> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:owner-scots-l@;argyll.wisemagic.com]On Behalf Of John Chambers
> Sent: 18 October 2002 15:35
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [scots-l] I've got the virus too - perhaps I can help.
>
>
> Ted wrote:
> | > Janice Chan wrote:
> | > Most viruses are inert on Linux & Solaris as well. Ah the joys of
> | > existing in an environment free from the influence of Bill Gates & his
> | > evil geniuses :-)
> |
> | Most (but not all) viruses are inert on Unix-type systems simply because
> | they were written to attack Windows. This is not due to any inherent
> | security defects in Windows, but is simply because Windows is the most
> | popular OS. If Unix was as popular as Windows, there would be just as many
> | Unix viruses about.
>
> This is flatly false. Viruses were prototyped on unix before 1980,
> the problem was studied, and the fixes still work. The few viruses
> that appear for unix-type systems are usually very limited in the
> sort of damage they can do. They are usually found and fixed fast.

Isn't that exactly what I said? There are fewer Unix viruses about.

> The most common Windows viruses now are those that are embedded in
> email. This is possible solely because of something very wrong that
> Outlook does: If an attachment is an executable program, Outlook
> interprets clicking on it as a command to execute it. This is not a
> design flaw; it was intentionally built into Outlook. And when the
> problems became obvious, Microsoft handled them with PR rather than
> software fixes.
>
> The basic fix for this is simple: You never, ever permit automatic
> execution of code that was received from another machine. Anything
> that does this is a wide-open security hole.

But by your own admission, Outlook doesn't permit automatic execution of attachments, you have to click on them. If you don't want to execute, don't click. Also, Outlook isn't Windows - it's an application which runs under Windows. Anyone who doesn't like it can use another email client.

> Similar stories exist with other software. There was a funny report
> last week that argued that linux had more security problems than
> Windows. The numbers were counts of problem reports on public
> security sites. The explanation, of course, is that when problems are
> found on unix systems, they are publicised.

This looks like a "PR solution" to me. Given the relatively small number of Linux users, I would have thought that this report was worthy of serious consideration.

> Vendors are typically
> given only a few weeks to fix the problem, and then descriptions are
> posted. If the problems aren't fixed fast, first details and then
> exploits are published. This gets the attention of vendors.
>
> On linux and the BSD clones, the source code is public, so even if
> the vendors can't or won't fix a problem, there are plenty of users
> who can and will. Being the first to come up with a fix gets one a
> certain amount of honor, so people compete to fix problems.

There's a certain illogicality here.
You've already said "Since then, the unix user community has had a lot of people who are on the lookout for this sort of problem. When spotted, the problem is publicised, the vendor is told to fix it. Now. It gets fixed." If that's the case, why should users need to fix a problem?

> Microsoft has a history of sitting on security problems for months or
> years, and threatening the people with prosecution if they publicise
> problems. Microsoft's licenses often explicitly forbid telling others
> about problems you may find. Here in the US, the DMCA is a good tool
> for this. This law makes it illegal to publicise security holes in a
> company's software products, under the guise of copyright protection.

So Microsoft's licences tell people they should obey the law! That's a problem? Or would you rather have a system where everyone chooses for themselves what laws they will obey?

> So Microsoft's software is inherently much, much worse than unix
> software from a security viewpoint. But it's the user communities
> that make the difference. Unix users are mostly intolerant of
> security problems, insist on publicity, and want fixes now. Microsoft
> users accept PR "solutions" and suppression of problem reports, and
> continue to use software after problems have been made public. So the
> problems will continue.

As far as I can see, the principal characteristic of the "Unix user community" is to criticise Microsoft and Windows at every opportunity. Windows users don't seem to be nearly as prone to bashing the competition, perhaps because they're getting on with productive work using the world's best-selling software, rather than writing their own fixes for OS bugs :<)

Regards,

Ted

Posted to Scots-L - The Traditional Scottish Music & Culture List - To subscribe/unsubscribe, point your browser to: http://www.tullochgorm.com/lists.html