Open Source Software vs. Commercial Software:
Migration from Windows to Linux
An IT Professional's Testimonial

 

Maintenance Headache of Windows

Security is definitely one of the hot topics nowadays with computers, both servers and desktops. Servers need to be secure to prevent attackers taking them over and getting valuable data, and desktops need to be protected from malicious users on the computers as well as those trying to attack them remotely. This is where the operating systems come into play and are the main core of the issue. The operating systems are the ones running the programs and/or services that get attacked. So naturally, you would probably want to be using the operating system that is the most secure, right? At first, you can tell yourself that computers are using software written by humans, and that there will always be security holes in software. And while yes this is true, there are different levels of operating system security. It is a widely known fact that Windows seems to have the highest number of security holes and security breaches among all operating systems. However, this could be because it is the most widely used operating system on desktop computers. It is also a widely known fact that Linux seems to be one of the most (if not the most) secure operating systems used today. And, this could follow the same analogy above: Linux is one of the least used operating systems on desktop computers, so virus writers don't waste their time writing viruses for Linux. Is this true? Time will tell as the market shares of Linux and Windows change. Generally I think this theory is partially correct, but those that support that argument are missing one point. There are also a lot of vulnerabilities published week after week for 3rd party products that are present on multiple platforms: Windows, Linux and Mac OS X. And guess which operating system is affected a majority of the time? You guessed it: Microsoft Windows. And it's not just older versions of Windows, it's the latest and greatest versions, too.
The statements by Microsoft about the greater security features of the newer operating systems are mostly a marketing ploy. If you look at the security patches released each month, they are released for both old and new versions of Windows. In early 2010 there have been several security breaches published for the Mozilla Firefox web browser and Adobe Reader, which run on Windows, Linux and Mac OS X. And, just about all of them only affect versions that run on the Windows platform. So, I believe that even though Windows is still the most used operating system, there is still evidence that Windows is less secure than Linux (and Mac OS X).

But one thing for sure today is: Linux is more secure than Windows, case closed. In fact, our very own Department of Defense has published several articles stating just that. Most recently, the Department of Defense openly published [1] [2] [3] that it uses the Linux operating system, and actually published articles recommending the use of Linux for others as well because it has superior security. Part of the reason they justify this is because Linux is open source, and since the code is available to everybody, potential security problems can be found more quickly, and as a result patched more quickly, often times before anybody else discovers them. This is huge, especially when you look at Microsoft Windows where there may be many users looking for security breaches, but only Microsoft can patch them since they alone are the only ones that have access to the code. But at the same time, by closing up the code Microsoft eliminates other parties from identifying potential problems ahead of time, which is a huge disadvantage.

Even Dell has openly published information that mentions Linux is more secure than Windows. The most recent post of this happened in June 2010, when Dell put out a page on its website touting Linux as being safer than Windows. OK, so you are probably thinking that this is a big event. Well, it is. But, what is even more interesting about this event is that a couple days later, Dell went back and reworded the very statements made about Linux being more secure than Windows, basically to say that "Linux is safe". They completely dropped the reference to Windows. This again demonstrates just how tight of a grip that Microsoft has on Dell. Which is unfortunate to end users and consumers.

The page in question is on Dell's website and mentions Ubuntu as an alternative to Windows. At first, point 6 on this page said:

6) Ubuntu is safer than Microsoft® Windows®
The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux.

Just 3 days after this line was posted, it was changed to:

6) Ubuntu is secure
According to industry reports, Ubuntu is unaffected by the vast majority of viruses and spyware.

Call it what you want, but I think it's pretty sad on Dell's part that they have to give in to Microsoft, and reword the sentence. Why do we need to hold back truthful information? Why can't we simply publish the real facts? Unfortunately for Dell, Microsoft has a very tight grip on Dell. And as such, you see such things like this covered up so as to keep people from getting the truth.

I have also archived PDF files of the before and after versions of the Dell Ubuntu web page for you to look at.

