Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Member says ZDNet ‘Fails to Understand’ Linux

Locked

TECHREPUBLIC BLOG ROUNDUP NEWSLETTER for October 5, 2005

MEMBER SAYS ZDNET ‘FAILS TO UNDERSTAND’ LINUX

In a blog entry titled, “Failing to understand how it works,” APOTHEON
has taken on ZDNet’s DANA BLANKENHORN who wrote, “I strongly believe
that Linux users badly need the kind of automated anti-viral patch
management service that Windows users now take for granted.”
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=173898&messageID=1855793&id=3923716

Apotheon begins his argument with, “Clearly, he hasn’t been paying
attention. I’ll break it down a bit for you.” He goes on to explain that
Blankenhorn has failed to understand how Linux provides automated patch
management, and is less vulnerable to attack than Windows. He also said that he
suspects Blankenhorn is “using Windows more than Linux.”

Who’s right? Read Blankenhorn’s entry, “Automating Linux security
should be a higher priority,” and Apotheon’s blog post. Then, post your
opinions about who’s got it right in this discussion.

* “Automating Linux security should be a higher priority”
http://blogs.zdnet.com/open-source/?p=455

* Apotheon’s post
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=173898&messageID=1855793&id=3923716

Miss an issue? You can view the Blog Roundup archive here.
http://techrepublic.com.com/5260-1-0.html?query=blog%20roundup%20newsletter

Did someone forward this newsletter to you? Use this link to
automatically subscribe to the Blog Roundup Newsletter and have it
delivered directly to your Inbox every Wednesday.
http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e131

————————————————-

THIS WEEK’S BLOG ROUNDUP HIGHLIGHTS

We’ve got something new for you, and TR staffer PETER SPANDE would like
to make the introductions. Check out his blog to get the scoop on the
new layout and features for our news site, Technology.updates.com.
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=174663&messageID=1857843&id=1583166

AKSELSOFT is working the podcast scene. His real name is Andrew MacNeil
and he hosts The Fox Show, an interview show about FoxPro, database
design, software development and business. Find out more about The Fox
Show and how you can be a part of it in “So what would be your one
question?”
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=179675&messageID=1854943&id=4203374

The cool points are out the window and HUTCHTECH is caught up in the
game. Find out why he says you can’t love your technology too much,
lest your pants be stolen.
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=176583&messageID=1854193&id=2899447

TechRepublic’s MARK KAELIN is “contemplating the possibilities of a
media PC.” Can anyone offer him some advice?
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=173910&messageID=1855899&id=3268665

It took him a while longer than some, but now THE TECH JUGGLER is in
love with Google Earth.
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=180502&messageID=1858204&id=4212131

You may need to send REXTECH a supportive message as he says “Farewell,
MiniDisc?”
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=173892&messageID=1857499&id=3690253

————————————————-

JUST FOR FUN

Are you fully versed in proper radio etiquette? CCERINO certainly is,
and he’s taking someone to task about the phrase, “Over and out.”
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=179946&messageID=1854947&id=653504

As you cross the Williamburg Bridge from Brooklyn into Manhattan, what
Jewish phrase do you see? Find out in BARRY.CAMPBELL’s latest post,
“Only in New York.”
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=180423&messageID=1854948&id=4212675

Need a movie review of Serenity? Check out what THE TRIVIA GEEK thought
of the film based on the series Firefly.
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=173893&messageID=1857452&id=1383826

————————————————-

WHO’S RIGHT ABOUT LINUX? APOTHEON VS. BLANKENHORN

Do you believe, as Blankenhorn said, that Linux users need an automated
anti-viral patch management service like Windows,” or are you more on
the side of Apotheon’s theory? Read their blog entries and weigh in
with your opinion in this discussion.

If you’ve got suggestions or comments about the Blog Roundup, send me
an e-mail. If you’re recommending a blog for the next newsletter,
please include a link to the member’s blog and a sentence or two about
why you found it helpful.
mailto:beth.blakely@techrepublic.com (Please use “Blog roundup” as the subject.)

Topic

SuSE Linux has automatic software update

In reply to Member says ZDNet ‘Fails to Understand’ Linux

I use SuSE Linux. This distribution has an application that will monitor the availability of software patches and it will automatically install them if you want that to happen. Novell puts in a good effort to create patches for software soon after problems are found. I don’t use the automatic update software that comes with SuSE Linux. Instead, I manually check for patches twice a week but that’s just my preference.

