Discussion on:

With the rise of the Linux desktop, will viruses follow?

I've used windows since it first appeared thru Win95, now Win7 and there is always the risk of virus attacks even with paid virus protection software.

I've used Linux since Slackware was first introduced ... but have been an Ubuntu user for many years and have NEVER had even the hint of a virus and as far as I know, no one I am in communication with that uses Linux has ever seen a virus either.

I personally think about the only risk to Linux users is just plain basic system security common sense. Don't all root login via ssh, keep your password safe & use good passwords etc... which of course are the same things you'd do with Windows.

As system admins, engineers and developers we can prefer security, restrictions etc. but lots of the people will prefer to run everything without so much questions (remember how people hate from Vista) This is why they use linux. Of course when they lost their files due to a virus they'll start blaming but still they'll not run linux, because it'll be a very complex system for them. Even so many businesses will prefer to run insecure systems behind a firewall. Because when they install the new security patch so many applications will not work, will take a long time to fix and nobody can answer the claims. With current business model is it possible to dominate the desktop of average Joe?

You would also get more devs fixing holes.
In the end, I think it would balance out. Some unlucky people (probably face book users) will get viruses as they are fresh. But then patches will quickly appear and everyone else will be safe.
That and probably the most vulnerable code will be close source code like Flash and silverlight.

The first "viruses" were on Unix, and the usual attempt was to alter commands. To do that, they needed a "secure shell" like SSH or telnet. It is easy to move telnet to "guest" user and disable SSH port and then inhibit remote login to the few that needs it. There is no way you can change essential parts of Linux or MacOS without having to ask for the Admin password from the user, and been provided this. But, it is fully possible to embed a script in a Jpeg picture, that executes in the user's own context.
If the user wants to see picture effects, video (Flash definitely contains a dangerous script language) and rich media, you will need a way to connect the presentation of these to local applications. These must be able to execute scripts, also to verify and authenticate.
Knowing some of the flaws that allows viruses, I don't expect the developers will have to worry much, except that their code will be inspected to verify that it does just what it should and nothing else. The rest is simple. On Linux and MacOS, an application cannot modify another by accident. It cannot debug the kernel, it cannot chage the "rm" command. Should a pointer go way out in the blue, it will be trapped, and cannot "see" the memory of others (beside allocated shared memory).
I believe most hacks originates from Linux today, since they can leave without making a trace. They have seen to that their systems cannot be hacked. So those writing virus scanners today are facing a bleak future.

Maybe it is harder to crack, but impervious? Don't think so. Here's another theory:
Could it be that hackers see Linux as part of the same counter culture movement that they belong to so why would they break into their own house? OK... It's a bit cynical but I it's a theory - nothing more... Tthe lack of viruses on the platform is for real and there is definitely something to be said for the open source system helping to resolve these things. BTW I have an android tablet that had the rotate feature crippled by a manufacturer pushed upgrade in OS level. Problem is there is no vector to get to the manufacturer and they have no official response even though it is a known problem. Why do I mention this? Well taking this discussion into account - maybe Linux/ubuntu does have a future on the tablet platform. At least with open source somebody who can do something may actually be listening.. (hear this Acer???)

Hackers are a diverse lot.
1) There is the counter culture like Anonymous, they will break into government computers (linux or wintel). Lulz will do just everybody if you happen to piss them off...
2) There are criminal hackers like the Russian Business Network. they will break into anything where they expect to make money. Wintel offers bigger bonusses than linux, but that's not much of a safeguard.
3) State hackers like Chines Army, Iranian Guard, Israels Mossad and the American agencies like CIA, FBI, NSA. They will break into anything, which they suspect, Linux, wintel or Apple. Not much of a safeguard either.

In the end: with the rise of Linux there will be more break-ins. And a lot of break-ins are browser-attacks...

When you have a kernel built on a sound basis, you cannot hack it. If you ever wrote a production operating system, you would understand. With virtual memory on main frames you have "keys" for each user and that prevents them from accessing other users or the nucleus (kernel). While you may POSSIBLY be able to attack the application in a particular user's memory, you won't be able to attack another user's nor the kernel. A good kernel will not provide any back doors to other components, unlike Windows gives access to its other products .