 

Staying Secure

Windows updates list
Typical Windows updates list (dated 10/22/08)

Let's talk about security updates, since this is a hot topic in today's world of malicious software. When you put Linux and Windows on the scale and look at security, Linux has quite a few advantages. But how, when Windows seems to be all over the place, and Linux isn't as much? Well, that is exactly the reason. More people are using Windows, so Windows is the target of those trying to write malicious software, viruses, and such. But, I am not convinced that is the only reason. Year after year and with each release of Windows, Microsoft claims that it has finally secured it up and swears that each version is more secure than ever, yet each week they release update after update to fix security holes. Even the widely boasted "Bitlocker" feature of Microsoft's newest operating system, Windows 7, designed to secure files on a disk with a secret password, has been breached. [4] See the example at the right, dated 10/22/08. This list was taken after the month's batch of regular updates was applied on the second Tuesday of the month. Note that all versions of Windows are listed, from Windows XP to Windows Server 2008. And, while I was writing this section of the document, yet another batch was released just 2 days after. I can definitely understand if Microsoft found additional bugs or updates, but it seemed that they were re-releasing updates that were already released the first time! On average during the time while writing this, it seems that updates are being released about once a week. On one hand, it is good to see that Microsoft is trying to keep things up to date and as secure as possible. But, think about it this way: could any of these security updates be avoided by developing software without as many security holes and glitches? The answer to this one may never be known for sure since software is constantly changing. It is one thing to release bug fixes which will happen and are fairly unavoidable no matter what operating system you are using.
But, to release security update after security update gets a little old and tiresome after a while. When you stack up the list of security updates for Windows and put them next to the stack of security updates for Linux, the Windows stack is much much higher.

Symantec Antivirus error
Symantec Antivirus needing attention because of a software malfunction

So, we have acknowledged that viruses are constantly coming out and being released into the cyber world. Along with viruses, spyware is continuously released as well. When running Windows, you must continuously make sure your antivirus and spyware removal software is updated, to ensure you can catch as many bugs as you can before they harm your computer. Keeping this software up to date can be time consuming and expensive. Just because you purchase antivirus and antispyware software doesn't mean that you can update it for life. Most commercial products will require you to pay even more for updates. There are also some free antivirus and antispyware products on the market as well. Either way, keeping them up to date is a continuous process that is repeated over and over every day, week and month, to ensure you have the latest detection definitions for your antivirus/antispyware software. Things can go wrong, and the software can malfunction.

Probably the worst scenario that I've heard of to date is the one announced 4/21/2010, where the popular McAfee Antivirus software started to accidentally quarantine a critical Windows process, svchost.exe. This was triggered by a definitions update, which in turn rendered thousands of Windows XP computers unbootable. Even the following day, McAfee did not have an exact reason for the behavior of their software. It was reported that the malfunction of McAfee Antivirus caused widespread outages. An Australian supermarket chain called "Coles" had to close many of its stores, Kentucky State Police lost their entire computer systems, and hospitals in Rhode Island had to postpone elective surgeries. And, there was also an aftermath of damage as well. Not only did the glitch leave computers unbootable, but the fix was also time consuming, especially for large companies. Installations of Windows had to be repaired manually, one by one, and the bad McAfee definition files manually patched as well. So as you can see, the widespread effects of this software malfunction snowballed on some. Granted this is a worst case scenario, it proves a valuable point. And that is the more 3rd party programs you have in the mix, the more chance you have for failures.

Overall antivirus and antispyware software are tools in place and are reactive to malicious software. Linux is the proactive approach as it almost completely disregards the need for preventative software since it is immune to Windows viruses and spyware. This doesn't mean that viruses and spyware do not exist for Linux, but they are very rare and hardly ever seen. In the world of computer security, this is a big deal. This means that a Linux system can run and it doesn't have to be burdened with 3rd party products and continuous scanning and cleaning of viruses, spyware, malware, etc. Instead, the Linux systems can be used to do more constructive tasks with the resources at hand.