I believe that some other distributions either have an automatic software update application or they have a manual software update package that can be run automatically by a cron job.

Lastly some distributions stay away from the newest applications and kernels. The software that they include are mature and rarely have vulnerabilities found in them. Patches are still created when required but the requirements are far less frequent in these mature and stable distributions than they are in the leading edge distributions.

It appears that either Mr. Blanhenhorn hasn’t said what he means or that he is ignorant of Linux.

who is right?

In reply to Member says ZDNet ‘Fails to Understand’ Linux

Apotheon is.
why automate updating a listing of virus definitions when we can, using cron or at automate patching the exploitable bug out of existance, and not have a virus listing needed.

CRON job automatic but not default

In reply to Member says ZDNet ‘Fails to Understand’ Linux

a & j, a cron job is fine but it must be set up. The Automatic Update in Windows XP is turned on by default during installation. The average end user transitioning from XP is going to assume a similar configuration, won’t know he has to set up a scheduled batch job, and won’t know how to do it.

This is the only point in apotheon’s rebuttal that I have issues with.

Yes. Different distros vary widely.

In reply to CRON job automatic but not default

I just spent last night installing Debian Linux for the first time. That was after a Slackware installation failed. In both cases you had better know Unix or Linux if you want to use these distros. They are definitely NOT for non-techies. Using either of these distros is very like purchasing a kit car. You get the parts but you have to know how they go together. I expected that with the Slackware but I had no idea that Debian was also so primitive. I eventually got a nice GUI environment going but it was a lot of work. Setting up a cron job to perform automatic software updates is something that a newbie would probably not think of doing. The nice thing is that the Debian does have a tool that you can use via cron.

Bottom line: newbies need a distro that incorporates a highly developed environment that includes automatic software update capabilities. Novell SuSE has the resources to do this. Most other distros don’t have the resources or their engineering philosphy doesn’t include that kind of thinking. Nothing wrong with that; it’s just that they’re not for newbies.

I would say

In reply to Yes. Different distros vary widely.

that their thinking doesn’t include the concept of doing for the user what the user should do, rather than no capabilities to do it.

since basic cron and rpm / apt* can do the updates and are included. ( slak, and lfs excepting as they are not “package” systems. )

the distros definately not for newbies are slak, and the from scratch distros. building from sources requires a basic knowledge of linux that a newbie ain’t gonna have.

*majority of distros will have one of the two big package management systems as distro default.

Why should the user have to do it?

In reply to I would say

“…their thinking doesn’t include the concept of doing for the user what the user should do…”

If it -should- be done, why not set it up at the time of installation and bypass the user entirely? At least include a prompt to set it up.

I agree with you Palmetto

In reply to Why should the user have to do it?

I think that all that a user should do is use the computer. The user friendly Linux distros that add a lot of automatic functionality are the way of the future. I don’t believe in Unix purism. Plain ‘meat and potatos’ Unix isn’t that great. Unix and Linux need to have applets added to the system to reduce the need for system administration and make running the system easier for nontechnical people.

Remember how MS got into trouble in the first place

In reply to Why should the user have to do it?

Remember how MS got into trouble in the first place. Turn everything on by default, and do for the users so they don’t have to know anything.

This over automation is WHY windows is constantly getting over run with viruses and why we NEED AV software to protect the system instead of holding MS accountable for fixing the system as a very wise man has already pointed out. 😀

The less you expect out of someone, the less you will get. That is why you get so little from todays users.

I really can’t agree with this approach

In reply to Remember how MS got into trouble in the first place

By this theory, we should still start our cars with a crank in the front and use only manual transmissions. Just because MS didn’t properly implement some features doesn’t mean someone else can’t do it right.

Yes, MS deserves some of the blame for marketing an unsecure system. A larger share of the blame should be placed on the @$$h0l3s who write viruses. THEY are the reason we need AV software. Blaming MS is like blaming GM for a car with no airbags. Your injuries aren’t GM’s fault, or your own for purchasing the car. Responsibility lies with the driver who hit you.

This theory says GM will install the safety features, but the buyer has to learn how to hook them up.

