Open Source Software vs. Commercial Software:
Migration from Windows to Linux
An IT Professional's Testimonial
Maintenance Headache of Windows
Security is definitely one of the hot topics nowadays with computers, both servers and desktops. Servers need to be secure to prevent attackers taking them over and getting valuable data, and desktops need to be protected from malicious users on the computers as well as those trying to attack them remotely. This is where the operating systems come into play and are the main core of the issue. The operating systems are the ones running the programs and/or services that get attacked. So naturally, you would probably want to be using the operating system that is the most secure, right? At first, you can tell yourself that computers are using software written by humans, and that there will always be security holes in software. And while, yes, this is true, there are different levels of operating system security. It is a widely known fact that Windows seems to have the highest number of security holes and security breaches among all operating systems. However, this could be because it is the most widely used operating system on desktop computers. It is also a widely known fact that Linux seems to be one of the most (if not the most) secure operating systems used today. And this could follow the same analogy as above: Linux is one of the least used operating systems on desktop computers, so virus writers don't waste their time writing viruses for Linux. Is this true? Time will tell as the market shares of Linux and Windows change. But one thing for sure today is: Linux is more secure than Windows, case closed. In fact, our very own Department of Defense has published several articles stating just that. Most recently, the Department of Defense openly published [1] [2] [3] that it uses the Linux operating system, and actually published articles recommending the use of Linux for others as well because it has superior security.
Part of the reason they justify this is because Linux is open source, and since the code is available to everybody, potential security problems can be found more quickly, and as a result patched more quickly, oftentimes before anybody else discovers them. This is huge, especially when you look at Microsoft Windows, where there may be many users looking for security breaches, but only Microsoft can patch them since they alone have access to the code. But at the same time, by closing up the code Microsoft eliminates other parties from identifying potential problems ahead of time, which is a huge disadvantage.
Staying Secure
Let's talk about security updates, since this is a hot topic in today's world of malicious software. When you put Linux and Windows on the scale and look at security, Linux has quite a few advantages. But how, when Windows seems to be all over the place, and Linux isn't as much? Well, that is exactly the reason. More people are using Windows, so Windows is the target of those trying to write malicious software, viruses, and such. But I am not convinced that is the only reason. Year after year and with each release of Windows, Microsoft claims that it has finally secured it up and swears that each version is more secure than ever, yet each week they release update after update to fix security holes. Even the widely boasted "Bitlocker" feature of Microsoft's newest operating system, Windows 7, designed to secure files on a disk with a secret password, has been breached. [4] See the example at the right, dated 10/22/08. This list was taken after the month's batch of regular updates was applied on the second Tuesday of the month. Note that all versions of Windows are listed, from Windows XP to Windows Server 2008. And, while I was writing this section of the document, yet another batch was released just 2 days after. I can definitely understand if Microsoft found additional bugs or updates, but it seemed that they were re-releasing updates that were already released the first time! On average during the time while writing this, it seems that updates are being released about once a week. On one hand, it is good to see that Microsoft is trying to keep things up to date and as secure as possible. But think about it this way: could any of these security updates be avoided by developing software without as many security holes and glitches? The answer to this one may never be known for sure since software is constantly changing. It is one thing to release bug fixes, which will happen and are fairly unavoidable no matter what operating system you are using.
But, to release security update after security update gets a little old and tiresome after a while. When you stack up the list of security updates for Windows and put them next to the stack of security updates for Linux, the Windows stack is much much higher.
So, we have acknowledged that viruses are constantly coming out and being released into the cyber world. Along with viruses, spyware is continuously released as well. When running Windows, you must make sure your antivirus and spyware removal software is continuously updated, to ensure you can catch as many bugs as you can before they harm your computer. Keeping this software up to date can be time consuming and expensive. Just because you purchase antivirus and antispyware software doesn't mean that you can update it for life. Most commercial products will require you to pay even more for updates. There are also some free antivirus and antispyware products on the market. Either way, keeping them up to date is a continuous process that is repeated over and over every day, week and month, to ensure you have the latest detection definitions for your antivirus/antispyware software. Things can go wrong, and the software can malfunction.