 

Virus Outbreaks

We've acknowledged that viruses and worms are a huge deal in today's computing world. We've all heard of them and probably have dealt with them at some point in time when our computer was infected and doing all sorts of strange things like it was possessed. We're all very much acquainted with anti-virus software and making sure its virus definitions are regularly updated. But, step back for a minute and imagine a computer without an Antivirus program. You probably think I'm crazy, right? Well, this is reality in Linux. Viruses are pretty much nonexistent in regards to Linux itself, so the need for an anti-virus program is too.

I already mentioned the infamous Slammer and Blaster worms, that traversed over Windows systems in years past. Viruses are still commonplace in Windows, but large scale outbreaks have been pretty much non-existent since Slammer and Blaster... until now. As I started writing this, a new and very advanced worm called Conficker has arisen. It was first discovered spreading around on Windows systems in October 2008. From that point up to March 2009, it is still spreading, and has additional versions: variants A, B, and C. As of March 2009, it is spreading wildly across all unpatched and vulnerable Windows systems from all regions of the Internet. Even with the patch by Microsoft, the worm can still be spread by flash drives and removable media. Microsoft has even issued a $250,000 reward for information leading up to the person behind it.

Conficker article
New York Times article depicting the Conficker worm (dated 3/19/09)

Five months after it was first discovered, Conficker is still spreading rapidly, and it is unknown what exactly the worm is intended to do. Some have speculated that it will gather valuable and personal information and send it to a central server, or possibly take over the infected computers and turn them into some sort of supercomputer. Rumors have floated around the Internet that on April 1, the worm will rise up and do something evil. Whatever the reason, it is a bad situation and scary in some ways, that data and personal information can be easily obtained from computers, when the user is completely unaware.

Can you believe that in 2006, Bill Allchin of Microsoft actually stated publicly that Windows Vista would not need any antivirus software, because it was too secure?! [5] First, this is just another example of how Microsoft will say anything to sell their software, just like the pesty salesman that shows up at your door from time to time. We know now that this is far from the case. Viruses for Windows Vista have been circulating around just like every other Windows operating system. In fact, Microsoft ended up doing the very opposite from Allchin's statement, and released their own antivirus software for Vista! Again, Microsoft just doesn't want to publicly acknowledge that their software is riddled with security problems, even though all of us that have used it know that it is so.

Recall that Linux is not affected by any of these viruses or massive worm outbreaks. To this date, viruses and worms are pretty much nonexistent on Linux. This means that there are pretty much no worries about getting infected with something, while viruses run wild on Windows systems. Why is this? Well, I've already mentioned that since Linux is still a relatively small portion of the desktop computing world, it's possible the hackers have not deemed it worth trying to attack. However this reason can be argued since Linux is very apparent in the server world, which leaves a high number of Linux systems sitting on the Internet at all hours around the clock. It's also possible that Linux is more difficult to hack or exploit, however it is still really unknown since not many have attempted to perform exploits over it. However, with that being said, since Linux is used heavily in the server world there have certainly been attempts to take over Linux servers. Luckily since Linux is open source, the attacks have not been widely successful, and patches have been released quickly for the exploits, often times before any opportunity is given for exploits to be executed. In fact, it is common for the patches/fixes to be released this quickly, which may account for such a low number of exploited problems. Since the open source community is so vast, there are a lot of tests and checks done to try and discover possible exploits all of the time. Yes, these tests and checks are also done for Windows, however they cannot be fixed by the very same individuals that discover them. Fixes must be channeled through Microsoft itself, which can cause significant delays. Whereas with open source, the same community that identifies them can in theory also fix them. Typically, the fixes are submitted to the group responsible for developing the software that has the security problem.

I have been hit by viruses and worms in the past; it's essentially unavoidable, especially on networks full of users. There are many avenues by which they can be spread. Probably the worst part of the whole deal is that viruses and worms can not only steal valuable information, but they can cause a lot of downtime, high cost, and valuable resources to fix. Often times viruses can spread at the speed of data transfer, which can be seconds over a local network or minutes over the Internet. But, the aftermath can be devastating, and can take hours, days, or even weeks to fully recover. During this recovery stage, costs can skyrocket as resources are pooled in order to fix all of the issues and remains of the virus or worm. So, in my opinion being immune to this sort of activity is truly a huge advantage and can save tons of valuable time and money for any individual or business.