You don’t seem to be listening

In reply to Remember how MS got into trouble in the first place

A common problem in comunication, people don’t step away from what they already know to try to understand something new.

When there is a “feature” in windows that is regularly exploited by viruses, why isn’t this “feature” fixed so a virus can’t use that ever again?

If there is a DEFECT in a car that causes crashes, THEY do what is called a “recall” and FIX the problem. IF they DON’T do this, they end up in court and get sued for selling a flawed system that they could have fixed. Why can’t we sue MS for selling a flawed system that THEY could have fixed?

Your looking too narrow at this strictly from a “windows is doing it right” point of view instead of looking at the big picture.

Anther thing about patches and updates. As a RULE, I never go with them as soon as available, just like I never buy the point 0 version of software. The point one version will have let other people test and find the bugs.

Have you ever heard of a MS patch crashing a server? The only solution is to boot to safemode, uninstall and reboot. How about patches that break applications?

Can we get back to my original point?

In reply to You don’t seem to be listening

I’ve never felt Windows was right. Dominant, but not right. You can try to sue, but the courts usually rule that you agreed to the EULA when you opened the envelope.

If there is a defect with a car, there are procedures in place to notify the owner and have the problem fixed. Detroit doesn’t expect the car owners to fix the problem themselves. Please excuse the caps; I’m not shouting, just adding emphasis. MY ONLY QUIBBLE WITH APOTHEON’S ORIGINAL BLOG ENTRY WAS WITH THESE STATEMENTS:

“You want automated patch management? Set up a cron job to grab software updates using your distribution’s standard package management system on a regular schedule. With the GUI tools available in Linux these days, that can even be a point and click operation.”

My opinion is the user should not have to set up a batch job to pull updates. That batch job should be created at the time of OS installation. If the user has to set it up manually, it isn’t “automated”.

I’m not debating the advisibility of automatically pulling down updates, just the method of scheduling them. If you’re going to use a batch job, as appy recommends, then whether you create it manually or it is created during OS install, it’s going to pull down patches as they are available. I have no argument with the batch file displaying the recommended patches and giving you the option to install some, all, or none. But the reliability of the patches isn’t a part of “batch job at install vs. creating a batch job” debate. Okay, I’ll factor it in strictly for conversational purposes.

First, I agree with you about not immediately installing insufficiently tested MS patches. But we’re talking about an automatic patch system for Linux, not MS products. Every open source advocate I’ve read at TR preachs the superiority of the approach. The programs are better because there are more people looking at the code and eliminating the problems quicker than with closed proprietary applications. Surely the same people are checking the patches, so the patches must be superior to the proprietary ones, right?

Second, the ZD original article and apotheon’s response refer to Linux for home end users, not IT professionals. If we counsel home users to install patches manually instead of automatically, we put several burdens on them: remember to keep checking for new patches, research whether the patch causes problems with their apps, and finally decide if they should install it. They aren’t going to do that any more than they would go to Ford’s web site every day and look for recall notices, see if it applies to their make / model / VIN, and then fix it themselves. The manufacturer notifies you when your car has a problem and provides an easy method to fix it. An OS should do the same.

You have a point.

In reply to You don’t seem to be listening

I’ve actually long wondered why there wasn’t a one-click configuration option for setting up automatic updates on more Linux distributions’ default installs. I don’t think it’s a good idea to have it turned on by default, but there’s no reason to avoid having a one-click operation to set it up on systems that tend toward the kitchen-sink approach (think Fedora, Mandriva, et cetera). Of course, [b]some[/b] of those distros do that, and more of them are doing that every year, but not as many as I’d expect.

A distribution like Debian or, even moreso, Slackware, should never include something like that. It’s extra cruft. SuSE, on the other hand, should (and does).

If you want fully graphical, fully automated patch management, get SuSE. If you want a system that does exactly what you want, and only what you want, get Debian.

Lycoris, Linspire, and Xandros almost certainly do much the same as well (though I haven’t tried any of them personally), and automated patch management is sorta the point of RHEL. If that’s what you want, those are the distros you should be looking at: SuSE, Lycoris, Linspire, Xandros, RHEL, and anything like them.

In short, you have a point, but it’s a moot one, since that issue actually is already addressed. Just don’t go for a distro whose claim to fame involves such characteristics as “bare metal” installs if you want everything done for you.

