Currently windows is mainstream and there are all kinds of viruses and spyware, but when linux becomes mainstream as desktop, will the same thing happen ? (have all the same viruses and spyware?)

I use linux right now and am hoping this does not happen in a few years from now and was just curious to know what will stop it from happening?


Thanks for input.

Oh dear... I presume this thread will grow very fast very soon

So, here are my 2 cents:

Yes, there will be more worms, viruses and spyware as Linux becomes mainstream.

But my hope is that it will not be as bad as with Windows, because:

- in the early stages of development, security considerations were already an issue
- at the moment, there are lots of Linux distros and installations differ a lot. That may change if computers with Linux pre-installed will use only a few mega-distros
- no one has an interest to hide flaws once they are discovered and patches are usually available very soon

On the other hand: as more and more - let's call them "mainstream" - users enter the field, Linux will have to fight the same problems of user laziness:

- Always use the standard installation
- Do I have to use a separate root account?
- Security updates? I don't need no stinking security updates
- Oh, this software looks cool, let's download and execute it...

IMHO, Linux virus epidemics will be much harder to achieve as their counterparts in the Windows mono-culture. But Linux is not immune.

There will be more worms and spyware, but no viruses. No true Linux virus has been demonstrated to exist: if there had, NetProject would have had to stump up the £10,000 that Eddie Bleasedale has offered for years to anyone who could "infect" a properly hardened target machine running Linux configured by his company.

It might be a pedantic play on definitions, but it's an important one nevertheless, given the reason for the question in the first place. No version of Windows has a decent security model, and there never will be one until Windows has been re-written from scratch, taking out the backwards-compatibility - which, of course, will never happen, because it would kill the "upgrade regularly" goose that lays the "Windows Tax" golden egg.

Microsoft's sudden missionary zeal to promote security is too little, too late. If they manage to pull off increased security based on hardware lock-in to Digital Rights Management ("Palladium", renamed "Next-Generation Secure Computing Base for Windows"), the Tiger economy in the Far East will ramp up its production of non-Western-dependent silicon accordingly to ensure freedom from the shackles of this predatory monopolist. Read the disgraceful story of the burst.com patents plundered by MS over 9 months before they broke off their sham of discussing a licensing deal with this little company, using the patented technology as the core of Media Player 9, and fabricating a patently transparent story for the US Department of Justice about how every single MS executive who had had any part in the discussions with burst.com simultaneously decided to delete 9 months of said e-mails without any mutual discussion or direction from "on high" - and no backups, as a matter of company policy. So much for the MS concern about piracy!

PS - "Palladium": the mythological Greek goddess of wisdom and protector of civilized life... yeah, right Bill..

No, for two reasons:

1) Realistically, Linux isn't taking the desktop world by storm. Market share will not approach that of Windows anytime soon, if ever. There's always a lot of hype in the Linux community about how any year now, we'll kill MS, but it doesn't seem any closer now than it did when I first got involved 3 years ago

2) Even if it does, Linux is more secure by design, because it doesn't give OS level priveleges to every damn thing like Windows.

I guess if you are nutty enough to install a virus, then you can get one but there are not really any around to install. Remember, if you are not root, you can't get away with a whole lot of installing. If you do, it usually only affects that user anyway. I have mine set up so only root can install. That should keep me safe.

I agree with what one of the other guys said though. Windoze is flawed and has to be redone from scratch to be secure. If they did that and lost that backward compatability, windoze is dead. The only thing more secure than Linux is OpenBSD, possibly Unix. That is what I was told by a long time guru in one of these forums. I was building a firewall/router at the time. I was !supposed! to get DSL. Yeah right. Lying Bell South. Oh, Bell South runs Windoze 2000 and it won't let me pay my bill. I told them they need to convert to Linux. My desktop runs longer between reboots than their server.

I think about two months is their best. Poor windoze. Wonder if they will fix it so I can pay my bill. They closed the office where we pay our bill. I'm NOT buying stamps. I pay everything else on the net and they can fix their crappy OS.

Sorry for the rant.