 

Malware and Spyware

More recently, malware and spyware have hit Windows hard, maybe even more so than traditional viruses. Why? Because malware and spyware are very sneaky, and take advantage of human error in order to infect computers. Malware and spyware are similar; usually malware has a malicious outcome, whereas spyware simply gathers data. For malware, there have been a lot of well known outbreaks, such as "Cryptolocker" [5b] which installs itself on Windows, encrypts the data, and demands that money be sent in order to unlock the data. Information security is becoming more and more important, too, as malware can comb through your data and send all information to a server without you even knowing it.

For spyware, it can be retrieved accidentally by a lot of different methods. I have also seen spyware bundled with popular download sites, such as www.download.com. Years ago, download.com was the place to go for getting freeware and shareware, software that you can "try before you buy". Unfortunately, websites like download.com have changed hands and some include spyware in their downloads. Other websites like Softonic, Brothersoft, and CNet also bundle in spyware to their downloads. I recently had this experience with download.com, when downloading a piece of software for Windows. After visiting download.com, searching for the product, seeing that it had thousands of downloads, and downloading it, it seemed just fine to me. But, after attempting to install the software I downloaded, it used a shim downloader to download the actual product I thought I had already downloaded to begin with. The next thing we realized is that we had a piece of spyware called "PUP.Optional.OpenCandy" as found by the popular anti-malware product MalwareBytes. "PUP.Optional.OpenCandy" is known to simply display ads on the computer, but there could be other unknown behaviors with it. Do you trust just any stranger to come into your house, and simply move in with you? How could you trust them, if you had to leave the house for a bit? The same should apply to your computer. You should be aware of what is being installed and what the software is doing. Today, this is becoming a very hard task to do with closed source software like Windows. Closed source software that is installed on Windows does not have the source code available to the public, so there is no way to verify what the programs do, let alone Windows itself. Sure, there are 3rd party products that will offer to keep an eye on your computer, but how do you trust those as well? As you can see, the problem can keep spiraling. Open source software on the other hand has the source code available for anybody to look at.
If desired, the actual functionality of open source programs can be determined by the source code.

So, I won't go into detail any more about the advantages of having the source code available for all eyes, which I have already done. But, know that using an open operating system like GNU/Linux gives you not only freedom of your computer, but does not bundle in spyware and does not phone home to any services without your knowledge.

 

Information Security

As just mentioned, spyware can secretly gather your information. But, there are other problems with keeping your information safe with closed source software. A lot of free closed source products require registration just to download them. What these sites do with the data is unknown. Even if they store it and don't use it, there's always the chance that somebody else can get their hands on it. I can understand paid for products would require registration for future support calls. But, even in that case as well, once your information is submitted, there's no guarantee that it is safe from prying eyes. Take for example in 2013 when Adobe was hacked and millions of customer records were retrieved electronically.

Open source software requires no registration, unless required by a vendor that releases it. But even in that case, choose a different vendor if you so choose. You should never be required to release personal information for open source software.

 

Desperate Measures

Recently I came across a very interesting article regarding CNL Bank in Florida [6] that actually considered the initiative of mailing Linux Live CDs with Ubuntu to its clients. Why on earth would they do this? Well, it turns out that they are smart enough to realize that having their customers boot from a Linux CD is much safer for them to access their online banking sites. Pretty clever, eh? The fact of the matter is that booting from a CD is one of the safest ways you can use your computer, because the computer cannot write back to the CD. This means that no software can be downloaded, especially malicious software. Linux is pretty much immune to any sort of malicious software anyway when running it on a regular hard disk (which I will go into more detail in a bit). But, adding this additional level of security really makes it a quick and easy way to access online resources in a very safe manner. Luckily, using Linux is much safer than Windows because it doesn't have as many security woes to it. And, since Linux is open source and extremely flexible and powerful, it can actually run on CD. Granted, it's not the fastest way to boot because of slow CD access, but it actually works. There are some 3rd party hacked versions of Windows that run on CD, like BartPE. These would be alternatives if you use Windows, however doing so would still add some security risk because of numerous exploits of Windows. Plus, I don't believe that BartPE is in accordance with Microsoft's strict Windows licensing scheme.