Palmetto, to get emphasis

In reply to You don’t seem to be listening

if you know html coding, follow that for doing [b]bold[/b], [i]italics[/i], and [u]underline[/u].

Just use the [ and the ] instead of the normal html brackets. a set to turn on and a set with / to turn off. text (replacing the brackets, so you will see the code instead for the results.)

Funny note about automatic updates for uneducated home windows users.

Recently I had to wipe and reload a system for a friend of my moms, because she got a nasty virus.

When I asked if she ever applied the “Windows updates”, she said that no she hadn’t. She liked this version of Windows and didn’t want to update to a newer version. (oh, it was hard to keep a straight face and I ended up having to turn away for a minute! :^O )

Even a home users should receive SOME education about how to maintain their computer. When they buy a car they are told if they don’t put gas in and have someone change the oil it will die. They can even handle having someone change the tires and brakes. Why can’t they learn the very basics of antivirus, firewall and updates?

Why, indeed?

In reply to Why should the user have to do it?

Why should the user have to buy or otherwise acquire, and install, an AV package? Shouldn’t that be included and turned on by default?

Why should the user have to install a separate word processor? Shouldn’t that be included by default?

Why should the user have to get new computer games as they come out? Shouldn’t you have a game installed by default?

Hmm. Wait a minute. Let me think about this.

What if a user wants to do it differently from the “standard” way of doing it?

Some distros and sub-distros include automated, default cron jobs for things like software updates. Some don’t.

What happens if you don’t have a broadband Internet connection? Do you really want something erroring out every day at four in the morning, filling up error logs? Maybe you should just have it turned off.

What if you want to check your updates to make sure they’re what you want rather than having them run on their own? Maybe you should just run it yourself, rather than letting the machine do it every day (and possibly install an update you don’t want).

Maybe the problem is that Linux doesn’t assume everyone’s a cookie-cutter perfect clone of the next guy over. Personally, I don’t see that as a problem at all.

which

In reply to Why, indeed?

is my point.

if you grab every update, you get updates for software that is not installed.
why is this a good thing?
lets grab the updates, and crash the webserver.
( seen this with mandrake 8 and 9, update to mod perl crashes apache )

oh, lets update everything by default, so that the 10 gig hard drive is absolutely full in 2 weeks.
( all that extra stuff you didn’t install on purpose getting installed via updates. )

long live the meentality of the user should choose what to run and when.

Huh?

In reply to which

It’s a pretty poor update program that get’s updates for programs that aren’t installed. Geez, even Windows doesn’t do that. It’ll patch those things that were installed by default that you didn’t originally want, but it won’t try to patch anything that isn’t there. Any program that does that needs to be rewritten regardless of whether it the batch file was scheduled at install or added manually later.

The original ZD article was about home users, something everyone seems to have a hard time remembering. I don’t know about north of the border, but there are few U.S. home users who run web servers. Most ISPs prohibit it for home accounts. Maybe you guys have more time for it since you get snowed in more often.

Few home users are running 10Gb drives any more. But why can’t the patch clean up it’s install files after itself? I thought one of the advantages of Linux was it required fewer patches than Windows; what’s filling up all the drive space? Even Windows patches don’t take up that much; certainly not as much as the unpatched OS.

But, one more time, my only disagreement was with apotheon’s original statements. “Linux is as automated as you want it to be. You want automated patch management? Set up a cron job to grab software updates using your distribution’s standard package management system on a regular schedule. With the GUI tools available in Linux these days, that can even be a point and click operation. That’s not too tough, is it?” No, it’s not too tough, but the average home user is used to Windows’ “on by default” update system. I’m agreeing with the ZD article on only one point, that Linux will be adopted more quickly by home users if there is a similar system. apotheon says in his post that some distros include this feature. Great! That’s all I’m advocating. I’m not trying to deprive anyone of any options. I’m saying that updates are so important the option to do them automatically should be presented to the home user and require an “Yes / No” response, not left for them to initiate the process themselves.

ugh

In reply to which

Let’s not use Mandrake as an example. It’s the Windows of Linux, complete with less stability, less documentation, less transparency of operation, and so on, than almost all other Linux distros available.