Most viruses are not possible on Linux/MacOS. Only trojans, and for all, they can only get to the files you can get to without any effort. Regarding Linux on the tablet, most early days tablets ran Linux. Then the "analysts" demanded Windows, and Steve Jobs finally got them to make it with their variant of Unix: iOS. But the tablets came from Linux and will most likely return here because of the rich applications you find here.

Is Linux more secure than Windows? Probably, but it's hardly perfect. Equal growth, maybe not. But never say never. As Linux popularity increases the value of attacking it will increase. As that value increases, so will the attacks. It's pretty basic market economics. There are already a number of Linux server exploits. I suspect a lot of this is due in part to Linux popularity in that area.

I also think it makes no sense to define the problem narrowly. Rootkits, worms and other malware are problems. Malware is an issue for every OS, even Linux and BSD. It's only going to get worse as the value of attacks increase.

Finally, the OS isn't the only attack path. Applications present attack paths as well. Linux may provide better tools for dealing with this, but very few installations apply those tools effectively. It's only going to get worse when less technically oriented users become a higher proportion of the base.

unless some nitwit makes a distro which logs on as root for convenience and it becomes popular.

I have seen the same logic said for the Mac OS, yet it's met by derision by the Windows folks. Will it be the same here?

I am in year 11 of using Linux as my only system. During that time I have introduced family and friends to Linux and estimate we have collectively 60 years of run time and so far as I know the only successful attack was against my Daughters Yahoo online email address book which we caught right away and she had to change her password. That was a Yahoo problem and was a spam bot thst passed through emails that appeared to come from a friend.

... to [Yes (lots)] and [Yes (a few)] -- I mean, if the number of Linux viruses tripled, we'd get to what... 1 a year? I think there will be an increase, but not an alarming amount... Because of this fact, I did vote Yes, but I don't see this as "the end of the world."

It's human nature to "not fix what isn't broken" and I think a lot of the viruses for Linux that may be created in the future will not target the latest-n-greatest kernel, but concentrate on older vulnerabilities that people don't patch for. For this to be "cost effective" for the virus creators, there has to be a "critical mass" of Linux machines already (which *might* happen in the next few years) and then wait for these individuals to ignore the patch manager. It's also possible that the virus creators could target embedded machines (routers, wireless APs, etc.) that would not be patched on a regular basis -- there are a *lot* of those machines out there now.

And there are very secure closed-source operating systems out there - I don't believe there was ever a virus written for VMS, for example; and there were a *lot* of VAXen installed at one point in previous history... [[ Yes, I still have a couple in my basement... ]]

Since there are, to date, NO viirii in the wild, the appearance of one would be an increase. The increase in numbers of Linux machines is less the issue than what is to be gained by the cracker. No profit, no attack. Given the general profile of Linux users, if a successful attack was crafted, they would detect and kill it quickly. Thus no profit. It is possible there may be a few crackers out there who would go to the time and trouble of writing malware for Linux just to prove it could be done, but I do not forsee any serious efforts.

"Given the general profile of Linux users"

That may be true now, but if Linux were to draw a large number of users away from Windows(and possibly Mac) that general profile would change. One of the reasons that the recent Mac virii ave had success, even with a similar security setup to Linux/BSD/Unix, is that many of the users infected were previously Windows users that switched to the "virus-free" Mac. Rmember when Mac users and ads were spouting the line "there are no viruses for Macs"? People bought into that, got Macs, assumed they were safe and wound up authorizing the malware when hackers started writing it.

Switching to a "more secure" platform had not helped them in the least because the basic behaviours which got them into trouble in the past had not been corrected. And having masses of people switch to Linux would net the same effect. It does not matter how secure a platform is if the user behaviour is not fixed. Once the platform becomes a large enough target hackers will start trying to break it in earnest.

and expressed it better.

I totally agree with you. The protection offered by the need to enter sudo to gain admin rights is no protection if the user keeps typing it every time it is requested (or the password via GUI) without understanding what's happening.
As I teach in my training to users: the IT department with their AV, UTM and firewalls won't do much for you if you keep inviting the bad guys in. Users are the guardians of their system, period. You need to learn to use a computer safely and keep updating your skills.
The problem with computers today is that most users and specially business users have their priorities for attention and learning on the job they are supposed to complete; many see the PC and all its issues as a burden they don't want to go through. They just wan to "use" the computer without getting a "master degree" in its use. This is the most common complain among my company's users: "I don't want to be a computer expert; I wan to do my job".

