
03/12/2004 Archived Entry: "bulletproof computing: operating systems"

What, is Microsoft reading McBlog? Right after I razz them about rating a security flaw merely "serious," I learn that they've raised it to "critical." On the bright side, MS has finally, grudgingly allowed those who use Outlook 2002 to read their mail as plain text. If you don't mind editing the registry, that is.

Sell it while you can: In the face of a plummeting stock price, SCO has announced a stock buy-back. The smidgen of Austrian economist in me suspects that they're hoping to prop up the price.

The SCO/Microsoft connection is now front page news at BusinessWeek Online ...and consequently appearing on dozens of news outlets. Suddenly no one's talking about DaimlerChrysler or Autozone. Could SCO's spin managers be losing their grip?

Back to bulletproofing your PC. What I've called the third line of defense is one of the most powerful, and one that just might be able to save you if you slip up and click on the wrong attachment. I'm referring to a secure operating system.

There are several reasonably secure operating systems, and none of them are made by Microsoft. If you are really concerned about the security of your computer and your data, you need to move away from Windows, to either Linux, or Unix, or Mac OS X. (There are other contenders, but these are the big three.)

This article describes many of the reasons why Linux/Unix/Mac are so much more secure than Windows.

Overall, the UNIX family of systems are designed to be immensely easier to monitor, to simplify, and to administer for security. They feature fewer interdependencies, more transparency, and better isolation of users.

Some of these facets are of interest mainly to system administrators or students of software design. But the last -- isolation of users -- has direct impact on you and how you set up your system.

Unix, and its cousins Linux and Mac OS X, were designed from day one to be multi-user systems. (For this posting I'll just call them collectively "Unix" systems.) To use such a system you must "log in" with a user name and password. When you do, you have access to only your own personal directory (folder) on the hard disk, plus a few "public" directories. All of the system files are protected from you, and this protection is enforced at the lowest level of the operating system. Only the administrator (normally called "root") can access the system files.

When you install your Unix system -- even though you're the system administrator -- you should set up a user account for yourself. Then you should log in as this "ordinary" user for all your day-to-day activities (web browsing, word processing, and the like). Because when you're logged in as "fred" (or whoever), nothing you or your programs can do can affect the system files! So if by chance (a) someone writes an effective Linux virus, and (b) you carelessly click on that attachment, all that can be damaged is your personal user files. You can't infect the operating system.

In contrast, when you set up a personal Windows system, you're basically running in Administrator mode all the time. You have permission to add and change system files -- DLLs, registry, the works -- and so a virus that you accidentally execute has those same permissions and can run rampant through your entire operating system.

This is why when you're using Unix, you should never log in as administrator unless this is absolutely required. For most admin tasks, like installing new software, you can log in temporarily as the administrator; and the system will prompt you when this is necessary. (And if you get such a prompt when you're not doing an administrative task, you know to be suspicious.)

If you're really paranoid, and have documents you don't want at the slightest risk of exposure to the Internet, create two user accounts for yourself. Use one of them for Internet activity, and the other for your "private" stuff. One user's files can be completely protected from another user, so your Internet persona can't access your private files any more than it can access the system files. (If you're going to do this, learn about how to set permissions for Unix files. By default, many systems allow users to read each other's files unless otherwise instructed.)
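The permission check recommended above, sketched as a shell script. This is an added example, not part of the original post; the function names and the temporary demo directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: find and remove group/other access on a private account's files.
# The demo tree is constructed in a temp directory; in real use, pass the
# private account's home directory instead.

# List every path under $1 that group or other users can read, write or enter.
exposed_paths() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed paths under $1 (0 means only the owner has access).
exposed_count() {
    exposed_paths "$1" | wc -l | tr -d ' '
}

# Strip all group and other permissions from $1 and everything below it.
lock_down() {
    chmod -R go-rwx "$1"
}

# Build a constructed "home" with the permissive defaults many systems use
# (umask 022: directories 755, files 644) and print its path.
make_demo_home() {
    demo_dir=$(mktemp -d) || return 1
    (
        umask 022
        mkdir "$demo_dir/Documents"
        echo "constructed sample" > "$demo_dir/Documents/taxes.txt"
        echo "constructed sample" > "$demo_dir/notes.txt"
    )
    chmod 755 "$demo_dir"
    printf '%s\n' "$demo_dir"
}

demo_home=$(make_demo_home)
echo "exposed before: $(exposed_count "$demo_home")"
lock_down "$demo_home"
echo "exposed after:  $(exposed_count "$demo_home")"

# A umask of 077 keeps files created later private as well.
( umask 077; echo "constructed sample" > "$demo_home/later.txt" )
echo "exposed after new file: $(exposed_count "$demo_home")"
rm -rf "$demo_home"
```

Setting `umask 077` in the private account's shell startup file makes new files owner-only from the moment they are created, so the audit should keep reporting zero.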

This is one reason why so few viruses have been written for Unix/Linux/Mac. It is so much harder to write an effective Unix virus, and Windows systems are so vulnerable -- and, truth be told, Windows systems are so much more numerous -- that most virus writers would rather go after the easy prey. Which is in turn one more reason why it's safer to use Unix.

"But," you say, "I must use Windows."

Okay, if your employer is requiring you to use Windows on your personal computer, you have my sympathy, and you'd best get to work on the other five lines of defense. If it's just that you need to use some software that's only available for Windows, you should investigate the many ways you can run that software under (or alongside) Linux. But if you're like the vast majority, who use PCs for web browsing, email, word processing, spreadsheets, and similar basic tasks, then Linux can easily meet your needs. (An average user needs Windows like a fish needs an Edsel.) Yes, you'll have to learn some new things, and yes, you'll have to undergo the nuisance of converting your files, but you have to ask yourself: "is the security of my computer and my data worth it?"

brad

P.S. Here's an interesting rant about the security of Mac OS X vs. Windows, which repeats some of the points made here. And here's another excellent discourse about the track record of Linux vs. Windows.
