
Viruses and Worms and Trojans, Oh My

Let's just say this up front: I use nothing but GNU/Linux at home (Gentoo if you must know).

Now that we have that out of the way: there are multitudes of zealots out there who believe with all their hearts that all the virus, worm, trojan, and even spam problems would all disappear if all Microsoft products would go away. Why, if everyone would just use Linux, FreeBSD, and Macintosh along with open source products, everything would be super-duper secure and we'd have no more viruses and worms, all the poor Ethiopian children could be fed, and the nuclear stockpiles would vanish.

Bullshit bullshit bullshit bullshit bullshit bullshit bullshit bullshit bullshit.

Microsoft Windows is the target of most viruses, trojans, and worms because it is on 90+ percent of PCs, period. Linux and Macs usually aren't targeted because they aren't on 90+ percent of PCs, period.

If you are a virus writer and want to infect as many computers as possible, you are not going to target an operating system or email client that is on just a few PCs.

For starters, their pitiful egos and correspondingly sub-par genitalia demand they go after the larger target to get larger results. (That, or the script-kiddie package they downloaded was set up for attacking Windows.)

Second, a virus that targets a small percentage of the PC population will have a very hard time spreading. Think of a bioweapon like an engineered virus that targets only people of "Eskimo" descent who live in the lower 48 US states. Even if you can find one to infect, the virus will have a hard time reaching the next one and so on, so it simply stops spreading before it reaches even a tiny fraction of the infectable population.

I hereby make a (not so) bold prediction: if/when Linspire reaches over 10% of the PC market, it and its default browser and email client will start showing up as a virus/worm target in a big way.

Notice I keep saying "PCs" and not just "computers". Home PC owners, on average, are (or at least act) far dumber than non-PC computer owners. They'll happily run any old attachment that lands in their inbox. They'll happily (and dutifully) "update their Paypal information" because a semi-authentic looking email told them to go to an IP address and do so. They'll happily share out a drive to the internet with world-writable permissions (or possibly with "secret" as a password). They'll NEVER install software updates or set up a firewall.

"Hey look!" I can almost hear them say, "Grandma sent me an attachment called 'sexy girls.exe', I better open it!" <click> "What? My email program is asking me if I'm sure I want to run it?" <click> "'Might be dangerous...' it says. Hmmm. Grandma wouldn't send me something dangerous!" <click>...

You can only "blame Microsoft" for a virus or worm if the infection mechanism used a vulnerability in a Microsoft product. So, strike off any worms that rely on the user being a dumbass: running an attachment, sharing drives with no permissions, or using weak or non-existent passwords.

If the virus or worm used a vulnerability, was a patch already out when the infection occurred? Nearly always the answer is "yes", usually by many months or even years. Again, the user was being a dumbass.

Once upon a time (1992-1996) users could have been forgiven for not knowing. It was all new to most of them, the internet was still a mysterious "thing" and no one in the general public knew what it was all about. But that excuse hasn't held water for a long, long time. Now it's like not knowing what AIDS is, or going to see a movie starring Tom Cruise: if you don't know the terrible risks by now, you're a dumbass.


But wait, surely Microsoft products have more vulnerabilities, right? Again, bullshit, repeated. Check out the security webpage of any Linux distribution. You'll find plenty of vulnerabilities, many just as serious as the worst of the Microsoft flubs.

What I usually hear at this point is "But most Linux distributions are made up of thousands of products, you should only count those vulnerabilities in the Linux kernel itself." That, too, is shite.

You have to count all the products a home PC user will have installed. For most, that will be the operating system itself, the window manager, a web browser, and an email client.

However, on your GNU/Linux system, "the operating system" is more than just the kernel and its modules; you have to include all the things that make the OS run: fileutils, bash, syslogs, gawk, grep, man, tar, gzip, bzip2, cpio, xinetd, initscripts, ftp/telnet/ssh, pam, cron, perl/python, hundreds of libraries, etc etc etc that vary with the distribution.

Likewise, "the window manager" means all of KDE or Gnome (or other) plus X and a few hundred libraries. The web browser and email client may be included in the desktop of your choice, or not. You have to count the ones they have.

So, these are the product vulnerabilities you must count when "blaming Linux". Of course, if you use KDE, you don't have to count Gnome. If you use KMail, you don't have to count Evolution. Etc. (Of course the guy down the street can.)

On a typical Microsoft computer, a user will probably have the following Microsoft products: the OS, Internet Explorer, Outlook or Outlook Express, and Media Player. We can throw out any other products or keep them, but whatever you count for Microsoft, you have to find the corresponding Linux tool and count that. If you include IIS, we have to count Apache. If we include SQL Server, we have to include MySQL or PostgreSQL. Exchange? Sendmail. Media Player? Xine/XMMS/amaroK/Mplayer. Etc.

Without further ado:
1 vs 2. I'll leave figuring out which ones to count as an exercise for the reader.


But all the above was just to knock down some of the apologists' arguments I've heard. Truth is, it doesn't matter where the vulnerability comes from. It doesn't matter if Joe's machine was taken over because of a broken IIS or a broken Apache. Fixes might have existed for both, but because neither patch was installed, the machine is now a spam zombie. Joe's a dumbass, and he'd be just as much of a dumbass with a SUSE machine.

Speaking of spam: All of the "Please update your Paypal information" phishing emails I have received have pointed to URLs hosted on cracked Linux machines. Is Linux to blame? Or should we blame the crap admins who never updated Apache, PHP, ssh or whichever flaw let the machine be taken over?
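The two phishing tells the post keeps coming back to (a "Paypal" mail that sends you to a bare IP address, and phishing pages parked on somebody else's cracked box under a domain that is not the brand's) are cheap to check mechanically. The following is an added example, not code from the original post; the mail bodies are constructed, the 192.0.2.0/24 addresses are the documentation range, and the one-brand allow-list and the last-two-labels domain heuristic are simplifying assumptions.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample message bodies (not real phishing mail).
SAMPLE_MAILS = [
    "Dear customer, please update your Paypal information at "
    "http://192.0.2.45/paypal/update.php within 24 hours.",
    "Your statement is ready: https://www.paypal.com/myaccount/summary",
    "Confirm your account: http://paypal.example-hosting.net/cgi-bin/login",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Assumption for this example: a tiny allow-list of the registered domains a
# brand legitimately links under. A real filter would carry a much larger one.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def registered_domain(host: str) -> str:
    """Crude last-two-labels heuristic; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host: str) -> bool:
    """True when the link's host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_links(body: str) -> list:
    """Return (url, reason) pairs for links a reader should not follow from mail."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if is_ip_host(host):
            findings.append((url, "link goes to a raw IP address, not a domain"))
            continue
        for brand, domains in BRAND_DOMAINS.items():
            mentioned = brand in body.lower() or brand in url.lower()
            if mentioned and registered_domain(host) not in domains:
                findings.append((url, f"mentions {brand} but is hosted on "
                                      f"{registered_domain(host)}"))
    return findings


if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(suspicious_links(mail))
```

The first and third constructed mails are flagged (raw IP host, and a "paypal" hostname whose registered domain is someone else's); the second, linking under paypal.com, passes.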

A few years back when I did have a Windows box at home, I had it directly hooked up to the Internet for over a year with no firewall and no virus scanner. I never had a single virus, worm, or hacker on that box. All I did was install security updates. Yay for me.

So, the moral of the story is: Linux/GNU/Open Source is not "more secure". You must update your software to be secure, and users are dumb.





2005-7-6


Copyright © 2005 the page author (Thamus) and Craptaculus.com. All rights reserved.