Later

Concering the �10,000 reward for "infecting a properly hardened target machine running Linux configured by his company": I think you can secure a windows machine so much that no existing virus can get in, and you can also misconfigure a Linux machine so that a virus can get in (thinking about it, that happened to me in my first years with Linux... some bad combination of misconfigured listenaddress in smb.conf, sharing the windows C: drive in Samba for convenient access from another PC, and an accidentally turned off firewall... On next Windows boot, Zonealarm complained about several unknown programs wanting internet access

So if you eg. get a user to open an attachment in an unknown Email ("hey I'm on Linux, I'm secure!") you can get user permissions. That's already enough for a virus to stay alive (it just infects one user home directory) and to spread (users can send Email). And then it can go and earch for root exploits (IIRC standard Debian Woody installations with kernel 2.2.20 are still vulnerable to the ptrace bug, which can be used to gain root permissions).

So, as a conclusion, I think that Linux per se isn't a guarantee for virus-free systems... But I agree, it has some good security enhancements over Windows, and most distributions are quite secure even in the standard installation - at least at the moment.

Oliver

Unix viruses do exist, but they are of academic curiosity (search for the work done by Silvio Cesare on this subject).

Viruses has never been -and will never be- a real problem for Unix-like machines because of its design that assigns ownership and permissions to system executables. The only way to infect them all would be with root privileges (which would be a waste of this special account). If you're using tripwire, and/or mount these binaries on read-only filesystems, then you're further protected. This has been said a million times...

But there are other kinds of attacks that affect Unix systems... DoS, exploits, privilege escalation, etc... (The Linux 2.6.x kernels worries me a lot)

There will come a day when Windows won't be used anymore (we just have to take care of our planet to enjoy a really new age - when I say "new", I mean no shit religions, no oil wars, etc...)

When Unixes become mainstream, there would be too many versions of it to make a single worm to cause mayhem... Because of this, Unix is a vital international security interest, and there are some governments that are taking the lead to make this happen.

Many people are switching to Unix, and I'm sure no-one would switch back.

Just because you place your Windows box behind a firewall router, it does not make your windows
box any more secure. You are securing your windows box from the internet with a piece of additional
hardware. VERY different.
You think your windows system is secure with the latest updates? Check out the security sites.
Then check out some of the blackhat websites. Should be enough to let you know that there is never
such a thing as a secure Microsoft anything.

The saying goes
"The only way your computer is safe from the internet is if it's not on the internet."
That goes for any operating system.

However, as pointed out in previous posts (and probably reiterated in many to come) Linux is built for
network computing thus network security was a major part of it's design.

The chain is only as strong as it's weakest link.... windows 3.11 compatible files exist in all versions of Windows.

Dare I say it - It's OK folks because just like after every release of Operating System from Redmond their
first statement after the first flaw(s) are found is "Our NEXT version of Windows will be the greatest thing since sliced bread!!"

And to think, they tried to call Linux a virus!

G.

Well, I don't think any OS is secure from attack. There are always going to be individuals that will attempt to gain access to your system. It's really a matter of how much your willing to sacrifice for security over convenience. I think linux does a better job because of permissions and Windows is starting to realize that now, (to late).

I would only say to anyone worried about public access to their information is to not supply it in the first place...

KC

My $0.02:

IF Linux had 50% or more of the desktop market then yes there would be some incidence of virus/trojans/worms/spyware. It wouldn't be as bad as Windows and would almost entirely rely on social engineering - ie. tricking users who don't really know how to use their computer into running stuff, not on security holes and problems with the OS and client software (web browsers, email clients) like it does in the Windows world.

If Linux had 10%-15% of desktop market and most of those were 'power users', ie. people who have a reasonable understanding of how a PC works to the point where they know to enable auto-updates, not run email attachments sent to them and so on then there would be virtually no virus/trojans/worms/spyware.

I think I'm going to get in on this thread

I think as far as everything goes, Linux is extremely secure, and

*please no one shoot me*

Windows CAN be secure. When a version of Windows is released, it is indeed very buggy... but that's sort of to be expected. Version 1.0 of any software is inherently screwed from the get-go... Linux had it's times I'm sure, however it gets quickly resolved because someone who finds something and says 'hey, I can make a worm to exploit that security hole" and just as easily fix the hole and submit it to the developers

and even if they do make a worm, the developers will be able to fix it in a jiffy and release it into the mainstream of Linux users via up2date or a similar tool.