I agree with the ROI camp. As the number of desktop, tablets etc grows it will become worthwhile to exploit. Just look at Android. Looks to be easily exploited through social engineering and poisoned apps. The distro will open Linux in general to attack.

As I remember Lindows did at one point log in as root.

Android is based on Linux. True, while it isn't an actual open source OS, it has had its vulnerabilities exploited. Why? I believe because of its popularity, and its use by people who have NO IDEA how to use it. I don't believe you need to verify passwords to install or change stuff on it either, whether because it's logged on as root, or whatever. That could be a point, as well.
I tried last night to put a program on my Linux desktop computer, it used to work, but with a few updates to the kernal and a new release under its belt, enough dependencies were broken to where I couldn't figure it out. "Compile from source" was the solution. Well, being the geek I am, I still haven't figured THAT out. The instructions were too vague and confusing. BUT I couldn't just download a new program and bam.. have it work (and who knows what came in with it?) True I could have gotten the updated version but I've tried that and it works horribly. I think I should have stuck with the old distro, the old versions, etc. where everything worked!
Part of the problem was, this is not a Linux native program, but converted for it from Windows. Most likely it's horribly complicated and never will "just work" on Linux.

I like the 4-point concept you noted. But, getting back to some basics, I think there are additional reasons for the low occurrence of vulnerabilities.

The Attack Surface
From a security stand-point, the greatest attack surface is always going to be the most likely target to produce a favorable outcome. In military terms, it's easier to hit a larger attack surface than a smaller one; EG: putting a 50-cal projectile through the top of a beer bottle is far more difficult than tossing a grenade into a fox hole.

We all have to justify our time output for likely success; if you never hit a target, the game becomes less productive towards the goal. This probability calculator must also apply to those that make viruses. Windows OS is the biggest target. Should Linux ever get to that place it may represent the greatest likelihood of attack success.

But, there is another important factor as well...

Corporate vs. Open Source Development
Developers know what to do and what not to do. Corporations need to release on a date though; software ready or not. A release date is not chosen for the greatest good of the software/product but by quarterly need to keep the executives off middle management backs; everything rolls down hill.

Open Source developers build with purpose and don't release until that purpose is met. They understand the importance of commenting their code, for example, so they don't forget the purpose of a code block and accidentally remove it at a later date during a rewrite. These comments serve as long-term memory and ultimately a set of requirements for the next go-round of development. You would be surprised how many large corporate development initiatives forgo this simple but important concept in the interest of time.

Then there are the 4 points you've noted. Only the most competent can achieve this kind of ninja-like movement. The corporate types could do this as well if they weren't trying to meet other deadlines.

It should be noted too that MS has less than a thousand developers and testers in their offices while open source projects will allow test results and bug reports from anyone in the world. Who has the bigger staff?

The last point is Software Regression
When an open source project puts in a fix it's in forever. Not till the next release or a new version - forever. A test case is added to cover the fix for the exploit and test automation is run on every subsequent build. Simple concept rarely happens in the corporation. In open source projects, if you see an exploit you're only likely to see it once and never again.

Security vs. Usability
The security design is the most important thing though. When a virus comes to the desktop the differences between Windows and Linux is clear:
1) Both accept email and store contents in a temporary location while you're reading a message. Linux stores them in /tmp and Windows, in a folder deep in the users applications directory.
2) During this temporary storage (pending user forward/reply/deleting the message) the difference is:
*Linux stores message and payload without the ability to execute.
*Windows stores message and payload with the ability to execute.
*This assertion is testable, test it.

Security vs. Usability is usually the argument I get at this point - not an issue. My Linux email works without the security gap just as Windows does with it.

This one security measure is (more likely was) the single greatest problem contributing to virus execution. Seems like a simple fix. Apparently, since Microsoft hasn't fixed it in 20 years, it's more complicated than that.

Either way, the easiest way to get a virus is to open Outlook and start forwarding joke emails. You'll find out just how funny they are soon enough.

Moving Forward
A heavier reliance on web-mail would fix most of these problems; then employ one server-side solution to scan emails for everyone before viruses make it to the desktop. I use a combination of postfix/greylisting (though it's more complicated that that) to filter messages before they ever hit MS Exchange.