 

Immunity to Malicious Software

What about spyware? People have become very clever at writing software that runs on your computer and watches what you do, hence the age of spyware that we are in. But, in Linux, there is practically no such thing as spyware either. Why is this? My theory is this: Spyware is usually bundled or hidden within a free program that somebody downloads on the Internet and installs. Sometimes spyware is installed by simply visiting a website. But either way, when people download this software, it is to add some sort of functionality that does not already exist on their computer. In Windows, there are probably a million programs out on the Internet to add certain functionality, all developed by 3rd parties of all sorts. Some will be good and others will be bad and include spyware in them. On the flip side, since Linux is open source, you don't have competing 3rd parties writing software that does the same thing, trying to beat the other. Yes, there are some cases where there is more than one piece of software for handling the same function or task. But overall, essentially what you come up with is many people coming together and borrowing ideas and code, collaborating and coming up with a single software package. And, the chances of it containing spyware are slim to none. If a piece of open source software did contain some sort of spyware, you can bet that it would be published all over on the Internet and software download mirrors would avoid it. And, if you stick to a Linux distribution such as RedHat (Fedora), Ubuntu, Suse, etc. (there are too many to list), you can get the software from them directly. Distributors would never want to bundle any sort of malicious software inside their own distributions. This is just one of the beauties of open source: you can go to one distribution and get all of the software from one source. In specialized cases, the distribution may not have the software you are looking for.
But this is open source, so chances are somebody else has already created something that you are looking for. With commercial software as in the Windows world, there is no central filter or distribution for 3rd party software, leaving it completely open directly from vendor to consumer. While some may argue that this is a plus, it can have many downsides as I have just mentioned (and has demonstrated to us many times in the real world).

 

The Elevated Rights Model

One of the more recent security enhancements of modern operating systems such as Windows and Linux is the ability to have the logged in user run with regular or restricted rights on the computer. This effectively lets the user do everyday normal tasks, without jeopardizing any system settings. The thought is that if the user does run a virus or some sort of malicious software, the program they run will only have rights to change things that the user has rights to, which will be in most cases just their specific settings and files. This avoids a complete system takeover by the virus or malware. If the user needs to make system settings changes, they are prompted for the password. In the past, this was unheard of in Windows, until Windows 2000 came along and Microsoft offered the "RunAs" feature, which allowed a normal user to run as the Administrator on the computer and perform system maintenance tasks. Microsoft refined this feature in Windows XP and even more so in Windows Vista. Linux has always had this running model in place where a user logs in as a restricted user and can log in or authenticate as root (the administrator in Linux) to perform system maintenance tasks. In more recent versions of Linux, this is streamlined even more so, where the user can see all of the administrative tools but will be prompted for the root password when they attempt to run something that needs administrative rights. This is very similar to the model that Vista uses.

In the years to come, we will see how Linux will face up to the growing concerns for security. At the time of this writing though, Linux is sitting in a very comfortable position.

 

Further Reading

Articles on Windows and Linux security are readily available all over the Internet. Some of my favorite columns to read on security are as follows:

 


References

1. Information Week: Defense CIO Touts Benefits of Open Source

2. Defense Systems: DOD Open Source Memo could change software landscape

3. ITWire: US Defense Dept backs more FOSS use

4. Windows 7 BitLocker: Germans Devise Attacks on Windows BitLocker

5. Betanews: Allchin Suggests Vista Won't Need Antivirus

5b. Wikipedia: Cryptolocker overview

6. ComputerWorld Blogs: Can Ubuntu Save Online Banking?