re: unwanted updates
I’ve never seen an update for a program that wasn’t installed. I’ve seen a new version of something have more dependencies, thus causing more packages to be installed when the program is updated to the new version, though. As for Windows, I have indeed seen it install updates for software that wasn’t currently installed, and install software that was previously removed. Palmetto made this point accidentally, in fact: Windows won’t provide updates for software that never gets installed (because it can’t: it can only update the stuff that comes with Windows), but it certainly will occasionally download patches and updates for Windows-bundled software that had previously been removed (such as MSN Messenger, Windows Media Player, and so on).

re: web servers
You might be surprised by how many people are running web servers at home, even on Windows. See, Windows includes a rudimentary web server, and starts it automatically, by default, whenever you turn on your computer. In fact, it’s embedded in the OS and can’t be turned off. Nobody uses it to serve websites, but it’s there. It’s the back end to all those applications that use the IE rendering engine for the interface.

re: drive space
I think Jaqui was talking about Windows drives getting filled up by patches. Hotfixes and service packs take up more space than you probably realize.

“[i]the average home user is used to Windows’ ‘on by default’ update system[/i]”
You can’t have your cake and eat it, too. Do you want it done right, or do you want it done for you by Microsoft? I’m aware that home users are used to everything being done for them, the Microsoft way, but if they want to improve on that they’ll have to get used to something else. That doesn’t mean they can’t have automated patch management, but it might require them to make one or two extra mouse clicks when they first install their OS. Oh, the horror.

apotheon, right is better than MS

In reply to which

I’d rather it be done right than the way MS does it. Home users are used to having some form of automatic update. That doesn’t mean there isn’t room to do it better. But for -inexperienced home users-, the way MS does it is better than nothing at all.

Home user NOT used to auto updates

In reply to which

Most don’t even know what an update is.

With windows ME was the start of update by default, and it went from there. I still see a lot of windows 98 systems out there and it does NOT update automatically. The BEST it can do for you is notify you when there are critical updates.

XPsp2 took this a big step further “for your own good” approach. But if it accidentally is turned on by default, the vast majority of the users are NOT used to it or even aware of it.

You are giving grandma running AOL WAY too much credit, and are actually talking about more advanced users that don’t want to be bothered to have to do this.

THAT is the flaw in your argument.

And has been stated here, there are options to easily have this going automatically just by choosing RH,suse, or the window imitation flavors.

The truth is out there. 🙂

I admit myself of not knowing that until this post as I have been “distracted” the last year, and only run linux servers. I have the systems WAITING and begging to be loaded as linux desktops and now that the distraction is ending I can finally get around to doing it. I will have four systems, each running a different flavor. My goal it to have this next to my Win2k system and get where I can do anything I do in it, on the linuxes. [b](linuxi? linuxs? linuxus? What is plural of more than one linux?)

end users and plurality

In reply to which

1. Unfortunately, ignorant end users who, apparently, “need” to be coddled by default automatic updates are [b]kept[/b] ignorant by the application of such tactics. I’m of the opinion that, at the very least, one should have to click on something with a very clear label to activate automatic updates, complete with an explanation in the activation process short enough to not drive them away of what is being accomplished. If you don’t “force” a little opportunity for education on them, they’ll never learn, and they’ll continue to be ignorant enough that no matter how much automated security you give them they’ll continue to sabotage their own security.

2. The plural of “Linux” is “Linuxen”. Similarly, the plural of “box” when referring to a tower system is “boxen”. On the other hand, the plural of “unix” is “unices”. At least, that’s how these things tend to be pluralized in the hacker communities in which I hang out.

Somebody say “Amen!” – jdc, jaqui, appy.

In reply to which

“I’m of the opinion that, at the very least, one should have to click on something with a very clear label to activate automatic updates, complete with an explanation in the activation process short enough to not drive them away of what is being accomplished.” – apotheon

I’m sorry, I thought I’d been saying. Apparently I once again haven’t been expressing myself clearly. My -only- quibble with the original blog entry was that this very clearly labeled activation should appear automatically, not by requiring a home user to manually set up a batch job. I don’t want the update process to run automatically, I want an automatic prompt to start or decline this batch job. I’m not trying to include this in all distros, just those that are aimed at the beginner or home market. As someone pointed out, some distros already include this.

