Linked by David Adams on Tue 22nd Jun 2010 16:14 UTC, submitted by sjvn
Privacy, Security, Encryption A Computerworld editorial takes note of some interesting changes Dell made to the Linux page we linked to last week. They watered down some of their pro-Linux claims, but not as far as you might think.
Thread beginning with comment 431132
Inaccurate
by malxau on Tue 22nd Jun 2010 21:10 UTC
malxau
Member since:
2005-12-04

You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows.


This is not correct. "Windows" (1.0-3.11, 9x, me) was a natively single user product. NT (3.1-4, 2000, XP, Vista, Win7) remains natively multi user, and was always built for networks. The design of NT always included multiple users, multiple groups per user, flexible ACLs, fine grained privilege, and other concepts which Linux has been retrofitting.

Windows has been harmed by setup insisting that a user account must be created in the administrators group, which has led people to run as an admin all the time. Running as root all the time is much more rare on UNIX/Linux.

Reply Score: 2

RE: Inaccurate
by cycoj on Wed 23rd Jun 2010 09:26 in reply to "Inaccurate"
cycoj Member since:
2007-11-04

"You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows.


This is not correct. "Windows" (1.0-3.11, 9x, me) was a natively single user product. NT (3.1-4, 2000, XP, Vista, Win7) remains natively multi user, and was always built for networks. The design of NT always included multiple users, multiple groups per user, flexible ACLs, fine grained privilege, and other concepts which Linux has been retrofitting.
"

Huh? Since when did multiple users, multiple groups per user and file privileges have to be retrofitted to Linux? Even ACLs are supported in most Linux/Unix systems, although you could argue that they have been retrofitted because the first filesystems might not have supported them. But your statement is about as false as the OP's statement that Windows is a single user system with everything else bolted on (actually that statement is probably more true, because it actually was true at some point, your statement not).

Reply Parent Score: 2

RE[2]: Inaccurate
by malxau on Wed 23rd Jun 2010 10:20 in reply to "RE: Inaccurate"
malxau Member since:
2005-12-04


Huh? Since when did multiple users, multiple groups per user and file privileges have to be retrofitted to Linux? Even ACLs are supported in most Linux/Unix systems, although you could argue that they have been retrofitted because the first filesystems might not have supported them. But your statement is about as false as the OP's statement that Windows is a single user system with everything else bolted on (actually that statement is probably more true, because it actually was true at some point, your statement not).


Multiple users was always native to UNIX/Linux. It was bad wording on my part if this was interpreted otherwise.

Multiple groups per user are a retrofit in AT&T Unix Version 6. I know this sounds prehistoric, but consider the consequences: each user has a 'primary' group, so multiple groups required the concept of a 'secondary' group. This distinction is important in many ways (see man newgrp for an example.) NT has no distinction: groups are arbitrary, users can belong to many or none. If a user is in many groups, none are special. In addition, privilege is determined by built in groups, meaning that many users can be administrators; there is no equivalent to a single root user.

ACLs are now supported in UNIX/Linux, but again, this is a retrofit. Support was added in Linux kernel 2.5.46, and many distributions backported these to 2.4. They are rather foreign to UNIX, which was designed around chmod style permissions. In NT, ACLs are the only security primitive used for files/registry etc. There is a chmod call in the C library on NT, but it is very different to UNIX as there is no primary group, so UNIX-style chmod would be meaningless.

When I said privilege, what I was referring to is not file permissions, but fine-grained control over different system calls. In NT, a group might have permission to (say) shut down the system; debug other users' processes; create paging files; create symbolic links; load drivers; lock physical memory; change the system time; perform system-wide backup or restore operations; or permission to open leaf files (if permission is granted) without requiring permission on all parent directories. There has been a push to retrofit a similar concept into Linux (as part of moving away from a single root user), but I don't know the current status of it. Perhaps somebody else here can comment...?

Reply Parent Score: 4
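
An added illustration, not part of malxau's post or of the thread: on Linux the per-operation privileges listed above correspond to capabilities, which the kernel reports per process as hex masks in /proc/<pid>/status. The sketch below decodes those masks and flags a process that still holds the full root-style set; the sample status text, process names and function names are constructed assumptions.

```python
import re

# Bit numbers from <linux/capability.h>. Only capabilities that correspond to
# the NT privileges named in the comment above are listed; the rest are counted.
CAP_BITS = {
    1: "CAP_DAC_OVERRIDE",     # ignore file permission checks
    2: "CAP_DAC_READ_SEARCH",  # read/traverse regardless of permissions (backup)
    14: "CAP_IPC_LOCK",        # lock physical memory
    16: "CAP_SYS_MODULE",      # load kernel modules (drivers)
    19: "CAP_SYS_PTRACE",      # debug other users' processes
    21: "CAP_SYS_ADMIN",       # broad catch-all, includes swapon (paging files)
    22: "CAP_SYS_BOOT",        # reboot or shut down
    25: "CAP_SYS_TIME",        # change the system time
}

def parse_caps(status_text):
    """Extract the Cap* hex masks from /proc/<pid>/status text as integers."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def decode(mask):
    """Return (named capabilities set in mask, count of other set bits)."""
    named = [name for bit, name in sorted(CAP_BITS.items()) if (mask >> bit) & 1]
    known = sum(1 << bit for bit in CAP_BITS)
    return named, bin(mask & ~known).count("1")

def audit(status_text):
    """Summarise a process's effective privileges."""
    caps = parse_caps(status_text)
    eff = caps.get("CapEff", 0)
    named, other = decode(eff)
    # Effective == bounding means the process holds every privilege it could
    # ever acquire: the traditional all-or-nothing root.
    full = eff != 0 and eff == caps.get("CapBnd")
    return {"named": named, "other_bits": other, "full_set": full}

# Constructed samples (not captured from a real system).
ROOT_STATUS = ("Name:\tdaemon-a\nCapPrm:\t000001ffffffffff\n"
               "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n")
TIMED_STATUS = ("Name:\ttimed\nCapPrm:\t0000000002000000\n"
                "CapEff:\t0000000002000000\nCapBnd:\t000001ffffffffff\n")

if __name__ == "__main__":
    for label, text in (("root-style", ROOT_STATUS), ("least-privilege", TIMED_STATUS)):
        print(label, audit(text))
```
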

RE: Inaccurate
by coreyography on Wed 23rd Jun 2010 16:04 in reply to "Inaccurate"
coreyography Member since:
2009-03-06

This is not correct. "Windows" (1.0-3.11, 9x, me) was a natively single user product. NT (3.1-4, 2000, XP, Vista, Win7) remains natively multi user, and was always built for networks. The design of NT always included multiple users, multiple groups per user, flexible ACLs, fine grained privilege, and other concepts which Linux has been retrofitting.


Maybe somewhat under the covers, but Windows until recently seemed targeted at only one *interactive* user. It took Citrix to show Microsoft how to do multiple interactive users in the first place, and many Windows apps today don't function well in a Citrix/WTS environment. The irony to me is that Microsoft knew this (and couldn't justify the higher cost of this approach to their desktop-only customers), so they promoted NT and its progeny as server OSes -- where the GUI is often not needed and is unnecessary fluff. Yet on Windows you cannot get rid of said GUI.

Windows has been harmed by setup insisting that a user account must be created in the administrators group, which has led people to run as an admin all the time. Running as root all the time is much more rare on UNIX/Linux.


I still feel Microsoft has no one to blame but themselves for this. They should have made that clean break, enforced least-privilege policies, when they brought out NT. Those "fine-grained privileges" you mention above have been largely wasted for many years, and would still be if Windows had not become the poster child for malware.

All that said, (potentially controversial statement coming right up ;) I think security- and capability-wise, Linux and Windows each have advantages over the other, but on balance they are pretty much equals. The biggest practical area where Linux/BSD trump Windows today IMHO is flexibility. You can make those OSes just about anything you want. With Windows, you pretty much get what MS gives you.

Reply Parent Score: 2

RE[2]: Inaccurate
by malxau on Wed 23rd Jun 2010 23:08 in reply to "RE: Inaccurate"
malxau Member since:
2005-12-04

...Windows until recently seemed targeted at only one *interactive* user.

Agreed. To put this differently, X is amazing technology in allowing multiple displays per machine, multiple users running multiple apps to different displays, one display rendering apps from different servers on different versions of different systems on different architectures. The people who designed X should be very proud of themselves - from a flexibility perspective, it's simply beautiful.

TS only recently implemented a "seamless" mode where applications render without a desktop, although Citrix has had it for a while. There's a lot more retrofitting to bring NT up to UNIX/Linux for networked application delivery.

Yet on Windows you cannot get rid of said GUI.

Have you looked at Server Core? It still has a GUI, but it doesn't have explorer et al.

"Windows has been harmed by setup insisting that a user account must be created in the administrators group...
I still feel Microsoft has no one to blame but themselves for this. They should have made that clean break, enforced least-privilege policies, when they brought out NT. "
Don't get me started. The sad part is that NT 3.1 insisted that you must create a low-privilege user as part of setup. Somewhere that idealism became derailed. I used low-privilege accounts on NT for a decade, and things generally work; I blame XP for trying to "dumb down" NT, which in turn allowed developers to be less vigilant.

The biggest practical area where Linux/BSD trump Windows today IMHO is flexibility.

Agreed. Sometimes it requires more knowledge, but when you have that knowledge, it allows more possibilities.

Reply Parent Score: 1

RE[2]: Inaccurate
by lemur2 on Thu 24th Jun 2010 01:31 in reply to "RE: Inaccurate"
lemur2 Member since:
2007-02-17

"Windows has been harmed by setup insisting that a user account must be created in the administrators group, which has led people to run as an admin all the time. Running as root all the time is much more rare on UNIX/Linux.
I still feel Microsoft has no one to blame but themselves for this. They should have made that clean break, enforced least-privilege policies, when they brought out NT. Those "fine-grained privileges" you mention above have been largely wasted for many years, and would still be if Windows had not become the poster child for malware. All that said, (potentially controversial statement coming right up ;) I think security- and capability-wise, Linux and Windows each have advantages over the other, but on balance they are pretty much equals. The biggest practical area where Linux/BSD trump Windows today IMHO is flexibility. You can make those OSes just about anything you want. With Windows, you pretty much get what MS gives you. "

I'd disagree on only one point. The biggest practical area where Linux/BSD trump Windows today derives IMO from the fact that for well over a decade, for whatever reasons, the concerted effort of malware authors has been targeted almost exclusively against Windows. The vast library of malware payloads and malware techniques has evolved over that decade along with Windows.

Today, the vast body of malware is effectively impotent when one uses systems other than Windows. Almost without exception, malware is not only targeted at Windows, it depends upon Windows.

One might be able to argue a case that "capability-wise, Linux and Windows each have advantages over the other, but on balance they are pretty much equals" ... but that simply cannot be argued security-wise as a whole. The actual malware corpus itself demands that it cannot be so argued.

Edited 2010-06-24 01:32 UTC

Reply Parent Score: 2

RE: Inaccurate
by drcoldfoot on Thu 24th Jun 2010 13:06 in reply to "Inaccurate"
drcoldfoot Member since:
2006-08-25

No Sir,
The article was spot on. Windows Desktop line is not multiuser. Unix/Linux is multiuser by design. You can log in as different simultaneous users, each running their own desktops, run apps, scripts, scheduled jobs, etc.

Reply Parent Score: 1

RE[2]: Inaccurate
by ssa2204 on Thu 24th Jun 2010 13:34 in reply to "RE: Inaccurate"
ssa2204 Member since:
2006-04-22

No Sir,
The article was spot on. Windows Desktop line is not multiuser. Unix/Linux is multiuser by design. You can log in as different simultaneous users, each running their own desktops, run apps, scripts, scheduled jobs, etc.


This has nothing to do with the architecture of the OS you twat, it is a licensing issue. People figured out a long time ago how to bypass this.

Reply Parent Score: 3