[HN Gopher] "Computer security 80% solved if we deprecate techno...
___________________________________________________________________
"Computer security 80% solved if we deprecate technology shown in
this graphic"
Author : mariuz
Score : 265 points
Date : 2023-07-12 15:35 UTC (7 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| meitros wrote:
| I like those icons - wonder what he used to create that chart
| 1970-01-01 wrote:
| Nah. I'm going with a modified Yogi-ism:
|
| "Computer security 80% solved if we deprecate technology shown in
| this graphic. The other half is software."
| LinuxBender wrote:
| _Windows is the malware compatibility layer for everything_
|
| Windows NT and all versions of Windows after NT have more
| security controls than just about any other operating system as
| those controls came right out of VMS. They are mostly all
| disabled or weakened to lower friction and increase adoption. The
| controls are also weakened by default on Linux but it was late to
| the party and was not as happy-clicky as Windows thus more
| friction for less technical people at first. It isn't just
| security controls. Both Windows and Linux allow memory over-
| commit by default which can affect stability but improves
| adoption by developers. All of these things can be hardened at
| the risk of breaking applications _that were coded to the default
| behavior_ so to speak.
|
| As others mentioned Windows has the highest adoption and usage so
| it will be the default target. Should Linux take the lead some
| day it would gain _more_ attention by malware authors. There are
| plenty of unexplored attack vectors in udev, binfmt mount, eBPF,
| systemd and how some of those things are _glued_ together
| currently _for a lack of better terminology_. This may happen
| sooner than later if Linux gaming continues to improve at its
| current rate. Gaming platforms often code to default behavior _or
| expect elevated privileges_ thus rendering OS-hardening not an
| option and not many people will buy a separate gaming machine to
| keep this isolated from the machine they do taxes, banking,
| emails, social media, etc...
| onlyrealcuzzo wrote:
| > Should Linux take the lead some day it would gain more
| attention by malware authors.
|
| Android by itself has 50% more devices than Windows.
| LinuxBender wrote:
| I think a key difference is that Android _for most people_ is
| a mostly-closed ecosystem. _Most_ people can only install
| that which has been added to the small selection of app
| stores and the OS configuration is at least partially locked
| down. There has been an uptick in malware targeting Android
| [1] _just one recent example_ but people are not installing
| as many random applications and vulnerable frameworks _such
| as Wordpress or random apps that lack GPG verification_. This
| puts the onus on Google and wireless vendors to manage the
| security of these devices and most applications.
|
| If some day there is a truly open Linux distro on fully
| unlocked-by-default phones that come with root access enabled
| and said phones are adopted by the masses and people can
| tweak the OS however they wish without using debugging tools
| or installing custom images then I think the phones will
| _almost_ be on equal footing to Linux desktops, gaming and
| graphics power aside. The key part being adopted by the
| masses.
|
| Even Android is not a majority market share [2] so people
| would have to target apps that Android, Apple and others
| share.
|
| [1] - https://www.scmagazine.com/news/malware/letscall-
| vishing-mal...
|
| [2] - https://www.bankmycell.com/blog/us-smartphone-market-
| share
| richardjam73 wrote:
| GNU/Linux versus Android/Linux
| donatj wrote:
| The single largest outstanding security problem with Windows is
| the one-two punch combo of hiding file extensions by default +
| not having an executable bit. This makes it insanely easy for an
| attacker to simply create a malicious executable that has the
| icon of a word document or other recognizable type. There is
| literally no way for a lay person to detect the danger there.
|
| If there were an executable bit, exe's from strange places
| wouldn't just run without being granted permission. If extensions
| were visible by default, the very slightly savvy could SEE the
| danger. The combo lack-thereof is the danger.
|
| With how many notifications Windows gives you already, it really
| seems like at the very least just warning you when you double
| click something the first time "this is an executable, use
| caution" would go a long way.
|
| Binaries downloaded from browsers get stapled with a "potentially
| unsafe" extended attribute that pops a warning the first time you
| try to open it. This helps but is backwards. It should go the
| other direction and every binary should warn you until stapled
| with a "user has acknowledged the danger" attribute.
| gochi wrote:
| Windows does what you're suggesting on several layers. Default
| browser warns about downloads before downloaded, smartscreen
| prompts about running unverified apps, and UAC prompts a final
| time.
| jeroenhd wrote:
| Everything you download already comes with the mark of the web,
| which stops most simple exploitation in its tracks. That's why
| malware distribution has to go through annoying side steps like
| attacker controlled SMB servers over the internet to spread
| executable files.
|
| Also, Windows ACLs come with an execute permission per user,
| group, or any other policy related object. It's enabled by
| default for executable files you're allowed to read, but
| there's absolutely nothing stopping you from making executables
| unexecutable.
|
| Furthermore, just about every executable file gets a massive
| "you're about to infect your computer, kill your pets and
| sacrifice your children to Satan" prompt by default. You can
| disable it, but it's enabled in almost every other case.
|
| That's why attackers leverage the side effects of fringe cases,
| like RTF OLE embeddings and CHM/MHT wrappers.
|
| Half the steps in this graph would work for macOS or Linux as
| well if they're set up for corporate environments. Most of it
| is browsers and office applications just doing their thing.
| Notice how none of these include code actually executable in an
| operating context until the very end, when the very last
| sandbox has been escaped and a script downloads the actual
| payload from a position where it would be able to set the
| executable bit anyway.
| rollcat wrote:
| > Also, Windows ACLs come with an execute permission per
| user, group, or any other policy related object. It's enabled
| by default for executable files you're allowed to read, but
| there's absolutely nothing stopping you from making
| executables unexecutable.
|
| That's the whole point that GP is raising: whether the
| execute bit is set by default, or not.
|
| However personally I think the file itself should carry the
| information that it is meant to be executable (e.g. through a
| magic like shebang, an ELF/PE header, file extension, etc).
| Under UNIX-like OS's, it just creates pointless friction for
| users who are already certain that they do want to run the
| executable they just downloaded.
|
| Quarantine is (at least conceptually) a better and more
| general mechanism than the execute permission, as files other
| than executables could also be considered dangerous (like an
| image file trying to pwn the decoder, or a local HTML file
| trying to access the network). The quarantine bit could tell
| the OS and/or application to highly distrust the content
| (e.g. run it in a sandbox that denies FS/network access).
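As an added example (not code from the thread or from any OS vendor), here is the content-versus-name check rollcat and donatj describe: classify a file from its leading bytes (a PE header located via e_lfanew, ELF, shebang, Mach-O) and compare that with the extension a user actually sees when Windows hides the last one. Every sample file is constructed in memory.

```python
"""Classify a file's real type from its leading bytes and check whether
its name would let a user see that it is runnable.
Added example, not code from the thread; sample files are constructed."""
from __future__ import annotations

# Leading-byte signatures (magic) of runnable content other than PE.
MAGIC = {
    b"\x7fELF": "elf",                 # Linux/Unix ELF binary
    b"#!": "script",                   # shebang script
    b"\xcf\xfa\xed\xfe": "macho",      # 64-bit Mach-O, little-endian
    b"\xca\xfe\xba\xbe": "macho-fat",  # universal Mach-O
}
# Extensions the Windows shell hands to a loader or script host.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".hta", ".msi", ".dll"}
# Extensions a user reads as "a document or picture, not a program".
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt",
                  ".pptx", ".jpg", ".jpeg", ".png", ".gif", ".txt"}


def content_kind(head: bytes) -> str | None:
    """Return the kind of executable the bytes start, or None."""
    if head.startswith(b"MZ"):
        # A real PE has 'PE\0\0' at the offset stored in e_lfanew
        # (bytes 0x3c..0x40); a bare 'MZ' is only a DOS stub.
        if len(head) >= 0x40:
            off = int.from_bytes(head[0x3c:0x40], "little")
            if head[off:off + 4] == b"PE\0\0":
                return "pe"
        return "mz"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def split_extensions(name: str) -> list[str]:
    """'nude-photo.jpg.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess(name: str, head: bytes) -> dict:
    """Compare what the bytes are with what the displayed name claims."""
    kind = content_kind(head)
    exts = split_extensions(name)
    real_ext = exts[-1] if exts else ""
    # With "hide extensions for known file types" on, only this one
    # is still displayed to the user.
    shown_ext = exts[-2] if len(exts) > 1 else ""
    findings = []
    if kind and real_ext not in EXEC_EXTENSIONS:
        findings.append(f"{kind} content behind non-executable "
                        f"extension {real_ext or '(none)'}")
    if real_ext in EXEC_EXTENSIONS and shown_ext in DOC_EXTENSIONS:
        findings.append(f"double extension: displays as {shown_ext}, "
                        f"runs as {real_ext}")
    if kind is None and real_ext in {".exe", ".scr", ".com", ".dll"}:
        findings.append(f"{real_ext} without a PE header")
    return {"name": name, "kind": kind, "real_ext": real_ext,
            "shown_ext": shown_ext, "findings": findings,
            "verdict": "suspicious" if findings else "ok"}


def _fake_pe() -> bytes:
    """Constructed minimal PE prefix: MZ stub whose e_lfanew -> 'PE\0\0'."""
    stub = bytearray(b"MZ" + b"\0" * 62)
    stub[0x3c:0x40] = (0x40).to_bytes(4, "little")
    return bytes(stub) + b"PE\0\0"


# Constructed samples: (name with every extension visible, first bytes).
SAMPLES = {
    "quarterly-report.docx.exe": _fake_pe(),  # double extension
    "invoice.pdf": _fake_pe(),                # renamed binary
    "setup.exe": _fake_pe(),                  # honest executable
    "notes.txt": b"Meeting notes\n",
    "run.bat": b"@echo off\r\n",              # text-based, no magic
    "photo.jpg": b"\xff\xd8\xff\xe0",
}


def scan_samples() -> dict[str, str]:
    """Verdict per constructed sample; ok for three, suspicious for two."""
    return {n: assess(n, h)["verdict"] for n, h in SAMPLES.items()}


if __name__ == "__main__":
    for n, h in SAMPLES.items():
        r = assess(n, h)
        print(f"{n:28} {r['verdict']:10} {'; '.join(r['findings'])}")
```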
| thefz wrote:
| > Half the steps in this graph would work for macOS or Linux
| as well if they're set up for corporate environments. Most of
| it is browsers and office applications just doing their
| thing. Notice how none of these include code actually
| executable in an operating context until the very end, when
| the very last sandbox has been escaped and a script downloads
| the actual payload from a position where it would be able to
| set the executable bit anyway.
|
| Yes indeed, but this logical and thought out explanation is
| no match for a limited-characters hot take (plus an image!)
| on Twitter. That's "information" now.
| nullindividual wrote:
| > file extensions by default
|
| File extensions aren't necessarily mandatory in Windows as long
| as the Magic Number is recognized by Windows (Word documents,
| for example).
| nicce wrote:
| > If there were an executable bit, exe's from strange places
| wouldn't just run without being granted permission. If
| extensions were visible by default, the very slightly savvy
| could SEE the danger. The combo lack-thereof is the danger.
|
| By default Windows does not run anything which does not have
| a valid signature, unless you give permission.
|
| Maybe you have disabled this feature? Many do it, because it is
| annoying, as you need to give permission almost for anything
| you download from the internet.
| nullindividual wrote:
| Windows prompts if it doesn't have a signature, but will
| allow you to run it directly from the prompt, unless it
| involves a driver, which must be signed without using bcdedit
| to bypass that feature.
| nicce wrote:
| That does not fit the use case when someone clicks an
| executable with a Word icon.
|
| And how is it different from asking permission to run it?
|
| Edit: by "prompt" I thought command-line.
| mrguyorama wrote:
| And like all hard problems, that cannot be solved by
| technology.
|
| "Users will literally run the icon that's called malware"
| has nothing to do with Windows being written in not-Rust,
| and won't be solved by an operating system written in
| Rust.
|
| You cannot simultaneously empower the user to do useful
| things and prevent the user from using that exact power
| to fuck themselves.
|
| It's no different from trying to build a gun that can
| only shoot criminals. It's a completely invalid goal.
| giantrobot wrote:
| Part of Windows' problem is the system has given users
| prompt fatigue over the years. Lay people do not stop and
| read prompts. They will click "Yes" to just about anything.
|
| The macOS prompt is much better. It doesn't have a "ok run
| this anyways". You have to go into the Security pref pane
| and explicitly open the application (or launch it via
| context menu in Finder). The dangerous path is blocked for
| most users.
| jeroenhd wrote:
| Exactly, Windows is asking for permission to execute the
| executable file.
|
| Actually, in its default configuration, it's telling you it
| has blocked a dangerous file from opening (but you can
| click a tiny link to show a second button to allow
| executing the file anyway).
| nullindividual wrote:
| There are two separate mechanisms here. In this
| particular subthread, we're discussing code signing --
| when an executable lacks it, Windows says "this isn't
| signed, you sure you want to run this?".
|
| When you download a file from the Internet Zone (the old
| IE concept, but it applies to current browsers), Windows
| will _block_ the file preventing you from running it (or
| for certain file types, open it) until you explicitly
| unblock the file, then re-perform your action.
| FireInsight wrote:
| A common technique is exploiting macros in real Word documents,
| which would still work with the added protection of an
| executable bit and being able to see file extensions.
| nicce wrote:
| There is protection and that is why macros are mainly used.
|
| https://learn.microsoft.com/en-
| us/windows/security/operating...
| ectospheno wrote:
| No human would assume he was providing a solution to every
| attack. Not doing something because it doesn't solve every
| problem is a great way to never fix anything. Not brushing
| your teeth because you ran out of dental floss is dumb.
| tracker1 wrote:
| Worth noting, if you use NTFS, there is an executable bit. In
| fact in many places, user profiles are set to disallow
| execution altogether.
| mr_mitm wrote:
| And then Microsoft in all its wisdom decides to place one of
| the most widely used pieces of software, Teams, inside the
| user profile.
| sixothree wrote:
| I'm not understanding why the practice of installing
| applications inside of my user profile is an acceptable
| practice to the point where it is actually common.
| drbawb wrote:
| As far as I'm aware it's mostly a hack to avoid UAC
| elevation. If your goal is to get Chrome onto as many
| computers as possible: you have to be able to install
| without admin privs. (Also, even if the user _can_
| elevate themselves, I imagine the conversion rate is
| marginally better if you can avoid the "scary" UAC
| prompt. The conversion rate is _definitely_ better if an
| unprivileged user can avoid invoking the wrath of their
| IT admins /policy.)
| nullindividual wrote:
| > If there were an executable bit, exe's from strange places
| wouldn't just run without being granted permission.
|
| If the file is downloaded with IE/Edge and comes from the
| Internet zone, there is an ADS written (Zone.Identifier) which
| flags the executable to prevent it from being executed. The
| user needs to manually unblock the file.
| cobbal wrote:
| Firefox too, and they show up as annoying extra files with
| weird unicode names if you download directly to a WSL drive.
| nullindividual wrote:
| Which makes sense as this is an NTFS Alternate Data Stream;
| so much like the resource forks of MacOS Classic, you'll
| see ADS files as separate on file systems which don't
| understand the structure.
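As an added example that is not part of the thread, here is a parser for the Zone.Identifier stream nullindividual and cobbal describe. The [ZoneTransfer]/ZoneId layout is what Windows writes; the ReferrerUrl/HostUrl keys are the ones current browsers commonly add, and the sample stream content below is constructed.

```python
"""Read and interpret the Zone.Identifier alternate data stream (the
'mark of the web') that browsers attach to downloads on NTFS.
Added example, not code from the thread; sample content is constructed."""
from __future__ import annotations
import configparser
from dataclasses import dataclass

# URLMON security zone ids as written in the ZoneId= key.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: str | None   # page the download was started from
    host_url: str | None       # URL the bytes were fetched from

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown({self.zone_id})")

    @property
    def blocked_by_default(self) -> bool:
        # Windows applies the "unblock" gate to Internet and Restricted.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> MarkOfTheWeb | None:
    """Parse the INI-style stream; None if it carries no usable ZoneId."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
        sec = cp["ZoneTransfer"]
        zone_id = int(sec["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    # Option lookups are case-insensitive, matching how Windows treats
    # the keys.
    return MarkOfTheWeb(zone_id=zone_id,
                        referrer_url=sec.get("ReferrerUrl"),
                        host_url=sec.get("HostUrl"))


def read_mark_of_the_web(path: str) -> MarkOfTheWeb | None:
    """On NTFS the stream is addressable as '<path>:Zone.Identifier'.
    Where the stream (or that syntax) does not exist the open fails and
    the file is reported as unmarked."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed stream content in the layout Windows writes (CRLF lines).
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/downloads/\r\n"
                 "HostUrl=https://cdn.example.invalid/setup.exe\r\n")


def describe(mark: MarkOfTheWeb | None) -> str:
    """One-line summary of what the shell will do with the file."""
    if mark is None:
        return "no mark of the web: opens without the download block"
    state = "blocked until unblocked" if mark.blocked_by_default else "opens"
    return f"zone {mark.zone_id} ({mark.zone_name}) from {mark.host_url}: {state}"


if __name__ == "__main__":
    print(describe(parse_zone_identifier(SAMPLE_STREAM)))
```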
| GordonS wrote:
| Totally with you on hiding file extensions - why they made that
| the default is beyond me.
| mrguyorama wrote:
| It doesn't matter if they showed extensions by default,
| because users still download and run nude-photo.jpg.exe
| tracker1 wrote:
| Compared to Linux that doesn't use file extensions at all to
| mark executables?
| fnordpiglet wrote:
| Computer security would be 75% solved if we deprecated technology
| shown in this graphic:
|
| C
| whalesalad wrote:
| There are two reasons to use Windows: you are building software
| for Windows, or you are a gamer.
| Aleklart wrote:
| 3. You are a manager with a 240 MB Excel file with macros and a
| very important 40 GB PST of Outlook mail. You relax by playing
| solitaire. Your time is important, so your PC is managed by the IT
| department's SCCM along with the same 10k+ managers' and 100k
| corporate drones' PCs. 4. You work at Microsoft.
| mrguyorama wrote:
| Computer security is 95% solved if we turn off the power plants.
|
| Human sustenance is solved if we choose to let everyone die.
|
| These statements have equal utility.
| Pannoniae wrote:
| As long as some platform is capable and powerful for many things,
| there will be malware. The reason why most (consumer-facing at
| least) malware isn't targeting Linux is because its desktop
| market share is like 3%. It's way better to target Windows on
| desktop since you can reach way more users that way.
|
| The only other alternative is turning your computer into a
| glorified phone (a.k.a. a locked-down media consumption device)
| where everything is nicely sandboxed and nothing has any kind of
| permission to do "bad" things. (Except tracking. Because guess
| what, the company who makes the OS also sells ads.)
| INTPenis wrote:
| >As long as some platform is capable and powerful for many
| things, there will be malware.
|
| Might want to rephrase that, uhm, Linux?
|
| Windows is a platform that is accessible to the most dumb (and
| disinterested) users in the world. No offense, but phishers,
| malware authors and spammers all rely on a sucker buying OEM
| every minute.
| soraminazuki wrote:
| Wait, you say malware doesn't target Linux because it has no
| market share? The OS that is ubiquitous on servers and mobile?
| vuln wrote:
| Typically there aren't users on the servers. The servers
| aren't used for browsing the internet or checking emails.
| lelanthran wrote:
| The rewards are greater on the server.
|
| If you pwn just one server you can attack thousands of
| people, their data, their credentials, etc.
|
| Saying that there's no malware for Linux because there's no
| reward is myopic - the payoff is potentially larger.
| vuln wrote:
| > Saying that there's no malware for Linux because
| there's no reward is myopic - the payoff is potentially
| larger.
|
| I didn't say that. My comment was really just commenting
| on the fact that most attacks
| (mal/ransomware/phishing/exploits) very frequently need
| some sort of user interaction. Without users or users
| doing user stuff it makes it harder to get things to
| execute on the machine/server. Sure if the server is in
| the DMZ and unpatched then yes it will be hammered by
| scanners and automated exploiters. With proper security
| hygiene and a proper patch cadence servers are usually
| more protected through defense in depth and the lack of
| humans.
| lelanthran wrote:
| You are correct, you most certainly _did not say that_,
| and I apologise for implying that you did.
|
| Mea culpa.
| sanitycheck wrote:
| They're configured and administered by professionals
| though, not your grandma (probably).
| lelanthran wrote:
| One would hope, but that doesn't solve many problems.
|
| Just this week I did some work for a client (a tech
| company) on a public facing webapp.
|
| After fixing the issues, I gave the manager and their
| architects who had been reviewing my PRs a short list of
| errors that I noticed in the current app.
|
| They politely declined to have them fixed, but want to
| proceed with another engagement for more features.
|
| You just cannot win sometimes ...
| jrm4 wrote:
| This is _such_ crap.
|
| A very long time ago, Windows normalized the absolute worst
| security practices ever. This was never meaningfully
| addressed/punished publicly and we just kind of drifted to
| today -- where we're stuck with absurdities like the fact that
| you can't use a USB key literally as intended. No other product
| is this bad in terms of security; bread will not destroy your
| toaster the way a USB key can your computer.
|
| You can't JUST put this on market share.
| mrguyorama wrote:
| Windows being inherently insecure hasn't been the issue since
| at least mid-XP. It's also a completely moot point, because
| nearly any security breach since then could have been
| conducted over snail mail, because it has nothing to do with
| how computers are programmed. While everyone was complaining
| about windows security, stuff like shellshock sat in the open
| for decades, including on all the servers that were
| supposedly so secure.
|
| Every organization that does internal phishing testing still
| fails every time. Any modern discussion about information
| security that doesn't deal with that is a red herring, and
| provides zero utility to anyone who isn't the enemy of a
| nation-state. Focusing on the remaining few buffer-overflows
| that take a chain of ten other exploits to even reach in the
| first place while everyone's data and info is leaked daily
| because the CEO clicks everything in an email is a
| dereliction of duty. It's like investing in StarWars and
| magic lasers that can't work while placing nukes on Moscow's
| door step.
|
| "Security Researches" keep looking for the buffer overflows
| because that's _fun_ and they don 't want to admit that the
| real problem is a social one because that's _hard_ and
| _boring_ and doesn 't let them play with the newest fuzzer or
| get them a $100k bounty.
| jrm4 wrote:
| I get what you mean here, but I still can't help but think
| that the Windows "make everything run really easy"
| mentality still crept in and stuck around, and to this day
| prevents software from implementing better ideas of "who or
| what really needs to run executable code?"
|
| Like Javascript? Sure, it's VERY versatile, but "just
| download arbitrary code and run it in the browser?" That
| should have _never_ happened in the way it has.
| lofatdairy wrote:
| I think there's a unique element to Windows with its attempt
| to be extremely backwards compatible. This can be a tremendous
| boon when, say, running older software targeting a previous OS,
| but introduces vulnerabilities since your dependency tree has
| such deep roots. It's definitely a good target because god
| knows how many banks/hospitals/etc are running windows and have
| critical business data in Excel sheets or Power BI or whatever,
| but it doesn't help that Windows itself is constructed of
| layers and layers of older code that can't be sacrificed
| without wrecking some client workflow. I mean that screenshot
| of 10 different design styles in Windows 11 kinda goes to show
| how much of it is just ported over kinda arbitrarily.
| Beached wrote:
| Linux has both a huge stack surface and a huge focus on the
| malware and TA sphere. I worry about my Linux environment far
| more than my Windows environment. Properly securing, monitoring
| and responding in a Linux environment is much harder than a
| Windows environment for a SOC. The enterprise tool set lags in
| this space by a lot, and the TAs targeting Linux are generally
| FAR more sophisticated.
| charcircuit wrote:
| You are underestimating the amount of IOT botnets that run on
| Linux and the amount of Android malware.
| howinteresting wrote:
| Heterogeneity is an important part of defense in depth.
| Monocultures are more likely to be attacked.
| eikenberry wrote:
| You can lock down your computer and keep it a computer. For an
| example look at the work going on with Fedora Silverblue [1]
| where you have an immutable OS install and use containers and
| flatpaks for everything. It is coming along nicely with side
| projects to allow for customization via Dockerfiles [2].
|
| [1] https://fedoraproject.org/silverblue/
| [2] https://github.com/ublue-os
| kazinator wrote:
| Apple Macs had like single digit percentage market share in the
| 1980's, yet were havens for viruses.
| dacryn wrote:
| I don't fully agree on this one.
|
| Linux has a wider attack vector since there are tons of
| packages out there. Yet the core has a lot of attention and
| many eyes on it, just because it is so open.
|
| Vulnerabilities get patched rather sooner than later. Linux
| versions and gnu packages are running basically the entire
| internet, so there is definitely incentive to break into
| it.
|
| It's also a lot clearer in linux when a process is doing
| something it shouldn't, since it's a lot easier to probe into
| it to check what's going on.
| SoftTalker wrote:
| > It's also a lot clearer in linux when a process is doing
| something it shouldn't, since it's a lot easier to probe into
| it to check what's going on.
|
| Is this true? It's been a while but I remember being able to
| set performance monitors on almost anything in Windows. It
| seemed to have very robust instrumentation support.
| nequo wrote:
| > Linux has a wider attack vector
|
| Nit but you probably mean attack surface. A vector doesn't
| have a width.
| rodgerd wrote:
| > Vulnerabilities get patched rather sooner than later.
|
| Unless they're in the file systems, in which case it's in the
| too hard basket.
| nradov wrote:
| Is there any evidence that security vulnerabilities are on
| average fixed faster in the major Linux distributions than in
| Windows?
| chmod775 wrote:
| Some. Here's for the Linux Kernel:
| https://googleprojectzero.blogspot.com/2022/02/a-walk-
| throug...
|
| The dataset is quite small, but on average it took Linux 25
| days to fix a 0-day while it took Microsoft 83 days.
| schemescape wrote:
| Does that metric include the delay of fixes getting
| incorporated into Linux distributions (and pushed out,
| assuming automatic updates--maybe not a good assumption)
| or Windows fixes getting deployed via Windows Update?
|
| Edit: I don't know much about this topic, but thought
| "time to deployment of a fix" might be more useful. Edit
| again: also unclear if the comparison is "apples to
| apples".
| RunSet wrote:
| I doubt it, any more than it includes the time it takes
| procrastinating users to actually update their systems.
| trelane wrote:
| > The reason why most (consumer-facing at least) malware isn't
| targeting Linux is because its desktop market share is like 3%.
|
| This is also why there's not as much software in general. So if
| a (lack of) regular software is a valid reason to _not use_
| linux, a lack of malware is also a valid reason to _use_ it.
| CyberRage wrote:
| I see a ton of Linux malware as part of my job, but it's a
| different kind to Windows malware (which I also
| reverse/research). In Linux the focus is on server/enterprise, so
| things like webshells, miners and data scraping are very common.
| marcodiego wrote:
| > The reason why most (consumer-facing at least) malware isn't
| targeting Linux is because its desktop market share is like 3%.
|
| I don't eat that argument anymore. In the mobile space, Android
| (Linux) is the biggest player. It is even bigger than windows
| if both are considered among end-users[1] and I don't see as
| many people complaining about malware on Android as people
| complain about it on windows.
|
| Of course, I don't think ms is incompetent with regards to
| windows security. But there are design decisions that make it
| historically problematic. The fact that win9x had zero process
| isolation (although it was possible since the i386) and people
| expected programs to continue working on winxp (NT kernel), the
| fact that centralized software distribution is a relative
| novelty on windows (compared to apt which has existed since 1998)
| and many other minor things, like extension hiding, make it an
| easier target than ChromeOS, iOS, Android, MacOS and GNU/Linux.
|
| I remember people saying "when Linux become as popular as
| windows, you'll see it being target by malware devs". Well,
| consider smart TVs, infotainment, servers, supercomputers,
| embedded systems, mobile (especially Android). Linux has been
| bigger than windows for a long time. I don't think its lower desktop
| market share is the main reason for its lack of malware.
|
| [1] https://gs.statcounter.com/os-market-
| share#monthly-202206-20...
| dartharva wrote:
| > I don't see as many people complaining about malware on
| Android as people complain about it on windows.
|
| Can't believe I'm seeing such a statement on HN. Android
| phones are arguably worse on malware-related threat vectors,
| especially when most OEMs themselves package in the majority
| of malware on consumer phones to begin with. Even assuming
| less dumb users, at its best it is an unholy combination of
| adware mixed with spyware, ridiculous amounts of tracking in
| the name of "telemetry" and consumer-hostile design choices
| often literally designed to make the user choose the wrong
| option. Combine that with how ridiculously easy it is to get
| malware installed on Android (the most popular apps and games
| on the Play Store are all adware, installing compromised
| "modded" apks that "unlock premium features" is just one tap
| away) and you get a platform that would make any infosec
| manager cry. At least Windows PCs are controllable by the
| organization's administrator, how are you going to control
| people's phones unless you start issuing company phones as
| well?
| kernal wrote:
| What a ridiculous take to even imply that malware on
| Android is even comparable to the malware dumpster fire on
| Windows. There is more malware on Windows than there are
| apps. 99% of what is considered "malware" on Android is
| often aggressive adware that is benign. Remember when the
| security pundits were predicting that the Stagefright
| exploit would infect billions of Android phones?
| Stagefright didn't amount to anything.
|
| >At least Windows PCs are controllable by the
| organization's administrator, how are you going to control
| people's phones unless you start issuing company phones as
| well?
|
| You mean the same "controllable" Windows PCs that are
| responsible for nearly 100% of the ransomware, virus and
| malware infections in corporations? Right.
| eddythompson80 wrote:
| As the original comment said
|
| > _As long as some platform is capable and powerful for
| many things, there will be malware._
|
| Android != GNU/Linux. iOS != MacOS. GNU/Linux, Mac,
| Windows are far more capable and powerful than mobile
| platforms and therefore far more susceptible to malware.
| Plenty of Linux-based servers are hacked every day,
| plenty of scanning bots are targeting Linux-based
| software vulnerabilities over the internet.
| Reubend wrote:
| I don't think that's a fair comparison, because Android
| phones allow the user to download signed apps from a
| "curated" store by default (I'm using the term curated very
| loosely here, but Google does make efforts to remove malware
| from their store).
|
| If, by default, users only downloaded software directly from
| the Microsoft store, would Windows achieve a similar level of
| security?
|
| As for smart TVs, infotainment, servers, etc. they all share
| the commonality that the end user doesn't typically download
| untrusted software. And if they do, it's typically from a
| vendor's own store.
| jolux wrote:
| > The only other alternative is turning your computer into a
| glorified phone (a.k.a. a locked-down media consumption device)
|
| There's a third alternative: keep the platform powerful but
| increase the default isolation level for third-party software
| and let the user choose what permissions it has. macOS is
| headed in this direction. Qubes is a more radical example and I
| think probably the future of desktop computing: everything will
| run in its own virtual machine.
| vorpalhex wrote:
| This is already painful though. The filesystem becomes a
| disjointed mess. Doing anything in an app becomes fighting
| permissions. Weird things break (eg I can drag and drop a
| screenshot from my downloads folder but not my screenshots
| folder into the discord flatpak).
|
| Then of course apps simply get sloppy in requesting
| permissions... and in return malware pretends to do the same.
|
| The end result is now doing anything takes a half dozen
| prompts and isn't any more secure. It just sucks for me as a
| user.
| jolux wrote:
| The restrictions are a starting point for improving system
| security, not an end point. I agree that the prompts are
| annoying, there need to be better ways to delegate
| permissions.
| otikik wrote:
| MacOS phones home before running an unverified app. I
| understand why they do it, but I'd rather they didn't. And I
| definitely hope that Linux doesn't go that route.
|
| Windows ... well my expectation is low with regards to
| phoning home _and_ security defaults.
| RunSet wrote:
| > MacOS phones home before running an unverified app. I
| understand why they do it, but I'd rather they didn't.
|
| Considering Apple was brazen enough to name the software
| that phones home "Gatekeeper" it is all too clear why they
| do it.
|
| https://support.apple.com/guide/security/gatekeeper-and-
| runt...
| bamfly wrote:
| ... because it supervises and scrutinizes "traffic"
| coming through the "gate" for security reasons, before
| letting it inside the "walls" where it might do harm?
| Like a gatekeeper does?
| FireInsight wrote:
| This is where Linux is going as well. I believe that in the
| future most people's base systems will contain only necessary
| packages and other software will be run out of Flatpaks or a
| comparable technology separate from the host.
| jchw wrote:
| Flatpak right now isn't really a security boundary. That
| said, I don't think there's any particular reason it
| couldn't or shouldn't be in the future. The model seems
| amenable to it, and maybe it was at one point the intent
| even.
| nickstinemates wrote:
| This is how I run _everything_ outside of coreutils in
| Linux.
|
| Either with VM isolation or packed away in a container.
| Host is basically a hypervisor with external monitoring and
| logging.
| saagarjha wrote:
| This is difficult to do effectively.
| [deleted]
| didntcheck wrote:
| How do you mean? Phone OSes prove the model works, at least
| for ordinary "productivity apps". Linux kernel features to
| enforce it exist and are well tested, and are used by
| Docker and Flatpak. Microsoft implemented the technology,
| but had trouble getting developers to actually commit to it
| (which is rational, why choose a harder option if there's
| no incentive?). And MacOS seems to be doing a good job of
| balancing increased default restrictions with maintaining
| escape hatches where needed
| saagarjha wrote:
| There's a lot of software that doesn't fit into the phone
| OS model that people generally find it useful to have
| available. macOS has tried to bring some of this to the
| desktop but beyond straight ports of mobile apps their
| efforts to allow for apps to progressively do more
| powerful things have largely been failures.
| jolux wrote:
| I agree, but I'm definitely curious what you see as the
| biggest challenges given your extensive experience with
| Apple OS internals.
| pdntspa wrote:
| I like the sandboxing model but virtual machines add way too
| much abstraction and overhead. Apple's approach is really
| good here IMO, as a user I need to be able to do things like
| select any file at any time, and it will under-the-hood add
| that selection to the sandbox
| jolux wrote:
| VM technology currently adds a lot of conceptual and
| computational overhead in most cases but there are examples
| of it being integrated more seamlessly. WSL 2 is a good
| one.
| wongarsu wrote:
| Windows tried that with MSIX which brought sandboxing and a
| permission/capability system. They even made using that
| system a requirement for getting on the Microsoft Store.
| Developers nearly universally rejected dealing with that.
|
| Now there's the Windows Sandbox, which tries to provide a
| strong security boundary through virtualization while still
| having the kernels cooperate on performance-critical matters
| (memory, CPU time and graphics).
|
| Over time someone (maybe even Microsoft) could expand that to
| a Windows-based QubesOS-light. Having the user segment
| applications into containers (with temporary containers for
| sketchy stuff) but allowing all applications to show windows
| in the same Window manager might be a viable tradeoff that
| fills most security needs without breaking compatibility with
| any software.
| didntcheck wrote:
| We already have proof the model works both technically and
| commercially: phones. This is how Android and iOS have been
| working basically since the start. I imagine the reason
| most developers rejected MSIX was rational (there was no
| incentive for them to take a harder option when the older
| option was still there), but they could have done if it
| they were forced to. Exceptions are programs which actually
| do need high privileges, or those which require a degree of
| interaction with other programs that the safe interfaces do
| not allow (though Android anticipated this problem with the
| "intents" system from the start, which solves a lot of use
| cases)
| delfinom wrote:
| >There's a third alternative: keep the platform powerful but
| increase the default isolation level for third-party software
| and let the user choose what permissions it has.
|
| That's the direction Windows is going as well with the MS-
| Store and appx/msix bundles.
|
| There's also Process Memory protection by using
| virtualization https://support.microsoft.com/en-
| us/windows/core-isolation-e...
| Retric wrote:
| Sandboxing isn't incompatible with a highly customizable OS.
| Malware is really more a question of being able to install
| software without the users control and the inability to remove
| such installations after the fact.
|
| Windows suffers from Malware in no small part due to the
| systems design rather than simply being common. Plenty of
| alternatives have more users than windows did back in the late
| 90's when it was a huge target.
| s1gsegv wrote:
| I think the crux of the issue is that making a system that's
| customizable AND sandboxing AND user friendly multiplies
| together to create development and testing effort that's not
| palatable for most right now.
|
| Even the open source offerings that add sandboxing often drop
| either the customizability or the user friendliness.
| xorcist wrote:
| It's not just the kernel, it's the whole ecosystem. How does
| Linux have _anything_ resembling OLE? SMB? Sharepoint paths on
| the public Internet?
|
| It's an operating system that _automatically_ executes code
| found on USB sticks.
|
| How is this even a discussion?
| throw47474777j wrote:
| This argument is very unpopular when it's used to explain why
| iOS is locked down.
|
| Usually there is a lot of pushback along the lines that APIs
| should simply be made secure.
| failuser wrote:
| Proper sandboxing in Unix was a missing feature forever since
| SUID bit was introduced and was slowly mitigated by adding
| layers of virtualization instead of OS-level controls.
| mdgrech23 wrote:
| Would argue 95+% of people would find w/ this kind of setup on
| their desktop.
| 666satanhimself wrote:
| [dead]
| everdrive wrote:
| This is definitely true, and I think there are at least two
| points worth considering here.
|
| - Part of what makes the mainstream OS terrible is the mere
| fact that it is mainstream. If Linux hit 60-70% adoption, a
| plague of terrible software, adware, malware, and more would
| start degrading its quality.
|
| - Despite the points above, it would be really nice if some of
| the lousy things pointed out the in the graphic were
| deprecated.
| bee_rider wrote:
| Free Software licenses typically say basically "I'm giving
| you this for free, so you take it as it is, no promises." You
| get the guarantees that you pay for.
|
| But nobody would write some of the absolute schlock they get
| over in proprietary-land if they didn't think they could dupe
| unwitting consumers into paying for it.
| mcpackieh wrote:
| Popularity was the canned cope for why Windows 95 through XP
| were riddled with so much malware. But then Microsoft started
| taking security more seriously with Vista and onwards. The
| situation didn't turn into sunshine and roses, but it _did_
| improve dramatically. It turns out that popularity wasn't the
| problem, the problem was the insecure nature of the software.
| There is of course still a lot of room for improvement.
| itsTyrion wrote:
| As-is, every unprivileged application you run can
|
| - take a screenshot
|
| - record the screen
|
| - capture audio output and input (microphone)
|
| - use and record the camera, if present
|
| - read almost every file
|
| - write and delete most files (excluding some OS-owned ones,
| without elevation at least)
|
| - capture mouse and keystrokes
|
| - use the internet without too much restriction
|
| (Tbf, it's mostly the same on Linux with X11/Xorg, but at
| least there's more/better sandboxing and packaging like
| flatpak - and Wayland).
|
| MacOS, AFAIK that is, is leading the way in this regard.
| dj_mc_merlin wrote:
| As opposed to the Linux security best practices of curl |
| bash? I have no choice but to set up my computer to run
| untrusted code, on a CPU which itself might be spying on me
| -- I don't feel like my environment is inherently more secure
| than Windows at all. Just less popular.
| jchw wrote:
| Worrying about the security of curl | bash when talking
| about an operating system where the modus operandi for
| installing software was downloading closed-source and often
| obfuscated binaries from random websites and running them
| is insane.
| olyjohn wrote:
| Honestly, I feel like more people have been infected with
| malware from App Stores than from downloading and
| executing shit from random websites. Even Warez sites
| from back in the day were more trustworthy.
|
| Cuz if you download from a random site, you might think
| twice about what it is, is the source trustworthy, etc?
| But the App Store, well Apple and Google tell me it's
| 100% safe, so just download all kinds of trash.
| mcpackieh wrote:
| Browser extension 'stores' are terrible too. Both
| Google's and Mozilla's.
|
| On the other hand, I do trust F-Droid. The vetting of
| ideological motivated volunteers beats the vetting of
| disinterested corporations.
| MattPalmer1086 wrote:
| For mobile app stores you are right, but only because
| they are the ONLY place most people will obtain software
| for their device from. You don't download binaries and
| install them from web sites on Android or Apple.
|
| For desktop operating systems, I think you are probably
| wrong. Downloading and installing binaries from web sites
| is a huge cause of malware infection. And warez sites
| were not trustworthy at any time.
|
| I doubt much malware has been installed via Linux package
| managers or by the Windows app store (if anyone actually
| uses that).
| gkbrk wrote:
| > Linux security best practices of curl | bash
|
| I don't know who tells you about Linux security, but you
| should replace them.
|
| The best practice for installing software on Linux is to
| use the package manager and install from the repositories
| of your Linux distro, or trusted software vendors.
| mcpackieh wrote:
| > _The best practice for installing software on Linux is
| to use the package manager_
|
| Bingo. In Windows and even MacOS, it is normalized
| behavior to download and run software with your web
| browser. Want VLC? Google for VLC then maybe end up on a
| website like sourcef*rge that adds malware to the
| installer. On Linux, this sort of workflow is possible
| and permitted, but not encouraged. Instead users are
| encouraged to only install software through their package
| manager.
|
| I can leave my dad with a Xubuntu install and trust him
| to not download malware because I taught him how to use
| the package manager, and warned him against trying to
| download software with his browser as though he were
| using Windows. 15 years like this and he still hasn't
| messed it up. With Windows he had new malware every week.
| Downloading and running strange software off the web is
| normal windows culture and windows scarcely even provides
| a better alternative to it.
|
| (The "Windows Store" is an improvement to this situation
| I guess, but from what I understand most software
| available through it isn't free. This means windows users
| are incentivized to fall back on old habits and go
| scrounging around on the web for free binaries to blindly
| run.)
| eptcyka wrote:
| You can curl into bash all you want, but how's that better
| than just running an Installer.exe ? Most software I
| install on Linux is at least somewhat verified by a
| maintainer to be sane, there are no maintainers on Windows,
| just HTTPS servers with binaries.
| ilyt wrote:
| Linux best practice is to download package off signed
| repository, curl|bash is JS bros sniffing glue again
| Macha wrote:
| Morally curl | bash is no different to downloading a
| package from the provider directly, or adding a repository
| managed by the provider. As people are well aware, it will
| not protect you from the software provider being malicious.
| Neither will obtaining that proprietary installer from
| adobe.com for Windows/Mac. I'd argue the security level
| goes from worst to best:
|
| 1. curl | bash = npm/pip/cargo/whatever install = developer
| provided package repositories = proprietary software
| installers
|
| 2. App stores from proprietary OS vendors. You still don't
| really know what's in the software, but at least you
| already have to trust Apple/Microsoft if you're using those
| OSes and they can remove detected bad behaviour globally.
|
| 3. Package repositories from trusted traditional linux
| repositories. You can view the purported source code of the
| build, plus there is now someone who can block bad
| packages.
|
| 4. Package repositories from linux repositories with public
| build processes. Not just the scripts, but being able to
| see the execution of the build and have it signed to prove
| where it came from (as opposed to Joe packager's personal
| machine then FTPing it up).
|
| 5. Making your own copy of every piece of software,
| auditing the entire source code, building it in an
| environment you control, and keeping the artifact you then
| sign somewhere you control. This is so much work that
| nobody does this.
|
| People like to tut tut at curl | bash, but most of them are
| happy to do everything else in line 1, and maybe trust line
| 2. This is not the position of safety and moral superiority
| it's portrayed as.
| tracker1 wrote:
| 6. use flatpak/snap/appimage that run in relative
| isolation from the core os.
| prmoustache wrote:
| This argument is moot once you allow said software to
| have access to your files...which you will usually have
| to if you want that software to be useful to you.
| didntcheck wrote:
| Access scoped to a directory is a big improvement over an
| unsandboxed process. Any unprivileged program can
| trivially steal your browser sessions by reading your
| profile dir, but with Flatpak it would be possible to
| only grant it access to your "documents". I don't know if
| this is currently done in practice though, or if it's
| still common to just grant it full access to ~, including
| dotfiles. Even if so, the technology is there, showing a
| clear route to improvement
| Macha wrote:
| Flatpak itself is really a different dimension of
| security to that discussed here. It solves a different
| problem (the software might have exploitable security
| vulnerabilities) than the one discussed here (the
| software itself might be malicious). Running software
| that secretly phones home everything you do in the
| program is still going to be a problem in flatpak.
| sigotirandolas wrote:
| I wouldn't say that it's a different dimension. If you
| install a Flatpak (and you check that the permissions it
| asks for make sense), the application will not be able to
| do as much damage _even if it's malicious_.
|
| Furthermore I'd argue that a big reason (2) > (1) is not
| that Google/Apple are that great at detecting malicious
| applications, but that malicious applications also have a
| harder time getting too many permissions with their
| system.
|
| And furthermore, a reason why "curl | bash" is bad, is
| that you are piping arbitrary code straight into a shell,
| which gives no chance for the system to know which
| permissions the code needs. Whereas if you do a "curl ...
| && flatpak install ...", it can.
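sigotirandolas's point (check that the permissions a Flatpak asks for make sense before installing) and didntcheck's a few comments up (scope file access to one directory instead of all of ~) both come down to reading the app's static grants, which `flatpak info --show-permissions APP` prints as a keyfile with a `[Context]` section. The following is an added example, not code from the thread or from the Flatpak project: a POSIX sh function that reads such a keyfile and flags the grants that defeat the scoping. The function names (`audit_flatpak_permissions`, `write_sample_metadata`), the choice of which values count as "broad", and the two sample apps `org.example.Notes` and `org.example.Player` are this example's own assumptions; the key and value vocabulary (`filesystem=`, `devices=`, `sockets=`, `shared=`) is Flatpak's.

```shell
#!/bin/sh
# Added example, not from the thread or the Flatpak project: read the sandbox
# metadata that `flatpak info --show-permissions APP` prints (a keyfile whose
# [Context] section lists the app's static grants) and flag the broad ones.

# audit_flatpak_permissions FILE
# Prints one line per broad grant found in [Context] and returns 1 if any
# were found, 0 if the declared sandbox is narrow. Which values count as
# "broad" is this example's judgement, not a Flatpak classification.
audit_flatpak_permissions() {
    found=0
    section=
    while IFS= read -r line; do
        case $line in
            \[*\]) section=$line; continue ;;   # new keyfile section
            *=*) ;;                              # key=value line
            *) continue ;;                       # blank or comment
        esac
        [ "$section" = "[Context]" ] || continue
        key=${line%%=*}
        values=${line#*=}
        oldifs=$IFS
        IFS=';'                                  # values are ';'-separated lists
        for v in $values; do
            [ -n "$v" ] || continue
            case "$key=$v" in
                filesystem=host|filesystem=host:*|filesystem=home|filesystem=home:*|"filesystem=~"|"filesystem=~:"*)
                    echo "BROAD  $key=$v  (every file you own, dotfiles and browser profiles included)"
                    found=1 ;;
                filesystem=xdg-*)
                    ;;                           # one XDG directory: scoped access, the goal
                devices=all)
                    echo "BROAD  $key=$v  (all device nodes, camera and microphone among them)"
                    found=1 ;;
                sockets=session-bus|sockets=system-bus)
                    echo "BROAD  $key=$v  (unfiltered D-Bus: reaches every service on the bus)"
                    found=1 ;;
                sockets=x11)
                    echo "BROAD  $key=$v  (X11 does not isolate clients from each other)"
                    found=1 ;;
                shared=network)
                    echo "NOTE   $key=$v  (network access; expected for a browser, odd for an editor)" ;;
            esac
        done
        IFS=$oldifs
    done < "$1"
    return $found
}

# write_sample_metadata FILE VARIANT
# Constructed sample in the --show-permissions keyfile shape; not copied
# from any real app. VARIANT is "narrow" or "broad".
write_sample_metadata() {
    if [ "$2" = "narrow" ]; then
        printf '%s\n' '[Application]' 'name=org.example.Notes' \
            '' '[Context]' 'shared=ipc;' 'sockets=wayland;fallback-x11;' \
            'devices=dri;' 'filesystem=xdg-documents;' > "$1"
    else
        printf '%s\n' '[Application]' 'name=org.example.Player' \
            '' '[Context]' 'shared=network;ipc;' \
            'sockets=x11;pulseaudio;session-bus;' \
            'devices=all;' 'filesystem=host;' > "$1"
    fi
}
```

To run it against an installed app, save `flatpak info --show-permissions APP` to a file and pass that file in. A grant the audit flags can be narrowed per user without touching the package, for instance `flatpak override --user --nofilesystem=host APP` (and `--nodevice=all`, `--nosocket=x11` for the other two), after which the app sees only what the portals hand it.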
| classichasclass wrote:
| If you're on a non-standard architecture, you're
| absolutely doing a lot of #5.
|
| For that matter, I build my own Firefox even though
| Fedora offers a package because I like the concept of
| doing so, I can submit fixes, and I can do local
| optimizations. It's a lot of work but it's hardly
| infeasible.
| Macha wrote:
| Do you also build your own kernel, glibc, dnf, openssl,
| pipewire/pulseaudio, systemd, ffmpeg, ffmpeg extensions,
| gtk, gcc, rustc, llvm, python, coreutils, ca certificate
| bundle, x11/wayland, clang, nodejs?
|
| I'm guessing no. So your overall security posture is line
| 3, where you're trusting fedora to be the gatekeeper for
| you.
| michaelmrose wrote:
| Average security is what is easy and common (usually because
| it's easy). It's common for regular users to install via
| their software center where they will find their office
| software, browser, and other common apps.
|
| It's common for some developer oriented software to list a
| lazy way to install software from a trusted source. They
| also aren't running curl $URL | bash on a $URL from a scam
| email they just got. It is indeed bad practice but it's a
| relatively contained bad practice and it's not reasonable to
| compare this situation, where some developer oriented
| software recommends a controllable insecure method, with the
| common user experience of hundreds of millions of windows
| users constantly installing all software by downloading and
| clicking on an executable, the functional equivalent of
| curl|bash.
| jrm4 wrote:
| This is an _absurd_ example; ironically what makes it 'safer'
| in reality is that the only people who use it know how
| dangerous it theoretically could be, and thus are able to
| reason about its source. How often has curl | bash ACTUALLY
| been a vector for problems?
| ajross wrote:
| > As opposed to the Linux security best practices of curl |
| bash?
|
| Gotta take offense here. _That's a MacOS paradigm_.
|
| All Linux distros have proper package management, always
| cryptographically signed and increasingly reproducibly
| verified, and extremely broad coverage of virtually all the
| software in the community. The closest you get to this kind
| of thing as an "official install mechanism" is e.g.
| bootstrapping a package repo for third party software,
| which has you hand-verify the keys.
|
| People who pull unverified code to their boxes are
| virtually all developers cloning stuff to build.
| safety1st wrote:
| Oh this is balderdash. Firstly if it's curl | bash you
| actually do have the choice to download the script before
| running it and review its contents.
|
| Secondly most software on Linux is not installed this way -
| it's installed through the distro's package manager,
| flathub, Steam etc. where it actually is way more vetted
| than a random download. Of course you can install random
| downloaded appimages etc. if you want as well because this
| is Linux and it doesn't treat you like a child in a
| sandbox, you own your system, you do what you want with it.
|
| Which gets to my last point - the software which is
| installed through curl | bash is generally targeting
| developers and frankly, as a developer, you should know
| what you're doing. You take the risk where the risk is
| small (on your throwaway dev VM), you vet & review the code
| first where the risk is real (on a production server or
| something).
|
| Your comment was counterfactual nonsense
| robertlagrant wrote:
| A CPU that might be spying on you isn't to do with malware.
| This is about the difference between OSes, which is worth
| talking about in and of itself.
| throwbadubadu wrote:
| "Best practice" is a bit exaggerated.. or tbh a joke. Any
| reasonable software I have lately seen distributing that
| way (and that were few ones) usually come with disclaimers
| like "beware that you must trust us" or pointing to
| alternatives in the direction of package managers..
|
| > to run untrusted code,
|
| No again, that depends on who you trust, right? If you
| trust no one, it is all up to you, certainly.. and at least
| you have the theoretical possibility to review almost
| everything (which other people actually do).
| mcpackieh wrote:
| > _the Linux security best practices of curl | bash?_
|
| 1. Widely criticized.
|
| 2. Not something the OS does, or even encourages. The OS
| permits it in the same way that the OS permits you to set
| your root password to hunter2 and run telnetd. You can't,
| and shouldn't, stop people from deliberately screwing
| themselves.
| jaywalk wrote:
| How do you know my root password? Delete this.
| bch wrote:
| What is it? I only see "*******".
| DaiPlusPlus wrote:
| lol, yes. See, when YOU type hunter2, it shows to us as
| ****
| ghostpepper wrote:
| Context for the uninitiated
|
| http://bash.org/?244321
| ChuckNorris89 wrote:
| Indeed. If you think Linux is inherently more secure than
| Windows, then I dare you to curl/wget some random sh script
| and run it as root.
| mcpackieh wrote:
| Make sure to also test the safety of a spoon by scooping
| your eye out with it.
| revolvingocelot wrote:
| But isn't installation via curl more of a PEBKAC issue? You
| don't _have_ to pipe it to a shell immediately -- pretty
| sure you could curl the install script and manually verify
| it. And isn't the CPU-might-be-spying an invariant?
|
| One certainly cannot change how one feels about one's
| security, but those don't seem to be reasons Linux is
| inherently more or less secure than Windows...
| pxc wrote:
| > the Linux security best practices of curl | bash?
|
| You do realize that even this is the same as downloading
| and running an executable from a website, which is _still_
| the norm on Windows, right?
| xigoi wrote:
| In fact, curl | bash is safer, because you can replace "|
| bash" with "| less" and inspect the script.
| xmodem wrote:
| I would argue that Windows checking certificate
| signatures provides a lot more safety to the vast
| majority of users than manually inspecting a bash script.
| Asmod4n wrote:
| The security practice on windows is to click yes on any
| prompt shown to you.
| chx wrote:
| That's not just Windows, someone had a presentation I
| think from Mozilla showing people can't make heads or
| tails of the SSL certificate error window and consider
| the whole thing to be "click yes to get on with things".
|
| Found it: https://inoio.de/images/something-happened.jpg
| could be from https://www.usenix.org/sites/default/files/
| conference/protec...
| reidrac wrote:
| You are supposed to run software packaged by your
| distribution, and that's trusted.
|
| The curl | bash is bad practice and shouldn't be used.
|
| You have way more control and security using a Linux
| distribution. The objectives of that and Windows are
| completely different, and that affects user's security.
| pmarreck wrote:
| > As opposed to the Linux security best practices of curl |
| bash?
|
| This comparison would only be valid if almost everything
| you install on Windows was at least theoretically
| inspectable before installation, instead of, well, almost
| _nothing_. LOL, nice cope.
|
| Anyway, here's a Bash function you can add to your dotfiles
| to add confirmation to that sort of "workflow":
|     confirm() {
|         tmpfile=$(mktemp)
|         # use tee to split stdin to stderr and the temporary file
|         tee "$tmpfile" >&2
|         echo >&2
|         # Prompt the user.
|         >&2 read -p "Do you want to pass this code along? [Y/n] " response < /dev/tty
|         case "$response" in
|             [nN]*)
|                 echo "Operation cancelled." >&2
|                 rm "$tmpfile"
|                 exit 1
|                 ;;
|             *)
|                 echo "Proceeding..." >&2
|                 cat "$tmpfile"
|                 rm "$tmpfile"
|                 ;;
|         esac
|     }
|
| Now you can just take those one-shot install lines and
| stick this "confirm" function in the pipe like so:
|
| curl <url> | confirm | bash ...
|
| There's probably a slicker way to do this, if you're super
| into Bash. And you may want to `set -o pipefail` in
| general, so that the "exit" code of 1 actually gets seen...
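A pinned variant of the same idea, added here as an example and not pmarreck's `confirm` function above nor code from any project named in the thread: it combines xigoi's "replace `| bash` with `| less`" inspection and kbenson's suggestion to keep the downloaded script on disk, and adds a SHA-256 pin recorded when you first reviewed the script, so a script that has changed since then is refused before anything runs. The function names (`sha256_of_file`, `stage_script`, `run_verified`, `demo_offline`), the staging directory under `~/.local/share`, and the constructed sample input `hello` with its digest are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: stage a remote install script to
# disk, pin it to a SHA-256 you recorded when you reviewed it, and run it
# only after the digest matches and you have looked at it once more.

# Portable SHA-256 of a file: coreutils sha256sum on Linux, shasum on
# macOS/BSD. Prints the hex digest only.
sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_script FILE EXPECTED_SHA256
# Copies stdin to FILE (kept, so you can later see what the script did)
# and returns 0 only if FILE's digest equals EXPECTED_SHA256. Nothing is
# executed here. A truncated download also fails the comparison, so the
# check holds even without `set -o pipefail` in the caller.
stage_script() {
    file=$1
    expected=$2
    cat > "$file"
    actual=$(sha256_of_file "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run: expected sha256 $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# run_verified URL EXPECTED_SHA256 [STAGE_DIR]
# Download, stage with the pin, page through the script, then ask before
# running it. STAGE_DIR defaults to a per-user directory that is an
# assumption of this example, not a standard location.
run_verified() {
    url=$1
    expected=$2
    dir=${3:-$HOME/.local/share/staged-installers}
    mkdir -p "$dir"
    file=$dir/$(date +%Y%m%d-%H%M%S)-$(basename "$url")
    curl -fsSL "$url" | stage_script "$file" "$expected" || return 1
    ${PAGER:-less} "$file" < /dev/tty
    printf 'Run %s now? [y/N] ' "$file" >&2
    read -r answer < /dev/tty
    case $answer in
        [yY]*) bash "$file" ;;
        *) echo "not run; copy kept at $file" >&2; return 1 ;;
    esac
}

# Constructed sample input for offline use: the bytes "hello\n" stand in
# for a script body; this is their SHA-256 (echo hello | sha256sum).
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# demo_offline: exercises stage_script without the network. Returns 0 when
# the correct pin is accepted and a wrong pin is rejected.
demo_offline() {
    tmp=$(mktemp)
    printf 'hello\n' | stage_script "$tmp" "$SAMPLE_SHA256" || { rm -f "$tmp"; return 1; }
    if printf 'hello\n' | stage_script "$tmp" "0000" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}
```

Usage is `run_verified https://example.invalid/install.sh <digest-you-recorded>`; the first time through you have no pin, so download with `stage_script` alone, read the file, and record `sha256_of_file` on it. The pin turns "I reviewed this once" into something the shell can enforce on every later run; it still does nothing about a script that was malicious when you reviewed it, which is Macha's point about line 1 of the ladder.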
| [deleted]
| causi wrote:
| Linux security will never stop feeling weird to me. Like
| when I try to do something that needs to be started with
| sudo, instead of warning me and just asking me if I want to
| run the command as root, I have to go back and input it
| again with sudo. Then some programs like VLC just straight-
| up refuse to run as root.
| ElectricalUnion wrote:
| > Like when I try to do something that needs to be
| started with sudo, instead of warning me and just asking
| me if I want to run the command as root, I have to go
| back and input it again with sudo.
|
| This sounds like a misconfiguration or lack of support
| for policykit to me.
|
| > Then some programs like VLC just straight-up refuse to
| run as root.
|
| That IMHO should be the standard behaviour of most non-
| basic/GUI programs to me, running as root is overall a
| terrible idea.
| dsr_ wrote:
| Those are two great things for security that prevent you
| from:
|
| $ rm -rf *
|
| No permissions in this directory - want to try with sudo?
| (Y/n)
| wepple wrote:
| There are a bunch of bad legacy technologies still baked
| into windows for which I can't see a non-windows equivalent
|
| For example: credential hashes. They can be used as a
| bearer-token, and a privileged enough one can log into
| absolutely any system in the entire domain and do anything.
| kbenson wrote:
| > As opposed to the Linux security best practices of curl |
| bash?
|
| Just because some people like to ask you to install their
| software that way doesn't make it "Linux security best
| practices" and it doesn't mean you need to follow those
| directions.
|
| You can review whatever you're running, and you should if
| you want to install that way and feel it's insecure. At a
| minimum you can download the script to an actual file you
| keep around for a while and run it, so if something weird
| does seem to be happening you can at least see what the
| script was attempting.
|
| Or, just refuse to install software that way. There's
| almost always a different way, and that's just provided for
| convenience. If people are opting for the unsafe method
| because it's convenient, I don't think that says as much
| about the OS as it does the people using it.
| whydoyoucare wrote:
| The same can be said of Windows users.
| usrusr wrote:
| "You can review whatever you're running"
|
| You could also review remotely hosted OOXML and its chain
| of oddly side-effecting dependencies.
| [deleted]
| adamc wrote:
| While reviewing the software you are running would
| definitely help, it is also utterly impractical as a
| security measure for more than a small fraction of the
| folks who use software.
| bscphil wrote:
| Linux security best practices are to (a) only run open
| source software with all code changes publicly visible on
| a version control website, and (b) rely on an expert
| maintainer to have performed at least minimal review on
| the software.
|
| Granted, you might sometimes need to run something else,
| perhaps even closed source software. But insofar as
| that's considered necessary, the security posture of
| Linux isn't significantly worse than Windows, where
| almost _everything_ is installed that way.
| tracker1 wrote:
| This is a large part of why I'm a heavy proponent of
| Flatpak/Flathub, Snaps and AppImage. The applications
| themselves may have a heavier payload, but run in
| relative isolation. It's an overall better option for
| security. Not to mention app/security updates won't
| affect the core os, and vice-versa.
|
| It's not a panacea, but it's the best option for most
| people. I get why some may not like it though... I don't
| quite get the visceral resistance though.
| JPws_Prntr_Fngr wrote:
| Same reason windows nerds have a visceral resistance to
| software that costs money, and mac nerds have a visceral
| resistance to the idea that window management should be
| more sophisticated than pixel-hunting through a morass of
| overlapping crap. Nerds over-invest in a hobby/product,
| get locked into the inertia, start to identify with it,
| and must then defend it irrationally.
| tracker1 wrote:
| The amount of money the game studios, steam and others
| make would counter your first point... and compared to
| what, Linux, where nearly everything is free and won't
| generally pay for software?
| JPws_Prntr_Fngr wrote:
| You're right, add an asterisk for games. My whole point
| is the nerd will get stuck/fixated on his original way of
| doing things, which for a Windows nerd (like my past
| self) is spending your meager cash to cobble together a
| custom pc powerful enough to play games as a
| child/teenager, and pirating everything possible. Windows
| was The Best OS Ever (because you have no choice) - just
| like your [Xbox|PS2] was the Best Console Ever (because
| you couldn't afford both).
|
| Of course, the adult version of this nerd will be able to
| weave much better post-hoc rationalizations. Head on over
| to ars technica or reddit or macrumors or linustechtips
| video comments for thousands of examples.
| tracker1 wrote:
| Honestly, my biggest gripes against Windows is the
| current direction of monetization of users... When I saw
| ads in my start menu search results, I was out. I've
| still used it a couple times for work, I still have it on
| my desktop, that I've booted to that drive twice. I've
| spent a fair amount of time getting some Windows things
| running on Linux.
|
| All said, I like and dislike aspects of Windows, Mac and
| Linux... they all have faults. I'm a bit more forgiving
| of Windows in terms of security today (after a decade+ of
| working very diligently at it) than a couple decades ago,
| when I saw the likes of ILoveYou and I forget the SQL
| Server one a year or two later. Those were just stupid
| decisions all around (running Email in "local/full-
| access" security context instead of internet/untrusted).
| Similar for the SQL issue.
| api wrote:
| "curl | bash" exists because there are too many Linux
| distributions and forks of distributions, making it
| basically impossible to distribute Linux software any
| other way without losing your mind creating hundreds of
| different repos.
| JTbane wrote:
| > Just because some people like to ask you to install
| their software that way doesn't make it "Linux security
| best practices" and it doesn't mean you need to follow
| those directions.
|
| It's the de-facto option for installing cross-distro
| software on Linux, especially if it's not in a package
| manager repo.
| the_af wrote:
| I don't disagree with what you're saying, but:
|
| > _You can review whatever you're running_
|
| How realistic is this for regular users? And even power
| users, in some cases. Let's say you download the install
| script. It's either hundreds of lines or it in turn
| downloads and runs some blob. Are you comfortable
| asserting your review is enough?
|
| Is this truly so different to clicking on some random
| Windows installer?
|
| If the same kind of Windows non-power users start running
| Linux and it becomes a really widespread desktop OS,
| would the situation be particularly different?
| anonym29 wrote:
| Unpopular opinion: "regular users" are, by their very
| nature, incapable of using any networked operating system
| with a 100% certainty of not infecting themselves with
| malware.
|
| They're not qualified to only make safe decisions during
| their computing because they're not educated enough to
| understand what makes any given action safe or unsafe.
|
| Using a computer is fundamentally not like using a car.
| Using a car, by and large, does not change. The only
| major exceptions are when the user fails to properly
| maintain it, altering weather conditions, and altering
| traffic conditions.
|
| Once a driver has driven in any given permutation of
| traffic condition and weather condition, as long as
| they've maintained their vehicle, the driver's experience
| will be almost identical when they find themselves in
| that same permutation of conditions again.
|
| This consistency allows drivers to build experience in
| adjusting their driving to operate in those conditions,
| which makes them better at it in those same conditions in
| the future.
|
| We let laypeople drive, even those who haven't the
| slightest idea of how their braking system works
| mechanically, because there is an extremely limited range
| of outcomes from pressing the brake pedal at a given
| pressure in a given set of conditions provided it's
| maintained.
|
| The scope of inputs we give drivers is ultimately tiny.
|
| Computers are not like this. The safety habits you
| learned in 1995 are not going to cover every threat you
| encounter in 2005, the safety habits you learn in 2005
| won't cover every threat in 2015, and likewise from 2015
| to 2025.
|
| As long as we give users a broad range of possible
| inputs, they will find ways to screw themselves with
| their own incompetence.
|
| The reason iPhones and Mac OS computers are perceived by
| the layperson to be more secure isn't that they're
| inherently less hackable, it's because they treat the
| average user like the moron that the average user
| actually is by substantially restricting the input
| freedoms of that user. How many millions of iPhone users
| _didn't_ get hacked because the developer denied them
| the freedom to sideload arbitrary unsigned IPAs?
|
| With great freedom comes an increased responsibility to
| understand the consequences of one's own actions. Users
| are lazy. Many are stupid. They do not read very much of
| anything. They do not understand the systems they are
| using and they don't want to.
|
| As a technologist, I love having the freedom of an
| unbridled OS that lets me do whatever I want, including
| deleting the whole file system. That kind of freedom just
| isn't optimal for a typical user's security.
|
| This may sound misanthropic to you, but look no further
| than the scores of people who microwaved or soaked their
| iPhones because 4chan made spoofed ads that looked like
| real Apple ads promising software updates that made it
| possible to charge one's iPhone by microwaving it or a
| software update enabling waterproofing.
|
| Users really are that stupid, and will ultimately find
| ways to harm themselves and their devices any way you
| allow them to, so long as there's a competent adversary
| trying to get them to do it.
| kbenson wrote:
| > Unpopular opinion: "regular users" are, by their very
| nature, incapable of using any networked operating system
| with a 100% certainty of not infecting themselves with
| malware.
|
| Unpopular? I'd go so far as to say it's a given, and go
| so far as to say even an "expert user" isn't going to be
| able to reach 100% certainty while still using the system
| for its purpose in almost all cases, unless it's air
| gapped or they've had their permissions reduced to the
| point they can't do certain things (which might help the
| regular user as well).
|
| > Using a computer is fundamentally not like using a car.
| Using a car, by and large, does not change.
|
| Except in the way that it's exactly like using a car.
| That is, in that it's someone operating a complex piece
| of machinery within narrow bounds that make it generally
| safe, but sometimes things happen either from the
| operator stepping outside of those bounds for convenience
| or inattentiveness or because of outside actions that
| make it unsafe.
|
| > We let laypeople drive, even those who haven't the
| slightest idea of how their braking system works
| mechanically, because there is an extremely limited range
| of outcomes from pressing the brake pedal at a given
| pressure in a given set of conditions provided it's
| maintained.
|
| I would say it's more because "normal" operation of a car
| only requires being trained to a specific level on
| specific capabilities. A professional driver that races
| may use the controls of the car very differently and
| achieve a much different outcome (the e-brake is just for
| when parked? Says you...).
|
| We do tend to only legally allow specific types of car
| use in specific contexts though, so that's food for
| thought.
|
| > Users really are that stupid, and will ultimately find
| ways to harm themselves and their devices any way you
| allow them to, so long as there's a competent adversary
| trying to get them to do it.
|
| I totally agree. I just don't think that Linux is
| particularly worse than Windows these days with regard to
| the trouble you can get into (you can run powershell
| scripts to do installs too, and I've seen the powershell
| equivalent to curl | bash).
|
| There's a whole host of behaviors that people view as
| different when the _context_ changes that aren't really
| different in practice. Running random executables on
| Windows is generally unsafe, and most people develop that
| sense after a while (either from being told or the hard
| way). Doing the same on Linux is unsafe in many ways too
| (except that often there's some additional trust we layer
| on some of the places we're getting the executables
| from), and running random shell commands isn't really any
| different, but people _feel_ like it is because it's no
| longer in the context of Windows. That doesn't really
| make it better, it just makes people feel better about
| it.
|
| If you want to be safe, you either stick with a vetted
| source you trust such as the package repo for the OS or
| software originating at a company you trust (which might
| just mean they're someone possible to track down and sue,
| so they're less likely to go rogue), or that has a
| reputation they don't want to screw up and a mechanism is
| in place that you're fairly sure you're using code from
| them (e.g. github and a trusted author or project). Other
| than things fundamentally like that, you're just rolling
| the dice. Which happens, and we've all done it, usually
| without problem. Which makes us complacent.
| mcpackieh wrote:
| Regular users on Linux shouldn't be downloading software
| through their web browser at all; that's a Windowsism.
| Regular users on Linux should be using their package
| manager to install new software. Say what you want about
| Debian's volunteers, but they're a hell of a lot more
| trustworthy than the average Windows software download
| website.
| majkinetor wrote:
| That is nonsense. On various distributions, packages are
| just packed stuff from the vendor site.
|
| A package manager has little to do with security, unless
| you count hash checking as one. It's about automation.
|
| Besides, Windows has had multiple good package managers
| since a long time ago.
|
| BTW, to demonstrate the invalidity of the argument, you
| don't have to look further than the nvm package manager...
| mcpackieh wrote:
| > _That is nonsense. On various distributions, packages
| are just packed stuff from the vendor site._
|
| If it's _actually from the vendor_ that's already an
| improvement over the typical Windows experience.
| reisse wrote:
| > Regular users on linux shouldn't be downloading
| software through their web browser at all; that's a
| Windowsism.
|
| Sure, downloading executables and running them in UAC-
| protected environment is a Windowsism. Linux way is to
| copy commands from a random web page and run them as
| root. Of course all the commands on how-to sites in
| search results are trustworthy!
| 26fingies wrote:
| > Regular users on linux shouldn't be downloading
| software through their web browser at all; that's a
| Windowsism
|
| have you ever met a regular user?
| whyoh wrote:
| >Say what you want about Debian's volunteers, but they're
| a hell of a lot more trustworthy than the average Windows
| software download website.
|
| Really? Software developers, who distribute through their
| websites, have an economic incentive to _not_ give users
| malware. I'm not sure the same applies to Debian's
| volunteers. I don't even know who these volunteers are.
| raverbashing wrote:
| > Really? Software developers, who distribute through
| their websites
|
| Yeah, then some company installer-hijacks your software
| and SEOs your site. Case in point, VLC (for Windows of
| course)
| ilyt wrote:
| And how is a user supposed to know that the company is a
| trustworthy company just selling their software and not a
| scam?
|
| A single Debian volunteer would have to do quite a bit of
| work to get into a position of being able to just push
| malware into the repo; and if they did, it lands in Debian
| unstable/testing so there is also a pretty good chance it
| would be noticed.
| mcpackieh wrote:
| The average Windows user does a web search for software
| and very often finds not the first-party website operated by
| the developer, but instead finds websites like
| sourceforge, cnet, softpedia, etc. Downloading sketchy
| freeware from third parties is Windows culture. This
| culture is encouraged by Microsoft not vetting and
| packaging free software themselves like Linux distros do.
| _gabe_ wrote:
| I don't know where you've gotten the idea that Windows
| will just run whatever software you provide it without
| saying anything. Executables must be signed with a
| trusted CA. You can get this trust by buying a CA and
| waiting for reputation to build (which means any malware
| you produce can be tracked back to your business),
| submitting the software to Microsoft for malware
| analysis, or waiting a very long time for reputation to
| build[0].
|
| If your executable doesn't have trust, a scary warning
| pops up (or Windows blocks the app from running) and
| tells the user _Windows Defender SmartScreen prevented an
| unrecognized app from starting. Running this app might
| put your PC at risk_. This seems about as effective as
| having a bunch of random people vetting packages for a
| Linux distro.
|
| [0]: https://stackoverflow.com/questions/48946680/how-to-
| avoid-th...
| [deleted]
| mindslight wrote:
| Sure, if by "scary warning" you mean the click through
| nags that Windows pops up early and often (sometimes
| multiple times for a single action) and that have trained
| generations to ignore software warnings and dialogs in
| general.
|
| I honestly just installed my first non-throwaway Windows
| VM in a long while, and I was appalled how the state of
| the art in Windows "security" is still stuck where it was
| a decade ago.
| shortrounddev2 wrote:
| > Downloading sketchy freeware from third parties is
| Windows culture
|
| No, it's "computer illiterate" culture. Windows has a few
| package managers available these days (including a first
| party one). Developers on Windows install things the same
| way that Linux users do, though not usually building the
| software along the way (though I often have to use cmake
| with visual studio)
| mindslight wrote:
| > _Software developers, who distribute through their
| websites, have an economic incentive to not give users
| malware_
|
| You're putting way too much faith in the efficient market
| fallacy. In reality, proprietary software companies are
| incentivized to distribute malware to increase their own
| control and their bottom line. Prominent examples being
| BonziBuddy, Sony Rootkit, Denuvo, all the crapware that
| comes bundled with Android/Windows, web ads, web
| surveillance, etc. Like every other day there is a new HN
| topic about how some company violated the trust they had
| built and screwed over users.
| 6c696e7578 wrote:
| > I don't even know who these volunteers are.
|
| They're probably on here, reading your comments, or
| reading LWN.
|
| You have more chance of reaching a DD and reading their
| work than you do of reaching a commercial software
| author.
| tumult wrote:
| Regular users on Linux shouldn't run commercial software?
| washadjeffmad wrote:
| Is commercial software incapable of being packaged?
| iscream26 wrote:
| No, but packaging a software package for _every_ Linux
| distro that exists _is_ unfeasible. Not that _I_ care
| though, _I_ don't run commercial software. But, you
| know, devil's advocate and all that. Still, I completely
| understand why someone might be frustrated by the way
| software is usually installed in Linux if they were, say,
| a game developer.
| josephcsible wrote:
| > packaging a software package for _every_ Linux distro
| that exists _is_ unfeasible.
|
| For _every_ Linux distro, sure, but it is feasible to
| create an apt repo and a Yum repo, and don't those cover
| the vast majority of distros by usage?
| askiiart wrote:
| Yes, packaging a software package for every Linux distro
| _is_ unfeasible, but have you ever used Linux? There are
| snaps, flatpaks, and AppImages, which can all run in any
| distro, and are generally more secure than "native"
| packages (for lack of a better word).
| iscream26 wrote:
| > Snaps
|
| A technology superseded by Flatpaks, yet pushed
| incessantly by Canonical, a befuddling move that I still
| don't quite understand. Rough to use in any other distro.
|
| > AppImages
|
| Speaking from experience, these _don't_ run on every
| distro. So they fail to fulfill their intended purpose.
| As far as I'm concerned, that makes distributing software
| as AppImages a no-go.
|
| > Flatpak
|
| Better than any of the technologies previously quoted,
| but it is not without its own issues. The chances of a
| Flatpak working on any particular distro are acceptably
| high, but they still suffer from the same problem
| AppImages do. I've had an instance where an app refused
| to run on OpenSUSE, even though it was working completely
| fine on Fedora (I was using Flathub's repo on both
| distros, I _wasn't_ using Fedora's, just to clarify). I
| think it was Firefox, though I'm not 100% on that.
|
| Still, I'm yet to see a commercial software being
| distributed as a Flatpak. My guess is that it's all more
| of a hassle than it is worth. Which, I guess you could
| say that about packaging commercial software for Linux in
| general. So, we're back to square one with the chicken
| and the egg problem that Linux suffers from. Though
| nowadays it's less severe what with the existence of
| SteamOS and all of that, so at least there _is_ a
| substantial marketshare, small as it is.
|
| EDIT: fixed vertical spacing.
| ilyt wrote:
| 99% of software packed for Debian will just work with any
| of the derivatives. No idea how it looks like on the RPM
| side, but as long as your distro is new enough, 3rd party
| software packaged for Ubuntu usually works on Debian and
| 3rd party software packaged for Debian near-always works
| on derivatives.
| tumult wrote:
| Incapable of being packaged? Usually not. Incapable of
| being included in a distro's repositories? Usually, yes.
| prmoustache wrote:
| Commercial software vendors can provide the source and
| build procedure.
| the_af wrote:
| How can you vet the source and build procedure?
|
| Assuming this is a commercial vendor not available
| through your package manager, and that you must go to the
| website, pay and get a download link (with source in this
| scenario), how is this fundamentally different to a
| Windows user paying for and downloading something bundled
| with malware?
|
| Were Linux to go mainstream, it'd be unrealistic to ask
| users to vet the source code! Who has the time and
| expertise? You fundamentally rely on others to tell you
| it's safe. On Linux it's a safe bet, since malware
| authors are less interested in targeting it.
| salawat wrote:
| <violent head shake, spilled drink>
|
| Excuse me, _what_?
|
| Downloading via web browser was the original means
| (besides ftp) of getting anything. Hell tarball
| distribution was how _everyone_ used to move bits around.
|
| Package maintainers are not Linux. Never will be, never
| have been. Linux may start with a distro or live CD, but
| from there it's you arranging things in a way that best
| works for you.
|
| Or are you going to try to sell me on the fact that Linux
| From Scratch is basically pushing you to wget source
| tarballs, is peak windowsism?
|
| If anything, distribution package managers are more of a
| windowsism than anything else. About the most I tend to
| allow myself is to use the apt-ified form of software
| install after I've torn apart an sbopkg build from
| source. Even on windows I've gotten to the point I've
| started dumping symbol tables from binaries, for all the
| cold comfort and reminder that the world is a capitalist
| hellhole that offers nothing but clients of servers
| looking to charge you rent anymore.
|
| How do you ever expect to learn how your computer works
| and how to drive it if you don't read?
| the_af wrote:
| Yeah, I'm nodding in agreement with you.
|
| I'm surprised by some of the answers I'm getting -- and
| I'm both a Linux fan and an almost exclusive user for the
| past 20 years. Yet I don't delude myself about the ton of
| crap I download in order to get things to be the way I
| want. Sometimes it's Steam, sometimes it's GOG, sometimes
| it's the official repo, sometimes it's a PPA, sometimes
| it's just random stuff on the web.
|
| And yes -- downloading stuff from the web is how it's
| supposed to be used. Have people really changed so much
| that this is now frowned upon?
|
| In any case, I still think we're "safe" because malware
| authors don't think it's worth their time to target
| Linux.
| shortrounddev2 wrote:
| I think it's pretty common these days to have people git
| clone a repo and then build it. Not everything is on a
| package manager, and I see fewer new things on aptitude.
| At best, they're available as modules in npm or pip to be
| installed globally
| didntcheck wrote:
| I would guess most of those are tools aimed at
| developers, who can take that risk if they wish. For most
| users, almost anything they want is either in official
| repos, or in Flatpaks, which offer some sandboxing
| (although I guess a malicious Flatpak could just ask for
| excessive permissions, like a random apk)
| the_af wrote:
| Developers are less common than regular users, but still
| they are among the "common" users of operating systems,
| so that use case must be handled. Malware on Windows also
| gets distributed in tools supposedly for developers,
| after all.
| smodo wrote:
| I just said 'git clone' to my wife and she slapped me in
| the face. I'm sorry but for the aforementioned regular
| users this is nowhere near common.
| callalex wrote:
| This is giving me flashbacks to my consulting days. The
| IT people were all forced to call it "JitLabs" and
| "JitHub" because HR considered git to be offensive.
| shortrounddev2 wrote:
| Are you British? God forbid you used MongoDB
| shortrounddev2 wrote:
| Yeah but I think it's unfair to compare average linux
| users to average windows users. They're not the same kind
| of users. Most (desktop) Linux users are software
| engineers
| the_af wrote:
| Agreed about `git clone`, but installing things from the
| web is one of the expected usages of any system. For
| regular users. Lots of indie and non-commercial (and even
| commercial) stuff to download this way.
|
| In Linux, .sh installers are common. GOG games get
| distributed this way. If your wife still metaphorically
| slaps you when you mention .sh installers, it's only
| because she doesn't play games on Linux. She wouldn't
| know how to use apt either.
|
| I think in the end the truth is that Windows is more
| targeted by malware because it's more widespread than
| Linux.
| the_af wrote:
| > _Regular users on Linux shouldn't be downloading
| software through their web browser at all; that's a
| Windowsism._
|
| I strongly disagree. "Only download from here; if it
| doesn't have what you want, tough luck".
|
| Also, this seems like an argument in favor of a walled
| garden. If so, I suppose that would fix Windows.
| AnthonyMouse wrote:
| > "Only download from here; if it doesn't have what you
| want, tough luck".
|
| It's not that doing otherwise is prohibited. It's that
| doing otherwise should get your hackles up.
|
| Which is why it isn't this:
|
| > this seems like an argument in favor of a walled
| garden.
|
| There are no walls. It's just a garden. But you have to
| understand that if you leave the garden, you're on your
| own.
|
| For software developers and IT professionals, that's
| fine. They have a professional knowledge of the
| reputation of the source or know how to read the code, or
| how to set up a virtual machine if they want to try it
| but don't trust it. And if an ordinary user who is
| rightly wary of doing that still wants to get the latest
| AI thing from github, they call up their friend the
| software developer or their company's IT department or
| pay a computer repair shop they trust to set it up for
| them.
|
| But that should be rare, because anything which is both
| popular and safe should promptly get added to the package
| manager.
| the_af wrote:
| Agreed, not a "walled" garden but a garden. Essentially
| an app store.
|
| So essentially if Windows had this, problem fixed?
|
| Or put another way, if most users came to Linux and
| started downloading crap from everywhere, there would be
| incentive for malware authors to write it for Linux,
| bringing it to the current situation with Windows?
| ilyt wrote:
| Regular users on linux shouldn't be downloading software
| through their web-browser at all.
|
| They should be adding a repository trusted with keys but
| so far UI/UX for it is horrible for regular users. Still
| better than... whatever the fuck windows is doing tho.
| pessimizer wrote:
| These are dishonest arguments.
|
| 1) Download random shit from the internet at your own
| risk. If you're given a vast supply of safe software, and
| you choose not to use it, remember that you're a grown up
| and you should do what you like.
|
| 2) Nobody is objecting to walled gardens with no walls.
| Almost nobody, I should say; I've seen people tell Apple
| users that the fact that they are happy with the app
| store makes them bad in some way, but those people are
| shitheads. The reason to attack Apple is on behalf of
| their users, not some perverse brand nationalism.
|
| If an Apple user can install whatever they want, and end
| their relationship with the Apple corporation at any
| time, that's winning. If the vast majority of Apple users
| decide that they value whatever contract (implicit or
| explicit) that Apple has made with them, and enjoy the
| relationship and the stewardship of the app store, that's
| a choice they're making as free people. And under the
| pressure of free people, the app store would have to
| improve anyway. I certainly have affection for what
| Debian does (and for everybody who wrote the software
| packaged in Debian.) Why shouldn't they feel that for
| Apple?
| the_af wrote:
| I misspoke, it's indeed a "garden", not a walled garden.
|
| Linux users often rail against Apple's gardens, so it'd
| be dishonest to pretend otherwise. I should know! I've
| been a Linux user for 20 years now.
|
| > _If you're given a vast supply of safe software, and
| you choose not to use it, remember that you're a grown up
| and you should do what you like._
|
| But lots of software in Linux isn't available in any
| repos. For example, games and stuff a typical mainstream
| user would expect. So Linux couldn't be turned into a
| "safe" mainstream OS unless it adopted a more diverse
| "app store", like macOS.
|
| But this could very well be done by Windows, so it's not
| that one OS is "safe" or "safer" than the other. It's
| essentially a popularity thing.
|
| > _Download random shit from the internet at your own
| risk_
|
| And here we have it! Linux users "download random shit at
| their own risk" because they are not mainstream users;
| their needs are served by their distro's repo because
| their needs are different. If Linux was a mainstream OS,
| with the kinds of users that come with it, it would
| either have to turn into macOS or Windows. Either
| draconian measures (a single store where you can buy
| everything), or no measures at all (== malware).
|
| Expecting people to "review the installer" is ridiculous.
| rodgerd wrote:
| > Also, this seems like an argument in favor of a walled
| garden.
|
| It is always entertaining to see HN's commentariat both
| rail against walled gardens by (for example) Apple or
| Android that are aimed at making life easier for regular
| people, while advocating them for Linux.
| haswell wrote:
| _Shouldn't_ perhaps (with caveats, and therein lies the
| rub), but is there a reason to believe that they won't?
|
| I'm torn on this. On the one hand, yes, a "regular" user
| should be using a distro that has a wide array of
| natively packaged software, and relying on that as much
| as possible. But not all software is distributed this
| way.
|
| And many "regular" users will be coming from a Windows
| background, meaning they're not going to recognize the
| fact that the site they found when googling for "Install
| Spotify on Ubuntu" that tells them to open a command
| prompt and paste this command or download this .deb file
| is actually malicious.
|
| In practice, they're susceptible to the same kinds of
| attacks they would be on Windows.
| mindslight wrote:
| That blame still appropriately lies with maladaptive
| behaviors learned from Windows. The _only_ way to
| completely stop users being susceptible to the "attack"
| of them phrasing their desires as web searches and then
| blindly following whatever malicious instructions come up
| is to fully remove administrator privileges and lock them
| out of "their" computers. But doing this at the level of
| the OS producer is utterly at odds with the foundation of
| a free and open society.
|
| The incremental way to solve this problem is through
| various rules based around users engaging with details of
| the OS. One very simple one of these is "only install
| software through the system package manager". If users
| violate those rules, short of the above "solution", there
| is literally nothing that can be done to help them.
| pessimizer wrote:
| > That blame still appropriately lies with maladaptive
| behaviors learned from Windows. The only way to
| completely stop users being susceptible to the "attack"
| of them phrasing their desires as web searches and then
| blindly following whatever malicious instructions come up
| is to fully remove administrator privileges and lock them
| out of "their" computers.
|
| And making it a class at school. We have universal
| education in most places, we can use it for something
| useful. There's no reason that we have to capitulate to
| corporations and their moats. We can teach children how
| the devices that surround them and order them around
| work, and how to deal with the predators that they'll
| encounter while interacting with them.
| the_af wrote:
| What about things that are not in their package manager,
| like most games?
|
| "Only download through this walled garden [Steam, GOG
| Galaxy, etc]"? So walled gardens are the answer?
| pessimizer wrote:
| If someone gives you a guarantee of safety, you get to
| blame them when things go wrong. If you demand to strike
| out on your own, you have no one to blame but yourself.
| And you should honestly be proud of taking the risk; it's
| literally the only reason to use all this proud,
| evocative language about being trapped and needing to be
| free.
|
| You want to be cutting edge, but not get cut.
| the_af wrote:
| Wait. Linux users "strike on their own" all the time!
|
| Who here is a Linux user and never downloaded stuff
| outside the repo, or compiled sources and run them
| without reviewing every security loophole? Linux users
| are the most "demand-ey" of users, even starting
| flamewars over being forced to do things this way or that
| way!
|
| I'm really _skeptical_ that this wouldn't introduce
| malware if malware authors deemed Linux a worthy target.
| ilyt wrote:
| Just gardens. Package repositories are just that, you can
| pick whatever you want.
|
| Games are a bit of special case as they don't exactly
| play nice with Linux and many of them are also run thru
| emulation like Proton
| the_af wrote:
| But that's it. Games and games downloaded from dubious
| sources are one of the primary infection vectors. It
| doesn't happen enough in Linux because there aren't
| enough Linux users to make it a worthwhile target for
| malware authors!
| mcpackieh wrote:
| Gardens are the solution, but people shouldn't be locked
| into any garden against their will. Users should be free
| to choose the garden they prefer any time they wish, or
| to start their own garden and invite others to visit it.
|
| I choose the F-droid garden and the OpenSUSE garden.
| Other people may prefer other gardens, and they should be
| free to choose the ones they prefer as I am free to
| choose mine.
|
| When people criticize _walled_ gardens, it's because the
| wall is like the Berlin Wall; a wall designed to keep
| people in against their will.
| the_af wrote:
| > _When people criticize walled gardens, it's because
| the wall is like the Berlin Wall; a wall designed to keep
| people in against their will._
|
| Fair enough. You are right there.
|
| But in essence, it's not that Linux is "safer" than
| Windows against malware. It's that it's a nerdier culture
| with different practices that don't translate well to the
| mainstream. Like user kbenson above who suggested
| "reviewing the installer"... I hope we all agree that's
| ridiculous, right?
| mindslight wrote:
| Yes, gardens are _one_ answer, and likely the best one
| currently, for non-webapps. Distro package repositories
| themselves are the original gardens. People tend to give
| them a pass because good incentives have kept them
| decently honest, but distro package repositories are
| fundamentally gardens.
|
| Gardens allow you to make a small number of trust
| decisions, and then trust all the software they have
| vetted by extension.
|
| Note that I'm leaving out "walled" because multiple
| software sources can coexist. "Walled" only comes about
| when some company tries to constrain you to their
| singular source.
| gspencley wrote:
| Yeah this conversation is borderline philosophical. What
| does "secure software" mean? As a software engineer I've
| always thought about secure software as software that
| does not have bugs that can be exploited by non-
| authorized users. Be it privilege execution, code
| injection, remote code execution etc.
|
| As an end-user, I choose to use Linux because it does not
| stand between me and my computer. I am the master of the
| machine. I tell it what to do, and it obeys. That is the
| relationship I want to have with a piece of tangible
| property that I paid money for.
|
| So if I do something unsafe, even through ignorance or
| naivety, I still see that as being my fault. Not the
| software's. In other words, the software was behaving as
| expected. There were no bugs. It did what the authorized
| user told it to do.
|
| But I can see the point of view that secure software
| could also mean software that makes it difficult for the
| authorized user to do dangerous things. Especially in an
| organization setting where the user is not actually the
| owner of the machine, but is using company equipment and
| software.
| ilyt wrote:
| The way of solving it would be streamlining adding new
| repositories for the 3rd party stuff.
|
| Way too often it's "download some dumbass script running
| some half-assed autodetection just to add a line of text
| to config and a GPG key".
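What such a vendor script boils down to, written out by hand as an added example (not the commenter's code): a dedicated keyring under /etc/apt/keyrings and a deb822 sources entry whose Signed-By pins the repository to that key, so nothing downloaded from the vendor runs as root. The repository name, URI, suite and components are placeholders; APT_ROOT is an assumption added so the functions can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: the two files a third-party apt repo setup script
# produces, created explicitly instead of by piping the script to sh.
# All repository values below are placeholders.
set -eu

# Prefix to write under: empty means the real system, or point it at a
# scratch directory to inspect the result first (assumed helper variable).
APT_ROOT="${APT_ROOT:-}"

# Install an already-downloaded OpenPGP public key as its own keyring.
# Keeping one keyring per repository (rather than apt-key's shared
# trusted.gpg) means this key can only sign this repository's metadata.
# Armored (text) keys are converted with gpg --dearmor; binary keys are
# copied as-is. Prints the keyring path.
install_repo_key() {
    name="$1"; keyfile="$2"
    dir="${APT_ROOT}/etc/apt/keyrings"
    out="${dir}/${name}.gpg"
    mkdir -p "$dir"
    if head -n 1 "$keyfile" | grep -q 'BEGIN PGP PUBLIC KEY BLOCK'; then
        gpg --dearmor --yes --output "$out" "$keyfile"
    else
        cp "$keyfile" "$out"
    fi
    chmod 0644 "$out"
    printf '%s\n' "$out"
}

# Write a deb822 sources entry that accepts only metadata signed by the
# keyring above. Signed-By always names the final system path, even when
# APT_ROOT points at a scratch directory. Prints the sources file path.
write_sources_entry() {
    name="$1"; uri="$2"; suite="$3"; components="$4"
    dir="${APT_ROOT}/etc/apt/sources.list.d"
    out="${dir}/${name}.sources"
    mkdir -p "$dir"
    cat > "$out" <<EOF
Types: deb
URIs: ${uri}
Suites: ${suite}
Components: ${components}
Signed-By: /etc/apt/keyrings/${name}.gpg
EOF
    printf '%s\n' "$out"
}
```

After both files exist, `apt update` is the only step left, and a metadata signature from any other key is rejected for that repository.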
| nephanth wrote:
| Do regular users `curl|bash`? From my experience that's a
| pretty rare occurrence: stuff users need is generally in
| the repos
| amalcon wrote:
| What's confusing here is that desktop Linux almost
| doesn't have "regular users". You're a power user already
| if you are running apt, much less curl|bash. It's not
| super meaningful to ask what the small number of
| "regular" desktop Linux users are doing; what is
| meaningful is to ask what they would do if they existed.
|
| Which is probably the same thing they do on Windows: use
| a browser to download and run whatever program claims to
| do what they want.
| the_af wrote:
| Exactly! You articulated that better than I did.
| the_af wrote:
| > _Do regular users `curl|bash`?_
|
| They don't (unless following instructions). But that's my
| point: downloading stuff and "reviewing" it is not
| feasible except for power users -- which are not the
| scenario we're describing -- and not even then! Can you
| tell me you trust yourself to review a non-trivial
| install script?
|
| > _stuff users need is generally in the repos_
|
| Even games? If we're talking about regular users, they'll
| want to play games and other things not packaged with
| their repo.
| kbenson wrote:
| Whether regular users actually realize this or not, they
| shouldn't download random binaries or scripts from random
| sites and run them on Linux any more than they should on
| Windows.
|
| Contextually, it feels different, but it's not. Not
| really. If you want safe, there needs to be a chain of
| trust or something analogous, whether that's vetted
| repos, trusted companies (i.e. "able to be tracked down
| and sued") you're installing from, or an individual or
| group with a vested interest in keeping things safe (a
| project that has a track record).
|
| Should regular users be using a script from some site to
| install stuff? Probably not. It's not safe. But that's
| not a Linux problem as much as it's a developer ecosystem
| problem and people not recognizing it as unsafe when
| they'd be leery of doing the same thing on Windows.
|
| As an example, I give you Deno's installation
| instructions page[1]. Notice that equivalent to curl and
| bash as the first available Windows installation method?
| You can do that, or you could winget install it from the
| Windows Store, which presumably goes through _some_
| vetting process. Mac OS is in there as well with a bunch
| of possibly unsafe options (depends on how much you trust
| each package system...).
|
| This isn't an OS problem, it's a community problem.
| Either we have the option of people being able to do less
| safe things, or we all run the equivalent of iOS and can
| only install and run software vetted by others. Pick your
| poison.
|
| 1: https://deno.land/manual@v1.35.0/getting_started/insta
| llatio...
| JadeNB wrote:
| > How realistic is this for regular users? And even power
| users, in some cases. Let's say you download the install
| script. It's either hundreds of lines or it in turn
| downloads and runs some blob. Are you comfortable
| asserting your review is enough?
|
| > Is this truly so different to clicking on some random
| Windows installer?
|
| Yes, because you literally _can't_ look in a random
| Windows installer (or, at least, it's not made to allow
| you to do so). It's true that many users won't have the
| competence to read and understand source code, but ... it
| seems like that may be a genuinely unsolvable problem (if
| you want powerful software to be available to non-dev
| users); I don't know much about my car, but I _could_,
| and, when it is genuine complexity making understanding
| difficult rather than intentional black-boxing and
| obfuscation, I don't blame that on the car manufacturer.
| the_af wrote:
| I think realistically you cannot expect any user, in any
| system, to be able to review arbitrary scripts.
|
| Experts can, but it's asking too much of regular users
| who aren't programmers.
|
| And therefore, that's the answer of why Linux is "safer"
| than Windows.
| wongarsu wrote:
| > Yes, because you literally can't look in a random
| Windows installer
|
| Most windows installers are regular archive formats, with
| either msi information or an executable tacked on. They
| open just fine in 7zip. Of course analyzing the binary
| files inside the installer is another matter.
| nullindividual wrote:
| MSIs often contain CAB files, which 7Zip can also open,
| though usually files in MSIs aren't named the same as
| their uncompressed files (i.e., .dl_ for .dll).
| wg0 wrote:
| It is not a remote theoretical possibility; it's just that
| no one has attempted it: PID 1, such as systemd, can be
| replaced with an infected version of systemd, and then
| imagine what's not possible once you, as malware yourself,
| are systemd, the ring master.
|
| This Linux superiority complex isn't rooted in reality,
| not that I'll ever pick Windows as my daily driver.
| the_af wrote:
| Exactly.
|
| I like and have been using Linux as my personal and work
| computer for decades. But I don't delude myself about
| what safety is inherent to the system and what is just
| about popularity.
| blkhp19 wrote:
| regular users _don't use linux_ lol...
| the_af wrote:
| That misses the point. There was a context to my reply!
|
| I _know_ regular users don't use Linux. What I'm
| refuting is the notion that Linux is _safer_ than Windows
| because "you can review the install script".
|
| What I'm arguing is that you really can't review
| anything. Suppose Linux were to magically go mainstream
| on the desktop: you cannot ask users to review
| installers. That's crazy.
|
| Finally, what I'm supporting is the assertion that Linux
| is safer from malware _precisely_ because it's less
| widespread than Windows, making it a less interesting
| attack target for malware creators.
| tiffanyg wrote:
| Yup, basically.
|
| The situation is relatively straightforward, though
| people with biases (&/ desire to just argue &/ trolls)
| complicate it over and over again:
|
| UNIX, and specifically Linux as a descendant, was evolved
| with very sensible and fairly solid security models (in
| multiple ways - including balancing simplicity [making it
| easier for users to specify and have that specification
| actually match their intention] against flexibility /
| rigor). Furthermore, from early days, there were heated
| substantial arguments about security vs. usability.
|
| When I was younger, I had a more "Theo de Raadt" POV - it
| should be way more secure. But, I think that the
| arguments people like Torvalds made about "enough trouble
| getting adoption AT ALL", in essence, were better
| arguments.
|
| Linux has been pretty good through the years. Far from
| perfect, but a good enough mixture in terms of balancing
| "getting sh1t done" against "keeping people safe".
|
| Windows is a mess. It's always been a mess (though, to be
| fair, it DID really improve between 2000 and 2010, but
| only to the point sort of REQUIRED to continue to be
| commercially viable). The incentives etc. are all
| different. The M$ model is always "make things as easy as
| possible to just start using" and "try to keep everyone
| chained to the platform, in part through the otherwise
| almost altruistic method of never breaking ancient
| software".
|
| There is no question that security - in terms of what is
| best for the user - is not the key principle / drive,
| there. You can judge that however you like, or not at all
| - it doesn't implicitly mean Windows is "worse", because
| that always depends on what is "important" ... what
| perspective you're looking at it from.
|
| But, I certainly find that model ugly and unfortunate,
| personally.
| ryanisnan wrote:
| This kind of comment reeks of idealism. Sure, you can
| look at every single thing you install because of the OSS
| nature of Linux, but you are incredibly naive if you
| delude yourself into thinking a) that you have the
| bandwidth to do this and stay meaningfully productive,
| and b) have the technical abilities to sufficiently
| evaluate what each piece of software does.
|
| This take is reductive and should not be taken seriously.
|
| edit: Editing to say, I do agree with the OP in spirit,
| you should try to avoid running untrusted software. But
| the devil here is in the details, it's simply not an
| easily feasible goal.
| dTal wrote:
| You have so many more _practical_ options for even
| amateur security auditing on Linux. You can trivially
| spin up a temporary OS /chroot/container and run your
| specimen inside it, or run it under strace and log every
| system call, or statically sift through an executable for
| strings like IP addresses in an instant using basic
| tools. Bash install scripts can simply be grepped. It's
| an environment that gives the user control by default,
| and as such it's that much harder for executables to gain
| the upper hand.
|
| Obviously you don't do that for every binary you run, but
| you have options if there's something you're a bit
| suspicious of.
| chrisdave wrote:
| All of those options have Windows analogues though.
| Windows users can spin up a VM, run procmon, and even have
| access to text editors.
| rodgerd wrote:
| Indeed. "Run a program or browser extension in Sandbox
| mode" is a great deal easier in Windows than the
| equivalent in Linux.
| reedf1 wrote:
| If people were doing their due diligence on every binary
| they execute, malware beyond highly targeted zero-days
| would be non existent.
| majkinetor wrote:
| Yeah, it's so naive that it's not even worth commenting.
| bawolff wrote:
| On the other hand it seems entirely possible to use only
| apt-get install and be happy on linux.
| wongarsu wrote:
| Nowadays, you can also mostly live with just choco
| install on Windows. Not as well vetted as Debian
| packages, but a lot better than google.
|
| But that only helps power users. On linux learning these
| things is simply a necessity because installing things
| outside your package manager is even less user friendly.
| bawolff wrote:
| I don't know, I think the graphical frontends to package
| managers on linux are much easier than downloading and
| installing an exe on windows
| chrisdave wrote:
| This is the essence of most of the rhetoric I'm seeing in
| this thread: Linux is more secure because its users are
| more technical.
| hiatus wrote:
| I thought choco software is not vetted but managed by
| individuals, like the AUR in arch.
| donkeybeer wrote:
| If the alternative is not even sources but just a black
| box binary, then it's at least better to be able to
| inspect the sources.
| ryanisnan wrote:
| I agree. But I think we shouldn't equate the fact that
| we-have-the-technical ability-to-do-this with we-have-
| the-bandwidth-and-the-skills-required-to-do-this.
| donkeybeer wrote:
| The discussion was a comparison against the security
| culture in Windows. Source availability is a sort of bare
| minimum at least; obviously by itself that's not enough,
| one wants the source to have been crosschecked by lots of
| eyes.
|
| My personal opinion regarding security I would say is
| easy ability to apply sandboxing at various levels on the
| _user side_ for software we trust less. (By user side I
| mean not depending on the developer to package the app a
| certain way etc. A virtual machine or a chroot jail etc
| are examples of what I meant by this).
| gochi wrote:
| Microsoft cannot fix this problem because it requires
| fundamentally pissing off large portions of users who do not
| want to change how they use windows. They don't want to lose
| access to their legacy software. You start putting everything
| legacy in a nice little container, and people will freak out
| when they notice FPS loss or some things being a little odd.
| You limit people's windows installations to only permit apps
| that utilize the newer permissions system, and they'll
| screech about wanting to install chrome. Microsoft's attempts
| throughout the years, like 10S indicate as much.
| JPws_Prntr_Fngr wrote:
| > You start putting everything legacy in a nice little
| container, and people will freak out when they notice FPS
| loss or some things being a little odd
|
| God forbid we waste a little processing power on security
| instead of the ever-expanding slime of bloated frameworks
| and nonsensical UI.
|
| Seriously, someone competent, _please_ bring an OS to
| market that can waste my CPU cycles on a robust sandboxing
| model, a la Android. Take my money. I'm tired of spending
| it on Apple's constantly degrading UX disaster and security
| half-assery.
| anthk wrote:
| It already happens. DirectDraw games run like shit from
| Windows 8 and up, you need to use DXGL or something like
| that which wraps ddraw.dll calls into DX or GL.
| SoftTalker wrote:
| Sometimes you have to ignore what people want because the
| status quo does too much harm.
|
| People objected to seatbelts in cars when they were
| introduced. Some people still do.
|
| People object to EVs and don't believe that burning
| hydrocarbons is a problem.
|
| We've mostly banned smoking in public places. A lot of bar
| and club owners thought that would kill their business, but
| it didn't.
|
| We banned lead paint, despite the fact that it worked
| really well and covers just about anything without needing
| multiple coats.
|
| It's easy to think of more examples.
| didntcheck wrote:
| Also Windows Vista. IIRC one of the main reasons users
| disliked it was incompatibility with some drivers and
| other software, but AFAIU a lot of these breakages were
| due to that software assuming admin permissions, and
| hooking into the kernel in undocumented ways, whereas
| Vista started the process of forcing software to actually
| use proper interfaces and made them actually get user
| permission to escalate privileges. A good thing, but
| which caused teething problems at first. I don't even
| blame users for their reaction, as the fact was their
| software wasn't working, regardless of the cause, but we
| got through that stage and now modern Windows is much
| more stable. I do still scorn Apple and others who
| criticised the existence of UAC - they should have been
| calling Microsoft out for taking so long to introduce it!
| adamc wrote:
| Lead paint harmed a lot of innocent third parties, as did
| smoking near other people. Not sure I see the analogy.
|
| When MacOS killed 32-bit libraries, it didn't save me
| from harm. It just made MacOS incapable of playing old
| steam games, and therefore my macbook air was no longer
| an acceptable laptop for vacations. I'm not saying it was
| a crime for Apple to change it -- OSes change. But it
| wasn't a benefit to me, and I took my business elsewhere.
| adamc wrote:
| Well, the problem is that there are really many different
| markets for Windows. If my major use of Machine123 is to
| play old games, of course I'm going to be unhappy when
| Microsoft compromises my ability to do that. For that use,
| it might be better to lock down the OS in other ways (i.e.,
| no internet).
|
| The users were sold Windows as a solution to doing a wide
| variety of things. Now those things are getting
| compromised. They are not wrong that it was oversold.
| giobox wrote:
| > You limit people's windows installations to only permit
| apps that utilize the newer permissions system, and they'll
| screech about wanting to install chrome. Microsoft's
| attempts throughout the years, like 10S indicate as much.
|
| I don't think the 10S example works here at all - 10S was
| never locked down for security, it was locked down because
| it was for cheap devices to drive sales on the mandatory
| Microsoft Store software distribution - you get cheap
| Windows, it comes with software distribution strings
| attached was the deal offered with 10S effectively.
|
| People hated having a crippled copy of Windows on their
| cheap computer understandably because app availability on
| the Microsoft Store was poor at that time (and still is
| today), whether it had security benefits wasn't the issue
| there - people just wanted to use their computers to run a
| Windows app and rightly got upset when 10S couldn't
| sometimes.
|
| 10S was arguably much more a product planning/marketing
| decision to offer cheap Windows PCs at ChromeBook price
| points, even if there were some security implications.
| gochi wrote:
| It works very well, because the Microsoft Store was
| trying to operate as other locked down stores do by
| enforcing better practices. Store apps used to have to
| use the new permissions system for example. 10S was
| locked down for security and even encouraged it after
| they dropped the cheap devices to help bolster secure
| environments on your own, Microsoft also benefited
| through control of the Store. They aren't mutually
| exclusive.
|
| So yes, the security benefits _are the issue_. Once you
| impact people's ability to install Chrome and give it
| full permissions, they scream. 10S didn't allow this, and
| Google (just using them due to popularity and because
| they weren't trying to be malicious here either) didn't
| give a damn about adhering to the new app format's
| restrictions on permissions.
| onlyrealcuzzo wrote:
| Aren't there 50% more Android users than Windows users at the
| moment?
|
| One would assume the average person has more personal data
| lying around on their phone than their PC.
|
| If popularity was all that mattered, Android would be the top
| target.
| LightHugger wrote:
| It is the top target, and so many android phones are
| infected with malware that people just consider it normal
| these days, hell it often comes preinstalled. The
| difference is that the people making the malware also have
| huge teams of lawyers so they can get away with anything
| they want.
| onlyrealcuzzo wrote:
| I think there's a difference between AT&T's contact app and
| Mydoom.
|
| YMMV.
| zenapollo wrote:
| Agreed. MacOS has much stronger security despite Apple not
| waiting for its users to get pounded by malware. I think it
| has something to do with basic philosophy - MS supports
| corporate certified malware. If adobe creative cloud needs a
| feature that uses 25%cpu 24-7 with telemetry and maxed
| permissions, MS is gonna support it.
| asveikau wrote:
| Mac OS (Classic Mac) had basically no security in the Win95
| timeframe. It didn't even have address space isolation
| between processes.
| asveikau wrote:
| I think the error in your comment is assuming there was one
| cause, or "the" problem.
|
| Popularity is a factor. Poor design of 90s software is
| another factor. Neither of these are 100% of the problem.
| majormajor wrote:
| Mac System 7 to OS 9 were not exactly security paragons, but
| they had far fewer virus issues. And that was the main
| alternative that anyone actually used.
|
| Popularity was definitely a huge factor.
| phendrenad2 wrote:
| The possibility of there being a confluence of problems is
| one that's hard to grok, but doing so is ultimately fruitful.
| cogman10 wrote:
| It seems like your thesis is disproved in your own examples.
|
| Linux is hugely popular on phones (android), which are every
| bit as juicy (if not more so at this point) than a desktop
| target.
|
| There is mobile malware but it's far more rare and harder to
| come by.
|
| But then there's just the fact that the way software is
| installed on a linux machine is wildly different from how you'd
| install it on windows. Just getting that binary blob to run
| requires some heroic efforts (To the point where we've pretty
| much decided it's easier to distribute via containers rather
| than compiled binaries for a given desktop).
|
| And if we expand beyond the desktop, we find linux everywhere
| in the server world. Easily the most popular OS to run server
| software. Which makes it a hugely valuable target for hackers.
| They'd love nothing more than to compromise a bank server.
|
| To say there's nothing about linux that makes it inherently
| more secure than windows seems just unreal. Because *nix was
| designed around multiple users from the ground up, user
| permissions have been baked into the common flow for decades.
| That alone creates a huge layer of security that makes things
| like root kits or worms running at root super hard to pull off.
| The old windows (9x -> XP) pretty much gave everyone running
| admin permissions. Writing or changing a system32 dll was
| child's play.
|
| To exploit linux, you have to either trick a user to run
| something with elevated permissions or find a vulnerability in
| software running with root permissions. To exploit windows
| (particularly older windows) you have to trick a user to run
| your software.
| ghusbands wrote:
| Why would you need root on a typical linux system? A program
| running under your user account can alter config (in your
| home directory) to make sure it always runs when you log in,
| can add programs to your path by altering your path, can
| access all your personal files and can debug-attach to all
| processes and do what it likes with them (and your personal
| data) in order to spread mayhem. A lack of root access seems
| irrelevant to an individual user.
|
| Android is more secure by not acting like a typical Linux
| install; it's not really evidence of Linux being a tricky
| target.
| cogman10 wrote:
| > Why would you need root on a typical linux system? A
| program running under your user account can alter config
| (in your home directory) to make sure it always runs when
| you log in, can add programs to your path by altering your
| path, can access all your personal files and can debug-
| attach to all processes and do what it likes with them (and
| your personal data) in order to spread mayhem. A lack of
| root access seems irrelevant to an individual user.
|
| All true, but I guess I'd just say that the main difference
| is without root, recovery/removal of the virus is fairly
| simple (as is detection). To recover, reboot, login as a
| different user, restore the .bashrc/startup configurations
| to default, remove the virus. Done.
|
| If a virus gets root access, really the only safe way to
| recover is a full system wipe and reinstall.
|
| But I would say that typical linux is more secure than
| android. It's fairly uncommon to install software from
| untrusted sources. On debian, I'd do an `apt install xyz`
| for most stuff. I'm not typically just installing unvetted
| software from the internet, certainly not something emailed
| to me.
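ghusbands' list of what a process running as the user can do (rewrite login config, prepend to PATH) and cogman10's recovery step (log in as a different user, restore the startup files) both come down to what sits in a handful of files under $HOME. The following is an added example, not code from the thread or from any project named in it: it audits those files, checking shell rc files for PATH prepends and commands that point at `/tmp`-like or hidden directories, and XDG autostart entries and systemd user units for the executable they launch. The "suspect directory" rule is my heuristic, the sample home directory is constructed, and the audit is read-only so it can run from a rescue login before anything is restored.

```python
"""Audit a user's own startup files for persistence that needs no root:
shell rc files, XDG autostart entries and systemd user units. Run with a
home directory to audit real files, or with none to audit the sample."""
import os
import re
import shlex
import sys

SAMPLE_HOME = "/home/alice"
# Constructed sample of a home directory after a bad install script ran;
# nothing here is from a real incident, the paths and names are invented.
SAMPLE_FILES = {
    "/home/alice/.bashrc": ("export EDITOR=vim\n"
                            "alias ll='ls -la'\n"
                            'export PATH="$HOME/.cache/.bin:$PATH"\n'
                            "nohup /tmp/.x/agent >/dev/null 2>&1 &\n"),
    "/home/alice/.profile": "export LANG=en_US.UTF-8\n",
    "/home/alice/.config/autostart/update.desktop":
        "[Desktop Entry]\nType=Application\nExec=/home/alice/.cache/.bin/upd --quiet\n",
    "/home/alice/.config/autostart/nm-applet.desktop":
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/nm-applet\n",
}
RC_NAMES = (".bashrc", ".bash_profile", ".profile", ".zshrc", ".xsessionrc")
UNIT_DIRS = ((".config/autostart", ".desktop", "Exec="),
             (".config/systemd/user", ".service", "ExecStart="))
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PATH_RE = re.compile(r'\bPATH=["\']?([^"\':\s]+)')   # first PATH entry only


def expand_home(token, home):
    # Resolve ~ and $HOME the way a login shell would.
    for prefix in ("${HOME}", "$HOME", "~"):
        if token.startswith(prefix):
            return home + token[len(prefix):]
    return token


def is_suspect_dir(directory, home):
    # Heuristic: packaged software does not live in /tmp-like directories
    # or in hidden directories under $HOME (~/.local/bin is the exception).
    d = directory.rstrip("/") + "/"
    if d.startswith(VOLATILE_DIRS):
        return True
    if d.startswith(home + "/"):
        rel = d[len(home) + 1:]
        return not rel.startswith(".local/bin/") and any(
            part.startswith(".") for part in rel.split("/"))
    return False


def audit_rc_line(line, home):
    """Reasons one rc-file line deserves a look (empty list if none)."""
    if not line.strip() or line.lstrip().startswith("#"):
        return []
    reasons = []
    m = PATH_RE.search(line)
    if m and is_suspect_dir(expand_home(m.group(1), home), home):
        reasons.append(f"PATH prepended with {expand_home(m.group(1), home)}")
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:                 # unbalanced quotes, heredoc fragments
        return reasons + ["unparseable line"]
    for tok in tokens:
        path = expand_home(tok, home)
        if "/" in path and is_suspect_dir(os.path.dirname(path), home):
            reasons.append(f"runs {path}")
    if tokens and (tokens[-1] == "&" or tokens[0] == "nohup"):
        reasons.append("background job at login")
    return reasons


def first_exec(content, key, home):
    # argv[0] of the Exec=/ExecStart= line, minus systemd's -@!+: prefixes.
    for line in content.splitlines():
        if line.startswith(key):
            try:
                tokens = shlex.split(line[len(key):].lstrip("-@!+:"))
            except ValueError:
                return None
            return expand_home(tokens[0], home) if tokens else None
    return None


def audit_files(files, home):
    """files: {path: content}. Returns [(location, reason), ...]."""
    findings = []
    for path, content in sorted(files.items()):
        if os.path.basename(path) in RC_NAMES:
            for n, line in enumerate(content.splitlines(), 1):
                findings += [(f"{path}:{n}", r) for r in audit_rc_line(line, home)]
        for sub, ext, key in UNIT_DIRS:
            if f"/{sub}/" in path and path.endswith(ext):
                exe = first_exec(content, key, home)
                if exe and "/" in exe and is_suspect_dir(os.path.dirname(exe), home):
                    findings.append((path, f"{key}{exe}"))
    return findings


def collect_startup_files(home):
    # Read the real files this audit covers from a home directory.
    paths = [os.path.join(home, n) for n in RC_NAMES]
    for sub, ext, _ in UNIT_DIRS:
        d = os.path.join(home, sub)
        if os.path.isdir(d):
            paths += [os.path.join(d, f) for f in os.listdir(d) if f.endswith(ext)]
    return {p: open(p, errors="replace").read() for p in paths if os.path.isfile(p)}


if __name__ == "__main__":
    real = len(sys.argv) > 1
    home = os.path.abspath(sys.argv[1]) if real else SAMPLE_HOME
    for where, why in audit_files(collect_startup_files(home) if real else SAMPLE_FILES, home):
        print(f"{where}: {why}")
```

On the sample this flags the PATH prepend of `~/.cache/.bin` (which shadows every system binary for that user), the `nohup /tmp/.x/agent ... &` line, and the autostart entry pointing into the same hidden directory, while `nm-applet` from `/usr/bin` and the untouched `.profile` pass. Exec lines that name a bare command rather than a path are deliberately not flagged: they resolve through PATH, which is why the PATH check comes first.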
| gochi wrote:
| Android malware isn't rare or harder to come by at all. Every
| so often even Google has to remove a whole lot of apps from
| the store due to malware and these are apps that went live
| and were downloaded. Some of this being even more intense
| malware than on desktop, as people rarely store contacts or
| SMS on a desktop (Joker malware for example). You've negated
| your entire point.
| bscphil wrote:
| The vast majority of "malware" on phones isn't software
| that exploits security bugs in the system software. Instead
| it's software that effectively asks the user nicely to give
| up their information, using mechanisms provided by the
| system software to do just that. This isn't something you
| can trivially prevent, as some software really does need
| access to your location, contacts, SMS, etc.
|
| The response to _true_ malware on Android isn't looking
| for and removing APKs from compromised devices after the
| fact, it's patching the vulnerabilities in system APIs.
| CyberRage wrote:
| same is true for windows... zero day exploits are hard
| and get patched rather quickly in all major operating
| systems
|
| It is always the abuse of legitimate features which are
| the problem
| cogman10 wrote:
| More intense than the desktop? I think not.
|
| At the windows malware peak, your system could be infected
| merely by having an internet connection. How many android
| worms are there? None that I can think of.
|
| Heck, windows PCs were regularly infected by browsing the
| wrong website. Or getting served a malicious advertisement.
| Can you honestly say that people are getting infected on
| Android regularly by surfing the internet?
|
| The vast majority of android malware relies on social
| engineering to get the end user to grant a malicious app
| permissions to be malicious. That's hardly a failing of the
| OS. It's also nowhere near as bad as "I'm online and now
| risk being infected".
| Peanuts99 wrote:
| > Heck, windows PCs were regularly infected by browsing
| the wrong website. Or getting served a malicious
| advertisement. Can you honestly say that people are
| getting infected on Android regularly by surfing the
| internet?
|
| I have used Windows for nearly 2 decades and I can't tell
| you the last time my system was infected. I do agree that
| browsers are the largest vector of attack but that also
| means browser vendors share some of the largest
| responsibility for creating secure systems.
| bamfly wrote:
| Two decades ago was near the end of that Windows-malware
| peak. And really, if you were behind a NAT two decades
| ago, that would have stopped nearly all of it, so you
| might not have noticed how bad it was unless you were
| supporting a lot of Windows machines in varied
| environments.
|
| There was a span of a few years when a Windows box
| connected directly to the Internet, using a public
| address, would reliably get pwned before long, even with
| nobody using it. But that was quite a while ago, and,
| again, just being behind a NATing router mostly solved
| the problem (assuming nothing infected ever connected to
| your local network).
| saagarjha wrote:
| Android basically doesn't rely on users and groups in a
| traditional sense for security. Most of its security model
| was bolted on top of Linux.
| orbital-decay wrote:
| _> As long as some platform is capable and powerful for many
| things, there will be malware._
|
| This is true but there are also degrees of that. Windows in
| particular is a graveyard of discarded tech waiting to be
| galvanized by malware, because of the backwards compatibility
| and because of Microsoft's habit of abandoning the half-done
| frameworks and APIs. Apple's stuff is much tidier just because
| they regularly deprecate and compress their fully owned stack
| (although they also have their turds of course). In
| Linux, there's terrible fragmentation and a lot of ancient and
| barely maintained stuff, but at the same time it can be
| customized to only include the best practices and omit a lot of
| dead weight.
| TazeTSchnitzel wrote:
| Vulnerability chains on iOS (and presumably macOS) also rely on
| various complex 90's/late-80's legacy technologies at the heart
| of the OS. But I can only assume that such complexity would exist
| _somewhere_ even in a clean-slate OS.
| Pxtl wrote:
| Yes, I agree we should deprecate html
| _gabe_ wrote:
| > Computer security would be about 80% solved if we just
| deprecated every technology shown in this graphic.
|
| Computer security would be 100% solved if we just got rid of
| computers. It's impossible to break into something if it doesn't
| exist. I wonder why we haven't tried this strategy yet?
| Supermancho wrote:
| Abolishing a number of these technologies means that new
| technologies will be developed to do the same tasks, with
| similar (and probably some novel) new vulnerabilities.
|
| Overall, I do feel like new technologies are being scrutinized
| more than in the past. Especially when those implementations
| were done in a corporate vacuum and released as a canned
| solution.
| at_a_remove wrote:
| I don't see PDFs in this. Did I miss something?
| timbit42 wrote:
| PDFs are in the other 20%.
| anthk wrote:
| DJVU was better. No, please, not PostScript until you like
| running a Game Boy emulator in Ghostscript or a ZMachine
| playing Zork. And you can actually do that with
| Zork/Anchorhead or whatever IF Z-code game up to v3 version.
| PS can be crazy for security. It might be good on
| plan9/9front where you can isolate namespaces and filesystems
| for free, but not on the rest of the OSes.
| tester756 wrote:
| Ain't gonna lie
|
| I thought this tweet
|
| >Computer security would be about 80% solved if we just
| deprecated every technology shown in this graphic.
|
| is going to be about memory unsafe languages like C, C++ and JIT
| compilers (web browser) since
|
| >Around 70% of our high severity security bugs are memory
| unsafety problems (that is, mistakes with C/C++ pointers). Half
| of those are use-after-free bugs.
|
| https://www.chromium.org/Home/chromium-security/memory-safet...
|
| >Figure 1: ~70% of the vulnerabilities Microsoft assigns a CVE
| each year continue to be memory safety issues
|
| https://msrc.microsoft.com/blog/2019/07/a-proactive-approach...
|
| Also HN title is editorialized.
| tracker1 wrote:
| Large reason why MS has been embracing Rust recently... IIRC,
| they have their first Rust-based DLL replacement in testing
| now. May take a while to see even half of it shift over though.
| sedatk wrote:
| Yes, Rust has finally made it to Windows kernel:
| https://twitter.com/esesci/status/1679215711183605760
| CyberRage wrote:
| Vast majority of malware doesn't use any exploits, let alone
| something like a zero-day
|
| Most malware, logically, abuses common features within the
| operating system
| motohagiography wrote:
| Ransomware exists mainly to persuade us that apps and commercial
| software are somehow benign and work in our interests.
| [deleted]
| delfinom wrote:
| I wish they would eliminate being able to execute .scr files
| which were used to share screensavers...back when anyone cared or
| windows even bothered to use them since it's all lock screens. Now
| they are nothing but guaranteed malware and pretty common for
| that purpose.
|
| There's absolutely no negative impact disabling the support other
| than someone still using Windows XP with custom screensavers
| saying "SEE MICROSOFT IS EVIL!!!"
| fredoralive wrote:
| PIF files are perhaps madder. They're configuration files for
| MS-DOS programmes running under Windows. But you can rename an
| .exe to .pif and it'll still work as an .exe as the same
| internal function to start an executable also handles PIF file
| parsing. But Windows Explorer considers PIF files "shortcuts",
| and so like .lnk files the file extension is always hidden even
| if visibility is requested.
|
| This included 64 bit Windows (at least for 10), which can't
| actually run MS-DOS programmes, and has no real reason to
| actually try and do anything for PIF files anyway.
| omgtehlion wrote:
| Thanks, did not know about this one. Really mad, just nuked
| .pif from HKCR to regain some sanity ;)
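delfinom's point about `.scr` and fredoralive's about `.pif` (runs as an executable, extension hidden the way `.lnk` is) both come down to the gap between the name Explorer shows and the type Windows will execute. As an added example (editorial code, not from the thread or from any project it names), this models that gap for a batch of file names and, where the bytes are available, checks whether a non-executable extension is hiding a PE image (the `MZ` header), which is what a renamed `.exe` looks like. The extension lists are my assumptions and not exhaustive; the "always hidden" set corresponds to the `NeverShowExt` registry value that the `.lnk` and `.pif` file classes carry by default. Sample names and bytes are constructed.

```python
"""Show a Windows file name the way Explorer displays it and flag the
extensions that run as code, including the two Explorer never shows."""
import os

# Extensions that execute on double-click (not exhaustive). .lnk launches
# its target; .pif is handled by the same executable path as described above.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".lnk", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}
# Hidden even when "Hide extensions for known file types" is switched off
# (the NeverShowExt flag on the lnkfile and piffile classes).
ALWAYS_HIDDEN_EXTS = {".lnk", ".pif"}
# What a recipient expects to be inert data.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg",
                 ".jpeg", ".png", ".gif", ".mp4", ".zip"}
# Formats that legitimately start with the DOS "MZ" header.
PE_EXPECTED = {".exe", ".scr", ".com", ".dll"}

# Constructed samples (names and bytes invented for this example).
SAMPLE_FILES = {
    "Invoice_2023.pdf.pif": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "holiday.jpg.scr": b"MZ\x90\x00",
    "notes.txt.lnk": b"L\x00\x00\x00\x01\x14\x02\x00",   # shell-link header
    "report.pdf": b"%PDF-1.7\n",
    "setup.exe": b"MZ\x90\x00",
}


def displayed_name(filename, hide_known_ext=True):
    """Name as Explorer shows it; hide_known_ext mirrors the default setting."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    known = ext in EXECUTABLE_EXTS or ext in DOCUMENT_EXTS
    if ext in ALWAYS_HIDDEN_EXTS or (hide_known_ext and known):
        return stem
    return filename


def is_pe_image(data):
    """True for the 'MZ' stub every Windows EXE/DLL starts with."""
    return data[:2] == b"MZ"


def triage(filename, data=b"", hide_known_ext=True):
    """Return (name as displayed, list of flags) for one file."""
    shown = displayed_name(filename, hide_known_ext)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    flags = []
    if real_ext in EXECUTABLE_EXTS:
        flags.append("executable")
        if shown_ext in DOCUMENT_EXTS:          # user sees "x.pdf", runs code
            flags.append("masquerade")
        if real_ext in ALWAYS_HIDDEN_EXTS:
            flags.append("extension-never-shown")
    if is_pe_image(data) and real_ext not in PE_EXPECTED:
        flags.append("pe-under-wrong-extension")   # e.g. an .exe renamed .pif
    return shown, flags


def triage_all(files, hide_known_ext=True):
    return {name: triage(name, data, hide_known_ext) for name, data in files.items()}


if __name__ == "__main__":
    for name, (shown, flags) in triage_all(SAMPLE_FILES).items():
        print(f"{name:24} shown as {shown:20} {', '.join(flags) or 'ok'}")
```

Running it with `hide_known_ext=False` shows the asymmetry fredoralive describes: `holiday.jpg.scr` is then displayed in full and loses its "masquerade" flag, while `Invoice_2023.pdf.pif` is still shown as `Invoice_2023.pdf` because the setting does not apply to `.pif` or `.lnk`. The MZ check is the cheap way to catch a renamed executable regardless of what the name claims.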
| londons_explore wrote:
| I was surprised to find screensaver support still in Windows.
| And they still have a bunch of screensavers like "3D Text"
| which appears to still be using the same code from its first
| release in 1998.
|
| They also seem to have isolated them onto their own desktop,
| meaning that if a screensaver crashes then the user's desktop
| won't be shown. That broke the official 'Bubbles' screensaver
| in Windows 11 - and they clearly don't test that stuff, because
| they released it anyway, broken.
| ripdog wrote:
| Hmm, I just tried the Bubbles preview on Win11, and it worked
| fine. Is it different when it's running 'for real'?
| londons_explore wrote:
| When running for real the background ends up black. (unlike
| the preview, which works properly)
| PlunderBunny wrote:
| Just reading the headline, I expected solely a picture of a human
| being (although that's not strictly 'technology' I guess).
| giantg2 wrote:
| "Solved"? Lol that's the wrong mindset for someone in security.
| CrampusDestrus wrote:
| backwards compatibility is the cause for all of this, and it's a
| bitch to deal with
|
| in an ideal world every time you need to break compatibility you
| would provide extensive documentation and make migration as
| painless as possible.
|
| this might work if it wasn't for the tiny little problem of
| abandonware. the amount of critical tasks for which a piece of
| software that nobody knows how it works anymore is required is
| astounding.
|
| should it be illegal for businesses and public-adjacent entities
| to operate proprietary software that is not actively maintained
| by anyone and has zero support contracts attached?
| jeroenhd wrote:
| All of these technologies are pretty great, actually. MHTML
| solves real problems. VBScript is just bash but with different
| wording. OLE embeds are an awesome idea that has sadly fallen
| in disuse (embedding a spreadsheet inside a text document
| without resorting to weird table hacks? that's just a good
| idea!). VBA macros power more businesses than any startup ever
| will. CHM help files were absolutely wonderful and I'm sad to
| see them replaced with terrible websites that rely on Google
| for anyone to actually find anything. Being able to not only
| save your complex search result, but also share it is a great
| idea that didn't get advertised long enough. Sending someone a
| file so other people can also find "photos taken by my camera
| between last August and last September" without having to send
| some kind of proprietary photo album is a great idea.
|
| Say what you want about their proprietary lock ins and
| abhorrent business practises, but they have had some great
| ideas that took competing operating systems years or even
| decades to copy. You still can't embed documents as easily and
| effective the way you can in Microsoft Office in most competing
| products. These features aren't abandoned, they're used by
| millions across the globe.
|
| Microsoft does need to configure its tooling better to detect
| executable code. The VBScript at the end of the chain shouldn't
| have been executed. I'd be sad to see most of the other
| "legacy" tools disappear because of their malware capabilities.
| CrampusDestrus wrote:
| >These features aren't abandoned, they're used by millions
| across the globe.
|
| abandonment refers to the lack of support, not lack of usage
| o1y32 wrote:
| ...good luck asking companies that are no longer in business to
| maintain their software
| CrampusDestrus wrote:
| If we fined businesses that use unsupported proprietary
| software they would either have to move to something
| proprietary and actively maintained or collectively crowdfund
| an open source alternative.
| throw47474777j wrote:
| That would make it infeasible to buy software from any
| company except the most stable mega-corporations and
| immediately destroy all independent software businesses.
| mcpackieh wrote:
| We shouldn't need backwards compatibility built into the OS
| when we have perfectly functional compatibility shims that can
| be isolated from the rest of the system or run with
| reduced/user privileges. VMs, DOSBox, Wine, etc.
| jollyllama wrote:
| They're not perfectly functional. There are plenty of USB
| issues when using VMware and other similar pieces of
| software.
| mcpackieh wrote:
| Okay, fair. Instead of perfectly, call it good enough most
| of the time.
|
| People with some specific legacy need can run an old OS on
| a computer isolated from the rest of the network, but
| there's no reason to have such security-compromising
| backwards compatibility built into every OS install _by
| default._
| halkony wrote:
| Also worth considering that the big companies with
| mission critical systems on abandonware would certainly
| "lobby" to orgs like Microsoft to keep them from having
| to dust the cobwebs (whatever that looks like).
| fsflover wrote:
| I have no problems with USB on Qubes OS when I connect the
| USB controller to a VM.
| [deleted]
| intsunny wrote:
| I hate how a twitter link only shows the exact tweet and not the
| replies/context/etc. Not even when the person has multiple tweets
| about a subject. (I forget what this is called.)
|
| I have mostly stopped clicking on twitter links these days.
| Aaronmacaron wrote:
| Off topic: why can i read this tweet? I don't have an account.
| Didn't they recently put all tweets behind a login?
| sumtechguy wrote:
| they did
| mminer237 wrote:
| They reversed that change after a few days:
| https://techcrunch.com/2023/07/05/twitter-silently-removes-l...
| nimbius wrote:
| Malware isn't even the worst part about Windows by far these days.
| Windows is essentially a downloadable telemetry engine; a spyware
| go-kart with a login screen. When it's not cosplaying a mall kiosk
| barker, flogging various wares and useless dreck it's curated
| through your complacent surveillance, it's gaslighting you like a
| toxic ex into thinking you don't "need" a new browser because this
| one's better and good and okay. When it's time for an upgrade,
| you'd better hope you have hardware for it because Redmond will
| expend the same tireless energy gaslighting you about your
| 'obsolete' 5 year old PC that's performing just fine as it spends
| reminding you to check out its ghost town app-store and
| microtransaction rodeo. Oh and did you somehow manage to install
| Chrome? Sorry but most of your apps won't remember that preference
| for longer than it takes Microsoft to find out you had an opinion
| that wasn't approved by the marketing department.
|
| Windows is like a zombie clown at a haunted carnival, shambling
| from booth to booth just long enough to offend by its very
| presence before it shuffles off back to big top corporate
| america, arguably the only place it still exists to an audience
| of appreciative patrons at all.
| revscat wrote:
| This was beautifully written.
| koromak wrote:
| I bootcamped Windows for the first time since 8, it's
| unimaginable how miserable the experience is. It's genuinely
| disgusting, my desktop feels like a subway station with shitty
| ambulance chaser ads and graffiti spread all over it.
|
| It's remarkable how many button combinations lead to a popup
| telling you to use a different Microsoft product you don't
| need. I can't believe it's gotten this bad.
|
| We need a Windows alternative for the average consumer.
| lucb1e wrote:
| https://nitter.net/matthew_d_green/status/167913542680678400...
| PeterStuer wrote:
| The most popular stack will always be the preferred target of
| malware.
|
| Seriously, if another platform would hold 90% of the juice, you
| really think it would not be the victim of malware by a long shot?
|
| FWIW, I used to be a front line malware eradicator in the 80s;
| the prime target back then were Apple Macs in uni computer
| classrooms.
| fsflover wrote:
| Where is the widespread malware on Linux servers?
| peppermint_gum wrote:
| Servers have much fewer attack vectors.
|
| Do you really think that a typical scenario of Windows
| infection is some kind of RCE in the OS? No, that's extremely
| rare.
|
| Most malware doesn't exploit any vulnerabilities in the
| OS. Either a user downloads and runs an infected executable,
| or they get infected through a bug somewhere in userland
| (e.g. web browser or image viewer).
| scrollaway wrote:
| Ransomware targeting server data, primarily.
| p_l wrote:
| Linux server malware is common, mainly targeting naive owners
| for misconfiguration (SSH password guessing), or targeting
| remote shell exploits in various popular packages (personally
| had it happen with Gitlab, for example).
|
| The opportunistic attackers like that mainly go for dropping
| some blockchain mining software (monero is popular payload)
| and sometimes go for deploying botnet agents for things like
| DDoS ransoming and similar.
|
| Low success rate, but low effort on attacker's side, who
| often buys a premade tool on a forum.
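As an added illustration of the SSH password-guessing vector described above (example code written for this page, not from any commenter), here is a defender-side check that scans constructed sshd log lines for a burst of failed password attempts from one source and flags a password login that follows such a burst:

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual syslog-style sshd format (not from the page).
SAMPLE_AUTH_LOG = """\
Jul 12 14:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jul 12 14:01:04 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jul 12 14:01:06 host sshd[1203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jul 12 14:01:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Jul 12 14:01:11 host sshd[1207]: Failed password for root from 198.51.100.7 port 51052 ssh2
Jul 12 14:01:15 host sshd[1209]: Accepted password for root from 198.51.100.7 port 51060 ssh2
Jul 12 14:03:30 host sshd[1301]: Failed password for alice from 203.0.113.5 port 40210 ssh2
Jul 12 14:03:45 host sshd[1302]: Accepted publickey for alice from 203.0.113.5 port 40211 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyze_auth_log(text, threshold=5):
    """Return (sources at/over the failure threshold, password logins that followed such a burst)."""
    failures = defaultdict(int)   # source IP -> failed password attempts seen so far
    suspicious_logins = []        # (ip, user) for a password login after >= threshold failures
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _user, ip = m.groups()
            failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # A password login right after many failures from the same source is the
            # signature of a successful guess; a key login after a stray failure is normal.
            if method == "password" and failures[ip] >= threshold:
                suspicious_logins.append((ip, user))
    brute_sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute_sources, suspicious_logins


if __name__ == "__main__":
    sources, logins = analyze_auth_log(SAMPLE_AUTH_LOG)
    print("guessing sources:", sources)      # {'198.51.100.7': 5}
    print("logins after burst:", logins)     # [('198.51.100.7', 'root')]
```

The threshold is a constructed tuning knob; on a real host the same logic would be fed from the auth log rather than the embedded sample.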
| halkony wrote:
| That's a pretty cool job. What's the most clever malware you
| eradicated back then?
| johnea wrote:
| Windows has been king of malware for decades, only in the last
| decade has it seen this dominance challenged, by Android.
|
| While windows evolved into a data exfiltration and malware
| distribution platform, android was designed for the task from the
| beginning.
| kernal wrote:
| Windows didn't need to evolve into being the king of malware.
| It was insecure by design. Whenever you hear a ransomware or
| virus story on the news you can rest assured that Windows was
| involved. It's the malware superstar.
| _trampeltier wrote:
| I think most problems could be solved if VBA would not have any
| access outside of the document.
| user6723 wrote:
| Imagine being dumb enough to run Windows. Running a copy of
| Windows in a throwaway VM is the only acceptable place to run
| Windows.
| dgellow wrote:
| Please don't insult people based on something as subjective as
| the OS they decide to use. That's completely unnecessary to
| make your point regarding VMs and doesn't have that place on
| HN.
| user6723 wrote:
| [flagged]
| zer8k wrote:
| Pretty hot take considering Windows Server is still incredibly
| popular especially in stuffy fortune 500s. It's also an
| acceptable OS for people who are less technical, or have a
| specific requirement to be on Windows. I would argue mechanical
| engineers are very smart and yet they are stuck on Windows
| because CAD software is stuck on Windows (no, FreeCAD isn't
| remotely good enough). There's also a lot of bespoke
| locked-with-dongle stuff that only runs on Windows as well.
| Video games almost exclusively run on Windows. At least until
| Proton really takes off.
|
| I suppose you may not be very experienced. Windows is actually
| pretty powerful. I am a full time Linux user and still miss how
| convenient installing things like drivers, weird software, etc.
| was on Windows. I just can't stand the new spyware angle
| they've taken their consumer offering. It's not hard to
| configure Windows to be safe and Microsoft is often times
| better than many linux distros about pushing patches.
| anthk wrote:
| With hard ransomware from Eastern Europe most of the Fortune 500
| will consider changing to anything non-Windows based (at
| least for servers and office work such as documentation and
| management) for the sake of their own sanity.
| zer8k wrote:
| Hasn't been my experience. With managed systems on Azure
| life is fairly easy from a sysop perspective. Getting
| ransomware is more of a strategic problem than an operating
| system problem at that scale. Personally, I prefer Linux
| servers. But my motivations aren't the same as other
| companies. For example, I really don't like the idea of
| license fees or vendor lock-in. In exchange, however, my
| Linux servers take more effort to secure properly with many
| more foot-guns available via configuration file.
| jeroenhd wrote:
| I know hating on Windows is popular and I myself detest what
| Microsoft is doing to their operating system, but Windows is
| still a better OS than its competition for most people. This is
| reflected in its worldwide market share.
|
| Windows can actually be managed by an IT department and has a
| massive security ecosystem. If a corporation with more than ten
| people has to deal with my data, I'd much rather see them use
| Windows than anything else.
| user6723 wrote:
| >> and has a massive security ecosystem.
|
| lol and we all know why
| anthk wrote:
| And yet useless because 90% of compatibility modes will send
| such security to /dev/null. Office macros, OCX, ActiveX
| compat plugins for IE11 (they still are), VBA, VBScript
| executions, screensavers as they stated, drop-in
| replacement DLLs, security overrides because that w9x
| doesn't work with admin rights...
|
| And so on.
|
| WinNT would be secure if MS ditched Office macros (or at
| least hard-sandboxed them) and ran all w9x software on
| seamless VMs.
| fsflover wrote:
| > Windows is still a better OS than its competition for most
| people. This is reflected in its worldwide market share
|
| If people chose things according to what is better, marketing
| would not exist.
| anthk wrote:
| Also, for every AD/GPO key on security there are 2000 ways of
| either overriding them or doing huge harm with Office
| macros, OLE calls, VBScript, OCX compat calls and so on.
| more_corn wrote:
| Cool, I'll put on my Q3 roadmap "deprecate html"
| radicalbyte wrote:
| Windows 11 literally comes with OS level malware, they've turned
| the OS into an advertising platform.
|
| Them having actual backwards compatibility (unlike the fruity
| side) is the least of our problems.
| mikewarot wrote:
| Windows isn't unique, it shares the same design flaw as Linux and
| macOS, etc. Ambient authority is an incredibly bad design choice
| for an operating system.
|
| Until capability based security[1] becomes widely deployed, we'll
| keep blaming the wrong things, instead of Ambient Authority.
|
| This _is not_ permission management as practiced on smartphones
| and tablets.
|
| [1] https://en.wikipedia.org/wiki/Capability-based_security
| 1vuio0pswjnm7 wrote:
| If computer security is "80% solved" then "computer security
| researchers" also lose 80% of their "work".
|
| There is an argument to be made that these researchers work for
| "developers", i.e., the people who create and perpetuate the
| stuff in the graphic, more than they work for "users", i.e., the
| people who suffer as a result of its continued usage.
|
| Here the security researcher does not tell users, most of whom do
| not read Twitter, to stop using software that utilises the stuff
| in the graphic. Instead he communicates with computer security
| researchers, developers and other Twitter users apparently hoping
| that developers will deprecate such usage. (But knowing this will
| never happen.)
|
| Note this comment does not argue that this state of affairs is
| good or bad. Only a reader can make that so. The comment only
| makes some observations.
| rainonmoon wrote:
| Did you actually look at the graphic? In your imagination,
| these researchers should tell laypeople to "stop using
| software" like... XML, SMB, and NTLM auth. Sure thing. In the
| reality where the original post has actually been digested,
| you'll note that controlling for the aforementioned is in fact
| what any penetration tester should tell your company. As in,
| the "developers" who actually manage the policy for the use of
| those things in an organisation, not the "users" who have no
| control over it at all. But go ahead, tell Carol in HR to
| switch to Kerberos, I'm sure she'll get right on that.
| bb88 wrote:
| Archive for those that have hit the api limit.
|
| https://archive.fo/2MIuC
| dekhn wrote:
| Frequency bias- Windows is the most commonly used OS, but has a
| similar security posture and implementation quality to the
| alternatives.
| Run_DOS_Run wrote:
| >Computer security would be about 80% solved
|
| Hmm, no. You'd use other attack vectors and once you've closed
| most of the attack avenues you'd find yourself on a smartphone OS
| with no permissions and mass tracking... and there would still be
| malware galore.
|
| https://www.bleepingcomputer.com/news/security/apps-with-15m...
| tjpnz wrote:
| And ads are the delivery mechanism.
| exabrial wrote:
| So basically as long as Windows is still a thing
| mrkramer wrote:
| As Linux, Android, iOS and MacOS are as well.
| fsflover wrote:
| Linux has no malware included by default.
| adamc wrote:
| Isn't that a lot like saying "if we just deprecated history,
| there would be a lot fewer issues"?
|
| But history is a thing.
|
| Also, every time I click on a twitter link, I seem to get
| "something went wrong" and have to reload. Is that the modern
| twitter?
| chungy wrote:
| That's been my Twitter experience for many years now.
|
| So, yes or no. Depending on your idea of modern.
| somsak2 wrote:
| it's even simpler: stop using C/C++. responsible for 70% of CVEs.
|
| https://www.zdnet.com/article/microsoft-70-percent-of-all-se...
___________________________________________________________________
(page generated 2023-07-12 23:01 UTC)