Then you're (mostly) only left with web-based attacks, malicious scripting embedded in web sites; it's the one thing facebook and porno sites have in common.

After that, it's going to boil-down to a little training and common sense.

Good article, Jack

"With the rise of the Linux desktop..."

What rise? Anybody got numbers showing desktop installation beyond the same 5% of the market it has been stuck at for the last decade? Did I miss another 'Year of The Penguin' manifesto?

The increase in Linux viruses is doubtful because the increase in Linux desktops is doubtful.

I don't mind a differing opinion, but tell me who you are and what you disagreed with.

Obviously you have not been reading other articles regarding more people moving to Ubuntu from Windows. As the Linux desktop becomes easier to utilize you will have more people using it. Unfortunately for Microsoft more people are bashing Windows 8 and the Metro interface, many suggesting to stay with Windows 7 or move to a Linux based OS. And you might want to check your figures, 5% is rather low, or are you only looking at the users in the US?

NetMarketShare statistics show a slight DECREASE in desktop Linux
visitors to their sites over the past couple of months! That 5% is also
rather too high...probably a tad over 1%.
Here's an excerpt from a recent ZDNet post by Jack Schofield...
"Since October 2011, Windows' total market share has declined by .09 percentage points from 91.86 percent to 91.77 percent, while Mac OS X has grown by 0.19 percentage points from 6.94 percent to 7.13 percent. In a three-horse race, Linux has declined slightly from 1.19 percent to 1.10 percent. This may represent some open source supporters buying proprietary Macs, as described by Gnome co-founder Miguael de Icaza in a recent blog post, What Killed the Linux Desktop."
And here's the link to the post...
http://www.zdnet.com/windows-7-overtakes-xp-mac-os-x-steams-ahead-of-vista-7000003591/

And, if you don't like ZDNet, how about a link to another article at PingDom...
http://royal.pingdom.com/2012/02/28/linux-is-the-worlds-fastest-growing-desktop-os-up-64-percent-in-9-months/

http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

although I can understand questioning Wikipedia's accuracy. There's this one, too:

http://marketshare.hitslink.com/operating-system-market-share.aspx?qprid=8

I confess I didn't check before posting the 5% number. I assumed it would have at least held ground since I last checked. That figure is obviously out of date, unfortunately. Maybe it will see a bump after W8 is released; maybe.

I'd like to see Linux get a greater share of the desktop, but many of us have been hearing those trumpets blown for years. Besides, Linux is a success in every other platform and application; it doesn't need the desktop. Anyway, haven't we been hearing the desktop is dying for almost as long?

collect, as they say:
quote
We collect data from the browsers of site visitors to our exclusive on-demand network of HitsLink Analytics and SharePost clients.
end quote
I know lots of people who have security settings on their systems and browsers that kill the ability of web sites to collect this data, heck the settings are recommended by a lot of law enforcement organisations as part of Internet security. Also, I'm sure there are large numbers of people who do NOT visit any of the sites they use to collect data. All of which lowers the validity of the data collected.

As best as I can tell from the archives for the last few years they show very little growth in Linux desktops, yet we know a number of large government agencies in Europe have switched from Windows to Linux and have seen a significant growth in the use of Ubuntu Linux and its derivation in recent years as well - yet no change in the overall percentage by these people.

If the majority of their data collection is from USA based retail sites then I would expect to see results that reflect the US IT market sales trends. I would also expect them to be like those stats on Linux desktop usage based on retail sales of systems preloaded with Linux, a process that represents a one digit fraction of actual new Linux systems that bears no relationship to the numbers of Linux downloads.

It's highly possible these stats are representative of the major US sites, but I doubt they are really that representative of the world wide stats.

The problem I have with Schofield's analysis is he is using percentages. In one way it is not as meaningful as showing absolute numbers. For example, if there are a 1000 Windows users out there and 100 more people buy a new (or first) PC then the percent just for Windows is 10%. Now if you have 100 Apple users and 15 people buy a new Apple PC, it is also a 15% increase, but overall 15 out of 1100 is a bit more than 1%. Now if you have 10 Linux users and 5 people hop on the Linux bandwagon, you have a 50% increase, but less the 0.5% overall.