JDC, nobody could have more contempt for the home user than I have. I’m just not expressing very well.

apotheon, I hear you, but I’m always going to want to run AV software, wear my seatbelt, and cook my turkey until the stuffing is 185 degrees. Mark it up as unnecessary system overhead, but I’m going to want it anyway.

Thanks guys.

lack of clarity

In reply to which

Sometimes, I think I’m not clear enough in expressing my thoughts on matters related to information technology. I think I have a tendency to assume certain bases of knowledge at times, and leave some stuff unsaid that should perhaps be said.

When I said something about setting up a cron job, I wasn’t talking about the user necessarily having to edit crontab files by hand. While that’s the way I do it, it’s not necessarily the way everyone else has to. Ultimately, a cron job is the most likely and most common underlying mechanism for ensuring scheduled automatic updating of software through any Linux distro’s package management system. Different distros might come with different “user friendly” front ends for that, which address the problems you seem to have with my mention of cron jobs, but ultimately those front ends usually just set up a cron job — or its functional equivalent, in rare cases where some idiot thought it would be a good idea to reinvent the wheel unnecessarily.

I’m all for wearing seatbelts, but you’re basically talking about wearing a seatbelt when using a Star Trek transporter to “beam down” to the planetary surface. It’s simply not needed: they’ve solved the problem of possible injury due to traumatic deceleration.

I wear my seatbelt whenever I drive. If I had a transporter, though, I wouldn’t install a seatbelt in the thing.

Not TRYING to show contempt

In reply to which

Just state the facts. Many people that get a computer wouldn’t be able to plug it in if it wasn’t color coded, and there is nothing wrong with that.

Just the less you expect out of people, the less you will get. Todays user, the only thing that is expected is they have money and lots of it. We really should be able to expect a little more, but concidering I see the same thing with corporate users, what chance does grandma have?

I often wonder if this is intentionally done (the dumbing down of users) to create work in the support field, not to mention the security field.

A very basic writeup, similar to the quick-setup poster they get with even a printer these days, explaining that you NEED an AV/spyware/firewall for all windows systems as well as about the windows updates.

That would go a long way.

Internet providers should also incorporate router/firewalls into the cable/DSL “modems”. (but they don’t).

Why.

In reply to Why, indeed?

“Why should the user have to buy or otherwise acquire, and install, an AV package?” Good question, why should he? Unlike word processors or games, can we agree that an AV package is something everyone needs? I’m not saying it should be an uninstallable, or that it can’t be replaced by something better, just that it might not be a bad idea to have one available as an option -during OS install-.

Yes, I know you were being sarcastic. But there are tons of people who slam home users for not running AV software. Yes, they should take the responsibility of installing AV just like they should change the oil in their car. Guess what? They aren’t doing that either, and the car costs them a lot more. When their engine lets go on the public highway, they have to be physically close to someone else’s unmaintained car to damage it. If they get a virus on their computer, they can pass it on other unmaintained computers regardless of location. If they aren’t going to install AV after OS installation, what’s the problem with presenting it as an option during installation? If the user wants to do it some other way, fine, they should have that option. Brakes on your car are installed by default, but you can pay to have them upgraded or do it yourself. AV is a “safety feature” like brakes; word processors and games are accessories like a CD player or a spoiler. Would you rather they have the option to initially install it, or gripe about how they won’t do any preventative maintenance? (Not that I recall you personally every doing that; I’m using the universal “you”.)

“Some distros and sub-distros include automated, default cron jobs for things like software updates. Some don’t.” Great! I didn’t know that some distros were available that way. My point is the distros with default update jobs are probably the ones best suited for home users. This is especially true for those making the migration from Windows where they’ve come to expect automatic updates.

Write the script so it prompts the user the first time it runs. Ask what kind of connection they have, if any. Ask when they want it to run. Ask if they want to install by default or approve each patch. Hell, ask if they want the silly thing to go away and never come back. But don’t leave it up to the home end user to initiate security on a device he regards as an entertainment tool.

My point is we as IT professionals can’t expect home end users conditioned by MS to change their behavior. The original ZD article was about Linux needing an automated update system to increase -home- market penetration. I’m neither pro nor con on increasing the number of Linux home installations. I’m saying a default batch update job would ease the transition for home Windows users.

