Why is Linux more secure?

While chris_k discovers that 1st-year IT schooling isn't as easy as he thought, and mike_k is out wherever he is writing a script to automate half the Gulf Coast on a machine running only a Pentium Pro and 32MB of RAM, I figured I'd take the opportunity to address a basic concept that a number of us have taken for granted: Why is Linux synonymous with security?

Well, if you believe Microsoft or Apple, it isn't. Of course, both companies profit from that kind of FUD, so it's not surprising that they would rig tests or slant numbers to that end. Underneath it all, however, is UNIX and the concept of a true multi-user system. Apple's Mac OS has this advantage to an extent, but we'll get to that later.

We'll deal with the easy answer to this question first, and that is what usually gets called security-through-obscurity. Strictly speaking it isn't obscurity at all (nothing about Linux is hidden; the source is right there); it's a matter of where the targets are. The Mac benefits from this as well, though unlike Linux users you'll seldom hear any of the iPeople admit it, as they're usually too busy bragging about the 0.01% increase in market share they got last week without realizing that it works against them the whole time. Fact is, most people use Windows. A bigger target is a more rewarding target, and for malware that has to spread on its own, an easier one. If, like many crackers and black-hat malcontents, you want the world to know about your 1337 h4x0r ski11z, you want the biggest audience possible; that's Windows. Duh. While iPeople focus on increasing market share, they inadvertently open themselves up to this particular issue, as the combination of more machines and an elitist attitude makes the Mac a more attractive target (there's nothing a black-hat enjoys hearing more than a naive computer user grousing about how their machine is bulletproof).

To make things easier for the black-hat, all Windows machines are basically the same. Doesn't matter if you're running McAfee, Norton, AVG, or whatever; the file layout and default permissions of the Windows operating system are the same on every box, which means everything is in the same place with the same permissions. If a malicious payload that works on one machine can be replicated on 5 million others via a simple email, the race is on and the black-hat's work is already done. Macs are also "all the same" in this particular sense. Linux? Not so much. Sure, most beginners won't bother to change the security posture of their shiny new Ubuntu install, and plenty of Fedora users will disable SELinux the first time it gets in their way, but there are many (some might say too many) different Linux distributions out there, and a cursory OS fingerprint (nmap's, say) will narrow the kernel down to a version range and then have to guess at the distribution. In that case, the user executables might be in /usr/bin, or /usr/local/bin, or /opt/bin, or /home/$USER/usr/bin, or someplace else entirely, and the libraries and configuration files move around with them. In Windows, programs are practically always under C:\Program Files and the system itself under C:\Windows. To be clear, this diversity is a nuisance for mass-market malware, not protection against someone who has singled you out; a targeted attacker will spend the five minutes it takes to look.

This brings me to the structure of the OS itself. Contrary to popular belief, Windows as people actually run it is not a true multi-user OS. Windows NT does have users, groups and ACLs under the hood, but the default setup hands the first account (usually the only one) administrator rights, and that account is what everyone uses day to day. Sure, you can add users, but on a typical home box this is little more than a login name and password to protect a folder with your name on it. The rest of the system is just as open to nefarious behavior committed by you as it is by your wife/husband/mom/dad/kid/miscreant little brother, because everyone (unless specific steps are taken to the contrary) ends up with admin privileges. The truly bad part about this is that Microsoft has conditioned everyone to think this situation is actually preferable. After all, no one knows more about your machine than you, and you don't need anyone to hold your hand, right?

Yeah. Right.

In a true multi-user setup, you are just a user. You have no more rights or privileges than anyone else, even if you're the only one using the machine. The admin or "root" account should be (and is, in *nix) separate from everything else. There is no need to operate a machine with full privileges all the time; just as a mechanic doesn't drive everywhere with the hood open on his own car, it's unnecessary and unsafe. Even if you know everything there is to know about your machine, the mere fact that there's open access to system-level files is asking for trouble: if someone else happens to gain access to your system with admin privileges, they can torch it in short order, whereas a compromise of a regular user account is contained to what that user can read and write. (That still means your documents, your mail and your browser sessions, and a line planted in your ~/.bashrc will happily run every time you log in, so "contained" is not the same as "harmless"; the system binaries, the other users' home directories and the password database, however, stay out of reach until the attacker finds a separate privilege-escalation bug.) This is why you have to type in a password, via su or sudo, in order to get system-level stuff done in anything UNIX-based. Windows, at its best, shows a User Account Control prompt and makes you click a button, a consent step rather than a credential, which protects nothing once the user has learned to click Yes by reflex, and many people turn UAC off entirely. "Ohhh, waaahh, I don't wanna have to type in a password every time I need to do something!!" If you have to type it in every time, you're already doing something wrong; experienced Linux/BSD users can go a long time between uses of root beyond installing updates. Even so, is typing in a password once a day any harder than updating antivirus?
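The permission model described above, as an added example that is not part of the original post: a Python model of the POSIX owner/group/other check run over a constructed directory layout (the paths, uids and the gid 42 standing in for the 'shadow' group are assumptions). It shows the blast radius of a hijacked process running as an ordinary user against the same process running as root, and why a local privilege-escalation bug, anything that turns the first case into the second, is what an attacker on a UNIX system is after.

```python
"""Added example, not from the original post: a small model of the POSIX
discretionary access check (the owner/group/other bits) applied to a
constructed directory layout, to show what a compromised process can and
cannot touch as an ordinary user versus as root."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Ownership and permission bits of one filesystem object."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class Process:
    """Credentials a process carries: effective uid and all its group ids."""
    name: str
    uid: int
    gids: frozenset


def _dac_allows(proc, node, usr_bit, grp_bit, oth_bit):
    """POSIX DAC rule: uid 0 bypasses read/write checks (CAP_DAC_OVERRIDE
    on Linux); otherwise exactly one class of bits applies, chosen in the
    order owner, then group, then other. An owner whose owner bits deny
    access does not fall through to the group or other bits."""
    if proc.uid == 0:
        return True
    if proc.uid == node.uid:
        return bool(node.mode & usr_bit)
    if node.gid in proc.gids:
        return bool(node.mode & grp_bit)
    return bool(node.mode & oth_bit)


def may_read(proc, node):
    return _dac_allows(proc, node, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def may_write(proc, node):
    return _dac_allows(proc, node, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def writable_paths(proc, fs):
    """Everything `proc` could modify: the blast radius if it is hijacked."""
    return [n.path for n in fs if may_write(proc, n)]


def readable_paths(proc, fs):
    """Everything `proc` could exfiltrate."""
    return [n.path for n in fs if may_read(proc, n)]


def node(fs, path):
    return next(n for n in fs if n.path == path)


# Constructed layout, typical of a Linux install. The gid 42 is an
# assumption standing in for the 'shadow' group of Debian-style systems.
FS = [
    Inode("/usr/bin/ls", 0, 0, 0o755),
    Inode("/etc/passwd", 0, 0, 0o644),
    Inode("/etc/shadow", 0, 42, 0o640),
    Inode("/etc/sudoers", 0, 0, 0o440),
    Inode("/home/alice", 1000, 1000, 0o700),
    Inode("/home/alice/.bashrc", 1000, 1000, 0o644),
    Inode("/home/bob", 1001, 1001, 0o700),
    Inode("/home/bob/notes.txt", 1001, 1001, 0o600),
]

# Constructed processes: alice's login shell, an auditing account that
# has been added to the shadow group, and a root shell.
ALICE = Process("alice", 1000, frozenset({1000}))
AUDITOR = Process("auditor", 1002, frozenset({1002, 42}))
ROOT = Process("root", 0, frozenset({0}))

if __name__ == "__main__":
    for proc in (ALICE, AUDITOR, ROOT):
        print(f"{proc.name:>7} can write: {writable_paths(proc, FS)}")
        print(f"{proc.name:>7} can read:  {readable_paths(proc, FS)}")
```

Run it and alice's writable list is her own home directory and dotfiles: a malicious program she runs can read her files and plant a line in her .bashrc, but cannot touch /usr/bin, /etc/passwd, /etc/shadow or bob's home. The auditor shows the group rule: membership in the shadow group grants read on /etc/shadow but not write, because the group class has only the r bit. The root process passes every check, which is the whole argument for not living in that account. Real kernels add more on top (the sticky bit, POSIX ACLs, capabilities, SELinux), all of which this model omits.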

Okay, I admit that's a loaded question... of course it's harder to type in a password for some people, because those are the same people who don't bother to update their antivirus in the first place.

Now, what's this about Mac? It's UNIX-based and I don't have to deal with all the command-line stuff, right? Well, not exactly; you'll notice that admin stuff still requires you to type in a password. You'll also notice that Apple's engineers went out of their way to keep most of the nuts 'n' bolts away from the casual user in an attempt to keep you (yes, YOU) from borking your expensive Apple-branded work of art and making His Highness Steve Jobs look bad. This means that most Mac users are blissfully unaware of their security situation, content to be told that their iBox is immune to all the bad stuff out there. Admit it: how many Mac users out there are ready for the day a trojan or worm that runs in a UNIX environment comes down the pike? Well, I'm here to tell you that, security-through-obscurity or not, they're out there. See, UNIX variants are running on the most high-powered and mission-critical servers on the planet, and they make for some pretty attractive targets; you'd better believe that there is work being done on local privilege-escalation bugs, ways to fool a permissions-based multi-user system just long enough to get root. Guess who'll get hit first when the technique is perfected?

Its name rhymes with Snapple.

That's right, a hysterical (as in "highly amusing") number of Mac users will be left staring at the spinning beach-ball, their iTunes collections in flames, not knowing why, precisely because they believed it couldn't happen to them.

Don't by any means misunderstand, here: the Mac OS, by virtue of its UNIX-ness, is indeed a secure OS. It's important to realize, however, that "secure" is relative. I'm not here to just shout "Linux FTW" but rather to explain why it's considered more secure. That explanation, the actual reasoning behind the reputation, is what this post is meant to provide and what most of the Linux-is-secure chatter lacks. At the same time, if you expect Linux to do all the heavy lifting for you security-wise, you'll regret it soon enough. Linux admins still need to run a rootkit scanner (chkrootkit or rkhunter) every so often, and ClamAV is one of the best antivirus apps around (it's available for Windows as well). SELinux might sound like a pain at first, but if you go to the effort of learning how it works and actually use it, you get a second, mandatory layer of control that limits what a compromised program can touch even where the ordinary user/group permissions would have let it through, and that puts you well ahead of most machines on the planet.

The key to all this, if anyone hasn't figured it out yet, is that security starts with the user. The best tools in the world are useless in the hands of an idiot. The most secure machine is the one which is unplugged and stored in a vault; the second most secure machine is the one whose admin is vigilant. Linux gives you the freedom to be that vigilant and take control of the situation, rather than depend on others. If you feel you "shouldn't have to worry about this type of thing", there are plenty of individuals and businesses who will be more than happy to address the situation for you... for a price.

Last Updated (Sunday, 11 July 2010 16:41)