No OS is bulletproof, however Linux is to kevlar vests as Windows is to a bike helmet.

I do a bit of side work helping out folks who have screwed up systems. In my experience 90% of the infections that typically happen to a Windows box come from either Internet Explorer (IE) or MS Outlook. Outlook just makes things way too easy, it automatically launches lot's of badness. IE is usually exploited by ActiveX. The real problem is that when you compromise IE you compromise the entire operating system. There just isn't anything like that in the Linux world. Sure, when Firefox has greater market share there will be exploits for it (evil pop-ups!) but it won't be able to affect your whole system. Also, the Mozilla crew will have the fixes out rapidly. IE just doesn't have much development going on anymore (they won the browser war then got lazy).

Root kits exist but they're really rare. IE related infections are ridiculously common. (Aparrently 50% of PCs are infected within 12 minutes of being online. link: http://www.globetechnology.com/servl...ry/Technology/ ). IE is the main culprit. Simply locking down IE alone greatly improves the security of a Windows box (Win2K is still their best distro, IMHO). However, locking down IE is something most MS users don't know how to do and removing it is problematic.

Linux just doesn't have these problems, and the root causes of the MS vulnerabilities can never arise in the open meritocracy that the Linux platform comes from. The kernel developers would shriek if anyone tried to integrate a browser into the kernel. Out of the box a Windows machine is a petri dish with an open lid. Out of the box a Linux machine is a surgical theatre. Either can host an infection but the probabilities are grossly different.

D.

Actually, its completely impossible to remove IE as lots of other Windows bundled applications rely on it. Even if you go into Windows Components and deselect IE, it only removes links from the desktop and start menu, etc, it leaves the application there. If you delete or rename the executable, it simply recreates it. As for locking it down, that only creates more problems, as many useful/beneficial Web technologies such as Javascript menu systems won't work properly, if at all.

Now, back to the actual topic of Linux security:
A quote from 'Practical Unix and Internet Security, 3rd edition', published by O'Reilly Press.

Although a Linux box can be as susceptible to worms as Windows (Notable case: the sendmail exploit back in the early days), when properly set up it is far more secure than the most secure Windows box. Trying to run a secure Windows server is like trying to plug the holes in Swiss cheese without first cutting it up - aka impossible.

All I can add is this. I would trust a basic install of Linux, Mandrake or something, before I would trust windoze with just about any install at all, even if it has a guru sitting behind it. I have been using Linux for a long time and don't even have windoze, never did, and I have yet to have any kind of infection. Someone gave me a old rig once with windoze on it and I hooked it up and it got a bug the first time I got mail. It got more as I surfed. It got a good dose of Linux too. I may put it back together and run folding on it. It is a old 800 MHz rig that I have no case for. It runs good though, cool too. I added a big heatsink to the CPU. I just wish it would boot without a video card. It just beeps when I remove it.

I need to add that to my project list. I like this folding thing. May even find a cure for what I have. I have a genetic disorder.

Later

Microsoft and its shitty OS Windows is the biggest mistake in the history of Computer Science and Technology! They have completly bastardised the computing market, and made already dumb people dumber for using their operating system. Yes there might be the odd virus and worm kicking around for unix systems, but nothing exceedingly dangerous, due to the complexity and sophistication of the permissions, not to mention the tightness of the code. The only major (if you can call them major) security vulnarabilities you see for linux, is to do with third party applications and not the accuall kernel. If your worried about hackers, you shouldn't be, normally indiviual users dont get targeted, only web-servers or "computers of interest". Now, I'm a hacker (not a cracker, thats a criminal!!), i've been hacking away at systems on my own personal network for years, and the only way that anyone can do any serious damage to your linux system is if they get physical access to your machine and root it by creating a stack-based buffer overflow (among a few other ways). As for spyware in linux, no chance, although i wouldn't past it some people / corporations to attempt it.

The only thing i would be worried about in security of DESKTOP linux is the competance of the user / sysadmin. And if your a business using linux, the competancy of your sysadmin and IT staff and make sure everyone has sufficient training to prevent social engineering.