Overall, antivirus and antispyware software are tools in place and are reactive to malicious software. Linux is the proactive approach, as it almost completely disregards the need for preventative software since it is immune to Windows viruses and spyware. This doesn't mean that viruses and spyware do not exist for Linux, but they are very rare and hardly ever seen. In the world of computer security, this is a big deal.
Virus Outbreaks
We've acknowledged that viruses and worms are a huge deal in today's computing world. We've all heard of them and probably have dealt with them at some point in time when our computer was infected and doing all sorts of strange things like it was possessed. We're all very much acquainted with anti-virus software and making sure its virus definitions are regularly updated. But step back for a minute and imagine a computer without an antivirus program. You probably think I'm crazy, right? Well, this is reality in Linux. Viruses are pretty much nonexistent in regards to Linux itself, so the need for an anti-virus program is too.
I already mentioned the infamous Slammer and Blaster worms that traversed over Windows systems in years past. Viruses are still commonplace in Windows, but large scale outbreaks have been pretty much non-existent since Slammer and Blaster... until now. As I started writing this, a new and very advanced worm called Conficker has arisen. It was first discovered spreading around on Windows systems in October 2008. From that point up to March 2009, it is still spreading, and has additional versions: variants A, B, and C. As of March 2009, it is spreading wildly across all unpatched and vulnerable Windows systems from all regions of the Internet. Even with the patch by Microsoft, the worm can still be spread by flash drives and removable media. Microsoft has even issued a $250,000 reward for information leading up to the person behind it.
Five months after it was first discovered, Conficker is still spreading rapidly, and it is unknown what exactly the worm is intended to do. Some have speculated that it will gather valuable and personal information and send it to a central server, or possibly take over the infected computers and turn them into some sort of supercomputer. Rumors have floated around the Internet that on April 1, the worm will rise up and do something evil. Whatever the reason, it is a bad situation and scary in some ways, that data and personal information can be easily obtained from computers when the user is completely unaware.
Can you believe that in 2006, Bill Allchin of Microsoft actually stated publicly that Windows Vista would not need any antivirus software, because it was too secure?! [5] First, this is just another example of how Microsoft will say anything to sell their software, just like the pesky salesman that shows up at your door from time to time. We know now that this is far from the case. Viruses for Windows Vista have been circulating around just like every other Windows operating system. In fact, Microsoft ended up doing the very opposite from Allchin's statement, and released their own antivirus software for Vista! Again, Microsoft just doesn't want to publicly acknowledge that their software is riddled with security problems, even though all of us that have used it know that it is so.
Recall that Linux is not affected by any of these viruses or massive worm outbreaks. To this date, viruses and worms are pretty much nonexistent on Linux. This means that there are pretty much no worries about getting infected with something, while viruses run wild on Windows systems. Why is this? Well, I've already mentioned that since Linux is still a relatively small portion of the desktop computing world, it's possible the hackers have not deemed it worth trying to attack. However, this reason can be argued, since Linux is very apparent in the server world, which leaves a high number of Linux systems sitting on the Internet at all hours around the clock. It's also possible that Linux is more difficult to hack or exploit; however, it is still really unknown since not many have attempted to perform exploits over it. However, with that being said, since Linux is used heavily in the server world there have certainly been attempts to take over Linux servers. Luckily, since Linux is open source, the attacks have not been widely successful, and patches have been released quickly for the exploits, oftentimes before any opportunity is given for exploits to be executed. In fact, it is common for the patches/fixes to be released this quickly, which may account for such a low number of exploited problems. Since the open source community is so vast, there are a lot of tests and checks done to try and discover possible exploits all of the time. Yes, these tests and checks are also done for Windows; however, they cannot be fixed by the very same individuals that discover them. Fixes must be channeled through Microsoft itself, which can cause significant delays. Whereas with open source, the same community that identifies them can in theory also fix them. Typically, the fixes are submitted to the group responsible for developing the software that has the security problem.
