 01:13 in reply to "RE[2]: Comment by satan666"
tomcat Member since:
2006-01-06

"Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software."


The "package manager and associated online repositories" doesn't work with commercial/proprietary software, where you don't have the source code. The best that an auditor can do in that case is GUESS whether the software contains malware or not; for example, an application may only reveal itself as malware under timed conditions (only destroying your machine or turning it into a zombie after a period of time). And, since there is an unquestionable need for commercial/proprietary software, you don't have a solution.

Edited 2009-11-11 01:14 UTC

Score: 2

RE[4]: Comment by satan666
by lemur2 on Wed 11th Nov 2009 04:02 in reply to "RE[3]: Comment by satan666"
lemur2 Member since:
2007-02-17

"Secondly, the correct method of installing software on Linux is via the package manager. Package managers and the associated online repositories allow for a system where any piece of software can be audited and verified by any person on the planet. Anyone at all, not just the person who wrote the software. If everyone on the planet can see what is in a piece of software BEFORE it gets to end users, this makes it very difficult indeed to hide malware within that software.
The "package manager and associated online repositories" doesn't work with commercial/proprietary software, where you don't have the source code. The best that an auditor can do in that case is GUESS whether the software contains malware or not; for example, an application may only reveal itself as malware under timed conditions (only destroying your machine or turning it into a zombie after a period of time). And, since there is an unquestionable need for commercial/proprietary software, you don't have a solution. "

When package managers (on an end user's system) are enabled to use an additional repository which holds binary-only software, then it is true that for that small set of packages the end users have no ability to audit them. They could potentially contain malware.

This is the risk one takes when one adds repositories for closed-source applications.

This is the PRECISE reason why such repositories are not enabled by default on most distributions.

You add the repository at your own risk.

My advice would be to refrain from adding such a repository until many thousands of expert users had had a chance to trial the applications. A few months after first release might be enough time. If there was any malware, it should have shown up by then.

Mind you, if a software supplier did set up a closed-source repository, and an application therein did contain malware, and end users did end up with malware as a result ... that story would be all over the net in days. You wouldn't hear the end of it. Windows fans would be jumping with glee, Linux users would be livid, and the site would be blacklisted (as a critical security update) almost immediately. You wouldn't have time to blink.

The fact that this has never actually happened also nicely illustrates the security of package managers and repositories as a distribution mechanism, even when it comes to closed-source applications.

Keep going with these posts, you are doing a very good job so far of highlighting the fact that this repository/package manager system for distribution of Linux software is vastly superior to anything for Windows.

Score: 2
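
Added example, not part of any post in this thread: the comments above turn on which repositories a package manager has been told to trust, so this sketch parses APT one-line source entries and lists those that fall outside the distribution defaults or weaken signature checking. The sample file, the `.example` hosts and the `DEFAULT_HOSTS` allowlist are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts treated as the distribution's own archives; adjust per distro.
DEFAULT_HOSTS = {"deb.debian.org", "security.debian.org",
                 "archive.ubuntu.com", "security.ubuntu.com"}

# Constructed sample in APT one-line format; not taken from a real system.
SAMPLE_SOURCES = """\
# distribution defaults
deb http://deb.debian.org/debian stable main
deb http://security.debian.org/debian-security stable-security main
# added by hand for a binary-only application
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor.gpg] https://repo.vendor.example/apt stable non-free
deb [trusted=yes] http://downloads.tool.example/debian ./
# deb http://disabled.example/debian stable main
"""

# type, optional [options], URI, suite, then any components
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(.*)$")

def parse_sources(text):
    """Return one dict per active (non-comment) source entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and disabled entries
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, opts, uri, suite, comps = m.groups()
        options = dict(o.split("=", 1) for o in (opts or "").split() if "=" in o)
        entries.append({"type": kind, "options": options, "uri": uri,
                        "suite": suite, "components": comps.split()})
    return entries

def audit(entries):
    """Return (host, notes) for every entry that deserves a second look."""
    findings = []
    for e in entries:
        host = urlparse(e["uri"]).hostname or ""
        third_party = host not in DEFAULT_HOSTS
        notes = ["third-party origin"] if third_party else []
        if e["options"].get("trusted", "").lower() == "yes":
            # trusted=yes makes APT accept the source without a valid signature
            notes.append("signature checking disabled (trusted=yes)")
        elif third_party and "signed-by" not in e["options"]:
            # without signed-by, any key in the global APT keyring is accepted
            notes.append("not pinned to a key with signed-by")
        if notes:
            findings.append((host, notes))
    return findings
```

On a real system the input would be the contents of `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`.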