One thing that will hinder Linux catching on with the general public is Ubuntu's switch to Unity. To many in the Linux community, it is as bad as Microsoft switching to Metro (or whatever). The Gnome 2 desktop had sufficient familiarity to XP and earlier Windows versions - even Windows 7 (which has generated a lot of complaints from XP users). Other distros, such as Mint and other Ubuntu/Debian based distros, have different desktops and they are also affected by the move to Unity and Gnome 3. I have used the KDE desktop and, while it is OK, it is not Gnome 2. Now you have to install MATE or something similar to get the look and feel of Gnome 2. ZorinOS and SolusOS are trying to pick up the slack, but it will take a while before they gain popularity within the Linux community.

Remember, when you are posting on this type of web sites, you are not the average (or typical) home user, whose knowledge of PCs is extremely limited. They know how to log on, do e-mail, surf the web and maybe one or two other basic functions. One reason why tablets are so popular - a lot more portable, similar to their I-Phone (or clone) and do the basic functions. Typically, the e-mails sent are short, one liners (send from my I-phone) and/or pictures of the kiddies taken. Probably why Microsoft "seems to be abandoning" the desktop - they figure the business world has technical personnel (or access to a tech person) who can lead them to the desktop they have come to know (and, some, even love).

They just switched to Mint and other alternatives.

it was, is and always will be a duplication of MACOS ui, not windows.
KDE is windows look.
both are GARBAGE, way to bloated to be usable.

Those sites are completely unreliable for unbiased numbers for operating systems. NetMarketShare, for example, has had Linux numbers that vary relatively wildly up and down recently.

Wikimedia stats numbers are much more unbiased and believable. The only issue with them is that Linux growth on the desktop appears relatively flat percentagewise because of the growth of mobile over recent years. If you consider only the percentage of non-mobile Linux use compared to total non-mobile figures you will see that Linux desktop use has grown pretty steadily since the numbers started in 2009, with over a 30 percent increase during that time period. Whether this will continue or not I couldn't tell you, but it appears that Linux desktop use has been rising.

"...since the numbers started in 2009, with over a 30 percent increase during that time period."

Source, please.

A 30% growth from even a 5% starting point is less than 7%. Depending on the method of measuring, that might be within the margin of error.

and centre, I wonder just WHERE these people are getting their stats from. They claim Linux desktops are static or decreasing, but it's during a period when European agencies are switching to Linux and Unix by the bucket load. I also know of groups of people in third world countries putting Linux on used equipment due to not being able to afford legal copies of Windows and the pressure to clean up pirate copies has had an effect in their area.

I strongly suspect the stats are based mainly on US usage and possibly on units sold with Linux preloaded, which means they aren't truly representative of the world usage.

A few fanatics and one or two clusters.

Oh and don't start with the fanboy crap. I work and play on both.

I don't believe the windows stats either.

And there are thousands of exploits for Linux servers. Just because the vulnerability has been patched doesn't mean there aren't countless exploitable servers still in the wild. If you stay on top of things and are constantly installing updates then you can stay reasonably secure but there is still the possibility of getting hit with a 0-day, the same as on any other platform.

Obviously no system is completely immune. Linux was, is and will probably keep being order(s) of magnitude more secure than Windows, especially because of the availability of white box peer review.

Nonetheless, and even taking into account the patching system you describe, when (if) the userbase increases well enough, there will be eventually a sufficient number of careless users who will disable automatic updates AND ignore every advise about updating unsecure packages (maybe carrying over a history of doing that in the windows world).

When (if) that number is significant enough, linux viruses may get to a point of being viable and they may appear.

What I think is that, for a security relatively conscious user, linux will remain orders of magnitude more secure than windows and easier to mantain clean.

But this statement is simply not true
>any user of Linux would know if an email attachment asked for an administrative-level password, shenanigans were afoot.

Every IT support professional knows that you cannot underestimate the stupidity of the end-user. If the email was phrased correctly then some would.

Mr Wallen is saying we'd treat just being asked as suspicious,whereas unfortunatley many windows users either wouldn't get prompted becasue they turned UAC off, or would curse it and click okay.

Social attacks, aside from not allowing the user any privileges on their machine, only education can alleviate.

I can't tell you how many times I've stood beside a user and watch him click 'Yes' or 'OK', then have them be unable to tell me what he just clicked. I've seen them get two different errors but refer to them as the same one. They just don't look.

It makes sense, this new trend towards silent crashing instead of error messages that phones are setting.