It’s warm and sunny here. How’s that snow treating you?

Reply To: Member says ZDNet ‘Fails to Understand’ Linux

In reply to Why.

“[i]can we agree that an AV package is something everyone needs?[/i]”
No, we can’t. We can agree that it’s something [b]every Windows user[/b] needs, as long as Microsoft refuses to fix its basic OS architecture, but not that it’s something [b]everyone[/b] needs. Keep in mind, as well, that if every Windows machine came with AV already installed, it would have Microsoft AV installed, and we’d soon have the same sort of worthless crap AV on 90% of home computers as we have worthless crap browser on the same computers. Ultimately, I’m reasonably certain that the same number of viruses would proliferate that way as the way things are done now, with many Windows users not even using AV. Besides, the moment you introduce that sort of conflict of interest for a big corporation like Microsoft, they’ll start doing everything in their power to “force” people to use their AV and prevent them from using others.

In practical terms, for most people, providing a default has the same effect as not allowing any alternatives.

“[i]Write the script so it prompts the user the first time it runs. Ask what kind of connection they have, if any. Ask when they want it to run. Ask if they want to install by default or approve each patch. Hell, ask if they want the silly thing to go away and never come back. But don’t leave it up to the home end user to initiate security on a device he regards as an entertainment tool.[/i]”
Really, that’s the realm of vendors, not development communities. That’s why the distros that do that sort of thing are the corporate distros, like SuSE, Linspire, RHEL, and so on.

“[i]My point is we as IT professionals can’t expect home end users conditioned by MS to change their behavior.[/i]”
My counterpoint is that we as IT professionals have to expect that if end users don’t change their behavior, none of the problems will go away. Creating a bunch of “user friendly” automated defaults won’t solve all our problems. At best, they’ll just create new problems while solving a few old problems for a limited subset of people, and at worst they’ll introduce new problems without really solving the old ones (though a lot of people will surely think they’re solved, until they get hit personally by the consequences of accepting a false sense of security). The ultimate end result is that nobody can do security for you. When they try, you end up with nothing but a false sense of security (a danger in itself) and a system so complex that it reduces security rather than increasing it. By focusing on not introducing security problems first and foremost, and giving users the power to see to their own security, OSes like Linux have succeeded in being far more secure than Windows could ever be with its philosophy of coddling end users with fairy tales and facades that add up to a pile of feces covered over with doilies and spritzed with perfume, in the final analysis.

The problem is that thinking you can do security in a centrally-managed, default system, such that the end user never has to think about it, just guarantees a failure of your security model. An end user can screw up any security system.

Snow? Me? It rained a little today. Yesterday it was bright and sunny.

Okay, we’re at another impasse

In reply to Why.

We’re back to basic philosophical differences again. I won’t run any OS without client resident antivirus protection, regardless of it’s reputation.

AV is available

In reply to Why.

for linux by many of the major vendors.

Just because it isn’t generally needed or used, doesn’t mean it isn’t available.

Again, the nice thing about linux is you CAN do it if you chose.

Just remember not to run your system as ROOT if your not doing maintance and your looking pretty good.

AV on Linux

In reply to Why.

Antivirus software is available for Linux systems. In fact, the most effective system scan software for Windows that I’ve ever seen (ClamWin) is a port of a Linux-based antivirus solution (ClamAV). The AV software for Linux, however, is designed to protect Windows systems with which Linux systems interact. See, because Windows viruses have no effect on Linux systems at all, and aren’t even recognized as viruses in general, an email sent through a Linux mail server will still get passed on to a Windows client if there isn’t some AV running on the Linux server. Thus, there’s software like ClamAV.

However: You seem to have missed my point about [b]why[/b] AV software is unneeded on Linux systems. It’s not unneeded because of a “reputation” that Linux has. Basing your security-based activity on the “reputation” of a platform as being secure is stupid in the extreme. You must base such decisions on the actual technical realities of the platform.

The reality is that Linux does not need antivirus software, not because nobody’s writing viruses for it — occasionally, people do, in fact, write unix/Linux viruses, in fact. More than half of them are “proof of concept” viruses written by companies like Symantec, but that’s only because fueling their advertising campaigns is the only real return on investment of effort for writing a Linux virus.