I have been hit by viruses and worms in the past; it's essentially unavoidable, especially on networks full of users. There are many avenues by which they can be spread. Probably the worst part of the whole deal is that viruses and worms can not only steal valuable information, but they can also cause a lot of downtime and high cost, and take valuable resources to fix. Oftentimes viruses can spread at the speed of data transfer, which can be seconds over a local network or minutes over the Internet. But the aftermath can be devastating, and can take hours, days, or even weeks to fully recover. During this recovery stage, costs can skyrocket as resources are pooled in order to fix all of the issues and remains of the virus or worm. So, in my opinion, being immune to this sort of activity is truly a huge advantage and can save tons of valuable time and money for any individual or business.
Immunity to Malicious Software
What about spyware? People have become very clever at writing software that runs on your computer and watches what you do, hence the age of spyware that we are in. But in Linux, there is practically no such thing as spyware either. Why is this? My theory is this: Spyware is usually bundled or hidden within a free program that somebody downloads on the Internet and installs. Sometimes spyware is installed by simply visiting a website. But either way, when people download this software, it is to add some sort of functionality that does not already exist on their computer. In Windows, there are probably a million programs out on the Internet to add certain functionality, all developed by 3rd parties of all sorts. Some will be good and others will be bad and include spyware in them. On the flip side, since Linux is open source, you don't have competing 3rd parties writing software that does the same thing, trying to beat the other. Yes, there are some cases where there is more than one piece of software for handling the same function or task. But overall, essentially what you come up with is many people coming together and borrowing ideas and code, collaborating and coming up with a single software package. And the chances of it containing spyware are slim to none. If a piece of open source software did contain some sort of spyware, you can bet that it would be published all over the Internet and software download mirrors would avoid it. And if you stick to a Linux distribution such as RedHat (Fedora), Ubuntu, Suse, etc. (there are too many to list), you can get the software from them directly. Distributors would never want to bundle any sort of malicious software inside their own distributions. This is just one of the beauties of open source: you can go to one distribution and get all of the software from one source. In specialized cases, the distribution may not have the software you are looking for.
But this is open source, so chances are somebody else has already created something that you are looking for. With commercial software as in the Windows world, there is no central filter or distribution for 3rd party software, leaving it completely open directly from vendor to consumer. While some may argue that this is a plus, it can have many downsides as I have just mentioned (and has demonstrated to us many times in the real world).
The Elevated Rights Model
One of the more recent security enhancements of modern operating systems such as Windows and Linux is the ability to have the logged in user run with regular or restricted rights on the computer. This effectively lets the user do everyday normal tasks without jeopardizing any system settings. The thought is that if the user does run a virus or some sort of malicious software, the program they run will only have rights to change things that the user has rights to, which will be in most cases just their specific settings and files. This avoids a complete system takeover by the virus or malware. If the user needs to make system settings changes, they are prompted for the password. In the past, this was unheard of in Windows, until Windows 2000 came along and Microsoft offered the "RunAs" feature, which allowed a normal user to run as the Administrator on the computer and perform system maintenance tasks. Microsoft refined this feature in Windows XP and even more so in Windows Vista. Linux has always had this running model in place, where a user logs in as a restricted user and can log in or authenticate as root (the administrator in Linux) to perform system maintenance tasks. In more recent versions of Linux, this is streamlined even more so, where the user can see all of the administrative tools but will be prompted for the root password when they attempt to run something that needs administrative rights. This is very similar to the model that Vista uses.
In the years to come, we will see how Linux will face up to the growing concerns for security. At the time of this writing though, Linux is sitting in a very comfortable position.
Further Reading
Articles on Windows and Linux security are readily available all over the Internet. Some of my favorite columns to read on security are as follows:
References
1. Information Week: Defense CIO Touts Benefits of Open Source
2. Defense Systems: DOD Open Source Memo could change software landscape
3. ITWire: US Defense Dept backs more FOSS use
4. Windows 7 BitLocker: Germans Devise Attacks on Windows BitLocker
5. Betanews: Allchin Suggests Vista Won't Need Antivirus