Discussion in 'Science and Technology' started by Gorilla, Aug 25, 2014.
Someone shared a neat app they made on Hacker News and it's pretty slick.
Most heavy computer users that are concerned with security are probably using a Unix derived platform BSD / Linux for example, all open source, thousands of software packages and some extremely easy to use. Many can be run from a live CD, You may even be able to use a live CD to recover a lost Windows partition.
Lets put it this way, no security minded computer user, be they hacker, espionage (political or industrial) worker in their right mind would be caught dead using anything from Microsoft. Ask the Chinese, Russians or serious hacker, they'll tell you that Windows has more holes built into it than Swiss cheese.
Everything is vulnerable. Let me say that again. All software is vulnerable because all software contains bugs.
Some of the FOSS community has adopted this mantra that given enough eyeballs all bugs and software defects become shallow but that simply isn't the case. Despite there being a number of extremely talented developers contributing to open products, things still fail.
OpenSSL (a project that has been heavily relied on and classically been under funded and under staffed) offers two pretty recent examples of this. A few years back OpenSSL's PRNG was compromised by a developer who was following the advice of a static analysis tool (valgrind). They commented out two lines of code and neutered entropy collection in a cryptographic tool . It sat there unnoticed for a few years. Another recent example is the Heartbleed bug in the heartbeat functionality of their implementation of the TLS protocol. Essentially, not checking bounds properly allowed someone to scoop more things from memory than they should've been allowed to (private keys, cookies, passwords etc) . Quite a few more knowledgeable experts consider this one of the worst bugs/vulnerabilities of recent history.
Security is a mindset and a set of practices when it comes to information (or hell operational security). Here are a few things that matter more than whether or not a product is open source or even Unix-y:
What are the actual qualifications or experience of the the developers in question when it comes to making secure software?
What are their source code review practices?
What are their auditing practices?
What are their testing practices?
How do they respond to defects found in their products?
Is the project actively maintained/supported?
How mature is the product?
There's a ton more to this such as vigilance, regular maintenance, good configuration management and practices (including sane defaults), and threat modeling but really I think people already get the idea. I think people would also be surprised to learn how much Microsoft actually gets right, but they're an easier target for criticism because of that massive market share. I'm not personally a big fan of them because of their business practices but I have to admit that company has learned a lot of hard lessons and they have at least shared some of that hard won wisdom (for a price from Microsoft Press).
Heartbleed didn't just compromise Debian's version of OpenSSL like the valgrind incident. I intentionally chose something that was upstream and pretty much distro/os agnostic. If you built your own from source, you could've still encountered the vulnerability. You're also close to making a "went through line by line" argument when talking about compiling from source.
If the NSA wanted into particular targets that were running something Debian-based they could've done it in a much better way. In fact, I doubt they would have to rely on compromising a particular implementation at all considering the problems with SSL's trust model and the nature of certificate authorities.
If you're looking at a particular CVE that affects a particular version of one of these hardened kernels you're basically hoping that whatever hardening they done mitigates the potential damage of that vulnerability. You'll also be hoping that they get it right with backporting fixes into whatever version of the kernel they've decided to freeze at. There's a lot of complexity here and a lot of room for things to go wrong. That's why it's no surprise things like SELinux and AppArmor have become a lot more popular than specialized harden kernels.
And we're not even talking about compromised firmware, hardware, or toolchains yet.
Bottom line, it's not an easy route to take and projects like OpenBSD that are practiced hands at it still run into problems.
This doesn't really add much to your argument. Every operating system has its pros and its cons, and I'm not the type of person to tell people what they should use when they're perfectly capable of weighing their own needs. I will say that you're wrong about running a live version of Windows. It's possible. There are also specialized embedded versions of Windows too.
If Microsoft puts out a live version they would lose money, their embedded products are usually their own products and you can't carry your operating system with you on a flash drive. Every new version seems to be worse than the previous, hopefully they can fix that.
The number one reason to use a Linux distro is that it's free,
The second reason is that linux works better on old Window boxes than Windows
The third, no blue screen of death
The fourth is that you are not limited to how some corporation think you should use your computer
There is nothing to defrag
I have used linux in some form or the other and have not had a virus in 10 years
Linux is more versatile
There seem to be more pros here, did I say free
Nothing stops you from making a bootable USB image of the Windows installation media. And Microsoft does make some of these possible because they expect their products to be used among end-users in Enterprise environments. Build images, un-attended installs, etc are all part of the norm.
Let's talk about the cons:
I think Linux is a great system, but the "Year of the Linux Desktop" has been a sliding goal post for over the last decade. People want a system that just works, and well a lot of times that isn't Linux. Despite all the recent improvements, there are still lots of messes:
Sound Architecture (PulseAudio and ALSA enough said)
ACPI Backlight controls on a lot of laptop models doesn't work out of the box
Sleeping/Hibernating reliably for a lot of laptops / netbooks
Power management in general, expect to lose some battery life
Wireless out of the box is still an issue in 2014 for some chipsets
Graphics drivers are still a problem and Intel is about the only vendor that has open drivers (minus Cedar Trail's PowerVR SGX).
Gaming is a joke (yes, even with wine and the efforts of valve)
Dealing with EFI can be a pain the neck, especially for beginners
Unless you're about to use some more hardcore tools, Microsoft Office is still better than LibreOffice. The gap isn't going to close any time soon, especially for Calc vs Excel.
I mean there's so much more. It's a system that expects users to have no problem diving into the CLI. Is that going to work for everyone? Nah.
There's hope though. Android and Chrom[e|ium]OS are proof that a system based on Linux can be a much more mainstream success beyond the host of embedded "smart products" that rely on Linux.
Linux has been right for me for a long time, but I'd be delusional to think that it's right for everybody. And I'm okay with that. The things that make Linux right for what I and many others enjoy using it for probably wouldn't be improved by attempting to be the system for everybody people are pushing for.
Remember that most Linux / BSD users were once Windows users and once they understood its uses moved on without looking back.
The average PC user will more than likely have zero issues with Linux.
Linux simply represents freedom. Companies that have been bleeding the public for years do not like this, so they send out their pitch men to discourage the average Joe.
Its totally free.
Separate names with a comma.