See, anyone writing a Linux virus runs up against three huge problems:

1. It probably won’t propagate. The software running on Linux systems is so heterogenous across the range of Linux systems running at any given time that it’s difficult to write a virus that will replicate in that environment when introduced to any number of systems, since most of them won’t have any clue what to do with the virus.

2. It probably won’t even run on supposedly vulnerable target systems. This is because of the strict privilege separation that exists in Linux systems. Oh, sure, it’s [b]capable[/b] of running, but the reason viruses work so well in Windows systems is because the end user never has to see that the things are there: the software on a Windows system very helpfully runs every piece of untrusted code that gets dumped on the computer, and generally runs it with access to administrative privileges, allowing something introduced through (for instance) a Word macro to affect email, remote procedure calls, and dishwashing functionality (or whatever). On Linux, you’d have the problem that your virus only has access to the user account that ran the thing, and even then only if the user is stupid enough to run it himself (since newly arrived code has a tendency to arrive non-executable and Linux software has that aggravating tendency to not run untrusted code, let alone running it without asking).

3. When a virus that work on open source software is invented, nobody needs AV software because viruses exploit software vulnerabilities, and open source software developers understand that: they address that root (pun intended) issue, and ignore the surface symptoms for the most part. If you cure the disease, the symptom goes away. On Windows, when you’re using Norton AV, you’re treating symptoms. You get a virus definition that targets a specific variant on a virus exploit of a specific flaw. On Linux, when you get security updates and patches to your software, you’re treating the underlying “disease” — a flaw in the software that allows that virus to run. You get vulnerability fixes directly to the software, without an AV suite middleman, and that vulnerability not only prevents that specific virus from running ever again, but also prevents any variants from running and exploiting the same vulnerability.

If you got stabbed in the belly, I’m sure you’d rather that you got the hole stitched up and were handed a chainmail shirt to protect you next time, rather than having a band-aid put over it and were simply given a new cotton shirt to hide the blood. Antivirus software is needed because software source code is closed and vendors don’t have any credible system in place for solving the underlying vulnerabilities that allow virus propagation. Linux [b]does[/b] have such a system in place, rendering AV software superfluous and pointless for protection of the local system.

I recommend you go back and read my blog post again, if you didn’t get that the first time through. I addressed this. AV software isn’t unneeded on Linux because Linux is just magically not the target of viruses: it’s unneeded because the software is fixed to prevent any previously possible virus activity from continuing to be possible. On Windows, a virus definition is issued, and the vulnerability remains, allowing a huge family of viruses exploiting the same vulnerability to grow up around it. A separate definition needs to be created for each one of them, when a single software patch could have extinguished that family of viruses entirely.

A virus in Linux does act the same as a virus in Windows

In reply to Why.

Ok, let me break this down (again). In Linux there is STRICT seperation of user space and kernel space. So that means:

A) You can’t create a system wide virus like you can in Windows
B) You can’t infect other users “indirectly”

So, you have a more secure system with less access to un-needed services by the user. Plus, if you really want to get securty going, you can limit the number of processes a user instancitates, you can disable the user stack, you can implement stateless Linux, and SELinux helps ensure tight security system wide.

Windows just can’t do that. You think of a virus in terms of Windows, but that isn’t how it works in Linux land.

jdc, appy, jmg: If not needed, why does AV exist?

In reply to Why.

Okay, I’m semi-convinced AV software isn’t necessary for Linux, although I confess I’m still going to want to run it anyway. But if it isn’t necessary, why did somebody (or several somebodies) go to the trouble to write it?

the reason for AV

In reply to Why.

I thought I already addressed this, actually, though I may not have been clear enough.

Antivirus software for Linux has basically been designed for use on mail servers, FTP servers, and the like. The purpose for which it is designed is to clean up and/or block files for distribution to Windows clients. Thus, you can run a unix-based mailserver that helps to clean up virus-infected email rather than simply passing on whatever unsafe stuff it gets that is addressed to its Windows clients.

another reason for linux av

In reply to Why.

because people will buy it.

People coming from a windows only environment will often be used to not even questioning the idea of not having AV loaded on every system because that is all they have ever known.

If something is NEEDED has never been a reason to provide it. If something is WANTED, then you have a market and thus a profit.

[Author]

Replies