There but for the Grace of Bill.... - page 3
Getting Down to that Crazy Nero Beat
Guess what? No matter what you've heard about Microsoft Outlook, the situation is basically the same as it is in Linux. The difference is in the knowledge level of the user, not in the e-mail software itself. Windows users are naive about security, even after being hit time and time again with Melissa and all her sisters. They still are likely to double-click on an attachment, even if they have no idea what it is or what it does, and even if it's overtly marked as an executable program. That was the situation yesterday with ILOVEYOU, which is clearly marked as a VBScript executable. The message looked appealing, so users ran the script to see what it would do. They saw, all right, but by then it was too late. Zap!
Once the executable is running (under either Linux or Windows), the security features of the operating system can work to limit its damage potential. In Linux, unless you are running as root (a dumb thing to do), the worst you can do is to corrupt or delete all of your own files. The operating system, if properly configured, is mostly safe unless the attacker is very smart. Most of them aren't that good.
This is the same situation in Windows NT or Windows 2000. Windows 95 and 98, though, have no concept of file-level security and therefore any user can modify or delete any file in any directory. The "login" prompt that Windows 9x users see at bootup is a joke--it only captures the desired username and password for later access to network resources and to determine which desktop profile to load.
So Linux users have the right to be smug about security when compared to Windows 9x, but we still shouldn't feel invulnerable. Losing all your personal files isn't as bad as trashing the operating system, but it's no fun either. And, as I have shown, we Linux users are protected from that situation by our typically greater knowledge and a paranoia that comes from years of server administration experience. Linux is hard to use, so "they" say, and therefore most people running it are techies. We know how to protect ourselves. But this situation will soon change.
Earlier in this article I said that we should be thankful to Bill Gates for being our stunt double. What I meant by that is that the current state of leading e-mail programs, from a security standpoint, is abysmal. This is true no matter which operating system you're using. By being the overwhelming market leader, Microsoft has graciously volunteered to take most of the hits from virii and worms. There but for the grace of Bill go we. As Linux becomes more popular, and starts appealing to less skilled users, we are condemned to the same fate as the Windows community. More Linux users will attract more Linux attacks, because the people who write such code want to hurt as many systems as possible.
The difference is that we will suffer more in the press and in the highly-unfair court of public opinion. The problem is that we Penguinistas have claimed for so long that our system is more secure. "We are open source," we explain, "so security holes are found and fixed quickly through peer review." Then we go on, "Besides, Windows 9x doesn't have user-level security. And Outlook and ActiveX are really vulnerable, but Linux doesn't use any of those bad technologies."
All of these claims are true, in my opinion. Open source does encourage peer review, both for security and for code quality. Outlook does automate things that should be manual, as do Word and Excel. Microsoft time and again trades a lot of security for a little user convenience. ActiveX really does have serious security holes; it was originally designed for component embedding within the local machine, and network/Web functionality was glued on as an afterthought.